HIPAA compliance must address organization oversight

November 1, 2008

HHS is giving HIPAA enforcement efforts more teeth with monetary settlements and Corrective Action Plans

Approximately five years after the promulgation of the final privacy and security regulations under HIPAA, and two and a half years after the promulgation of a final rule addressing the implementation of civil money penalties, the first-ever monetary settlement and Resolution Agreement/Corrective Action Plan (CAP) to resolve a potential violation of the HIPAA privacy and security standards has been entered into. The parties are the Department of Health and Human Services (HHS), acting through its Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS), on one side, and Providence Health and Services, Providence Health System, and Providence Hospice and Home Care (collectively, Providence) on the other.

Providence agreed, without any admission of liability, to pay the government $100,000 and to implement a comprehensive, three-year CAP. OCR and CMS launched their investigation after Providence notified the state of Oregon and the affected patients of the data breach; some of those patients then filed complaints with the federal government.

This settlement appears to be part of a trend of increased complaints of violations and increased enforcement by OCR. In addition, in March 2007 the HHS Office of Inspector General (OIG) began auditing covered entities' compliance with the privacy and security regulations, and OCR was granted the authority to issue subpoenas in its civil privacy investigations without first seeking the approval of the HHS Secretary. Taken together, the enforcement trend and the settlement send a signal to the industry that privacy and security need to be elevated to a focus area of compliance.

HHS likely believes that covered entities have had sufficient time (approximately five years) to come into compliance with the HIPAA privacy and security rules, and may be concluding that the time has come to add some "teeth" to its enforcement.

As such, the action taken against Providence is probably not an isolated measure; it is more likely the harbinger of a more aggressive approach to enforcement.

This column is written for informational purposes only and should not be construed as legal advice.

John Eriksen is a senior associate at Epstein, Becker and Green, P.C. in its Health Care and Life Sciences practice group and focuses primarily on health regulatory, compliance, managed care and transactional matters.