Flurry of HIPAA Activity Expected Over Next Three Months

As for enforcement, Congress promised in ARRA "periodic audits" to ensure HIPAA compliance. Government officials told HealthLeaders Media in September they weren't sure what that meant, and Apgar says OCR still does not have a definitive plan. Likely, they will not publish a plan until second quarter 2010.

"If you've got a headline [because of a major breach], they're likely going to come and investigate you," Apgar says. "But they're wavering on how they will conduct compliance audits. Not because they're not going to do it, but because they don't know when yet. The House version of the healthcare reform bill calls for more strict enforcement than ARRA, so they want to wait to see what comes out in healthcare reform."

Apgar adds the government can fine up to $50,000 for one HIPAA violation and a maximum of $1.5 million for the same type of violation per calendar year—regardless of the severity of the breach.