According to recent comments made by a senior staff member at the HHS Office for Civil Rights (OCR), the federal government expects to finalize regulations later this year or in early 2011 amending the HIPAA privacy, security and enforcement regulations as necessitated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act, enacted on February 23, 2009, expanded the scope of HIPAA privacy, security and enforcement standards to subject business associates and their subcontractors to the same administrative, technical and physical security safeguard requirements as covered entities, including civil and criminal sanctions for violating the health information privacy of individuals.
OCR is now reviewing the comments received in response to the proposed HITECH Act regulations, which were released on July 8 and published in the July 14, 2010, Federal Register. According to published reports, OCR received some 550 submissions by the September 13, 2010, deadline for public comments on the proposed regulations.
In other comments, the OCR staffer indicated that under the HITECH Act's breach notification requirements (which took effect on September 23, 2009), the predominant causes of the larger breaches for which HHS has received notification are theft of laptops and other portable devices, followed by abandonment or improper disposal of paper records, and loss of desktop computers, printable electronic devices and portable devices such as thumb drives or other storage media. Unauthorized computer hacking and IT incidents are a relatively smaller cause of breach notifications, according to the OCR source. These statistics suggest that covered entities need to focus just as heavily on physical security measures as on technological controls such as firewalls and virus prevention. Furthermore, because the vast majority of cases involve portable devices, data encryption remains one of the top priorities for securing "mobile" protected health information against a potential breach or security incident.
The stakes for privacy violations and data security breaches under HIPAA are rising. Prior to the HITECH Act, the highest civil monetary penalty imposed for a single HIPAA violation was $100. Under the HITECH Act, the maximum fine is raised to $50,000 or more per violation, and an organization's exposure can reach more than $1 million for multiple violations occurring in a year.