Sunday, March 7, 2010

HIPAA Enforcement

Is HIPAA meaningful? For a long time, the answer to that question was arguably no. The date for compliance with the privacy rules was April 14, 2003, and the date for compliance with the security rule was two years later (the HIPAA Wikipedia entry has a good summary of this history). Nevertheless, it wasn't until 2007 that the first HIPAA audit took place (see here), and the lack of enforcement led many to believe that HIPAA was basically toothless (see, e.g., here).

Now though, that may be changing. One of the notable features of the HITECH Act was that it gave state attorneys general the right to file suit on behalf of state residents who have been harmed by a HIPAA violation (the text of the act can be found here). Since then, the attorney general of Connecticut has taken advantage of that new authority and filed suit against Health Net Connecticut, Inc. for HIPAA violations (among other things). The press release is here, and the complaint can be found here. Does this herald a new era of aggressive HIPAA enforcement? I tend to think not. The HITECH Act limits the amount of damages recoverable by attorneys general to $25,000 per calendar year for violations of any individual requirement or prohibition, so HIPAA enforcement isn't going to be a panacea for states that already have limited enforcement budgets. On the other hand, there has already been one suit, and if an attorney general is already thinking about bringing an action (e.g., under some applicable state law), the extra HIPAA recovery could make the difference in whether a suit is brought. Either way though, with the Connecticut attorney general's action, the era of absent HIPAA enforcement is officially closed.

4 comments:

compliance helper said...

While the financial rewards to their state might be minimal, the publicity for the AG could be beneficial. Taking on the greedy insurance company on behalf of the consumer will look good in an election campaign.

public key infrastructure said...

As you mentioned in the post, the HITECH act limits the amount of damages recoverable by attorneys general to $25,000 per calendar year for violations of any individual requirement or prohibition, so HIPAA enforcement isn't going to be a panacea for states which already have limited enforcement budgets. You mean those states will not get any benefit?
