Curious about what it will be like if you get slapped with allegations that you ran afoul of the Health Insurance Portability and Accountability Act privacy and security rules? The process will be all too familiar if you've ever had a run-in with the HHS Office of Inspector General. In an interim final rule published in the April 17 Federal Register, the Department of Health and Human Services lays out its plans for HIPAA enforcement, and says its procedural model will be OIG rules on imposing civil monetary penalties. That means the cogs of HIPAA enforcement will be similar - in some cases virtually identical - to the OIG's CMP procedures: investigative subpoenas, administrative law judge hearings, prehearing document reviews, etc.

HIPAA enforcement will be assigned to two HHS agencies: the HHS Office for Civil Rights and the Centers for Medicare & Medicaid Services. HHS stresses that it "intends to seek and promote voluntary compliance." Nevertheless, enforcement actions are inevitable and the agency says it wanted to get its enforcement cards on the table early on. Comments on HHS' enforcement plan are due June 16. To see the rule, go to www.access.gpo.gov/su_docs/fedreg/a030417c.html.

Lesson Learned: Health care providers can't afford to be complacent about HIPAA. Despite the feds' claims that they'll work with providers on privacy and security rule compliance, the groundwork is being laid for imposing fines on wayward organizations.