HITECH: 2 Years In, Verdict Still Out

By the time the New Year arrives, HITECH will have been signed into law for approximately 23 months. Some regulations, such as the breach notification interim final rule, have been in effect, but we wait on others like modifications to the HIPAA privacy, security, and enforcement rules.

So as the New Year arrives, it's time to analyze what we've gotten out of HITECH. What is its effect on the healthcare industry right now? Qui bono? Patients, providers, or the government regulators?

The answer? It's probably too early to tell.

Perhaps the biggest question over the past two years has been what kind of enforcer will the Office for Civil Rights (OCR) be under HITECH and HIPAA? Will it be the Federal Trade Commission-shark type (20-year probation periods, etc.). Or will it maintain its "soft" image, a proactive enforcer that issues guidance and best practices?

After all, since the HIPAA Privacy Rule came into force April 14, 2003, the Department of Health and Human Services (HHS, and OCR's boss) has yet to levy any civil penalties against any covered entities (and now business associates). 

Yes, there was the $2.25 million settlement with CVS in February 2009 and the $1 million settlement with Rite Aid for privacy violations in July 2010. OCR says it is required to use those funds under HITECH for enforcement efforts.

But those investigations began before HITECH, and, technically, they weren't fines, but rather agreements that included corrective action plans.

It's difficult to forecast OCR's enforcement methods for a couple of reasons: Some final rules await, and the enforcer's "periodic audit plans," as required by HITECH, have yet to be released.

"I do not think OCR will jump on the bandwagon with heavy fines, for two reasons," says Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP. "First, it's not in their nature. They want to fix problems prospectively, not punish bad guys. And they know that most of whom they deal with aren't intentional violators.  Secondly, when they do come across a true bad actor, they'll hand it over to the tough guys: the Department of Justice. I expect OCR to remain 'civil,' and to let the DOJ deliver 'justice.'"