Since the Health Insurance Portability and Accountability Act became law, enforcement has been a weak link. The number of covered entities that are in full compliance has been low, simply because the Department of Health and Human Services hasn't had much of an enforcement mechanism in place. But that was before the American Recovery and Reinvestment Act was signed into law last month.
Before ARRA, there were HIPAA audits here and there. Florida's Piedmont Hospital was used as an example in 2007, and experts warned covered entities to be prepared. Still, those subject to the law complained that the requirements weren't really clear, and they dragged their feet to comply. Now, not only will HIPAA covered entities have to sit up and take notice, but those who do business with HIPAA covered entities will have to pay attention as well.
In addition to the extension of HIPAA security and privacy concerns to "business associates" and the addition of federal data breach notification rules, Title XIII of ARRA (aka the HITECH Act) includes aggressive enforcement provisions. Schwabe, Williamson and Wyatt shareholder Kelly Hagan says the most significant are those that provide for enforcement incentives to the Department of Health and Human Services' Office of Civil Rights. Hagan says:
"Civil penalties collected in the future by the Office of Civil Rights (OCR) for privacy or security violations will be turned over to the agency to fund even greater enforcement efforts. If history is any guide, then OCR's current complaint-driven, compliance-oriented approach to enforcement will shift quickly to a more aggressive and punitive strategy."
Though the penalty and enforcement provisions are set to become effective on Feb. 17, 2010, Hagan notes that "exceptions swallow the rule." The article includes a helpful chart listing the effective dates for each of those exceptions. Of particular interest, perhaps, is Feb. 17, 2011, when monetary penalties will become mandatory if a violation results from "willful neglect."