
April 12, 2007

HIPAA Enforcement Still An Empty Promise

The Health Insurance Portability and Accountability Act, better known by its acronym, HIPAA, was passed by Congress way back in 1996. Yet, despite having been on the books as long as or longer than almost any other major regulatory compliance mandate facing IT departments, it has clearly been the proverbial "red-headed stepchild" when it comes to enforcement.

The Office for Civil Rights (OCR) is the body actually tasked with enforcing the law. According to a post by Rebecca Herold, "The Department of Health and Human Services (HHS) Office of Inspector General (OIG) appears to be making movement on their promise in their Fiscal Year 2007 Work Plan to 'review HIPAA privacy and security implementation under Medicare and Medicaid to identify key issues in the HHS information technology initiative.'"

Herold cites two references in the April 9 issue of Privacy and Law Report, from the Bureau of National Affairs (BNA, a subscriber site), as potential signs of increased enforcement. The report says auditors will assess Piedmont Hospital in Atlanta for compliance with the HIPAA Security Rule, and indicates that the Centers for Medicare & Medicaid Services (CMS) is also planning increased enforcement.

Yet, in the same post, Herold shares these paltry statistics from the Office for Civil Rights, the governing body responsible for HIPAA enforcement: "Through February 28 [the department] had closed 77% of the 25,662 complaints it had received. The OCR referred 373 of the complaints to the Justice Department for criminal investigation."

If my math serves me correctly, that means that of the nearly 20,000 complaints the OCR "investigated" (77% of 25,662), fewer than 2% (373) were judged worth referring for further action. COME ON!!

Oh, and why is Health and Human Services promising any improvements at all, if the Office for Civil Rights is the one that has to step up and actually improve enforcement?

Sounds like a pretty empty promise to me.


Comments

Good post. Thanks for sharing knowledge.

Alex -

Your post on "HIPAA Enforcement Still an Empty Promise" is sadly on point. The healthcare industry understands that enforcement is lacking, and as a result attention to HIPAA regulations is not at the level of concern (or implementation) it should be. By contrast, look at the adherence to OSHA, where employers fully understand that enforcement is significant.

Still, while enforcement is lacking, it is up to HIPAA consultants (like this commenter) to work with healthcare clients to understand the value in conducting, for example, the required Evaluation Standard, 164.308(a)(8), which requires a periodic technical and non-technical evaluation of the healthcare organization's security safeguards to demonstrate and document compliance with its security policy and the Security Rule requirements. In doing so, the required periodic evaluation provides a professional opinion about the organization's compliance health. The evaluation offers clues to the condition of security safeguards. If safeguards are found lacking, the evaluation is used to help check the return to good compliance health.

Personally, I try to avoid discussion of HIPAA enforcement and fines and approach the task of compliance as good for the healthcare client and the patients they serve.

For more reading, see HIPAA Vital Signs at www.dgpeterson.com

Grant Peterson, J.D.
HIPAA Consultant

Actually, to both points... it's hard to know how to take the government when they haven't really provided any type of leadership in terms of defining, on a practical level, what being compliant with HIPAA involves. The definition and enforcement of GLBA seems to work a whole lot better. Also, the FDIC is constantly updating and defining what security measures banks are required to have.

The second point, which goes along with the first comment: Network Instruments published a survey today on the attitudes of network professionals towards compliance and network security.

Only around 16% of respondents felt their current network tools were good enough to ensure compliance with government regulations, including SOX, HIPAA, or Basel II. 47% weren’t confident in the ability of their tools to ensure compliance, while an additional 37% were unsure.

Given the low level of respondents who felt confident and the high number of unsure respondents, it's probably fair to say that there is confusion in IT around what constitutes compliance. There are a number of causes... IT staff spread thin, vaguely written regulations, and the confusing clutter of vendors' messages.

You can see the post I referenced at: www.networkinstruments.wordpress.com

That having been said, even today in 2007 many healthcare organizations are unaware of what exactly the HIPAA rules and regulations are for. With the growing incidence of privacy breaches, the compliance authorities need to put more effort into bringing awareness about HIPAA compliance, and should try to make it easy and cost-effective for organizations to get HIPAA compliant. Very recently I came across one tool which I really find helpful. This tool will help many organizations achieve compliance with multiple regulations at once. A crosswalk-between-regulations poster from Symantec is a very useful tool. This poster is a crosswalk between Sarbanes-Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC CIP standards and PIPEDA (Canada): http://www.compliancehome.com/symantec/