Health Information Compliance Alert

Published on Sun Aug 22, 2010 PDF

If violators are not going to be prosecuted (or fined) heavily, why should they worry?

The Centers for Medicare and Medicaid Services (CMS) -- which is the federal agency responsible for enforcing HIPAA security regulations -- will put on kid gloves when it comes to governing compliance with the rules says a post on www.bizjournals.com.

It says in the post that according to Stanley Nachimson, senior technical adviser to CMS's Office of HIPAA Standards, the agency is still working on its security enforcement procedure, but the agency will, at present, be waiting for complaints to drive enforcement.

It also says in the post that civil penalties will be considered by CMS only when an entity fails to correct the problem, according to Nachimson. Present laws stipulate that penalties cannot exceed $100 per violation and $25,000 per year. What's more, criminal violations pertain only to breaches of the privacy regulations and will not apply to security violations, says Nachimson.

Based on the government's approach to the enforcement of privacy violations, which falls under the purview of the U.S. Office for Civil Rights, CMS is unlikely to come down hard on security violators, says Dan Landrigan, editor, HIPAA Security Compliance Guide in the post. He noted that the agency has chosen to work with the healthcare industry on HIPAA compliance and not against it.

Going by HHS data through Jan. 31, the U.S. Office for Civil Rights has received 10,785 privacy complaints since the regulations came into effect. Of these, 62 percent have been resolved. In the majority of cases, the complaint was either dismissed because the incident occurred prior to the compliance date, the agency determined that no violation occurred, or it was able to resolve the matter through voluntary compliance.

The rest of the privacy complaints (38 percent) are either still being processed or have been turned over to the U.S. Justice Department for possible criminal prosecution. HHS says it has turned  over about 170 privacy complaints to the Justice Department. HHS notes the most common complaints have been alleged impermissible use or disclosure of patient information and failure to provide individuals access to their medical records. Private healthcare practices had the most complaints, followed by hospitals, pharmacies, outpatient centers and group health plans.

(Editor's note: The article that was referenced here is posted at: http://www.bizjournals.com/sacramento/stories/2005/04/11/focus6.html.)