Does Anybody Care About HIPAA Anymore?

By gshaw@healthleadersmedia.com | February 09, 2010

HIPAA got a big boost from the 2009 HITECH Act, which extended privacy rules to business partners, threatened steeper penalties for violations, and promised periodic audits. But even with the beefed-up rules, these days HIPAA just doesn't seem to be that big a priority—to anyone.

One reason HIPAA elicits the big ho-hum is that, despite the fact that the Health Information Technology for Economic and Clinical Health (HITECH) Act purports to be very serious about privacy violations, there hasn't been a lot of governmental follow-through. It's like dad telling the kids he's going to count to three and then saying, "One . . . two . . . two and a half . . . two and three quarters . . ."

The Office of Civil Rights hasn't decided when it will conduct the periodic audits, for example, or even how it will pay for them. Sue McAndrew, the deputy director for Health Information Privacy for the OCR, said at the 18th Annual National HIPAA Summit last week that OCR is working with a HIPAA privacy and security expert to help the organization "map out essentially the range of options that we have and what would be the most effective." There are, she said, "1,000 ways to do this."

(How long do you suppose the government will take to settle on one of those 1,000 ways?)

Another factor: HHS' "harm threshold" standard in its interim final rule on breach notification, which says that the unauthorized use or disclosure of personal health information is a breach only if the use or disclosure poses some harm to the individual. So covered entities and their associates will now perform a risk assessment to determine what kind of harm the breach caused. Some Congressmen are "deeply concerned" about the harm provision because it gives covered entities and business associates a "breadth of discretion" as they investigate. Providers, meanwhile, love it. No big surprise there.

But the main reason no one seems to get too worked up about HIPAA anymore is that healthcare organizations know what they have to do to prevent breaches. And they know that some breaches—such as an employee who, acting on his or her own, dishes out juicy tidbits about celebrity patients to the tabloids—are nearly impossible to prevent. The truth of the matter is that HIPAA is no longer the big scary mystery it was in 2003.

That's not to say, however, that healthcare organizations are actually doing what they should to comply with the rules. There are still laptops with unencrypted data floating around out there, just waiting to be lost or stolen. In January 2010, there were 35 reports of breaches affecting more than 500 individuals, resulting in 712,000 notices, according to McAndrew. Most of the reports were about personal health information contained in lost or stolen unencrypted media or portable devices.

McAndrew also noted that business associates can be held directly liable for a breach of unsecured protected health information and responsible for those hefty new fines. On the other hand, she went on to say OCR would consider decreasing or even waiving some of the penalties depending on the financial state of a violating hospital. The "settlement door is always open," she added. (Two and sixteen-eighteenths . . . two and seventeen-eighteenths . . .)

While you're waiting for mom and dad to finally get to three, be sure to check out the more detailed reports from last week's HIPAA summit in Washington, DC, by HealthLeaders Media's Dom Nicastro, including an article that outlines five ways healthcare organizations could be doing a better job at HIPAA compliance:
