Have you ever heard of a federal agency in charge of enforcing a set of regulations that is partly funded by the penalties it imposes on violators? I had not, until I began researching the provisions of the HITECH Act that are related to the HIPAA privacy and security rules. Part of the economic stimulus package that was passed in February, the HITECH Act focuses primarily on incentives for providers to adopt electronic health records and to use them to improve the quality of care. But it also stiffens the penalties for privacy and security violations by HIPAA-covered entities, which include most doctors and hospitals, and requires the Department of Health and Human Services (HHS) to periodically audit providers to make sure they're complying with the law.
Of course, in this era of yawning government deficits, the HITECH Act did not provide any money to HHS to step up enforcement of the HIPAA privacy and security rules. And the Obama Administration has not asked for a significant increase in appropriations for HHS' Office of Civil Rights, which now enforces these regulations. Moreover, the OCR was just recently given responsibility for the security rules, which had formerly been the province of the Centers for Medicare and Medicaid Services (CMS). But, conveniently, the HITECH Act did provide for transfer of the proceeds of any fines or settlements related to HIPAA violations to OCR, the very agency that decides which entities have broken the law.
The OCR denies that there's any linkage between its enforcement efforts and the funds it might collect from HIPAA violators in the future. But Thomas Barker, a partner in the Foley Hoag law firm and former acting general counsel to HHS in the Bush Administration, says he believes that this provision will lead to more fines and settlements. Another expert in the compliance field, Briar Andreson, who is a partner in the Minneapolis law firm Fredrikson & Byron, says, "If OCR is able to get more money to do their thing from doing their thing, they can build and expand."
Andreson points out that OCR is already increasing its staff of investigators in the privacy enforcement field. OCR, which also fields complaints about civil rights violations, says that it is increasing its field force of 275 investigators by only 10 percent. The office states it has no intention of launching a major effort to audit healthcare providers for HIPAA privacy and security violations.
In response to the audit requirement in the HITECH Act, OCR says it will audit groups of HIPAA-covered entities to ensure they are complying with the law. These sweeps will not be spot audits, but will focus on whether providers are complying with specific requirements, such as having privacy filters on computer screens. Nevertheless, it seems certain that more providers will be audited than in the past.
Up to now, OCR and CMS have mainly responded to consumer complaints about violations and have asked violators to submit corrective action plans. No entity has been fined yet, although one health system in Portland, OR, paid $100,000 in a settlement last year, and some other organizations have settled with OCR.
OCR is trying hard to convey the impression that its enforcement efforts will be business as usual. But the Obama Administration is clearly sending the message that it will have far lower tolerance for violations of the privacy and security rules than its predecessor did. So providers, beware.