The trend toward heightened regulation and enforcement of the privacy and security requirements under the Health Information Portability and Accountability Act (“HIPAA”) and under other state and federal health privacy laws continued in 2012. Although there have not been any significant changes to federal health privacy laws this year, federal enforcement activity continues to be strong.
Recent actions taken by the Department of Health and Human Services (“HHS”) suggest that HHS’s approach to regulating health information privacy and security is continuing to shift in the direction of enforcement as another way to send a message about the importance of voluntary compliance. In 2012, HHS’s Office of Civil Rights (“OCR”) entered into a number of highly publicized settlements with HIPAA covered entities (“Covered Entities”) stemming from alleged violations of HIPAA. Also this past year, OCR launched a new HIPAA audit and compliance program (“Audit Program”), which it initially intends to use for information-gathering and compliance improvement purposes. In addition, HHS continues to promote better privacy and security practices, most recently by incorporating certain privacy standards relating to medical records access into its electronic health records (“EHRs”) incentive program’s eligibility requirements.