We've already established that the HITECH Act, part of the American Recovery and Reinvestment Act, will extend the reach of the Health Insurance Portability and Accountability Act (HIPAA). It adds compliance requirements for those who provide services to HIPAA-covered entities, and could well usher in a period of very aggressive enforcement.

After reading shareholder Kelly Hagan's article on the Schwabe, Williamson and Wyatt Web site the other day, I called him to get more detail on the enforcement provisions in the HITECH Act. As I mentioned earlier, he thinks the most significant of these provisions is the one found in subsection 13410(c). It requires civil penalties that are collected under the Act to be funneled back into the Department of Health and Human Services' Office of Civl Rights enforcement budget.

He points to the creation of the Fraud and Abuse Control Account: "It was remarkable when they put the Fraud and Abuse Control Account in place and started funneling the monetary penalties back into the enforcement agency's budget how quickly that became a priority. If history repeats itself, what that suggests is that the OCR's traditional approach to enforcement, which has been complaint-driven and compliance-oriented, is going to ... become more proactive, more punitive."

We're going to see civil penalties for HIPAA violations, he says. One provision in the HITECH Act even makes them mandatory for "willful neglect" that gives rise to a violation. That requirement is set to come into force no later than Feb. 17, 2011. "And if OCR reacts the way [the Department of Justice's Office of Inspector General] did, we'll see them before that," Hagan says.

That is the most significant provision in the entire bill, in Hagan's opinion. "All of a sudden HIPAA compliance becomes a fact of life instead of a paper tiger. I hope I'm wrong. I hope they do maintain a compliance-oriented approach. But if history is any guide, that won't happen," he says.

Other changes to enforcement measures include the provision that gives state attorneys general the authority to enforce the law on behalf of aggrieved parties, and a provision that gives HHS OCR the right to bring criminal charges if the Department of Justice declines to do so. These too, present significant compliance challenges, according to other experts.

More on those conversations in the days to come.