The Office of Civil Rights has set a March 2012 target date for release of the long-awaited final HITECH rules. These rules amend HIPAA’s privacy and security regulations, and put real teeth into the government’s HIPAA enforcement efforts as they relate to non-compliance by health care providers (as well as other covered entities) and their business associates. Indeed, HITECH has given OCR the authority to investigate data breaches by health care providers and to assess significant monetary penalties for breaches resulting from willful neglect. Under HITECH, OCR has also recently contracted with KPMG to conduct random HIPAA privacy and security audits. These audits, which began in December 2011, are ongoing.
As a result, health care providers and business associates alike can no longer ignore their obligations under HIPAA. Covered entities and their business associates should give immediate attention to (1) conducting a new risk assessment, or updating an existing one, to identify threats and vulnerabilities related to their PHI, (2) creating and/or updating HIPAA policies and procedures to mitigate the identified threats and vulnerabilities, (3) training workforce members to protect and safeguard PHI consistent with these policies and procedures, and (4) documenting such actions. Indeed, inaction does not eliminate the obligation, and instead may serve to exacerbate the consequences of non-compliance under HIPAA/HITECH.