HHS is giving HIPAA enforcement efforts more teeth with fees and Corrective Action Plans
Approximately five years after the promulgation of the final privacy and security regulations under HIPAA, and two and a half years after the promulgation of a final rule addressing the implementation of civil money penalties, the first-ever monetary settlement paid, and Resolution Agreement/CAP, to resolve a potential violation of the HIPAA privacy and security standards was entered into between Department of Health and Human Services, Office of Civil Rights (OCR) and the Centers for Medicare and Medicaid (CMS) and Providence Health and Services, Providence Health System, and Providence Hospice and Home Care.
Providence agreed, without any admission of liability, to pay the government $100,000 and implement a comprehensive, three-year Corrective Action Plan (CAP). OCR and CMS had launched their investigation after Providence notified the state of Oregon, and affected patients, of the data breach, some of whom then filed complaints with the federal government.
This settlement appears to be a part of a trend of increased complaints of violations and enforcement by the OCR. Also, in March 2007, the OIG began auditing covered entities' compliance with the privacy and security regulations as well as OCR regulators being granted the authority to issue subpoenas in its civil privacy investigations without having to first seek the approval of the HHS Secretary. The enforcement trend and the settlement sends a signal to the industry of the need to elevate privacy and security as a focus area of compliance.
Now that HHS likely believes that covered entities have had sufficient time (approximately five years) to come into compliance with HIPAA privacy and security rules, HHS may be concluding that the time has come to add some "teeth" to its enforcement.
As such, the action taken against Providence is probably not an isolated measure, and is more likely the harbinger of a more aggressive approach to enforcement.
This column is written for informational purposes only and should not be construed as legal advice.
John Eriksen is a senior associate at Epstein, Becker and Green, P.C. in its Health Care and Life Sciences practice group and focuses primarily on health regulatory, compliance, managed care and transactional matters.
FDA Updates for Week of May 13: First Bispecific Antibody for Solid Tumor
May 18th 2024The FDA has approved a new type of bispecific antibody to treat small cell lung cancer and an additional indication for Breyanzi for patients with follicular lymphoma. The agency has set review date for gene therapy for enzyme deficiency. In addition, Biogen have Eisai hve begun a rolling submission of subcutaneous Leqembi for Alzheimer’s disease.
Read More
Omega-3s For Dry Eye Disease? Not the Answer According to This Study
May 17th 2024Some research has suggested that omega-3 fatty acid supplements could help treat dry eye disease. But Korean investigators reported results from a randomized clinical trial this week in JAMA Ophthalmology tthat showed no benefit.
Read More