
HIPAA Enforcement Still An Empty Promise

The Health Insurance Portability and Accountability Act, better known by its acronym (HIPAA), was passed by Congress way back in 1996. Yet, in spite of its being on the record books as long as or longer than almost any other major regulatory compliance mandate facing IT departments, it has clearly been the proverbial "red-headed stepchild" when it comes to enforcement.

The Office of Civil Rights is actually tasked with enforcement of the law. According to a post by Rebecca Herold, "The Department of Health and Human Services (HHS) Department Office of Inspector General (OIG) appears to be making movement on their promise in their Fiscal Year 2007 Work Plan to ‘review HIPAA privacy and security implementation under Medicare and Medicaid to identify key issues in the HHS information technology initiative.’"

Herold cites two references in the April 9 issue of Privacy and Law Report, from the Bureau of National Affairs (BNA, a subscriber site), as potential signs of increased enforcement. The report states that auditors will reportedly assess the compliance of Piedmont Hospital in Atlanta with the HIPAA security rule, and indicates that the Centers for Medicare & Medicaid Services (CMS) are also planning increased enforcement.

Yet, in the same post, Herold shares these paltry statistics from the Office for Civil Rights, the governing body responsible for HIPAA enforcement. "Through February 28 [the department] had closed 77% of the 25,662 complaints it had received. The OCR referred 373 of the complaints to the Justice Department for criminal investigation."

If my math serves me correctly, that means that, of the nearly 20,000 complaints the OCR "investigated", less than 2% were worth further action?  COME ON!!

Oh, and why is Health and Human Services promising any improvements if the Office of Civil Rights is the one that has to step up and make improvements in enforcement?

Sounds like a pretty empty promise to me.

*** This is a Security Bloggers Network syndicated blog from IT Best Practices and Compliance Reporting Information authored by abakman. Read the original post at: https://www.bakmansblog.com/2007/04/hipaa_enforceme.html