When the Health Information Technology for Economic and Clinical Health (HITECH) law was passed, one of the key elements of the expanded privacy and security rules was the enhanced enforcement opportunities. The Department of Health and Human Services (HHS) Office of Civil Rights was given substantial new authority to issue penalties at substantially higher amounts. Additional criminal remedies were developed, particularly for violations by individuals. And state attorneys general were given formal authority to act on their own initiative against HIPAA violations.
Now, almost two years after the passage of the HITECH law, we have seen little additional enforcement of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, consistent with the overall approach that was taken in the initial years of HIPAA enforcement. Can we expect this to continue?
Looking forward, we anticipate three developments in 2011 for health care privacy and security enforcement. First, we anticipate that the HHS Office of Civil Rights will start to flex its enforcement muscles, through modest increases in its enforcement activities, particularly for violations involving ongoing problematic behavior. Second, we anticipate that the real enforcement wild card will be at the state level, as state attorneys general and various other enforcement agencies, whether under a HIPAA rubric or not, take action to punish entities that have engaged in problematic behavior involving health care information. Third, we also expect to see the Federal Trade Commission (FTC) acting as a significant enforcement authority on health care privacy issues, particularly in connection with security breaches.
The HITECH Legislation: A Reminder
It was widely anticipated that the Obama Administration would be more aggressive about HIPAA enforcement than its predecessor. This expectation, combined with the substantial new enforcement tools provided by the HITECH legislation, created an environment where more enforcement seemed likely.
The legislation expanded enforcement opportunities in three major ways. First, the legislation increased substantially the penalties that may be imposed for violations of the rules, from the prior high of $25,000 to as much as $1.5 million. Fines are mandatory in situations involving "willful neglect." Moreover, the legislation mandated that the HHS secretary "shall formally investigate any complaint of a violation of [these provisions] if a preliminary investigation of the facts of the complaint indicate such a possible violation due to willful neglect." In addition, there is a requirement that some of these new penalty amounts may even be provided to "harmed" individuals in the future.
Second, state attorneys general now have clear and explicit authority to enforce the HIPAA rules. While state attorneys general have initiated HIPAA-related actions in the past, relying on their inherent authority to act to protect the citizens of a state, HITECH essentially creates a parallel enforcement environment for violations. On the one hand, this enforcement is limited in meaningful ways, mainly in terms of the amounts that can be sought by the state attorneys general. On the other hand, however, this approach creates realistic risks of differing standards and inconsistent actions from state to state. Moreover, while the HHS Office of Civil Rights is severely constrained by the detailed procedures of the HIPAA enforcement rule, it is not at all clear that the state attorneys general are bound by these procedural protections.
Third, correcting what many saw as an oversight in the prior HIPAA provisions, the legislation now permits enforcement actions against individuals employed by health care entities. Even though the Department of Justice has creatively pursued a limited number of criminal cases against individual employees (mainly where identity theft, health care fraud or some other serious criminal activity was combined with the HIPAA issue), HITECH provides broader and more explicit authority for enforcement against individuals.
Following this legislation, HHS has issued a revised enforcement rule. This rule, published as an interim final regulation, made certain changes driven by the legislation, although it also left several elements for future rulemaking proceedings. Essentially (as described by HHS),
This interim final rule conforms HIPAA's enforcement regulations to these statutory revisions that are currently effective under section 13410(d) of the HITECH Act. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions.
Therefore, as of February 2010, HHS had the authority to utilize these new penalty amounts against covered entities for violations of the "old" HIPAA rules.
Most recently, as part of the omnibus-proposed HITECH rule (available at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf), HHS took the next step in the evolution of the enforcement rule, proposing changes in the rule to deal with the new provisions adopted by HITECH. As with the remainder of this proposed rule, the comment period is closed, and HHS expects to issue a final rule in the first quarter of 2011.
Interestingly, the proposed rule, in addition to proposing specific procedures and interpretations of portions of the enforcement provisions, made clear that the new components of this rule, many of which simply reflect a transfer of the HITECH language into the HIPAA rules, will not take effect and be subject to enforcement until (essentially) seven months after the publication of the final rule. For many entities, particularly business associates, this postpones the potential applicability of these new HITECH penalties (and, for business associates, any enforcement at all) for an additional period.
So, while HHS continues to explore how to implement its new statutory enforcement authority, it has taken only one significant public step on enforcement, through a recent case involving Rite Aid pharmacy. (HHS also has begun to publish information about reported security breaches and apparently is investigating many of these breaches, but it has not yet taken enforcement steps in connection with these breaches).
In the Rite Aid "Resolution Agreement," Rite Aid and various affiliated entities agreed to pay $1 million to address HIPAA violations, along with agreeing simultaneously to an FTC consent order. The case addressed a recurring HIPAA problem (and one that has been the subject of previous enforcement actions, as well): the disposal of identifying information contained on drug bottles. Under the agreement, Rite Aid has agreed to take corrective action to improve its overall disposal policies, and to implement an ongoing corrective action program. The HHS "corrective action" plan will remain in effect for three years. The FTC's order, issued under the FTC's general enforcement authority, will remain in place and require certain independent assessments for 20 years.
The Latest Enforcement Step
Since the Rite Aid agreement in July 2010, HHS has announced no formal enforcement actions (although there are various reports of additional corrective action plans). While HHS continues its investigations into reported security breaches and other potential violations, state authorities are not hesitating to take their own steps to enforce either HIPAA or "HIPAA-like" rules. Most recently, for example, the state of California has taken action against multiple hospitals in California in response to security breaches involving improper "insider access" to health care information. These actions, taken under a specific California state statute, reflect an ongoing problem that is present across the country, but is resulting in enforcement primarily in California (to date). Essentially, we are seeing a wide range of situations where corporate insiders, who appropriately have access to information as part of their jobs, are then misusing this access for improper purposes, ranging from "snooping" in celebrity medical records to more nefarious activities, such as identity theft and health care fraud. See Nahra, "Security Risks from Insiders," Privacy In Focus (June 2009), available at www.wileyrein.com/insiders.
In response to this ongoing problem in California, the state issued fines of almost $800,000 to seven medical facilities, bringing fines under this statute to more than $2.2 million.
The OCR Effort Will Ratchet Up, but Only Gently
Despite significant concern from the health care industry about how the new HITECH provisions would be enforced, there is no indication to this point that the Office of Civil Rights will do anything dramatic to change how it enforces the HIPAA rules. So far, HHS' enforcement effort has reflected a realistic and rational approach to fixing problems and taking steps to ensure that problems do not recur. That means there is no reason to be wary of a significant uptick in the aggressiveness of enforcement efforts. HHS' approach to enforcing the HITECH provisions reflects this continuing attitude.
But Don't Ease Up on Compliance Efforts
Even though HHS will not be acting in a substantially more aggressive manner, we can expect that its patience is wearing thin for health care entities that do not pay attention to their obligations. While HHS understands that security systems are not perfect, and that not every breach requires aggressive enforcement, we can expect that HHS will have little patience for (1) repeat offenders; (2) companies that ignore their compliance responsibilities; and (3) companies that take steps that clearly and explicitly violate HIPAA provisions. This is a good time to review overall HIPAA compliance obligations, to ensure that your company is meeting all of its current obligations and the new requirements arising from HITECH.
The States Are the Real Wild Card
The HHS efforts to date reflect a reasoned and measured approach, coupled with an appropriate understanding of the challenges and complexity of the health care system. HHS is willing to let companies work through reasonable problems, particularly where compliance efforts are under way and appropriate.
With that said, there is no particular reason to expect that state officials will act in the same manner, as to timing, volume or reasonableness. Therefore, we expect that the states will end up being the more substantial regulator of health care privacy compliance over the next few years, whether tied to "HIPAA-like" laws at the state level or actions by state attorneys general to respond to publicly identified events. So far, HHS has not explored in any significant detail how the state attorneys general can act to enforce HIPAA, and we can expect to see cases where substantial pressure is brought on health care companies to settle highly publicized cases.
Don't Forget About the FTC
The second wild card involves the role of the FTC on health care privacy issues. As the Rite Aid agreement demonstrates, the FTC is willing to be involved in health care privacy cases, and may in fact act more aggressively in some of these situations. The FTC also has been given some significant authority to regulate certain "non-HIPAA" aspects of privacy on a going-forward basis, including the breach notification rule affecting personal health records. The FTC also has been holding hearings on other aspects of its privacy authority, including health care issues. For business associates, for example, to the extent that HHS is indicating that it will not engage in enforcement action against business associates until seven months after the final rule is published, the FTC may be an alternative enforcement channel, particularly in connection with security violations.
In summary, while the HITECH enforcement era has been slow to emerge, we can expect at least a modest uptick in 2011, particularly when the final HITECH rules take effect. In addition, we may see enforcement steps, potentially with higher penalties or other consequences, by both relevant state agencies and the FTC.