June 07, 2019
Last month, the U.S. Department of Health and Human Services (HHS) updated the penalties that providers, including organizations, individuals, and/or business associates, will face for violating the Health Insurance Portability and Accountability Act (HIPAA). These updates concern changes to the "culpability" aspect of HIPAA's penalties.
Under HIPAA and its counterpart, the Health Information Technology for Economic and Clinical Health Act ("HITECH"), as updated, providers face penalties for violations based on their level of "culpability" when committing the violation.
Tier One: The provider did not know and could not reasonably have known of the breach.
Penalties now capped at $100-$50,000/violation, capped at $25,000/year the issue persisted.
Tier Two: The provider "knew, or by exercising reasonable diligence would have known" of the violation, but the provider did not act with willful neglect.
Penalties now capped at $1,000-$50,000/violation, capped at $100,000/year the issue persisted.
Tier Three: The provider acted with "willful neglect" and corrected the issue causing the violation within a 30-day time period.
Penalties now capped at $10,000-$50,000/violation, capped at $250,000/year the issue persisted.
Tier Four: The provider acted with "willful neglect" and failed to make a timely correction.
Penalties now capped at $50,000/violation, capped at $1.5 million/year the issue persisted.
"Willful neglect" is defined as a "conscious, intentional failure or reckless indifference to the obligation to comply" with HIPAA requirements.
The most common violations that providers encounter will occur under Tier One or Tier Two. These are also typically the tiers where violations occur because providers failed to implement, review, or revise their HIPAA policies and procedures. Importantly, last year HHS collected a record amount of penalty payments from providers for HIPAA violations, totaling almost $29 million.
Always remember: Under HIPAA, no matter how small a PHI breach, providers and business associates are required to notify patients, HHS, and possibly the media. This requirement applies regardless of whether one patient or 1 million patients were affected.
Based on these changes and potential penalties, this is a great time for providers to take the following steps to ensure that the risk of HIPAA violations is kept to a minimum.
1. Review and revise (or otherwise implement) their HIPAA compliance plan policies and procedures and Notice of Privacy Practices.
2. Ensure all employees and contractors have received training on HIPAA requirements.
3. Review or implement the system and procedures for recognizing and reporting HIPAA violations.
4. Review and revise all business associate agreements to ensure compliance with current rules and regulations. If providers have not revised their business associate agreements since 2013, the agreements are no longer compliant with the new business associate rules that were passed in 2013 and new agreements will need to be drafted and signed.
As part of the Patient Protection and Affordable Care Act, all providers enrolled in the Medicare, Medicaid, and CHIP programs are required to implement compliance programs. Importantly, the Office of Civil Rights retains the right to audit providers' compliance programs, with 88 areas of compliance identified under the HIPAA Privacy and Breach provisions. These areas of compliance are further divided into Required and Addressable protocols. Required protocols are those which a provider must adopt. Addressable protocols are those for which a provider must assess whether each implementation specification is a reasonable and appropriate safeguard for its environment and practice. If a provider decides not to implement a certain safeguard, it must document why it has come to the conclusion not to adopt it and, if necessary, implement an equivalent alternative. Investigators reserve the right to request this rationale if a safeguard is not implemented.
If you need additional assistance regarding implementation or review of compliance plans, HIPAA training, or HIPAA breach analysis and notifications, please do not hesitate to contact Bryan E. Meek, Esq. (330-253-5586 or firstname.lastname@example.org), who is an attorney in Brennan, Manna & Diamond's Provider Relations, Audits, and Appeals Unit, a division of BMD's Healthcare Department.
This Week's Audit Tip Written By:
Bryan Meek, JD
Bryan is an Attorney in Brennan Manna & Diamond's Health Law Department and Labor & Employment Department.