HHS published in the Federal Register today (October 30) the HITECH Act enforcement interim final rule, standard procedure of the February 17, 2009 HITECH Act.
The interim rule includes no amendments to the enforcement provisions in HITECH, according to the rule itself.
The interim final rule becomes effective November 30. HHS has invited public comments, which will be considered if received by December 29.
The HITECH Act calls for greater penalties for HIPAA violations and increased enforcement through "periodic audits." The civil monetary penalties increased greatly, with a maximum penalty of $1.5 million for all violations of an identical provision.
However, HHS' enforcement plans are unclear. OCR, the HHS entity that oversees HIPAA privacy and security, named regional education and outreach coordinators and promised audits. But exactly how much enforcement, when and to whom is unknown.
At September's HIPAA Summit conference, Sue McAndrew, the OCR deputy director for Health Information Privacy, told HealthLeaders Media she did not know the process by which HHS will conduct audits.
OCR may build on existing types of audits or perhaps partner with the Inspector General, McAndrew speculated.
"We are basically in the process of doing some scanning and weighing our options of what kinds of audit programs are out there and what turns out to be the most effective," McAndrew said then.
HHS this week says the HITECH enforcement measures will "strengthen the HIPAA protections and rights related to an individual's health information."
The remaining HITECH provisions, which have yet to become effective, will be addressed in the next few months in forthcoming rulemakings.