The Security Scrutinizer with Howard Anderson

HIPAA Enforcement: When?

Audit Program in Limbo, State Civil Suits Yet to Kick In
When the HITECH Act was enacted as part of the economic stimulus package early in 2009, much was made of its provisions calling for tougher enforcement of the HIPAA privacy and security rules, along with tougher penalties. But at the dawn of 2011, we're still waiting for ramped-up enforcement to begin.

To be sure, the online posting of major health information breaches by the Health and Human Services' Office for Civil Rights has had a big impact. The HITECH-mandated list has called attention to such risks as storing information on unencrypted laptops and, hopefully, is leading more organizations to launch breach-prevention programs.

But in the past year, only a few HIPAA enforcement actions gained headlines.

For example, back in April, a former UCLA Healthcare System surgeon was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. He was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, authorities said.

And in July, pharmacy chain Rite Aid Corp. agreed to pay a $1 million fine and take corrective action to settle federal charges that it violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information in dumpsters. The Rite Aid case was the second settlement as a result of a joint HHS and FTC investigation. The agencies settled a similar case against CVS Caremark in February 2009.

If there were more such headlines about fines and prison terms for HIPAA violations, compliance would improve and patient privacy would be better protected.

Overdue Enforcement

Meanwhile, two HITECH-mandated enforcement programs have yet to get out of the starting blocks.

HITECH mandated that the HHS Office for Civil Rights create a HIPAA compliance audit program.

Earlier this year, the office hired Booz Allen Hamilton to create a game plan for the auditing program. Last month, Adam Greene of OCR said the office was still "considering different audit models" and declined to reveal a timeline for the audits. He noted: "There are more than 1 million covered entities and business associates, so it's a challenge."

In addition, HITECH gave state attorneys general the power to file federal civil suits for HIPAA violations. But there's been no rush of activity among the states. So far, only the Connecticut attorney general has filed a HIPAA civil suit using the new powers under the HITECH Act. It appears other attorneys general are still awaiting training, which OCR says will finally be offered in the coming weeks.

Attorney Kathy Roe wonders whether enforcement efforts will intensify any time soon. "I have real questions as to how significant an increase there will be in enforcement activities when I consider the economics required for enforcement," she says, pointing to budgetary woes at the federal and state levels.

With complex federal health reform in the works (unless the new Congress derails it), as well as the HITECH electronic health record incentive program, "you have to really wonder whether there are enough dollars and enough people to see a notable increase in enforcement activity," Roe says.

Certainly, officials at the Office for Civil Rights and the Office of the National Coordinator for Health IT have their hands full playing catch-up with all the overdue HITECH-mandated rules and regulations. But unless HIPAA enforcement ramps up in a highly visible way, will healthcare organizations of all shapes and sizes take compliance seriously?



About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



