While the Department of Health and Human Services only recently finalized the privacy rule, many covered entities are getting back to the tall order of implementing their compliance strategies. But what happens to those who fail to comply with the Health Insurance Portability and Accountability Act? In which guise and when will HIPAA enforcement arrive? While some in the health care industry feel that worrying about enforcement of HIPAA is akin to putting the cart in front of the horse, others tell Eli that enforcement is closer than we might think, and that preparations should be made for what some see as an inevitable duty of the HHS' Office for Civil Rights. And though it's not clear what steps toward enforcement of the rule the OCR will take, some believe that violations of state law is the place to focus one's attention. State laws often are more strict than the federal guidelines outlined by the HHS' rule, sources tell Eli. As things stand now, providers likely don't need to worry that the HIPAA police will be out there, says Abby Pendleton, an attorney with Wachler & Associates in Royal Oak, MI. "However, I believe we will see enforcement through patient complaints. Also, we will likely see state law causes of action in the future," she claims. That's exactly the kind of enforcement Teresa Burkett is concerned with, an attorney with Tulsa, OK-based Boone Smith David Hurst & Dickman. Burkett says Oklahoma has very stringent laws regarding confidentiality, particularly with such areas as communicable diseases. She believes most employees don't even consider the possibility of issues like the disclosure of health information being enforced in their work place. Burkett believes that plaintiffs' attorneys are going to milk HIPAA enforcement for everything it's worth. And while federal law states that improper divulgence of protected health information carries with it a $100 fine, she believes that's peanuts compared to the penalties some lawyers will be able to dredge up. But another health care attorney feels the OCR's readiness to enforce HIPAA shouldn't be underestimated. RobertMarkette,anattorneywith Gilliland & Caudill in Indianapolis, says he's not as certain as others that HHS won't take action to enforce the reg. "Although I understand HHS has taken the public position that, at least initially, they want to help providers become compliant, I do not expect that 'honeymoon' period to last for long."
"I think that, rather than being concerned that you're going to have this $100 fine per improper divulgence, that the thought of some wild plaintiffs' lawyer saying to a [covered entity], 'not only did you cut off the wrong leg, but you told the newspaper' is much more disturbing."
Burkett says she's far less of a believer that covered entities will reach for HIPAA compliance as a response to the feds' enforcement efforts, and feels the real goad that prods covered entities into compliance will be stimulated by a less benign force: plaintiffs' attorneys out for blood.
"I am very careful to get our clients in to HIPAA compliance as quickly as possible because of the likelihood of a lawsuit brought by some of our more vociferous plaintiffs lawyers, not because I'm worried about the Office for Civil Rights," Burkett asserts.
He says that, like any other government agency charged with enforcing laws or regulations, the demand to "show some results" will eventually fall squarely upon the OCR's shoulders. "Combining the inevitability of enforcement with the practical steps a provider can take to limit any potential liability that may arise under HIPAA, I think the enforcement of HIPAA will be more troublesome than the civil liability side," he opines.