I received an email notification about State Attorneys General HIPAA enforcement training, posted by Joseph Conn at ModernHealthcare.com. The HITECH Act gave state attorneys general the authority to bring civil actions to obtain monetary damages on behalf of residents of their state for violations of the HIPAA Security Rule and Privacy Rule. What might it mean that the Office of Civil Rights (OCR) has scheduled enforcement seminars open only to State Attorneys General and their staff? The OCR has four of these 2-day seminars scheduled between April and June of this year, in Dallas, Atlanta, Washington and San Francisco. Whereas, before the HITECH Act, HIPAA was seen as having no teeth, in part because of the lack of enforcement resources, bringing cash-strapped state resources into the picture could change the compliance landscape considerably.
Here are topics covered in these seminars as documented on the OCR’s website:
- General introduction to the HIPAA Privacy and Security Rules
- Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
- Investigative techniques for identifying and prosecuting potential violations
- A review of HIPAA and State Law
- OCR’s role in enforcing the HIPAA Privacy and Security Rules
- SAG roles and responsibilities under HIPAA and the HITECH Act
- Resources for SAG in pursuing alleged HIPAA violations
- HIPAA Enforcement Support and Results
Based on the topics covered, a couple of questions come to mind:
Will the states only get involved after a PHI disclosure incident or a reported violation, or is there some intention of proactive HIPAA audits? The OCR indicates that its enforcement process can be initiated either by a complaint or by a compliance review. What will drive the State Attorneys General enforcement actions?
How will the State Attorneys General interpret the HIPAA Security Rule? HIPAA leaves plenty of latitude for compliance. Flexible guidelines can be both a good and a bad thing for covered entities and business associates. On the positive side, flexibility enables a healthcare organization to create a meaningful and practical information security program that effectively mitigates security risk, which is the intent of the rule. However, State Attorneys General may also interpret compliance guidelines differently than their targets do. The effect of this is that healthcare organizations may focus more on the letter of the law than on its intent. Compliance and security, however, are two different things. At Redspin we are more comfortable with organizations that take a practical, risk-based approach to security and HIPAA Risk Analysis than with someone purely focused on compliance. We've seen too many cases of organizations that claim to be 100% compliant but are in reality totally insecure.