The Health Insurance Portability and Accountability Act (HIPAA) has fundamentally changed the health care industry’s privacy and security practices. However, the federal government’s enforcement efforts historically have been complaint-driven and sporadic. As a result, HIPAA-covered entities and business associates typically have failed to make compliance a priority. In fact, in 2008, the federal Department of Health and Human Services Office of Inspector General published a report criticizing the government’s HIPAA oversight, concluding that, "reliance on complaints alone was ineffective" for identifying noncompliance.

The era of reactive and passive enforcement has ended, however. In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the American Recovery and Reinvestment Act. HITECH strengthened HIPAA’s enforcement provisions and increased the penalties for noncompliance. Most notably, it required the federal Department of Health and Human Services’ Office for Civil Rights (OCR) to conduct periodic HIPAA compliance audits rather than wait for complaints. HITECH also imposed new HIPAA privacy and security requirements and expanded those already in place. Since HITECH’s enactment, OCR has imposed civil monetary penalties in seven cases, whereas it did so in only two cases between 2003 and 2010.