HIPAA: Enforcement Begins
In rather dramatic fashion, like the tornado in the Wizard of Oz, enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy law has twirled into action. Two publicized cases telegraphed clearly that the federal government’s enforcement arm for HIPAA, the Office for Civil Rights (“OCR”) within the Department of Health and Human Services, will assess significant monetary penalties against health care providers that fail to comply with HIPAA.
The first OCR case resulted in a $4.3 million civil money penalty against a Maryland health clinic that failed to respond to patient requests for copies of their medical records. The clinic then failed to cooperate with OCR’s investigation and ignored a subpoena, and that conduct accounted for a large portion of the penalty. The second case produced a $1 million settlement with a teaching hospital in Massachusetts that lost paper medical records when an employee left them on a subway. Obviously, these are significant sums, and they are likely intended to draw attention to OCR’s new enforcement posture.
HIPAA privacy standards have been contemplated since 1996 and legally in force since 2003, so why all the brouhaha now? Well, tucked into the American Recovery and Reinvestment Act of 2009 (also known as the “Stimulus Bill”) were two developments (among many others) that changed HIPAA from a feel-good, standards-based privacy law into an aggressive reporting- and penalty-driven law. Simply put, the Stimulus Bill: (a) gave OCR the ability to assess significant monetary penalties against providers that fail to comply with HIPAA; and (b) created new breach notification standards and reporting requirements for breaches of protected health information. The latter change is significant because it applies to “unsecured” protected health information, meaning information that has not been encrypted or destroyed in accordance with HHS guidance. Paper medical charts fall squarely into that category, as do unencrypted electronic records, so a lost box of files is a reportable breach just as a lost laptop is.
What to do? Well, if you detect issues related to HIPAA, stop and think: Am I in compliance? If not, or if you have no clue, it may be time to work on some compliance planning. If you have a breach situation, take it seriously and bring someone in to evaluate the breach, determine whether notification is required, and take corrective action. As Dorothy once said: “We are not in Kansas anymore.”