Senate Hearings Focus on Lack of HIPAA Enforcement, Final HITECH Rule

Practitioners, healthcare facilities and their business associates who are following the continuous developments in HIPAA-compliant data privacy measures should be aware of the Senate hearings that were held recently, on November 9, 2011. This special discussion was titled 'Your Health and Your Privacy: Protecting Health Information in a Digital World'. The discussion was attended by the Senate Judiciary Committee and Sub-committee on Technology, Privacy & Law. The discussions focused mainly on the federal enforcement of patient data protection measures introduced and updated by HIPAA and the HITECH Act respectively.

First Set of Discussions

An important aspect of this discussion was the unsatisfactory implementation of HIPAA-compliant workplace measures, a view presented by the chairman of the sub-committee, Al Franken. The first panel, which opened the discussions, included Loretta Lynch, the U.S. Attorney, who is also part of the Attorney General's Advisory Committee (as part of the Health Care Fraud Working Group). The other panelist was the Director of the HHS Office for Civil Rights (OCR), Leon Rodriguez.

Al Franken Leads the Argument

Franken opened on a positive note, outlining the benefits associated with the adoption of EHR (electronic health records), but later emphasized that patient data protection measures weren't being executed with diligence. He addressed officials from the HHS (Department of Health and Human Services) and DOJ (Department of Justice), insisting that the overall rate and manner in which HIPAA-defined mandates were being implemented were far below expectations. He was critical of the fact that many complaints related to non-compliance with HIPAA regulations weren't being prosecuted properly. Along with his team of panelists, Franken underlined that there was an urgent need to introduce a Final Rule ensuring that the HITECH Act-defined changes to the HIPAA Privacy & Security Rules are implemented more urgently.

Counter to Franken's Statements

Rodriguez and Lynch insisted that their respective organizations were committed to the uniform enforcement of healthcare privacy laws through the HITECH Act and the Privacy & Security Rules of HIPAA. Lynch further underlined the agency's commitment to this cause by outlining the recent efforts made by DOJ to enforce criminal provisions against those flouting HIPAA regulations. Rodriguez, too, cited OCR cases brought against Rite Aid and Massachusetts General Hospital, which included significant financial penalties.

Franken's Counter-Arguments

Franken further stated that even though DOJ and OCR were serious about their enforcement efforts, HIPAA-defined regulations still remained largely unenforced. He provided statistical figures saying that from 2003 onwards, nearly 22,500 complaints regarding HIPAA non-compliance were registered with the HHS. Even though HHS has the authority to investigate such complaints, the OCR diluted the HIPAA violations to nominal fines only. Apart from financial penalties, some cases were resolved via mutual settlements. Franken further clarified that of the 495 such cases referred to the DOJ via HHS, only 16 resulted in confirmed HIPAA prosecutions.

Franken admitted that some cases might have been pursued under different statutes, but said that, by and large, DOJ didn't provide a transparent tracking system that would help officials like him know how many HHS-referred cases of HIPAA violation were actually prosecuted. Franken opined that this kind of accountability was vital for effectively monitoring the cases referred to DOJ and the actual number of prosecutions. He was critical of the lack of a stringent final set of HITECH regulations and questioned when a more comprehensive final rule was expected from the HHS, but Rodriguez refrained from providing a particular schedule. Franken further emphasized that even the existing statutes could be used more dexterously to enforce medical privacy laws in a more rigorous manner.

Second Panel's Hearings: Similar Views Expressed

The second panel of the hearing restated the urgent need to introduce a Final HITECH Rule. This view was supported by the Director of the Health Privacy Project at the Center for Democracy and Technology, Deven McGraw. He was adamant that the HITECH rule-defining process was too slow. He even testified that the nation lacked a consistent environment for enforcing HIPAA regulations. He echoed Franken's view about the need for more transparency in HIPAA enforcement cases.

McGraw's views were further supported by the Privacy Officer for Hennepin County Medical Center (Minneapolis), Kari Myrold, who also underlined the lack of a Final HITECH Rule as the major deterrent handicapping HIPAA Privacy & Security Rule enforcement. When answering Senator Richard Blumenthal, Myrold emphasized that until the Final Rules were put forth, people were not going to realize the seriousness of following HIPAA regulations and thus compliance-related issues would continue.

These views about the lack of a final rule announcement are not misleading: most business associates have chosen to delay their HIPAA compliance expenditures since HHS announced in February 2010 that enforcement would be delayed a bit.