Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, agrees that OCR has been soft in enforcing civil and criminal penalties. However, he says it may be premature to make a call on OCR's enforcements patterns.
"A fair amount of activity is occurring at HHS, and the department is under a lot of pressure to meet the HITECH Act rule writing/enforcement deadlines," Apgar says. "So the fact that the HITECH Act has not changed any enforcement practices resulting in civil penalties is not necessarily surprising. The question, though, is will the HITECH Act really have an impact in increasing HIPAA Privacy and Security Rule compliance? We wait and see."
The Ponemon Institute did not wait to see how providers feel about HITECH and HIPAA compliance. The organization surveyed 65 hospitals and published a November 2010 report that found that 71 percent of hospitals say federal regulations like HITECH have not improved the safety of patient records.
The same percentage of respondents say they have inadequate resources to prevent and quickly detect patient data loss.
Maybe they're right about HITECH. There is hardly any tangible evidence that HITECH has significantly changed the landscape of protecting patients' privacy. But it has given organizations plenty of reasons to be vigilant in their HIPAA compliance efforts.
For starters, bad publicity. Just look at OCR's breach notification website, which lists the more than 200 entities that have reported a breach of unsecured PHI affecting 500 or more individuals. That information was not public prior to HITECH.
And state attorneys general now have the power to sue over HIPAA violations. Connecticut wasted no time: in 2010 its attorney general, Richard Blumenthal, went after insurer Health Net for failing to secure the private medical records of 1.5 million policyholders and for the insurer's delay in reporting the breach. The verdict? A $250,000 fine on the company for HIPAA and HITECH violations and the requirement to adopt rigorous security and notification measures.
And just months after, the Connecticut Insurance Department issued a bulletin that calls for state insurers to notify affected individuals and the state's insurance commissioner of a breach of patient information no later than five calendar days after its discovery.
Now there's some tangible evidence that HITECH is working.
Though OCR officials would not connect Connecticut's breach bulletin to HITECH, they did praise HITECH for its "heightened vigilance" around HIPAA compliance.