A year and a half ago, when authority for enforcing the security and privacy provisions of HIPAA was transferred from the Centers for Medicare and Medicaid Services to the Office of Civil Rights (OCR) in the Department of Health and Human Services, some observers warned that this would mean heightened enforcement of those provisions. The fact that OCR could use the fines it collected to fund further enforcement activities raised the level of concern among these observers even higher.
However, the alarm apparently wasn't loud enough for most providers to hear it. The $1 million fine that Massachusetts General Hospital has just agreed to pay OCR might start getting people's attention. So might the $4.3 million fine that OCR recently collected from Cignet Health, which operates a health plan based in Largo, Md.
OCR presented its message loud and clear at the recent HIMSS11 conference in Orlando, Fla. Adam Greene, senior health IT and privacy advisor to OCR, told attendees at a packed session that his office plans to tighten up current privacy and security regulations, while enforcing the increased financial penalties required by the HITECH Act. Those include $50,000 per year per physician for repeated "unknowing violations" and $1.5 million per year for hospitals that commit the same kind of violations. The penalties for intentional violations are much more severe and can include jail time.
Still, the level of security breaches remains high. Just in the 16-month period that ended in December 2010, the electronic health records of more than 6 million people were compromised, according to a recent study. Naturally, greater enforcement of the regulations is amply warranted. What's unclear, though, is how much of a dent OCR's activities will put in efforts to build health information exchanges.