HITECH Act Mandates Audits to Determine HIPAA compliance
By William O’Toole
O’Toole Law Group
HIPAA privacy and security audits are not looming out there on the horizon, they are happening now. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) mandates audits of health care providers to investigate and determine if they are in compliance with the HIPAA Privacy Rule (effective in 2003) and Security Rule (effective in 2005). Today these audits are performed by KPMG under an almost $10 million contract with the Office of Civil Rights (OCR). As a reminder, HIPAA regulations require that health care providers perform periodic evaluation and updating of their own policies, procedures and safeguards with regard to the privacy and security of patient health information. Providers should actively review their internal policies and practices, both in preparation for what may come in terms of audits, and because it is a wise and prudent measure for protection of their organization in this ever-litigious society.
Still on the horizon but not here yet is the pending finalization of HITECH Act regulations that will amend the HIPAA privacy, security and enforcement regulations. The Department of Health and Human Services issued its Notice of Proposed Rule in July 2010, which is the initial step in finalizing regulations that could eventually be published and enacted. With an extensive commentary response the final decision was delayed in 2011 but is expected to occur by the end of 2012. The amendments to HIPAA, if adopted, essentially put real teeth into the enforcement aspect in the event of non-compliance by a health care provider with the already present HIPAA requirements. Perhaps the most important element in the amendments to HIPAA is that mandatory penalties will be imposed for willful neglect on the part of the health care provider (Covered Entity in HIPAA terminology). It is not possible to explain today what “willful neglect” could be interpreted to mean in the future, but sound advice to providers includes once again a careful review of your existing policies and procedures with regard to the protection of patient information.
Although this post is targeted to providers, as a side note, for the Business Associate (HIPAA term referring to entities that provide services to health care providers that entail use of or access to patient information) audience, under certain situations The HITECH Act extends the imposition of both civil and criminal penalties under HIPAA to Business Associates, not just Covered Entities. As a general message of caution, this component of the health care industry should also take on the self-evaluation of existing policies, procedures and safeguards.
Another aspect to the impact of HITECH on HIPAA is that OCR was given the authority to enforce HIPAA Privacy and Security Rules and has been systematically investigating situations involving data breaches by health care providers. Since the enactment of HITECH thousands of breaches in the health care industry have been reported. Although penalties exist under current law, imposition is rare at this point. That said, two significant penalties were assessed in 2011 in excess of $1m and involved large health care organizations; it is expected that the occurrence will only increase in the future.
In summary, HITECH is here. Elements that are in force today require diligence, review, and oversight by all health care providers. Aspects to come if finalized further strengthen the importance of this advice.