By the time the New Year arrives, HITECH will have been signed into law for approximately 23 months. Some regulations, such as the breach notification interim final rule, have been in effect, but we wait on others like modifications to the HIPAA privacy, security, and enforcement rules.
So as the New Year arrives, it's time to analyze what we've gotten out of HITECH. What is its effect on the healthcare industry right now? Cui bono? Patients, providers, or the government regulators?
The answer? It's probably too early to tell.
Perhaps the biggest question over the past two years has been what kind of enforcer the Office for Civil Rights (OCR) will be under HITECH and HIPAA. Will it be the Federal Trade Commission shark type (20-year probation periods, etc.)? Or will it maintain its "soft" image as a proactive enforcer that issues guidance and best practices?
After all, since the HIPAA Privacy Rule came into force April 14, 2003, the Department of Health and Human Services (HHS, and OCR's boss) has yet to levy any civil penalties against any covered entities (and now business associates).
Yes, there was the $2.25 million settlement with CVS in February 2009 and the $1 million settlement with Rite Aid for privacy violations in July 2010. OCR says it is required to use those funds under HITECH for enforcement efforts.
But those investigations began before HITECH, and, technically, they weren't fines, but rather agreements that included corrective action plans.
It's difficult to forecast OCR's enforcement methods for a couple of reasons: Some final rules await, and the enforcer's "periodic audit plans," as required by HITECH, have yet to be released.
"I do not think OCR will jump on the bandwagon with heavy fines, for two reasons," says Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP. "First, it's not in their nature. They want to fix problems prospectively, not punish bad guys. And they know that most of whom they deal with aren't intentional violators. Secondly, when they do come across a true bad actor, they'll hand it over to the tough guys: the Department of Justice. I expect OCR to remain 'civil,' and to let the DOJ deliver 'justice.'"
Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, agrees that OCR has been soft in enforcing civil and criminal penalties. However, he says it may be premature to make a call on OCR's enforcement patterns.
"A fair amount of activity is occurring at HHS, and the department is under a lot of pressure to meet the HITECH Act rule writing/enforcement deadlines," Apgar says. "So the fact that the HITECH Act has not changed any enforcement practices resulting in civil penalties is not necessarily surprising. The question, though, is will the HITECH Act really have an impact in increasing HIPAA Privacy and Security Rule compliance? We wait and see."
The Ponemon Institute did not wait to see how providers feel about HITECH and HIPAA compliance. The organization surveyed 65 hospitals and published a November 2010 report that found that 71 percent of hospitals say federal regulations like HITECH have not improved the safety of patient records.
The same percentage of respondents say they have inadequate resources to prevent and quickly detect patient data loss.
Maybe they're right about HITECH. There is hardly any tangible evidence that HITECH has significantly changed the landscape of protecting patients' privacy. But it has given organizations plenty of reasons to be vigilant in their HIPAA compliance efforts.
For starters, bad publicity. Just look at OCR's breach notification website, which lists the more than 200 entities that have reported a breach of unsecured PHI affecting 500 or more individuals. That information was not public prior to HITECH.
And state attorneys general have the power to sue over HIPAA violations. Connecticut wasted no time: in 2010 its attorney general, Richard Blumenthal, went after insurer Health Net for failing to secure the private medical records of 1.5 million policyholders and for the insurer's delay in reporting the breach. The verdict? A $250,000 fine on the company for HIPAA and HITECH violations and the requirement to adopt rigorous security and notification measures.
And just months after, the Connecticut Insurance Department issued a bulletin that calls for state insurers to notify affected individuals and the state's insurance commissioner of a breach of patient information no later than five calendar days after its discovery.
Now there's some tangible evidence that HITECH is working.
Though OCR officials would not connect Connecticut's breach bulletin to HITECH, they did praise HITECH for its "heightened vigilance" around HIPAA compliance.
"The HITECH provisions have helped strengthen OCR's efforts to encourage healthcare providers, health plans and other healthcare entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules," an OCR official tells HealthLeaders Media. "Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry's use of health information technology."
As the industry moves closer to total EHRs across the board, privacy and security naturally take a front-row seat.
The healthcare industry has a tall order in assuring patients that their records are totally secure in an electronic environment. And with that assurance comes tough enforcement.
Is OCR our savior?
Many didn't think so in the beginning, Drummond says.
"When HIPAA was first passed and enforcement was given to OCR, it raised eyebrows among many health lawyers," Drummond says. "OIG was a known bulldog, but OCR was generally perceived as being much more conciliatory. Folks expected OCR to take a softer approach to obtaining compliance, working with covered entities to fix problems rather than coming in with guns blazing, subpoenas flying, and heavy fines assessed. And that's pretty much what we've seen."
Heavy fines or not, Drummond says OCR has the "right approach."
"The vast majority of participants in the healthcare field are meticulously cautious about dealing with patient privacy, always have been, and would be with or without HIPAA," he says. "In the vast majority of cases, if there's a breach, it's an accident or a mistake, and shouldn't result in a huge fine. Of course, there are bad apples in every barrel, but in healthcare, there is a pretty good culture of privacy."