(June 16, 2014): It has been over a year since the effective date of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) comprehensive modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement and Breach Notification Rules, commonly referred to as the Omnibus Rule. Covered entities were given until September 23, 2013, 180 days from the effective date, to come into compliance with most of the Rule's requirements. Halfway through the new year, many covered health care providers still have not met these requirements and are worried about becoming subject to the consequences of HIPAA non-compliance.
I. HIPAA Modifications:
HHS issued modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules to strengthen the privacy and security protections for individuals' health information. The modifications include:
- Making business associates of covered entities directly liable for compliance with certain HIPAA Privacy and Security Rules’ requirements;
- Strengthening the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibiting the sale of protected health information without individual authorization;
- Expanding individuals' rights to receive electronic copies of their health information, and restricting disclosures to a health plan concerning treatment for which an individual has paid out-of-pocket in full;
- Requiring modifications to, and redistribution of, a covered entity’s notice of privacy practices;
- Modifying the individual authorization and other requirements to facilitate research and the disclosure of proof of child immunization to schools, and to enable access to decedent information by family members or others; and
- Incorporating the increased and tiered civil money penalty structure provided by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
II. Consequences of HIPAA Non-Compliance:
How violations are counted for purposes of calculating a civil money penalty depends on the provision violated and the circumstances surrounding the noncompliance. Where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured protected health information, the number of identical violations of the Privacy Rule standard on permissible uses and disclosures is counted by the number of individuals affected. For continuing violations, such as a lack of appropriate safeguards against breaches of unsecured protected health information over a period of time, the number of identical violations of the safeguards standard is counted on a per-day basis. In many breach cases there will be both an impermissible use or disclosure and a safeguards violation, and HHS may calculate a separate civil money penalty for each.
The tiered penalty structure provides penalties ranging from $100 to $50,000 per violation, depending on the level of culpability, with a cap of $1.5 million per calendar year for identical violations of the same provision. Where a preliminary review of the facts indicates a possible violation due to willful neglect, HHS may proceed to civil money penalties without first attempting informal resolution. Criminal penalties for knowing violations range up to 10 years of imprisonment.
III. Examples of Penalties Resulting from HIPAA Non-Compliance:
A large health services company and a health plan have collectively paid HHS OCR $1,975,220 to resolve potential violations of the HIPAA Rules. The settlements arose from significant risks to the security of electronic protected health information, stemming from unencrypted laptop computers and other mobile devices. In addition to the settlement payment, the health services company agreed to adopt a corrective action plan describing how it will avoid such risks in the future. The health plan additionally agreed to provide HHS with an updated risk analysis and a corresponding risk management plan, and it is also required to retrain its workforce and document its ongoing compliance efforts.
In another recent case, two New York hospitals collectively paid $4.8 million to HHS OCR to settle charges of violating the HIPAA Rules. In addition to the payment, both are required to implement a corrective action plan. The organizations submitted a joint breach report to OCR after learning that the protected health information of 6,800 patients was accessible through Google and other internet search engines. The exposed data included patient status, vital signs, medications and lab reports.
IV. Final Remarks:
The penalties and accompanying requirements are steep, and the modifications move HIPAA enforcement away from the previous voluntary compliance framework and toward a penalty-based system. If covered entities have not yet come into compliance with the HIPAA modifications and established adequate safeguards, it is important that they do so as expeditiously as possible. Under the Rule's transition provisions, covered entities have until September 22, 2014 to bring all of their existing Business Associate Agreements and Subcontractor Agreements into compliance with the Rules.