Feds finally put teeth into HIPAA enforcement

Three years after the federal law's rules on securing health care data took effect, HHS has issued its first 'corrective action plan.' And more may be on the way.

1 2 Page 2
Page 2 of 2

Gallagher also expects the CMS to start working more closely on enforcement with the HHS Office of Civil Rights, which administers the data privacy rules set by HIPAA.

As of press time, the CMS had yet to respond to questions that were sent via e-mail, as an agency spokesman had requested. Providence officials also asked that questions be sent via e-mail but also hadn't responded.

Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas, agreed with Gallagher that the Providence settlement was a dramatic example of the potential consequences of HIPAA violations.

"If you look at what they're being forced to do, it's scary," he said. "They have lost their ability to contest anything; there's no way of getting out of this agreement. And this is the best deal they could get."

MacKoul added that while Providence was audited for data security violations, many of the corrective actions it is being required to implement fall into the privacy realm, showing that HHS is making little distinction between privacy and security for compliance purposes.

And based on the terms of the CAP, organizations that have to comply with HIPAA shouldn't be lulled into complacency by the previous lack of enforcement, MacKoul warned. "If I were a covered entity, I wouldn't want to roll the dice and get caught up in something like this," he noted.

The resolution agreement does appear to be a belated attempt by HHS to get the health care industry to take HIPAA more seriously, said Chris Apgar, president of consulting firm Apgar & Associates LLC in Portland, Ore. "I think it's about time they used somebody as an example," he said.

Even so, it's unrealistic to expect a large increase in the number of HIPAA enforcement actions in the near term, according to Apgar and other analysts. Such actions are triggered only when complaints are lodged against organizations. HHS has no HIPAA cops who are actively looking for violations, and health care providers aren't required to report internal violations themselves.

Also, neither the CMS nor the HHS Office of Civil Rights has anywhere near the resources or the funding needed to investigate all of the complaints that are filed. As a result, examples such as the settlement deal with Providence will likely continue to be more the exception than the rule, Apgar said.

In fact, one of the primary reasons why Providence was investigated in the first place no doubt was the publicity generated by the incidents involving lost IT equipment, said Randy Yates, director of security at Memorial Hermann Healthcare System in Houston.

"Once something that large hits the media, the government is bound to do something," Yates said. "[The CAP] puts out a message that says, 'We see this thing, and we don't like it.'"

Often, enforcement actions are important because they get the attention not just of those in charge of implementing privacy and security policies, but also of those who control the purse strings within organizations. Last year, for instance, the audit at Piedmont Hospital contributed to the approval of a $1.3 million budget item for data encryption at Memorial Hermann.

But if the investigations are as sporadic as they have been in the past, the buzz generated will fade away quickly, said Christopher Paidhrin, IT security officer at ACS Healthcare Solutions, a Dearborn, Mich.-based unit of Affiliated Computer Services Inc.

Paidhrin noted that the Piedmont audit last year initially raised a considerable amount of concern among health care providers. But most of that concern eventually melted away when the expected increase in enforcement actions failed to materialize. The same thing will likely happen in the aftermath of the Providence Health settlement, he said — unless HHS takes additional actions elsewhere and publicizes them to the same extent.

Copyright © 2008 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon