
Feds Unsure About HIPAA Enforcement Practices

By HealthLeaders Media Staff | September 18, 2009

Flash back to February 17, 2009.

President Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009 that included provisions for heightened HIPAA enforcement and stiffer penalties for privacy and security violations.

The next day, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced that CVS, the nation's largest retail pharmacy chain, had to pay the U.S. government $2.25 million and take corrective action in a settlement for potential privacy breaches affecting millions of patients.

Seemed as if they were serious about enforcement. After all, it took them less than 24 hours to act.

But today, seven months later, there is uncertainty about that promised HIPAA enforcement.

Certainly, HHS has made moves in the direction of increased enforcement. In August, it announced it would expand its privacy enforcement team with two HIPAA "privacy specialists," who will help the public better understand their rights under HIPAA and enforce compliance among covered entities and business associates.

The "senior health information privacy outreach specialists" are operating under the Office for Civil Rights (OCR), which enforces the HIPAA Privacy Rule and Security Rule and the Patient Safety and Quality Improvement Act's confidentiality provisions through its Division of Health Information Privacy; HIPAA Security came under OCR's umbrella on July 27.

That news came a little less than a month after HHS announced it would advertise a position for two "Health Information Privacy Specialists." Those positions, according to the job posting at the time, are "responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information."

But when will this enforcement affect your organization? And how regular will the audits be? Random audits? Planned, coordinated ones?

The HITECH Act calls for "periodic audits" to ensure HIPAA privacy and security compliance, but the government itself doesn't know what that means—yet.

At the 17th annual national HIPAA Summit at the Wardman Park Hotel in Washington, DC, on Tuesday, government officials directly involved in HIPAA said the enforcement process has yet to be determined.

David Blumenthal, MD, MPH, national coordinator for HHS' Health Information Technology, deferred a question posed by HealthLeaders Media to his Office for Civil Rights (OCR) colleagues.

Sue McAndrew, the OCR deputy director for Health Information Privacy, asked later in the day by HealthLeaders Media, said she did not yet know the process by which HHS will conduct audits.

OCR may build on existing types of audits or perhaps partner with the inspector general, McAndrew speculated.

"We are basically in the process of doing some scanning and weighing our options of what kinds of audit programs are out there and what turns out to be the most effective," McAndrew said.

OCR has only levied two major fines—Providence Health & Services in July 2008 ($100,000 fine and corrective actions) and CVS in February 2009 ($2.25 million fine).

According to HHS, the federal government will spend about $24.3 million on privacy and security efforts, including:

  • Audits

  • Reports to Congress

  • Training for state attorneys general

  • Carrying out regulatory and enforcement requirements of HITECH
