San Diego Business Journal

The Office of Civil Rights is keeping mum on plans to respond to hospital industry concerns that a major accrediting body could be violating patient privacy.

Patrick Hadley, a spokesman for the federal agency, which oversees the landmark Health Insurance Portability and Accountability Act, or HIPAA, said officials there have not decided if they will issue guidance to the Joint Commission on Accreditation for Healthcare Organizations, or JCAHO.

The Chicago-based American Hospital Association's privacy concerns peaked during a national e-mail campaign last month in which San Diego-area health care leaders participated.

The virtual campaign was triumphant in convincing JCAHO not to seek further contracts to sell patient or hospital data to third parties, such as insurance companies. The organization will honor its contract with Blue Cross Blue Shield, which is several months long and ends in February. The amount was not disclosed.

Nancy Pratt, senior vice president of clinical effectiveness at Sharp HealthCare, one of San Diego's largest hospital networks, said she's "thrilled" JCAHO backed off of selling data but wonders why the organization still wants patient-specific data.

"Patients entrust us with their personal information, and we have a responsibility to protect that," Pratt said.

JCAHO has said that it wants patient level data to ensure "accuracy and completeness" of information it receives from hospitals in order to issue accreditation. It has said that it would not release patient information to third parties.

The Office of Civil Rights met with JCAHO and the American Hospital Association individually, as well as together in recent months at the request of the hospital association.

Oakbrook Terrace, Ill.-based JCAHO, considered the gold standard of hospital accreditation, has said it will work to resolve Hospital Association concerns. The agency is one of only two private organizations designated by the federal government to accredit hospitals for Medicare reimbursement.

Hadley said the meetings "involved discussions about business associate relationships" in relation to data sharing and privacy rules.

Rick Wade, senior vice president at the Chicago-based Hospital Association, said he's concerned that even though JCAHO voted not to sell data to third parties, it might sell the information to the government.

"We want the process around JCAHO, data and HIPAA law settled once and for all," Wade said.

Hadley said the office does not issue "advisory opinions" unless a formal complaint is filed.

Wade said the Hospital Association felt it would get a faster response by requesting guidance from the office instead of filing a formal complaint, which can take years to resolve.

Wade said if the federal office does not issue guidance to JCAHO, the Hospital Association will consider filing a formal complaint.

"(JCAHO was) selling data to Blue Cross Blue Shield plans, and that raises HIPAA concerns right there," Wade said. "Hospitals are responsible for protecting that data to make sure specific patients cannot be identified."

The data includes information such as how many patients are treated for certain ailments and if hospital staff responded appropriately.

The hospital association's e-mail campaign also expressed blatant concern that JCAHO may not be protecting patients' privacy.

Officials from regional associations such as the Hospital Association of San Diego and Imperial Counties and the California Hospital Association said recently that they opposed the sale of the data and are concerned about patient privacy issues. Some said selling data was a conflict of interest considering JCAHO's quasi-governmental role.

The Office of Civil Rights said that, as of last week, it had no further meetings scheduled with either organization.