One of the biggest themes emerging out of this week's 20th National HIPAA Summit is that we're seeing real changes regarding HIPAA and health information technology. Unlike some prior HIPAA Summits--and I've attended them regularly since the first summit in 2000--the government has made some major strides in the past few months finalizing the security rules mandated by the HITECH Act, empowering health information exchanges and ramping up enforcement. The first HIPAA compliance audits have gone smoothly and are progressing nicely, according to KMPG, OCR's subcontractor. A few of the presenters seemed relieved and rather proud that they had something of substance to share.
So the industry is really in the middle of a sea change. We've moved from "good HIPAA" focused on educating covered entities, to "bad HIPAA" aimed to catch violators; "HIPAA light" to "caffeinated HIPAA," according to Summit co-chair attorney Alan Goldberg. "It's no longer Mister Rogers' Neighborhood," he said.
It's important to remember, though, that from a practical standpoint, these changes directly impact providers' use of their EHRs, which are chock full of the patient health information subject to HIPAA. Once that final omnibus bill goes into effect, hospitals, doctors and others have to protect their patient data in the EHRs (and elsewhere) better than they had before.
If they don't, they'll be subjected to more onerous enforcement with higher penalties. They'll have to re-negotiate contracts with EHR vendors and new business partners with whom they're going to share data. All of this in addition to meeting Meaningful Use and transitioning to ICD-10 and HIPAA 5010.
Let's also keep in mind that HHS' work these days goes way beyond EHRs and health IT. The agency currently is implementing new fraud-fighting initiatives, the new Sunshine Act requiring manufacturers to report payments made to physicians and others, the new rule requiring overpayments to be returned within 60 days, and more. So providers, likewise, have to absorb changes in addition to their EHRs.
Can providers afford all of these new obligations? And if so, how will they do so? It's no wonder doctors are concerned about the future and the number of hospitals is shrinking.
HHS officials admitted at the Summit that the agency has had to deal with budget restraints. Susan McAndrew, deputy director of the Office of Civil Rights, noted that while OCR is authorized to audit up to 150 covered entities for HIPAA compliance this year, at present it looks like it will only conduct 115 due to limited resources. OCR's enforcement budget is to be cut by $2 million, according to Director Leon Rodriguez.
I hope there's some way to recognize that providers are in a similar boat. - Marla