To round out my recent postings regarding the impact of the American Recovery and Reinvestment Act of 2009 (ARRA) on healthcare organizations, I wanted to touch on the enhancements to the enforcement rules. I spoke about the mandatory reporting of a breach in one of my earlier posts. Now HHS doesn't need to wait for a complaint or audit to find the breaches. Offending organizations have to tattle on themselves, and then get hit with the penalties. I wish this was how it worked at my house. I've got 4 kids and I'd love to institute mandatory self-incrimination. I doubt it will work that well in either scenario, but we can always hope.
Some of the caps on willful negligence have also been raised or removed. This is important as it changes the risk model some organizations have been operating under. Knowing the most a penalty for non-compliance could cost them has allowed organizations to factor this into their risk models. If mitigating the risk is close to or more than the potential penalty, the risk may be deemed acceptable and nothing is done to mitigate it. This is great risk management for the company but bad for the patient. Eliminating a cap for willful negligence should help organizations take a harder look at the true risk they are facing, not just the financial risk.
The final interesting tidbit in the enforcement modifications is the delegation of authority to the state attorneys general. Unless there is a pending federal action, the attorney general of a state now has the authority to seek civil damages for violations of HIPAA. The limits on these damages are lower than at the federal level; however, there is a much greater chance of a zealous state attorney general taking action against an organization on behalf of the residents of that state than of any enforcement action being taken by the federal government.
All in all, I believe these changes help strengthen HIPAA and will force some organizations that have looked for any and all loopholes to reconsider their approach to security and privacy. There is no perfect solution, and I'm the last person who wants more federal regulation on any industry. However, I like to see regulations that may actually help us move toward an end state we all agree should be reached, rather than ones that leave us scratching our heads from the get-go.
P.S. I'm not commenting on the need, usefulness, benefits or detractors of ARRA as a whole, simply the sections I've mentioned in these posts. Please, no flaming rants about the role of the federal government, corporate responsibility or other hot topics of the day. Respectful and intelligent comments, either in favor of or in contradiction to my posts, will be responded to. All others will be ignored…respectfully.