
OCR's HIPAA Enforcement: More Bark or Bite?

By HealthLeaders Media Staff | August 04, 2009

You know the "what" when it comes to HIPAA privacy and security enforcement: New federal laws this year include larger monetary fines, periodic audits, civil-suit authority to state attorneys general, and new HIPAA Security Rule compliance to business associates (BAs) of covered entities.

You now know the "who": The Office for Civil Rights (OCR), long the HIPAA Privacy Rule warden, inherits the security rule per a July 27 announcement by HHS Secretary Kathleen Sebelius.

But for covered entities, the bigger questions are "when" and "how much." When will this stepped-up enforcement arrive? And how regular will it be?

"I think the initial intent is to combine privacy and security investigations, audits, etc., in one division given [that] many security violations/breaches lead to privacy breaches," says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR. "It's logical that there be one enforcement shop for privacy and security. As far as what it means on the auditing side, that's likely not something we will know until next year."

By next year, major regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act should be finalized, most importantly a definition of unsecured PHI (due August 18, 2009) and business associate compliance with the security rule (February 18, 2010).

The jury's out on what the organizational change for OCR and CMS means for providers. For HHS, the move will "eliminate duplication and increase efficiencies in how the department ensures that Americans' health information privacy is protected," according to an HHS press release sent yesterday.

"Privacy and security are naturally intertwined, because they both address protected health information," Sebelius said in the release.

OCR has only levied two major fines—Providence Health & Services in July 2008 ($100,000 fine and corrective actions) and CVS in February 2009 ($2.25 million fine).

Since the compliance date in April 2003, OCR, according to its Web site, has received 44,911 HIPAA privacy complaints, of which 19.4% (8,756) led to enforcement actions.

More than half (57.5%) of the cases were closed because they were not eligible for enforcement. Another 10% of investigations led to no findings of violations.

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA, blogged about the change yesterday.

"It'll make it much less confusing, not only for [covered entities] and BAs, but also for the oversight agencies, and hopefully more effective for more active enforcement actions," Herold says.

John Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, Ellicott City, MD, and chairperson of the team that created the HIPAA Security Rule, calls the move by HHS "not a bad idea."

Parmigiani says OCR taking in security:

  • Eliminates the communication/enforcement barriers on cases where there are both privacy and security alleged violations.

  • Establishes a single focal point and accountability for inter-agency dealings with other federal healthcare enforcement arms as well as state data protection agencies.

  • Gives added incentive for enforcement to OCR, whose resources directly benefit from penalties collected per HITECH.

  • Isolates CMS' HIPAA Administrative Simplification enforcement role to transactions, code sets, and identifiers, which is more in line with a health insurance (payer) organization's responsibilities.

No matter what OCR will be responsible for, it's never been known as an enforcement shark, says Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP.

"Frankly, when the privacy rule first came out, many of us were left scratching our heads at the assignment of enforcement to OCR, which is not known as an aggressive agency," Drummond says. "If you want covered entities to really take the privacy rule seriously, assign enforcement to the Office of the Inspector General. The OIG strikes fear into the hearts of providers; OCR, not so much."
