Final regulations setting forth how the Office of Civil Rights (OCR) should enforce HIPAA became effective back in March of 2006. As of the end of August 2007, there have been 29,994 complaints filed with the government alleging violations of privacy. Yet, to date, the OCR has not issued a single civil monetary penalty. As a result, I am asked by providers and others if it is really necessary for them to continue spending resources to stay on top of maintaining their HIPAA compliance program, to which I always respond with an unwavering "yes."
In addition to the more obvious reasons why compliance with HIPAA is a good idea, the enforcement tide may be turning. In February of 2007, the Department of Health and Human Services (DHHS), through the Office of Inspector General, announced its first audit, which was of Atlanta’s Piedmont Hospital’s compliance with the HIPAA Security Rule. On April 16, 2007, DHHS then delegated to the OCR additional authority to issue subpoenas. Most recently, on April 20, 2007, HHS launched an enforcement Web site, which provides information regarding the Privacy Rule and how OCR enforces health information privacy rights and standards.
Some say that these are signs that the federal government is gearing up to increase its national enforcement efforts. Also worth noting is that the OIG acknowledges in the 2007 Work Plan that "the wider use of electronic medical records and personal health records raises concerns over privacy and security of patient data," which may suggest more audits are on the horizon. So, keep your HIPAA policies current, alive and on your lower shelf!