I’ve been reading so much about HIPAA lately; no enforcement actions yet, but a lot of changes, proposals and initiatives.
Two more I read about recently:
* On Friday, April 20, to coincide with the fourth anniversary of the enforcement of the HIPAA Privacy Rule, the Department of Health and Human Services (HHS) announced the launch of an enhanced Web site that will make it easier for consumers, health care providers and others to get information about how the Department enforces health information privacy rights and standards. According to the HHS:
“The Health Information Privacy Web site provides comprehensive information about the Privacy Rule, which creates important federal rights and requirements to protect the privacy of personal health information. The enhanced Web site, http://www.hhs.gov/ocr/privacy/enforcement provides information for consumers, health care providers, health plans and others in the health care industry about HHS’s compliance and enforcement efforts. The new information describes HHS activities in enforcing the Privacy Rule, the results of those enforcement activities, and statistics showing which types of complaints are received most frequently and the types of entities most often required to take corrective as a result of consumer complaints. The other information on the Web site covers consumers‚Äô rights to access their health information and significantly control how their personal health information is used and disclosed, as well as guidance about how to submit complaints about possible violations of the law and extensive guidance for entities who must comply with the rule.”
* On Monday, April 23, HHS Secretary Mike Leavitt formally announced he delegated subpoena powers to the Office for Civil Rights (OCR) at HHS and the authority for the director to re-delegate subpoena power for the investigation of potential violations of the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) and the Patient Safety Quality Improvement Act.
According to HHS, HIPAA “authorizes the issuance of subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation by the secretary and the enforcement of such a subpoena in court in event of refusal to comply.”
In a separate announcement, Leavitt also granted subpoena power to the Centers for Medicare and Medicaid Services (CMS) to enforce other areas of HIPAA, including rules governing transaction and code sets.
I’m glad to see more information being provided about the actual enforcement activities and the related statistics; those have always been almost impossible to find, and numerous calls I’ve made to the HHS, OCR and CMS have always come up with virtually no one there knowing what the actual statistics were.
We shall see what the new subpeona powers mean…perhaps more active enforcement on the horizon?
Tags: awareness and training, CMS, government, HHS, HIPAA, Information Security, IT compliance, OCR, patient privacy, PHI, PII, policies and procedures, privacy, privacy rule, security rule