In May, the Office of the Inspector General issued a report on the results of an audit it conducted for the Office for Civil Rights (OCR) on the effectiveness of HIPAA compliance oversight. The findings weren’t flattering:
“Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so. The only reviews OCR mentioned were related to our hospital audits. In the absence of evidence of a more expansive review process, we encourage OCR to continue the compliance review process begun by CMS in 2009.”
This report was a follow-up to a 2008 report that was much worse.
Perhaps in response, in June Texas became the first state to pass a law imposing stricter state-level requirements on top of HIPAA, in part as a response to what its sponsors saw as ineffective federal enforcement.
According to Healthcareinfosecurity.com, Republican State Representative Kolkhorst says she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped-up enforcement of healthcare privacy rights at the state level. "There's no data more sensitive than your healthcare data," she says. "We have lots of laws to protect financial data; I wanted to strengthen our laws protecting healthcare data."
While it may be true that the state of security in healthcare isn’t great, is it really true that enforcement at the federal level isn’t happening? Yes and no. Prior to 2011, HHS had taken only four major enforcement actions, with resolution amounts totaling approximately $3.6 million over more than two years. So far in 2011 there have already been three major enforcement actions totaling almost $6.2 million. Most recently, the UCLA Health System agreed to pay $865,000 over broad security failures.
HIPAA Major Enforcement Actions Timeline:
- August 2008 – Providence Health Systems - $100,000
- Feb 2009 – CVS Caremark - $2.25 million
- January 2010 – Health Net - $250,000
- July 2010 – Rite Aid - $1 million
- February 2011 – Cignet Health - $4.3 million
- February 2011 – The General Hospital Corp/Mass General - $1 million
- July 2011 – UCLA Health System - $865,000
There is more to the federal enforcement story, however. HHS publishes data on its enforcement activity, and while most cases don’t end in a monetary settlement (they are typically closed through corrective action or a finding of no violation), the volume of work is significant. According to that data, there were 9,158 resolutions in 2010, up from 8,092 in 2009.
This brings us to the most recent amendment to HIPAA, the HITECH Act. HITECH significantly expanded HIPAA’s enforcement mechanisms, including authorizing state attorneys general to enforce HIPAA and bring their own civil actions. Connecticut’s Attorney General was the first to bring such an action, in January 2010. Since then, state enforcement actions have not been plentiful.
Here’s the big question: if HITECH already lets state attorneys general enforce HIPAA, how can Texas claim that there isn’t enough enforcement at the federal level when the state has had its own enforcement authority since 2009 and has not used it? I could find no evidence of the Texas Attorney General's office bringing an action for enforcement of HIPAA. (If I missed one, please comment below.)
This sets a dangerous precedent if other states follow Texas. The whole point of a federal standard is to give covered entities one clear rulebook to follow. Layering new, state-specific rules on top of it would drastically increase the cost of compliance (and probably increase the cost of healthcare overall) without addressing the underlying enforcement gap that the states already have the authority to close.