Flash back to February 17, 2009.
President Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009 that included provisions for heightened HIPAA enforcement and stiffer penalties for privacy and security violations.
The next day, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced that CVS, the nation's largest retail pharmacy chain, had to pay the U.S. government $2.25 million and take corrective action in a settlement for potential privacy breaches affecting millions of patients.
Seemed as if they were serious about enforcement. After all, it took them less than 24 hours to act.
But today, seven months later, there is uncertainty about that promised HIPAA enforcement.
Certainly, HHS has made moves in the direction of increased enforcement. In August, it announced it would expand its privacy enforcement team with two HIPAA "privacy specialists," who will help the public better understand their rights under HIPAA and enforce compliance among covered entities and business associates.
The "senior health information privacy outreach specialists" are operating under the Office for Civil Rights (OCR), which enforces the HIPAA Privacy Rule and Security Rule and the Patient Safety and Quality Improvement Act's confidentiality provisions through its Division of Health Information Privacy; HIPAA Security came under OCR's umbrella on July 27.
That news came a little less than a month after HHS announced it would advertise a position for two "Health Information Privacy Specialists." Those positions, according to the job posting at the time, are "responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information."
But when will this enforcement affect your organization? And how regular will they be? Random audits? Planned, coordinated ones?
The HITECH Act calls for "periodic audits" to ensure HIPAA privacy and security compliance, but the government itself doesn't know what that means—yet.
At the 17th annual national HIPAA Summit at the Wardman Park Hotel in Washington, DC, on Tuesday, government officials directly involved in HIPAA said the enforcement process has yet to be determined.
David Blumenthal, MD, MPH, national coordinator for HHS' Health Information Technology, deferred a question posed by HealthLeaders Media to his Office for Civil Rights (OCR) colleagues.