OCR's HIPAA Enforcement: More Bark or Bite?
You know the "what" when it comes to HIPAA privacy and security enforcement: New federal laws this year include larger monetary fines, periodic audits, civil-suit authority to state attorneys general, and new HIPAA Security Rule compliance to business associates (BAs) of covered entities.
You now know the "who": The Office for Civil Rights (OCR), long the HIPAA Privacy Rule warden, inherits the security rule per a July 27 announcement by HHS Secretary Kathleen Sebelius.
But for covered entities, the bigger questions are "when" and "how much." When will this stepped-up enforcement arrive? And how regular will it be?
"I think the initial intent is to combine privacy and security investigations, audits, etc., in one division given [that] many security violations/breaches lead to privacy breaches," says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR. "It's logical that there be one enforcement shop for privacy and security. As far as what it means on the auditing side, that's likely not something we will know until next year."
By next year, major regulations in the Health Information for Economic and Clinical Health (HITECH) Act should be approved–most importantly, a definition of unsecure PHI (due August 18, 2009) and business associates compliance with the security rule (February 18, 2010).
The jury's out on what the organizational change for OCR and CMS means for providers. For HHS, the move will "eliminate duplication and increase efficiencies in how the department ensures that Americans' health information privacy is protected," according to an HHS press release sent yesterday.
"Privacy and security are naturally intertwined, because they both address protected health information," Sebelius said in the release.
OCR has only levied two major fines—Providence Health & Services in July 2008 ($100,000 fine and corrective actions) and CVS in February 2009 ($2.25 million fine).
Since the compliance date in April 2003, OCR, according to its Web site, has received 44,911 HIPAA privacy complaints, of which 19.4% (8,756) led to enforcement actions (8,756).
More than half (57.5%) of the cases were closed because they were not eligible for enforcement. Another 10% of investigations led to no findings of violations.
Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA, blogged yesterday.
"It'll make it much less confusing, not only for [covered entities] and BAs, but also for the oversight agencies, and hopefully more effective for more active enforcement actions," Herold says.