A new era of Privacy and Security Rule enforcement may be upon us. The Office of Inspector General (OIG) has initiated audits of covered entities for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The audits began March 2007 at Piedmont Hospital in Atlanta, Georgia – the first hospital provider in the country to undergo such an audit.

In addition, on April 16, 2007, Secretary Mike Leavitt of Health and Human Services delegated to the Director of the Office for Civil Rights the authority to issue subpoenas in investigations of alleged violations of the HIPAA Privacy Rule.

These two significant events represent something of a surprise in enforcement of the HIPAA Privacy and Security Rules.

Privacy Rule Enforcement

The Office for Civil Rights (OCR) has enforced the HIPAA Privacy Rule since its effective date in 2003 – largely, if not exclusively, based on a voluntary compliance approach with complaint-driven investigations. In fact, unofficial reports claim that OCR received approximately 24,000 complaints from 2003 through 2006 – over 75 percent of which have been closed. Less than 40 complaints have been accepted by the Department of Justice for further investigation or prosecution. To date, no OCR-initiated investigations have taken place (absent a private complaint), and no fines have been levied against covered entities by OCR for Privacy Rule violations.

However, covered entities should be prepared: The April 2007 delegation of subpoena power may result in a more proactive enforcement of the Privacy Rule in the near future.

Security Rule

OCR’s counterpart for the enforcement of the HIPAA Security Rule is the Centers for Medicare & Medicaid Services (CMS). CMS also has not investigated providers proactively for compliance with the Security Rule since its effective date in 2005. Perhaps concerned about Security Rule enforcement, however, the OIG has begun its Security Rule audit of health care providers.

A hint of the new enforcement effort was given in the 2007 OIG Work Plan – when the agency noted that its Office of Audit Services would:

review the experience with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) administrative simplification privacy and security implementation in Medicare and Medicaid to identify key issues that may be relevant to the Department [of Health and Human Service]’s health information technology (IT) initiative. The Department’s health information technology initiative has a primary objective of fostering the use of electronic medical records throughout the health industry to promote economy and efficiency in the delivery of health services and to enhance patient safety.

It appears that, with electronic medical records on the action item list of CMS and with efforts underway at most major health systems to convert to electronic records systems, the OIG is concerned that the IT systems that will house these records must be secure and must be operated in compliance with the Security Rule. As further evidence of the CMS and OIG concerns, on December 28, 2006, CMS published guidance on the Security Rule entitled, “HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information,” which is available on the CMS Web site at www.cms.hhs.gov.

Recent months also have seen a significant number of information security breaches involving electronic protected health information (PHI). Many of these have involved lost or stolen laptop computers with inadequate security. These security incidents are no doubt the reason that CMS issued its guidance on remote access to electronic PHI. The OIG audit initiative presumably represents another reaction by the government to a growing concern over the security of health information.

What exactly does the Security Rule require of covered entities? Although complex and technical, the Security Rule first requires that a “risk assessment” be undertaken by the covered entity to assess thoroughly the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI maintained by the covered entity. The Security Rule also requires the covered entity to take certain steps to ensure that risks of improper use or disclosure of electronic PHI are minimized. The Security Rule does not specify all of the electronic safeguards that must be employed, but it does require a detailed process by which vulnerabilities are assessed and appropriate safeguards are implemented. Particularly where PHI is accessed or transmitted by means of remote devices or via the Internet, reasonable safeguards must be implemented to prevent unauthorized access or disclosure of electronic PHI. In all, there are over 40 standards with which a covered entity must comply. The covered entity must meet all of the Security Rule “Required Standards” as noted in the rule and should assess in writing the reasonableness and applicability of the rule’s “Addressable Specifications.” Documentation is the key to HIPAA security compliance.

With audits of security compliance underway by the OIG, every covered entity is well-advised to review its HIPAA security program and verify that its compliance with the HIPAA Security Rule is well documented.