Something that has bothered me, and many others, for a very long time is how there have been absolutely no enforcement actions for the Health Insurance Portability and Accountability Act (HIPAA) privacy rule or security rule since they went into effect. Passing a law and then not doing anything to enforce it, even after the enforcement agencies have received tens of thousands of complaints reporting noncompliance, makes the law weak and prone to disregard by covered entities (CEs) who see others getting away with noncompliance with just a, “Whoops! Sorry, we’ll try to fix that.”
In 2006 I had multiple phone conversations with four different folks, two in the OCR HIPAA enforcement office and two in the CMS HIPAA enforcement office, and as a result I became very discouraged by their stated lack of initiative to actively pursue HIPAA infractions, even those where reported incidents could clearly indicate some huge noncompliance problems.
Now it appears that Federal enforcement of privacy and security rules under HIPAA may be increasing after this very long period no enforcement actions.
The Department of Health and Human Services (HHS) Department Office of Inspector General (OIG) appears to be making movement on their promise in their Fiscal Year 2007 Work Plan to “review HIPAA privacy and security implementation under Medicare and Medicaid to identify key issues in the HHS information technology initiative.”
According to the April 9 issue of Privacy and Law Report, from the Bureau of National Affairs (BNA, a subscriber site), OIG auditors in Region IV have announced they will conduct an audit of Piedmont Hospital in Atlanta. The auditors will reportedly assess Piedmont’s compliance with the HIPAA security rule.
The same BNA report indicates the Centers for Medicare & Medicaid Services (CMS) is also planning increased enforcement.
In December 2006, the CMS issued guidance to address concerns about the vulnerability of data used off-site on devices such as laptops, home-based personal computers, personal digital assistants (PDAs), and “smart phones,” and the dangers of accessing data from hotel, library, or other public workstations and wireless access points, including those that employees can set up at home or use at public sites, such as Starbucks. The CMS warned, “Covered entities should be extremely cautious about allowing the offsite use of, or access to [electronic personal health information].”
The Office for Civil Rights (OCR) is responsible for administering and enforcing compliance with the HIPAA privacy rule. Through February 28 they had closed 77% of the 25,662 complaints it had received. The OCR referred 373 of the complaints to the Justice Department for criminal investigation.
Will we see actual enforcement penalties applied in 2007 to CEs with clear noncompliance infractions? Only time will tell.
Tags: awareness and training, CMS, HHS, HIPAA, Information Security, IT compliance, OCR, patient privacy, policies and procedures, privacy, privacy rule, security rule