HITECH Breach Notification Enforcement BeginsAudits have not yet kicked in
Compliance audits of healthcare organizations, however, will not begin until contracts for state attorneys general training and audit comparative analyses are awarded, according to the Office for Civil Rights at the U.S. Department of Health and Human Services.
The Office now coordinates enforcement efforts for the breach notification rule as well as the HIPAA privacy and security rules.
Under HITECH, penalties can now be levied against individuals within a healthcare organization as well as the organization itself. And penalties for breaches of personal healthcare information or other HIPAA violations now range up to $1.5 million per violation. These are separate from any criminal penalties that might apply.
The HITECH breach notification rule, requires healthcare organizations to notify patients affected by a information security breach within 60 days. They also must notify the Department of Health and Human Services and local news media if the breach involves more than 500 individuals.
The rule, which went into effect last September, called for a delay in imposing penalties for violations to give healthcare organizations time to comply.
"The Office for Civil Rights will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before Feb. 22, 2010," the Office said in a statement. "OCR continues to work with covered entities, through technical assistance and voluntary corrective action, to achieve compliance."
For fiscal 2010, the Office of Civil Rights increased by 36 the number of full-time equivalents across the country who are dedicated to healthcare privacy and security compliance and enforcement, agency officials added. The total number of enforcers is now 132.
The Office, however, stressed that voluntary compliance is preferable to imposing sanctions. "Voluntary compliance and information resolution are an efficient mechanism to resolve noncompliance and save resources for both OCR and the covered entity."
Covered entities include hospitals, physicians and health insurers, among others. Under HITECH, these organizations' business associates-- companies that have access to personal health information--must report breaches to the covered entities with whom they do business. Examples of business partners are banks, billing firms, health information exchanges and software companies.
Audits haven't begun
HITECH provided funding for more HHS audits of healthcare organizations and their business associates to monitor compliance. But those audits have not yet kicked in, officials said.
"At this time, OCR is in the final negotiation phase of awarding HITECH contracts for state attorneys general training and audit comparative analyses. Thus audits related to this initiative are not being conducted," officials said.
In addition, HHS is evaluating proposals it received to support a comprehensive campaign for communication and education of the public on healthcare information security issues.
Under the HITECH Act, state attorneys general are authorized to bring civil actions for violations.
On Jan. 13, the Connecticut attorney general filed suit against Health Net of Connecticut Inc., charging the insurer with HIPAA violations following a breach of identifiable medical records and Social Security numbers. The case alleges the insurer took too long to notify individuals affected by the breach.
How to comply
To comply with HITECH, hospitals, clinics, insurers and others must prepare a detailed plan for how to deal with a breach if one should occur, says Dan Rode, vice president for policy and government relations at the American Health Information and Management Systems Society, Chicago.
The plan should spell out who will be involved in notifying patients of a breach, how the organization will conduct an analysis of why the breach occurred and what steps should be taken to prevent future breaches, he says.
To read a story on compliance, click here.