After years of easy-going (some would say non-existent) enforcement, HIPAA enforcement finally appears to be heating up. Consider the following…
- HHS conducted its first-ever on-site inspection for HIPAA compliance in March 2007 at Piedmont Hospital in Atlanta, Georgia.
- In 2007 HHS granted new and expanded subpoena authority to the Office for Civil Rights to use in HIPAA violation investigations.
- As of 2009, over 400 cases have now been referred to the US Department of Justice over possible criminal violations of HIPAA.
- The 2009 HITECH Act, part of the ARRA, expanded HIPAA investigations and enforcement to include, for the first time, mandatory investigations and penalties for cases involving “willful neglect”.
- HHS re-delegated HIPAA Security enforcement in August 2009, moving it from the CMS to the OCR. The OCR now handles investigations and enforcement for both the Privacy and Security Rules.
- In August 2009, HHS announced that it is hiring more investigators to accommodate the growing number of complaints and its new, combined Privacy and Security enforcement duties.
Combine these with the ever-growing number of breaches and the ARRA changes to HIPAA enforcement, and you have a blossoming enforcement situation every Covered Entity (CE) and Business Associate (BA) should be concerned about.
CEs and BAs simply must get their HIPAA “ducks in a row” as we approach 2010. The major provisions of the ARRA and the HITECH Act kick in on February 18th 2010, and HIPAA enforcement will continue to heat up. Be ready and be careful!