HITECH led to current enforcement push
The Health Information Technology for Economic and Clinical Health (HITECH) Act and the subsequent Omnibus Final Rule have dramatically increased the likelihood that unauthorized releases of protected health information (PHI) will be discovered, for several reasons, says Stephen Treglia, JD, legal counsel at Absolute Software, a consulting firm in Austin, TX.
Treglia outlines the effects:
- The HITECH Act empowered certain federal and state agencies to pursue investigations. On the federal side, the Office for Civil Rights (OCR) was given the authority to investigate complaints and conduct random audits.
- HITECH also granted jurisdiction to all state attorney generals to pursue Health Insurance Portability and Accountability Act (HIPAA) and HITECH investigations.
- HITECH changed who is responsible for identifying PHI breaches, imposing a breach notification requirement to OCR for any unauthorized release of PHI.
- The Omnibus Final Rule increased the likelihood of enforcement actions for HIPAA-HITECH violations by permitting the Department of Health and Human Services (HHS) to develop regulations providing for the distribution of collected monies for successful investigation to complainants, offering the means to reward whistleblowers for information provided to OCR.
- The Omnibus Final Rule made it easier to enforce HIPAA's Privacy Rule and Security Rule by changing the burden of proof when a breach occurs. Previously, once a breach occurred, the violating entity simply could allege no harm resulted from the breach and it would be up to the complainant to prove harm existed. The Omnibus Final Rule has reversed that situation. Now, once a breach occurs, it is up to the violating entity to disprove harm occurred.