"The HITECH provisions have helped strengthen OCR's efforts to encourage healthcare providers, health plans and other healthcare entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules," an OCR official tells HealthLeaders Media. "Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry's use of health information technology."
As the industry moves closer to total EHRs across the board, privacy and security naturally take a front-row seat.
Naturally, the healthcare industry has a tall order in assuring patients that their records are totally secure in an electronic environment. And with that assurance comes tough enforcement.
Is OCR our savior?
Many didn't think so in the beginning, Drummond says.
"When HIPAA was first passed and enforcement was given to OCR, it raised eyebrows among many health lawyers," Drummond says. "OIG was a known bulldog, but OCR was generally perceived as being much more conciliatory. Folks expected OCR to take a softer approach to obtaining compliance, working with covered entities to fix problems rather than coming in with guns blazing, subpoenas flying, and heavy fines assessed. And that's pretty much what we've seen."
Heavy fines or not, Drummond says OCR has the "right approach."
"The vast majority of participants in the healthcare field are meticulously cautious about dealing with patient privacy, always have been, and would be with or without HIPAA," he says. "In the vast majority of cases, if there's a breach, it's an accident or a mistake, and shouldn't result in a huge fine. Of course, there are bad apples in every barrel, but in healthcare, there is a pretty good culture of privacy."