HITECH Act Means More Aggressive HIPAA Enforcement

Lora Bentley

Since the Health Insurance Portability and Accountability Act became law, enforcement has been a weak link. The number of covered entities that are in full compliance has been low, simply because the Department of Health and Human Services hasn't had much of an enforcement mechanism in place. But that was before the American Recovery and Reinvestment Act was signed into law last month.


Before ARRA, there were HIPAA audits here and there. Florida's Piedmont Hospital was used as an example in 2007, and experts warned covered entities to be prepared. Still, those subject to the law complained that the requirements weren't really clear, and they dragged their feet on compliance. Now, not only will HIPAA covered entities have to sit up and take notice, but those who do business with HIPAA covered entities will have to pay attention as well.


In addition to the extension of HIPAA security and privacy concerns to "business associates" and the addition of federal data breach notification rules, Title XIII of ARRA (aka the HITECH Act) includes aggressive enforcement provisions. Schwabe, Williamson and Wyatt shareholder Kelly Hagan says the most significant are those that provide for enforcement incentives to the Department of Health and Human Services' Office of Civil Rights. Hagan says:

"Civil penalties collected in the future by the Office of Civil Rights (OCR) for privacy or security violations will be turned over to the agency to fund even greater enforcement efforts. If history is any guide, then OCR's current complaint-driven, compliance-oriented approach to enforcement will shift quickly to a more aggressive and punitive strategy."

Though the penalty and enforcement provisions are set to become effective on Feb. 17, 2010, Hagan notes that "exceptions swallow the rule." The article includes a helpful chart listing the effective dates for each of those exceptions. Of particular interest, perhaps, is Feb. 17, 2011, when monetary penalties will become mandatory if a violation results from "willful neglect."

Mar 20, 2009 11:25 AM Mahala Fife says:

I am a Release of Health Information/HIPAA Consultant. I can tell you, from 12 years of experience in medical records, unless a professional release of information service is used, HIPAA compliance is almost nil. Medical records staff are not trained on how to handle the release of health information, and the law is easily forgotten. Forcing EMR is not going to help; it makes accidental HIPAA breaches even easier to occur. I have also seen a large clinic adopt EMR firsthand . . . they went from 45 employees down to 15, only because there weren't paper charts anymore. What a way to help the economy!?!?! My prediction is that this Act will barely be followed and complied with. HIPAA breaches occur on a daily basis, nobody tracks it, and who is going to enforce another act when HIPAA is barely being followed? I wish that HIM staff were more knowledgeable about HIPAA and that EMR was utilized when the healthcare provider was ready, not because the government said so. This is why I am a Consultant in this field now; I want to help and I will.

