HITECH called for "periodic audits" to ensure HIPAA compliance, but as of today the Office of Civil Rights has not created a calendar of when those periodic audits will take place.
Sue McAndrew, the deputy director for Health Information Privacy for OCR, said at the 18th Annual National HIPAA Summit Thursday that OCR is working with a HIPAA privacy and security expert to help the organization "map out essentially the range of options that we have and what would be the most effective."
OCR is considering its budgetary means as well as the most effective method. "There are 1,000 ways to do this," McAndrew said.
HHS published in the Federal Register on October 30 the HITECH Act enforcement interim final rule for the February 17, 2009 HITECH Act deadline.
The interim rule includes no amendments to the enforcement provisions in HITECH, according to the rule itself.
HITECH calls for greater penalties for HIPAA violations and increased enforcement through "periodic audits." And that provision, section 13411 of the HITECH, targets covered entities and business associates. In the new rule, the civil monetary penalties increased greatly, with a maximum penalty of $1.5 million for all violations of an identical provision.
As for the latest numbers surrounding HIPAA complaints, OCR in 2009 reported it received 7,116 complaints, a sharp decrease from the prior three years:
- 2008: 8,526
- 2007: 8,174
- 2006: 7,334
Why the decline in 2009? Perhaps it was a year of policy-making, and HIPAA enforcement and complaints were in limbo.
Uday O. Ali Pabrai, CISSP, CHSS, chief executive and co-founder of HIPAA Academy in Newport Beach, CA, said at the HIPAA Summit Thursday he thinks enforcement activity—and breaches—will become more prevalent after this month.
"I think there will be a lot of data breaches we'll be hearing about in the media this year," Pabrai said.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.