HIPAA Enforcement Heats Up: Fines, Audits, Indictments and More Regulations
Recent actions by the federal government reflect an increasingly aggressive interest in HIPAA compliance. The cost of compliance – and consequences of noncompliance – now reach into the seven figures. A recent spate of enforcement actions, audits, criminal indictments, breach investigations and new regulations demonstrate the rapidly changing and growing HIPAA enforcement regime.
- HIPAA Enforcement Actions. As noted in a prior alert, the federal government recently assessed a multi-million dollar civil monetary penalty and entered into multiple resolution agreements with several covered entities for alleged HIPAA violations. The staggering amount of the enforcement actions (between $865,000 and $4.3 million) reflects the new, vastly increased penalty ranges for HIPAA violations. The HITECH Act (enacted as part of the American Recovery and Reinvestment Act of 2009) increased the maximum penalties for HIPAA violations from $100 per day (with a $25,000 annual cap) to $50,000 per day of violation and a $1.5 million annual cap for the same violation. The Office for Civil Rights ("OCR") within the U.S. Department of Health and Human Services enforces HIPAA compliance.
- HIPAA Compliance Audits. In November 2011, OCR began auditing covered entities and business associates to assess compliance with HIPAA Privacy and Security Rule requirements. Randomly selected audit targets are requested to provide extensive documentation of HIPAA policies and procedures. While the audits are primarily a "compliance improvement activity," OCR reserves the right to initiate a review if an audit indicates a "serious compliance problem." Although the initial pilot program calls for only 150 audits of covered entities, OCR intends to expand the audit program.
- HIPAA Breach Notification Investigations. The HITECH Act requires covered entities to notify individuals of certain unauthorized breaches of their health information. Additionally, certain breaches affecting 500 or more individuals must be self-reported to OCR and disclosed to the local news media. In many cases, notice of the breach will invite an OCR investigation into the covered entity's HIPAA compliance program. Effective HIPAA policies, safeguards and breach notification procedures (including appropriate responses to potential breach situations) help minimize regulatory scrutiny and public relations quagmires. The HIPAA breach notification requirements are especially significant in light of the almost-daily news reports of large-scale loss of, or unauthorized access to, patient health information.
- HIPAA Criminal Indictments. HIPAA criminal investigations are rare. However, in 2011 the federal government indicted several individuals for alleged criminal violations of HIPAA. Notably, in one of these cases the federal government alleged only an improper disclosure, not sale of the information for commercial gain. These developments further evidence the federal government's renewed attention to HIPAA enforcement and monitoring.
- Proposed HIPAA/HITECH Regulations. As noted in prior alerts, in July 2010 OCR issued Proposed Rules to implement the HITECH Act's mandated changes to HIPAA's regulatory structure. The Proposed Rules change HIPAA marketing provisions, expand the definition of business associates, and alter Business Associate Agreement requirements, among other provisions. The Final Rule has not yet been issued, and there is still no indication of when the final regulatory requirements will be released.
- Proposed Accounting Rule Changes. Earlier this year OCR proposed significant changes to the accounting provision of the HIPAA Privacy Rule. Under the existing accounting rules, an individual can receive information on a covered entity's disclosures of the individual's protected health information ("PHI"), with certain exceptions. However, the right does not extend to disclosures for treatment, payment and healthcare operations ("TPO") purposes. This important exception reduced the regulatory burden on covered entities, since many uses and disclosures of PHI are for such purposes. The HITECH Act eliminated the TPO exception and required covered entities and/or business associates to provide an accounting of disclosures for TPO purposes that are made through an electronic health record. The proposed changes also provide a new right to an "Access Report," which would describe the uses and disclosures of certain patient information for the three-year period prior to the request. OCR has not issued a final rule or indicated when the finalized regulations will be released.
Nelson Mullins attorneys have extensive experience addressing the new facets of HIPAA compliance, including HIPAA audits and investigations and breach notification counseling. For information on how we can help, please contact Cindy Hutto (843.534.4307); Jon Neiditz (404.322.6139); Eli Poliakoff (843.534.4122); Ross Burris (404.322.6294) or one of the other members of the Nelson Mullins National Healthcare Practice.
The articles published in this newsletter are intended only to provide general information on the subjects covered. The contents should not be construed as legal advice or a legal opinion. Readers should consult with legal counsel to obtain specific legal advice based on particular situations.