OCR's HIPAA Enforcement: More Bark or Bite?
You know the "what" when it comes to HIPAA privacy and security enforcement: New federal laws this year include larger monetary fines, periodic audits, civil-suit authority for state attorneys general, and the extension of HIPAA Security Rule compliance obligations to business associates (BAs) of covered entities.
You now know the "who": The Office for Civil Rights (OCR), long the HIPAA Privacy Rule warden, inherits the security rule per a July 27 announcement by HHS Secretary Kathleen Sebelius.
But for covered entities, the bigger questions are "when" and "how much." When will this stepped-up enforcement arrive? And how regular will it be?
"I think the initial intent is to combine privacy and security investigations, audits, etc., in one division given [that] many security violations/breaches lead to privacy breaches," says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR. "It's logical that there be one enforcement shop for privacy and security. As far as what it means on the auditing side, that's likely not something we will know until next year."
By next year, major regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act should be approved, most importantly a definition of unsecured PHI (due August 18, 2009) and business associate compliance with the security rule (February 18, 2010).
The jury's out on what the organizational change for OCR and CMS means for providers. For HHS, the move will "eliminate duplication and increase efficiencies in how the department ensures that Americans' health information privacy is protected," according to an HHS press release sent yesterday.
"Privacy and security are naturally intertwined, because they both address protected health information," Sebelius said in the release.
OCR has levied only two major fines—Providence Health & Services in July 2008 ($100,000 fine and corrective actions) and CVS in February 2009 ($2.25 million fine).
Since the compliance date in April 2003, OCR, according to its Web site, has received 44,911 HIPAA privacy complaints, of which 19.4% (8,756) led to enforcement actions.
More than half (57.5%) of the cases were closed because they were not eligible for enforcement. Another 10% of investigations led to no findings of violations.
Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, a privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA, wrote about the change in a blog post yesterday.
"It'll make it much less confusing, not only for [covered entities] and BAs, but also for the oversight agencies, and hopefully more effective for more active enforcement actions," Herold says.