HIPAA got a big boost from the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which extended the privacy rules to business associates, threatened steeper penalties for violations, and promised periodic audits. But even with the beefed-up rules, these days HIPAA just doesn't seem to be that big a priority—to anyone.
One reason HIPAA elicits the big ho-hum is that, despite the fact that the HITECH Act purports to be very serious about privacy violations, there hasn't been a lot of governmental follow-through. It's like dad telling the kids he's going to count to three and then saying, "One . . . two . . . two and a half . . . two and three quarters . . ."
The Office for Civil Rights (OCR) hasn't decided when it will conduct the periodic audits, for example, or even how it will pay for them. Sue McAndrew, deputy director for Health Information Privacy at OCR, said at the 18th Annual National HIPAA Summit last week that OCR is working with a HIPAA privacy and security expert to help the organization "map out essentially the range of options that we have and what would be the most effective." There are, she said, "1,000 ways to do this."
(How long do you suppose the government will take to settle on one of those 1,000 ways?)
Another factor: the "harm threshold" standard in HHS' interim final rule on breach notification, which says that an unauthorized use or disclosure of protected health information is a reportable breach only if it poses a significant risk of financial, reputational, or other harm to the individual. So covered entities and their business associates now perform a risk assessment to decide whether a given incident rises to the level of a breach at all, and the organization that would have to report the breach is the one judging how much harm it caused. Some Congressmen are "deeply concerned" about the harm provision because it gives covered entities and business associates a "breadth of discretion" as they investigate. Providers, meanwhile, love it. No big surprise there.
But the main reason no one seems to get too worked up about HIPAA anymore is that healthcare organizations know what they have to do to prevent breaches. And they know that some breaches—such as an employee who, acting alone and within the access his or her job legitimately requires, dishes out juicy tidbits about celebrity patients to the tabloids—are nearly impossible to prevent. The truth of the matter is that HIPAA is no longer the big, scary mystery it was in 2003.