The proliferation of security breaches of patients' confidential health information is causing the government to increase and intensify its enforcement of the Health Information Portability and Accountability Act (HIPAA) to protect the data, according to Leon Rodriguez, director of the U.S. Department of Health & Human Services' Office for Civil Rights (OCR).
Rodriguez, speaking at the 20th National HIPAA Summit in Washington, D.C. on Monday, noted that it's not OCR's intent to go fishing for enforcement cases, but that many of the security breaches point to fundamental privacy and security problems that contributed to the breach, such as lack of staff training.
"The environment needs to change. The same vigilance that providers bring to the fraud and abuse environment they should apply to the HIPAA environment," Rodriguez said.
HIPAA's breach notification rule, created by the HITECH Act in 2009, requires covered entities to report security breaches of patient information to affected individuals and HHS. Breaches involving more than 500 individuals are publicized on HHS' website, known as the "wall of shame." More than 400 entities have been added to the wall of shame since it was created in 2009.
Rodriguez pointed out that only 24 percent of the breaches on the wall of shame involved breaches of paper records; most involved electronic data on computers, electronic health records, and portable electronic devices. He also noted that only 7 percent were due to IT hacking; most of them were caused by human error, such as theft or loss of the equipment.
"Enforcement tells a story that explains to others not to do this," he said.
Rodriguez also stated that the projected $2 million budget cut to OCR, requested by President Obama in his 2013 budget, will not affect OCR's enforcement efforts, since HITECH entitles the agency to apply money recovered in enforcement to additional enforcement activities.