Is HIPAA enforcement getting any stronger?

Following the disclosure in November that employees at University Medical Center of Southern Nevada (UMC) have been sending patient information outside the hospital to personal injury lawyers and other outsiders, the FBI opened a criminal investigation into the systematic leaks of patient data. According to reports in the Las Vegas Sun, one or more UMC insiders have been selling the daily patient registration forms from the hospital (including names, birth dates, social security numbers, and medical condition information) so that personal injury lawyers could solicit clients. With the high level of scrutiny on UMC after the leaks became public, it seems the hospital has a less than stellar record of complying with privacy laws, HIPAA in particular.

In an interesting take on the issue, a more recent article in the Sun suggests UMC shouldn’t be too concerned about the breach, noting the extreme rarity with which HIPAA violations have been punished in the years since the HIPAA Privacy Rule went into effect. HIPAA enforcement history is a matter of public record, and there is no question that the imposition of harsh penalties has been the exception rather than the rule. Among the provisions of the HITECH Act passed in February, however, was the strengthening of penalties for HIPAA violations. These stronger provisions are noted in the Sun article, but the prospect of criminal prosecution isn’t considered to be very likely. What this analysis overlooks is the specific language on HIPAA enforcement in the HITECH Act, which both requires a formal investigation and mandates the imposition of penalties in cases of “willful neglect” (HITECH Act Subtitle D, §13410). It’s not trivial for investigators to show willful neglect, particularly to prove that non-compliance was both known and ignored or insufficiently remedied in the past, but the early public information on this investigation suggests a long-term pattern of HIPAA non-compliance despite widespread awareness of HIPAA requirements by UMC staff. It seems that cases just like this are what the improved enforcement provisions of the law were intended to address.