The Office for Civil Rights of the Department of Health and Human Services (HHS) is charged with enforcing the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA), which protect individuals' personal health information (PHI) in both electronic and paper forms. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, OCR is further required to make an annual report to Congress on both rules and their enforcement.

The privacy rule took effect in 2003, and the security rule, dealing with electronic PHI, took effect in 2005.

In its just-released report to Congress, OCR said it has received 57,375 complaints of violations of the privacy rule since its 2003 effective date Of those, 52,339 (91 percent) have been resolved, and 5,036 (9 percent) remain open. The agency said it has received 803 security rule complaints since the rule took effect, and has resolved 577, or 72 percent, of them, leaving 226, or 28 percent, open.

According to language in the contract, "Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy, observation of compliance with regulatory requirements."

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established privacy and security standards for entities that handle personal health information (PHI). The American Reinvestment and Recovery Act (ARRA) of 2009 strengthened those standards and tightened accountability. Now the audits will test compliance.

KPMG hopes to conclude the process by the end of 2012.

The Final Rule expands the power of the Health and Human Services Secretary to impose civil penalties and fines, which will take effect on Nov. 30 for all HIPAA violations occurring on or after Feb. 18, 2009.

The minimum civil penalty per violation is now $100 for violations that would not normally be detected using due diligence but rises to $1,000 if the violation is "due to reasonable cause and not to willful neglect." Violations that are due to willful neglect and are subsequently corrected will be fined a minimum of $10,000, but that rises to $50,000 if no corrective action is taken.

No covered entity (or business associate, which are now treated the same as covered entities) can be fined more than $1.5 million for all violations of a single provision.

In the past, covered entities could block imposition of any fine if they showed they had no knowledge of the violation. That loophole has been closed, but fines can be avoided if an unknown violation is corrected within 30 days of discovery.

“This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules,” said Georgina Verdugo, director of HHS’s Office for Civil Rights, which oversees HIPAA’s privacy, security and breach notification rules.  

The increased penalties in the Final Rule are in addition to breach notification requirements announced earlier this year.

The HHS’s Office of Civil Rights (OCR) will be accepting public commentary on the Interim Final Rule until Dec. 29, 2009.