HIPAA Enforcement: When?
Audit Program in Limbo, State Civil Suits Yet to Kick In
To be sure, the online posting of major health information breaches by the Health and Human Services' Office for Civil Rights has had a big impact. The HITECH-mandated list has called attention to such risks as storing information on unencrypted laptops and, hopefully, is leading more organizations to launch breach-prevention programs.
But in the past year, only a few HIPAA enforcement actions gained headlines.
For example, back in April, a former UCLA Healthcare System surgeon was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. He was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, authorities said.
And in July, pharmacy chain Rite Aid Corp. agreed to pay a $1 million fine and take corrective action to settle federal charges that it violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information in dumpsters. The Rite Aid case was the second settlement as a result of a joint HHS and FTC investigation. The agencies settled a similar case against CVS Caremark in February 2009.
If there were more such headlines about fines and prison terms for HIPAA violations, compliance would improve and patient privacy would be better protected.
Overdue Enforcement
Meanwhile, two HITECH-mandated enforcement programs have yet to get out of the starting blocks.
HITECH mandated that the HHS Office for Civil Rights create a HIPAA compliance audit program.
Earlier this year, the office hired Booz Allen Hamilton to create a game plan for the auditing program. Last month, Adam Greene of OCR said the office was still "considering different audit models" and declined to reveal a timeline for the audits. He noted: "There are more than 1 million covered entities and business associates, so it's a challenge."
In addition, HITECH gave state attorneys general the power to file federal civil suits for HIPAA violations. But there's been no rush of activity among the states. So far, only the Connecticut attorney general has filed a HIPAA civil suit using the new powers under the HITECH Act. It appears other attorneys general are still awaiting training, which OCR says will finally be offered in the coming weeks.
Attorney Kathy Roe wonders whether enforcement efforts will intensify any time soon. "I have real questions as to how significant an increase there will be in enforcement activities when I consider the economics required for enforcement," she says, pointing to budgetary woes at the federal and state levels.
With complex federal health reform in the works (unless the new Congress derails it), as well as the HITECH electronic health record incentive program, "you have to really wonder whether there are enough dollars and enough people to see a notable increase in enforcement activity," Roe says.
Certainly, officials at the Office for Civil Rights and the Office of the National Coordinator for Health IT have their hands full playing catch-up with all the overdue HITECH-mandated rules and regulations. But unless HIPAA enforcement ramps up in a highly visible way, will healthcare organizations of all shapes and sizes take compliance seriously?