By Robert Portman, JD, MPP, and Samantha Marshall, JD, January 02, 2014

A rule that took effect a few months ago gives the Secretary of Health and Human Services more tools to enforce the HIPAA privacy and security rules and significantly increases the penalties for providers who breach those rules. On Jan. 17, 2013, the U.S. Department of Health and Human Services (HHS) released its final omnibus rule implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act) changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Thus, while HIPAA enforcement has already been on the uptick in recent years, the omnibus rule will likely increase the pressure on health care providers and other covered entities to understand and comply with the HIPAA rules.
What are the penalties for violating the HIPAA rules?
HIPAA penalties break down into civil and criminal. The omnibus rule raises the stakes in both areas.
For violations that occurred before the enactment of the HITECH Act on Feb. 17, 2009, the Secretary cannot impose a fine of more than $100 per violation, with a maximum of $25,000 for identical violations in a given year. For violations that occurred on or after Feb. 18, 2009, the omnibus rule finalizes the four levels of civil monetary penalties introduced by the HITECH Act, which depend on the level of culpability of the person violating the statute:
(1) Unknowing: The person who violated the privacy or security provisions of HIPAA did not know, and by exercising reasonable diligence would not have known, that she had violated HIPAA. Such violations are subject to a $100 to $50,000 penalty per violation, not to exceed $1.5 million for all violations of an identical provision in a calendar year.
(2) Reasonable cause: The violation was the result of “reasonable cause” as opposed to “willful neglect” (defined below). Reasonable cause is defined as a situation where a provider knew, or by exercising reasonable diligence would have known, that it was violating HIPAA, but did not act with willful neglect; in practice, the provider took reasonable steps to comply but was unable to do so despite exercising ordinary business care. Providers who violate HIPAA intentionally or due to willful neglect are not considered to have had “reasonable cause.” It is important that providers take corrective action for suspected reasonable cause violations as soon as they are able so that these violations are not treated as willful. HHS has illustrated the “reasonable cause” provision with the case of a provider that, despite having compliant policies in place, did not respond in a timely fashion to a patient’s request for access to her records because of an unusually high volume of access requests. The provider responded to the majority of the requests during the period in question and subsequently continued to respond in a timely manner to future access requests. In this example, HHS noted that because the provider acted in a good faith attempt to comply with the law, the violation was the result of reasonable cause. Had the provider not attempted to address the backlog of requests, the violation could have risen to willful neglect. Reasonable cause violations are subject to a $1,000 to $50,000 penalty per violation, not to exceed $1.5 million for all violations of an identical provision in a calendar year.
(3) Willful neglect — corrected: Willful neglect is a “conscious” or “intentional” failure to comply with HIPAA, or reckless indifference to the obligation to comply. This tier applies where the violation resulted from willful neglect but was corrected within 30 days of the date the person knew, or by exercising reasonable diligence would have known, of the violation. Such violations are subject to a $10,000 to $50,000 penalty per violation, not to exceed $1.5 million for all violations of an identical provision in a calendar year.
(4) Willful neglect — not corrected: The violation was the result of willful neglect and was not corrected within 30 days of the date the person knew, or should have known, of the violation. Such violations are subject to a penalty of $50,000 per violation, not to exceed $1.5 million for all violations of an identical provision in a calendar year.
These $1.5 million limits are caps per identical provision per calendar year, not caps on a provider’s total exposure. A provider could be subject to more than $1.5 million in fines if it violates several different provisions of HIPAA or does so on multiple occasions. For example, if in January of 2014 an employee of a provider loses a laptop that contains protected health information (PHI), and then in April of that year a different employee of the same entity is caught going through patient records without any reason to be looking at them, HHS would likely treat these as two separate incidents involving different provisions. Each on its own could cost the provider up to $1.5 million.
Within the tiered structure, the Secretary has discretion to determine the penalty for an individual provider who has violated HIPAA, subject to a list of factors outlined in the omnibus rule. These factors include:
(1) The nature and extent of the violation, including the number of people affected and for how long the violation occurred;
(2) The nature and extent of the harm caused by the violation, including physical, financial, and reputational harm as well as whether this harm made it difficult for an individual to get health care;
(3) The history of the provider’s compliance with HIPAA, including whether the current violation is similar to a provider’s past violation(s), whether the provider tried to fix the problem, and how the provider has responded to help from the Secretary over HIPAA compliance issues or other HIPAA complaints in the past; and
(4) The provider’s financial circumstances, including whether these circumstances made it difficult for the provider to comply with HIPAA or whether a fine would make it difficult for the provider to continue providing health care.
Any one of these factors could reduce or increase a civil monetary penalty imposed under the omnibus rule. It is important, should a violation occur, to minimize the consequences of that violation as much as possible by having a solid compliance plan in place and to document all compliance efforts.
Initial responsibility for enforcing the HIPAA rules falls with the HHS Office for Civil Rights (OCR). OCR has significantly expanded HIPAA enforcement activity since the passage of the HITECH Act in 2009. Moreover, OCR awarded a $9 million contract to KPMG to audit HIPAA compliance by providers and their business associates. Those audits are ongoing, and early results indicate that this model is an effective means for OCR to monitor HIPAA compliance across a wide range of entities.
Because of the strength of the HIPAA penalties and the extensive discretion given to the Secretary to determine the amount of a penalty, most providers subject to HIPAA enforcement actions have ultimately settled with OCR. Though this makes it difficult to know the precise circumstances of such settlements — i.e., whether a provider was being penalized for unknowing violations vs. reasonable cause or willful neglect violations — it is clear that providers are now subject to huge fines under HIPAA in addition to being subject to burdensome Corrective Action Plans (CAPs) imposed by the Secretary. (Cases that do not settle can result in a civil monetary penalty imposed by the Secretary; conduct that may be criminal is referred to the Department of Justice for prosecution.)
For example, Shasta Regional Medical Center (SRMC) agreed on June 13, 2013 to settle HIPAA Privacy Rule violations for $275,000 and submit to a CAP after two senior employees discussed a patient’s PHI with, and sent letters to, the media without authorization, and after SRMC sent an email to all SRMC employees again describing this patient’s medical diagnosis and treatment. OCR became aware of these violations after seeing a Los Angeles Times news article discussing this patient’s information.
On Sept. 17, 2012, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) settled a possible HIPAA privacy and security violation for $1.5 million and submitted to a CAP. MEEI had submitted a breach report to OCR about a lost laptop containing ePHI. After an OCR investigation, the agency determined that MEEI had insufficient protections in place against the loss of ePHI on portable devices.
Finally, on April 13, 2012, Phoenix Cardiac Surgery, P.C. (PCS) settled its violations of the HIPAA Privacy and Security Rules for $100,000 and agreed to be subject to a CAP. PCS had been using a publicly available Internet calendar to post over 1,000 patient appointments at its offices, had transmitted ePHI through an Internet-based email service, and had established only minimal policies and procedures to protect its patients’ ePHI. The SRMC, MEEI, and PCS cases are examples of the kinds of inadvertent — yet costly — breaches that providers can commit if they are not thorough in developing their internal employee policies and training. These providers’ experiences are a cautionary tale that should encourage others to be even more diligent in implementing HIPAA compliance procedures.
HIPAA also provides for criminal penalties for violations concerning individual identifiable health information based on three levels:
(1) Knowledge: Persons who knowingly obtain, use, or disclose individually identifiable health information in violation of HIPAA can be subject to a fine of no more than $50,000 and/or imprisonment for up to one year. The Department of Justice, which enforces HIPAA’s criminal provisions, has clarified that “knowingly” in this context requires only knowledge of the facts that make up the offense, not knowledge that the conduct violates HIPAA.
(2) False pretenses: Persons who violate HIPAA under false pretenses could be subject to a maximum $100,000 fine and/or imprisonment of up to five years.
(3) Intent: Persons who intentionally sell, transfer, or use PHI for commercial advantage, personal gain, or to cause malicious or serious harm can be subject to a criminal fine of no more than $250,000 and/or up to 10 years imprisonment.
The omnibus rule didn’t actually increase or otherwise change these criminal penalties, but it did give the Secretary more flexibility to impose a civil monetary penalty on a provider that has engaged in conduct that could have been subject to criminal prosecution.
Just as providers have been increasingly subject to civil monetary enforcement, so too the government has been more active in bringing criminal enforcement actions against HIPAA violators. On Oct. 20, 2011, Paul C. Pepala, an employee of Shadyside Hospital, received a sentence of probation for one year under HIPAA for knowingly releasing Shadyside patient names and social security numbers to the public, which were then used by others to file false tax returns in 2008. In 2010, Huping Zhou, MD, a licensed cardiothoracic surgeon, was sentenced to four months in prison under HIPAA for reviewing patient records without authorization while working as a researcher at UCLA in 2003.
What is important about these criminal convictions is that they concern breaches that could happen in almost any hospital if providers are not thorough in their training and oversight of employees. Even where the hospitals themselves were not fined for these violations, such conduct can be incredibly damaging to patient trust in the populations they serve, and if not corrected it could lead to further violations and aggravated civil fines down the line.
Should providers only be worried about the feds?
While previously only HHS could bring HIPAA enforcement actions, the HITECH Act (as implemented by the omnibus rule) authorizes state attorneys general to pursue HIPAA violations as well. State attorneys general can also pursue these violations using state consumer protection laws and often bring a combination of HIPAA and state legal enforcement action against providers. (Note that individuals cannot bring a civil action under HIPAA, but they can bring cases under state privacy laws.)
For example, on May 24, 2012, Massachusetts Attorney General Martha Coakley announced that South Shore Hospital had agreed to a consent judgment in state court for $750,000 after sending 473 unencrypted back-up tapes containing the PHI of over 800,000 individuals off-site to be erased. Two of the boxes went missing during transport, along with the PHI they contained. Coakley had previously filed suit against South Shore under both the Massachusetts Consumer Protection Act and HIPAA.
Are providers responsible for the actions of business associate contractors and vendors?
The omnibus rule makes providers more responsible for the actions of their business associates that violate HIPAA. Previously, providers were protected against being penalized for the activities of their business associates (i.e., vendors and certain other contractors that handle PHI for health care providers and other covered entities) so long as they had an appropriate contract with their business associates in place. Now, regardless of the existence of a business associate contract, if the business associate is acting as an agent of the provider (i.e., the provider controls the activities of its business associate), the provider may be liable for a penalty for HIPAA violations by that business associate. Thus, it is now more important than ever to ensure that business associates are HIPAA-compliant and are handling PHI appropriately. To this end, providers should add provisions to their business associate agreements that require proof of compliance with HIPAA, including requiring business associates to provide proof that they have conducted a risk assessment, implemented policies and procedures addressing administrative, technical, and physical safeguards, and provided HIPAA compliance training.
What can providers do to reduce the risk of HIPAA violations/penalties?
With the full implementation of the expanded liability rules and penalty structure under the omnibus rule, coupled with increased audits, civil and criminal enforcement actions are likely to become more frequent and more costly in the future. It only takes one slip-up for a provider to find itself on the wrong side of an embarrassing data breach and a corresponding federal or state investigation. Sound HIPAA policies and procedures, a vigorous commitment to following them, and good employee training programs are the best recipe for avoiding a HIPAA disaster.
The Academy provides additional guidance on HIPAA as well as manuals to help dermatology practices comply. To learn more, visit www.aad.org/hipaa.