In my July 6, 2011, blog posting, I reported that the Office of the Inspector General (“OIG”) had slammed DHHS on its lack of effective HIPAA enforcement. Now, Congress has gotten in on the act. During a Senate Judiciary Committee’s Privacy, Technology and the Law Subcommittee hearing on November 9, 2011, witnesses called for stronger federal enforcement of health data breach protections.
Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, testified that the health care industry appears to be rarely encrypting data, which may easily lead to a breach if one loses a laptop, for example.
Kari Myrold, privacy officer at Hennepin County Medical Center in Minneapolis, said that many health care providers do not take data encryption seriously. She said that, until the federal government strengthens enforcement of health data breach protections, providers are unlikely to adequately protect data.
Senator Al Franken (D-Minn.), chair of the subcommittee, apparently not as a comedian, said that federal enforcement of current rules against data breaches is “simply not satisfactory.” According to Franken, only one of the 22,500 data breach complaints received by HHS has resulted in civil monetary penalties. Although that statement may not be exactly accurate because a number of covered entities have entered into settlements to avoid civil money penalties, it should further convince covered entities that the time to get compliant is now.
Meanwhile, Sen. Tom Coburn (R-Okla.), a physician, questioned whether the adoption of EHRs is worth the security risks.
Leon Rodriguez, the Director of the DHHS Office for Civil Rights, told the senators that the federal economic stimulus package in the HITECH Act increased the amount of civil penalties for a health data breach from $100 per violation to as much as $50,000 or more per violation. He added that he believes that the increased penalties have reinvigorated covered entities’ compliance efforts.
It’s time to take HIPAA compliance seriously, guys! Get your risk analysis done and your security squared away now before Congress makes HIPAA compliance way more onerous and expensive.