The HITECH Act significantly strengthened the available legal tools for enforcing health information privacy law, according to federal health officials, who pledged to step up their pursuit of health security and privacy rule violators.
Last year's health IT law tightened the Health Insurance Portability and Accountability Act's (HIPAA) security and privacy rules, increased fines, and centralized oversight in HHS' Office of Civil Rights. OCR, which issued an enforcement rule that took effect in November, can now impose penalties of up to $1.5 million per violation.
"OCR has significantly strengthened tools with which to obtain compliance," said Marilou King, senior attorney and acting senior advisor for privacy compliance and enforcement in HHS's Office of General Counsel Civil Rights Division.
King spoke May 11 at a conference on privacy and security sponsored by OCR and the National Institute of Standards and Technology.
"And the goal of the enforcement program will be to obtain compliance from covered entities and from new regulated entities as HITECH has authorized," she said, referring to healthcare providers, plans and their business partners.
Some at the conference said it was expensive for small physician practices to comply with HIPAA security and privacy provisions. In response, King said, "the cost of compliance may now, in view of these penalty amounts, look a lot more reasonable than the cost of doing nothing."
Susan McAndrew, OCR's deputy director for privacy, said that without a set of sound policies and practices, privacy "would be just a principle. We want it to be a reality for consumers."
The result will "infuse consumer confidence to put their information into electronic health records and to advance sharing this information in order to improve the quality of healthcare and the efficiency that the industry needs," she added.
OCR has already received more privacy and security complaints this year than last year, said David Holtzman, a health information privacy specialist at OCR.
Most of the complaints warrant investigation, and of those, 74 percent result in the provider or plan making a "systemic change" to resolve the complaint and improve privacy and security, he said.
Complaints are most often related to gaps in information access management, access controls, security awareness training and device and media controls, Holtzman said.
For example, a small practice lost personal health information when its desktop computer was stolen and the data it held was not encrypted. The computer also held almost all of the information the practice needed to maintain daily operations.
"The loss of the device was crippling because of the chances that the information would get out to unauthorized individuals but also because they did not have the information needed to carry on the practice," Holtzman said.
OCR worked with the provider simply to come up with stronger locks and doors and to set up encryption for their storage media.
In another example, a provider unintentionally made personal health information accessible online as the result of the network effect of trying to update security patches throughout its various information systems.
Patch management on one information system "had an unintended but devastating effect on another information system" that shared access to the network, he said.