It has been well over a decade since the passage of HIPAA in 1996. HIPAA has caused many changes in the way the business of health care works, including going a long way toward creating the position of “health information professional.” One area where HIPAA has, as yet, had little impact is enforcement. Enforcement of HIPAA’s privacy and security rules has historically been slim to almost none. The changes in behavior that have occurred have come from a desire to follow the law, not from fear of prosecution or administrative action.
First and foremost in this regard, I note the recent decision of the Department of Health and Human Services to transfer the authority for enforcement of HIPAA’s security rules to the Office of Civil Rights. The Office of Civil Rights is certainly in a better position to undertake enforcement than CMS. According to my colleague, Tom Barker, the Office of Civil Rights has a field force of 275 investigators who have an annual budget of $40 million. I believe OCR will need to justify that budget, and the most visible way to do that is to bring enforcement actions and recover significant penalties. Nevertheless, $40 million does not go as far as it used to, and it certainly is not enough for a broad-based, nationwide enforcement initiative. Instead, I suspect we will start to see incrementally more enforcement actions, higher financial penalties and a few selected audits.
Also pushing HIPAA enforcement is the HITECH Act, which was passed in February 2009 and much of which will go into effect in February 2010. Through the HITECH Act, HIPAA business associates are now subject to almost the same regulations as HIPAA covered entities. Penalties for HIPAA violations were also increased, and the ability to enforce some rules has been extended to state attorneys general.
There is one additional factor in the enforcement environment that is little-noticed, but nevertheless is very significant: the general public.
Most HIPAA issues that have been addressed by government officials were brought to light after a consumer complaint. This model holds true in many other regulated areas: it is often the complaint that drives the enforcement action and the whistleblower who pushes to have a civil or criminal case filed. And consumer sensitivity to privacy and security issues is growing explosively. Along with this activity at the consumer level, we can expect a parallel increase in the number of HIPAA whistleblowers. Experience in the health care fraud arena suggests that consumer complaints and whistleblowers will be the two most significant factors leading to more enforcement activities.
So what is to be done? I am not yet ready to start crying wolf about HIPAA enforcement. But I would suggest that it is time to start applying the same techniques that you, your employer or institution use (or should be using) to ferret out complaints and whistleblowers, such as exit interviews for all departing employees, so that their concerns can be heard before they depart.