HITECH Carries a Big Stick

Security enforcement, penalties toughened
Editor's Note: This four-part series analyzes how to comply with the data security and privacy provisions of the HITECH Act.
Part #1 outlines how the Act encourages broader use of encryption.
Part #2 spells out the need to conduct a risk analysis and prepare a data security plan.
Part #3 describes compliance with new data security breach notification requirements.
Part #4 outlines the tough new data security enforcement provisions.

(Part four)

The tough enforcement provisions of the HITECH Act may scare some healthcare organizations into finally getting their data security act together.

"I believe many organizations have not been willfully negligent, but have just not made security enough of a priority," says security consultant Kate Borten, president of the Marblehead (Mass.) Group. "Enforcement will give the industry a little kick in the butt."

HITECH beefs up enforcement of the old HIPAA privacy and security rules; authorizes tougher penalties for violations; and adds new requirements, including prompt notification of individuals affected by data breaches.

After years of lax enforcement of the Health Insurance Portability and Accountability Act's privacy and security rules, HITECH spells out several tough enforcement measures, including:

  • conducting periodic audits of healthcare organizations and their business associates to ensure they are complying;
  • designating the Office for Civil Rights within the U.S. Department of Health and Human Services to enforce HITECH's breach notification rule, with enforcement beginning Feb. 22, 2010; and
  • enabling state attorneys general to bring civil actions for violations.

If that wasn't enough, penalties can now be levied against individuals within a healthcare organization as well as the organization itself. And civil penalties for breaches of protected health information or other HIPAA violations are now tiered by the level of culpability and run as high as $1.5 million per calendar year for violations of the same provision. These are separate from any criminal penalties that might apply.

"Too many years have gone by where these rules simply were not enforced," Borten contends. Congress used the HITECH Act to "set the tone for enforcement and penalties," she adds.

A significant case

On Jan. 13, the Connecticut attorney general filed suit against Health Net of Connecticut Inc., charging the insurer with HIPAA violations following a breach of identifiable medical records and Social Security numbers. The case alleges the insurer took too long to notify individuals affected by the breach.

The Connecticut case, believed to be the first of its kind, likely is the start of a wave of state cases to come, Borten predicts. "Enabling state attorneys general to enforce the HIPAA rules is a powerful tool," she says.

More consumers are likely to file complaints at the state level rather than attempt to navigate through the federal bureaucracy, she argues. "We'll see many more complaints now, and we'll see states taking a big role in enforcement," she predicts.

Until now, many smaller healthcare organizations, such as clinics, "felt pretty comfortable that they wouldn't be on the radar screen of the federal government" if they were guilty of a security violation, Borten says. Now that states are also involved in enforcement, organizations of all sizes know that they face potential penalties for their actions, she argues.

The power of audits

As a result of funding provided under the HITECH Act, HHS is hiring more auditors to check on healthcare organizations' security policies, says Tom Walsh, president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm specializing in healthcare data security issues.

Auditors will check on such details as whether the organization has a risk analysis process, he adds. But they'll go even further.

"In the security audits conducted so far, auditors have asked for things like the latest results of a network vulnerability scan or a network penetration test," Walsh says. "There's nothing in HIPAA that requires these, but the auditors have an expectation that covered entities, like hospitals, can present evidence that they are doing these scans and tests."

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
