HITECH Carries a Big Stick
Security enforcement, penalties toughened (Part four)
The tough enforcement provisions of the HITECH Act may scare some healthcare organizations into finally getting their data security act together.
"I believe many organizations have not been willfully negligent, but have just not made security enough of a priority," says security consultant Kate Borten, president of the Marblehead (Mass.) Group. "Enforcement will give the industry a little kick in the butt."
HITECH beefs up enforcement of the old HIPAA privacy and security rules; authorizes tougher penalties for violations; and adds new requirements, including prompt notification of individuals affected by data breaches.
After years of lax enforcement of the Health Insurance Portability and Accountability Act's privacy and security rules, HITECH spells out several tough enforcement measures, including:
- conducting periodic audits of healthcare organizations and their business associates to ensure they are complying;
- designating the Office of Civil Rights within the U.S. Department of Health and Human Services to enforce HITECH's breach notification rule, effective Feb. 22, 2010; and
- enabling state attorneys general to bring civil actions for violations.
If that wasn't enough, penalties can now be levied against individuals within a healthcare organization as well as the organization itself. And penalties for breaches of personal healthcare information or other HIPAA violations now range up to $1.5 million per violation. These are separate from any criminal penalties that might apply.
"Too many years have gone by where these rules simply were not enforced," Borten contends. Congress used the HITECH Act to "set the tone for enforcement and penalties," she adds.
A significant case
On Jan. 13, the Connecticut attorney general filed suit against Health Net of Connecticut Inc., charging the insurer with HIPAA violations following a breach of identifiable medical records and Social Security numbers. The case alleges the insurer took too long to notify individuals affected by the breach.
The Connecticut case, believed to be the first of its kind, likely is the start of a wave of state cases to come, Borten predicts. "Enabling state attorneys general to enforce the HIPAA rules is a powerful tool," she says.
More consumers are likely to file complaints at the state level rather than attempt to navigate through the federal bureaucracy, she argues. "We'll see many more complaints now, and we'll see states taking a big role in enforcement," she predicts.
Until now, many smaller healthcare organizations, such as clinics, "felt pretty comfortable that they wouldn't be on the radar screen of the federal government" if they were guilty of a security violation, Borten says. Now that states are also involved in enforcement, organizations of all sizes know that they face potential penalties for their actions, she argues.
The power of audits
As a result of funding provided under the HITECH Act, HHS is hiring more auditors to check on healthcare organizations' security policies, says Tom Walsh, president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm specializing in healthcare data security issues.
Auditors will check on such details as whether the organization has a risk analysis process, he adds. But they'll go even further.
"In the security audits conducted so far, auditors have asked for things like the latest results of a network vulnerability scan or a network penetration test," Walsh says. "There's nothing in HIPAA that requires these, but the auditors have an expectation that covered entities, like hospitals, can present evidence that they are doing these scans and tests."