
Government Oversight Agencies Need to Give HIPAA Its Teeth to Truly Address PHI Privacy and Security

Today a story ran in the Washington Post about how no fines have yet been given for HIPAA noncompliance.  So far close to 20,000 complaints regarding HIPAA compliance have been filed with the Department of Health and Human Services (HHS) oversight agencies: the Office for Civil Rights, responsible for the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services, responsible for the HIPAA Security Rule.

The article indicates 73% of the complaints (over 14,000) were found to have no violation involved, or the HHS required the covered entities (CEs) involved to fix the problems.  This really is not at all surprising.  Back when HIPAA went into effect, the HHS indicated that it would address HIPAA compliance through complaint-driven activities and investigations, and would work with the CEs to fix the problems.

On February 16 of this year, the HHS released the "HIPAA Administrative Simplification: Enforcement; Final Rule," which became effective March 16, 2006, to more clearly define its compliance and enforcement plans.  Within this Enforcement Rule it is specifically stated:

"§ 160.410 Affirmative defenses.
(a) As used in this section, the following terms have the following meanings:
Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
(b) The Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d–6;
(2) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the federal common law of agency, and, by exercising reasonable diligence, would not have known that the violation occurred; or
(3) The violation is—
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
§ 160.412 Waiver.
For violations described in § 160.410(b)(3)(i) that are not corrected within the period described in § 160.410(b)(3)(ii), the Secretary may waive the civil money penalty, in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation."

So, you can see this is still apparently the planned course of action.

What does this mean with regard to HIPAA having teeth?  Hmm...well...this pretty much leaves HIPAA gumming the noncompliance meat.

I agree with many of the viewpoints at the end of the Washington Post article.  Many, if not most, CEs, knowing that they will only get in trouble for HIPAA noncompliance if 1) someone complains, and then 2) they are not cooperative, after the fact, with the HHS oversight agencies, will choose to stay their current course and take no compliance actions.  The CEs I've spoken to have told me this, and they've even blogged about it and discussed it in mailing lists and discussion groups.  The motivators for compliance have basically been removed.

The only real motivators now are the penalties for criminal noncompliance, which have been applied twice so far.  Too bad crimes have to occur before actions are taken...isn't it better to prevent the crimes to begin with by applying security and privacy safeguards? 

It is also really too bad that the government, which is more aggressively pursuing compliance for other regulations, such as SOX and the FTC Act, has taken such a milquetoast attitude with patient information privacy and security.  If HIPAA enforcement is to be effective, it appears that the public will need to be more vocal in their calls to have the regulation enforced.  And, it would be good if the CEs would just do the right thing to protect the privacy and security of protected health information (PHI) and follow the regulations now instead of waiting until their hand is caught in the noncompliance cookie jar.  One alternative may be the FTC Act...most CEs have posted privacy policies on their websites...notices of privacy practices (NPPs) are a requirement of HIPAA.  If CEs do not follow them, couldn't they be found guilty of committing unfair and deceptive business practices?

We know the FTC and SEC are diligent in pursuing noncompliance cases...maybe the FTC and SEC heads should have lunch with the HHS head and discuss this issue.

The HIPAA Privacy Rule has been in force since 2003...it's time the honeymoon period is over.  If the HHS would look at the increasingly large numbers of incidents occurring every week...heck, every day...they should realize enforcement and associated penalties are necessary for compliance and PHI protection.

Which brings me to wonder...how will the VA laptop/hard drive theft be handled through an HHS HIPAA violation investigation?  E&Y was a VA business associate (BA) who lost PHI about 26.5 million individuals...certainly seems something should be done.  Others think so as well...see "Health-privacy coalition seeks HIPAA review of VA." 


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.