Proposed HITECH Rule for Business Associates Will Come Soon, Says OCR Lawyer

Apgar says BAs have been required to adhere to the same HIPAA regulations since 2003 (privacy) and 2005 (security) by contract. Also, while OCR may not levy a civil penalty, this does not prevent lawsuits alleging damages.

"Even though HIPAA includes no private right of action, HITECH did not specifically prohibit it for the HITECH provisions," Apgar says. "And if someone is harmed because the entity did not adequately protect the individual's PHI and they can prove harm, the entity still may find themselves paying out large sums of money in damages."

The bottom line? Be compliant now.

"Lack of enforcement does not change the fact that, statutorily, entities are required to adhere to a number of new privacy and security requirements included in the HITECH Act, Subpart D, effective February 17, 2010," Apgar says.

Though no enforcement plans have been announced regarding HITECH provisions, Robinson says OCR is serious about it. OCR gained 36 FTEs dedicated to HIPAA privacy and security rule compliance and enforcement this fiscal year and is now up to 132.

OCR has obtained corrective action—meaning entities taking significant and important actions to change practices to come into compliance with the privacy rule—in more than 14,900 cases since 2003.

"We strongly believe that enforcement efforts directed at obtaining changes in a covered entity's operations, practices, and policies will benefit all individuals—past, present, and future—that entrust the covered entity with sensitive health information," Robinson says. "Voluntary compliance and informal resolution are an efficient mechanism to resolve noncompliance and save resources for both OCR and a covered entity."

Joanne Finnegan contributed to this report.