The Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) hosted the annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference in Washington, DC, last week. My law partner, Richard D. Dvorak, attended the conference, as he said he would in his guest blog post of May 7, 2012. He said that he heard the following information at the conference. (He might have written this blog item himself, but he is on the way to Maine to give HIPAA seminars this week, while I will later be doing the same in Louisiana, Alabama, and Mississippi. We can expect Richard to have more to report about the conference shortly.)
At the conference, OCR Director Leon Rodriguez said that tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past. The lower tolerance comes from the fact that, given HIPAA’s 15-year history and the substantial technical assistance that OCR and NIST have provided covered entities, little excuse exists for non-compliance.
Director Rodriguez also indicated that the final DHHS rule modifying the HIPAA Privacy and Security Rules is very close to publication and will extend HIPAA liability to business associates. He emphasized, however, that business associates should not wait for publication of the final rule, because state Attorneys General can already enforce the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), as shown by Minnesota Attorney General Lori Swanson’s recent lawsuit against Accretive Health, a business associate responsible for a security breach involving patient data.
Director Rodriguez also highlighted OCR’s audit program, which he expects will become “a permanent and robust program.” Linda Sanches, a senior advisor at OCR responsible for the audit program, added that OCR is not planning to sanction covered entities based on audit results unless they reveal a serious violation. Sanches also indicated that, although OCR has the authority to audit business associates, it has no plans to do so in this phase of the audit program.