For some time, HIPAA officials have been promising an increase in scrutiny and enforcement. Now they have the person in place to carry out their mission.
Georgina C. Verdugo was appointed in September as the new director of Health and Human Services' (HHS) Office of Civil Rights (OCR), the governing body that holds authority over the enforcement of the HIPAA privacy rule.
Earlier this year the OCR also gained control over HIPAA security, a duty previously belonging to the Centers for Medicare and Medicaid Services (CMS). Given this newfound jurisdiction, Verdugo, a former assistant United States attorney in the U.S. Attorney's Office who served as deputy assistant attorney general under President Clinton, seemed a natural choice. Her appointment sends a clear and precise message to wrongdoers that security will be tighter than ever.
"There's no question that [Verdugo's] appointment strongly indicates the influence of the Department of Justice," said Dan Rode, MBA, FHFMA, vice president of policy and government regulations for the American Health Information Management Association (AHIMA).
Rode, who holds a certification in privacy and security, said that recent meetings with OCR staff members have proven OCR's determination to implement newly legislated security measures, such as breach notification requirements, which go into effect in February of 2010. Furthermore, the OCR plans to incorporate the Genetic Information Act of 2008 into the HIPAA privacy rule, as they did with the breach notification.
"The focus is on getting new legislation incorporated into HIPAA," summarized Rode. "There are numerous other privacy regulations currently in legislation that will be coming forth in the near future to implement pieces of the privacy provisions under ARRA."
The deadline for those provisions is early February 2010, so updates on those measures should be forthcoming.
Obviously, the new regime at OCR has placed an increased emphasis on enforcement--and as such, numerous fraud cases have already come forth between HHS and the Department of Justice. Rode expects that similar action will follow between OCR and the Department of Justice.
"The fact that Ms. Verdugo's background is in justice leads me to believe that the administration was very aware of the need for enforcement," reasoned Rode.
According to OCR's Web site, less than 20 percent of HIPAA privacy complaints have culminated in enforcement actions since its implementation in 2003. Whether that number increases remains to be seen, but the increased emphasis cannot be denied.
Impact on AHIMA
Rode acknowledged the lag in annual renewed privacy training for many AHIMA members and other health information professionals. "I know that's been lax in some organizations because of the cost," he said.
The new regulations, however, provide department heads and managers with increased motivation to update practices and procedures. "It will require a new round of training programs--which they should've been doing anyway," said Rode. "Our privacy workers will be hard at work to see these measures implemented."
That said, Rode believes OCR will continue to work with groups that may have issues with HIPAA--as evidenced by their implementation of a 6-month grace period for the breach notification requirements. He cautioned, however, that the authority now exists for OCR to go after those individuals who misuse information.
"Congress has required a greater amount of auditing of privacy and security," said Rode. "Both our legislators and the Obama administration have stepped up their work in this area. I think Ms. Verdugo coming on board is another signal of the intention to be very serious about privacy and security as it relates to health information."
Rob Senior is managing editor at ADVANCE and can be reached at RSenior@advanceweb.com.