
Physicians Practice. Vol. 19 No. 16
 

HIPAA Crackdown is Likely

Get ready for stricter enforcement of privacy/security rules

By Ken Terry | November 1, 2009


Who can blame physicians for letting their guard down a bit when it comes to HIPAA’s privacy and security regulations? After all, people have been “crying wolf” for years about the danger of violating the law while the government has done little in the way of enforcing the law against private practices.

But now there are reasons to believe that the threat of a more aggressive enforcement posture is real.

First, the HITECH Act, part of the economic stimulus legislation adopted in February, calls for increased enforcement. It also raises the penalties for violations, and for the first time, applies the rules to business associates of entities covered by HIPAA. (Those covered entities, which include all physicians and hospitals that perform any electronic transactions, must observe the privacy rules for both paper and electronic records. The security regulations apply only to electronic information.)

Second, the Department of Health and Human Services’ recent decision to transfer authority for enforcing the security rules from CMS to the HHS Office of Civil Rights is seen by some observers as a signal that the administration is taking enforcement more seriously than its predecessor did.

Finally, under the HITECH Act, the Office of Civil Rights is required to conduct periodic audits of healthcare providers to ensure their compliance with the privacy and security rules. There is no doubt that the government is going to start peeking under the covers of HIPAA compliance more frequently and aggressively than it has up to now.

How far will the Fed go?

The Office of Civil Rights is responsible for investigating alleged violations of HIPAA rules, as well as statutes that prohibit various kinds of discrimination. The office is relatively small. With a field force of only 275 investigators and a budget of about $40 million, it lacks the resources necessary to conduct widespread audits, according to Thomas Barker, a partner in the law firm Foley Hoag in Washington, D.C., who was acting general counsel to HHS in the administration of George W. Bush.

Although President Obama has not asked for significant new funding for the civil rights office, the HITECH Act includes a provision that would transfer to the office any civil penalty or settlement collected through enforcement of the HIPAA privacy and security rules. Barker calls this a highly unusual provision that could lead to a greater number of fines and settlements, because the civil rights office can use the proceeds to fund future investigations.

Briar Andresen, a partner specializing in government compliance in the Minnesota law firm Fredrickson & Byron, agrees with Barker. And she cites recent job openings for privacy rule investigators at the Office of Civil Rights as evidence that the agency plans to expand its reach. “If OCR is able to get more money to do their thing from doing their thing, they can build and expand,” she says.

Conflict? What conflict?

The office denies that these speculations have any validity. According to an official who spoke on the condition that he not be identified, “there’s no linkage that we’re aware of” between the agency’s plans to step up enforcement of the privacy and security rules and its ability to retain the funds it collects as a result of the enforcement. The office is not relying on these funds, he says, and while it is increasing its staff by about 10 percent, he adds, it is not staffing up “to be the IRS of health information privacy.”

The official says that Congress’ call for increased enforcement simply reflects the need to ensure that Americans can trust providers to safeguard the privacy and security of their personal health information in EHRs and health data networks. “We intend to seek compliance from covered entities, and have every expectation that they will comply with privacy and security rules. We’re going to respond to consumer complaints, and we will aggressively enforce the privacy and security rules where there are indications of noncompliance.”

The office plans to continue the same approach to enforcing the privacy and security rules that it has used since they’ve been in effect, the official says: by responding to consumer complaints, and by conducting compliance reviews prompted by media reports and other information not related to specific complaints.

As for the “periodic audits” required by Congress, the agency views this as a matter of checking a sample of providers to make sure that they’re following specific rules, such as placing “privacy filters” on computer screens — as opposed to spot audits, in which providers are randomly selected for a full review, something the official says is not planned.

Possible fines

The bigger question is how OCR plans to deal with violators. The HITECH Act raised the maximum monetary penalties to $50,000 per year for repeated identical violations on an “unknowing” basis — that is, by accident — and to $1.5 million per year for all such violations by a covered entity. If you commit a “knowing” violation, the fines per violation range from $50,000 to $250,000, and you may also be sentenced to as much as 10 years in prison. In fact, no one has ever done prison time for a HIPAA violation. CMS has never even issued a fine, though it says it has collected $2.3 million in settlements, mostly from large companies like the CVS pharmacy chain. (Its most significant — and perhaps only — collection from a healthcare provider: $100,000 from Providence Health & Services in Portland, Ore., last year.)

If OCR continues to rely on patient complaints, providers might not see a big change in its enforcement stance. But observers doubt that OCR will stop there.

“Until now, enforcement of the privacy rule has been all complaint-driven, and it will probably continue to be complaint-driven,” Andresen says. “But the audit function opens up new possibilities for the government.” She urges physicians to make sure their practices are in full compliance with the latest regulations.

Foreseeing “bigger audits and greater enforcement” of the law, Erica Drazen, managing partner, emerging practices, for CSC Consulting, warns that many physician practices and hospitals are vulnerable. “Everybody realized that HIPAA was important, but there wasn’t an ongoing push, and it has been delegated down. But the word is that this isn’t how it will be treated in the future. People have to put a bright light on this issue and get their act together.”

Ken Terry is a New Jersey-based freelance writer and the author of the book “Rx for Health Care Reform.” He can be reached via editor@cmpmedica.com.

This article originally appeared in the November 2009 issue of Physicians Practice.

 
