HIPAA Help Now! @ RegulatoryPro.us  Your Total HIPAA Compliance Solutions provided by HIPAA expert Tim McGuinness, Ph.D.

HIPAApedia
An in-depth guide to key features of the United States Health Insurance Portability & Accountability Act (HIPAA) of 1996 and the Administrative Simplification Rules

 

Enforcement & Penalties

We all know that HIPAA / ASCA are Federal laws, subject to enforcement.  It is important to understand how enforcement might occur, so as to understand the risks of non-compliance.  In general, Federal enforcement will be focused (based upon discussions with CMS/OCR) on the more significant compliance violations, and clearly common sense and good faith efforts play a huge role.  However, there are more mechanisms for enforcement than just the Federal Government!
 

Federal & State Enforcement

HIPAA permits both Federal and State enforcement of HIPAA violations:

GENERAL PENALTY FOR FAILURE TO COMPLY WITH REQUIREMENTS AND STANDARDS (unintentional violations):

SEC. 1176. (a) GENERAL PENALTY

(1) IN GENERAL.--Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

(2) PROCEDURES.--The provisions of section 1128A (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.

(b) LIMITATIONS

(1) OFFENSES OTHERWISE PUNISHABLE.--A penalty may not be imposed under subsection (a) with respect to an act if the act constitutes an offense punishable under section 1177.

(2) NONCOMPLIANCE NOT DISCOVERED.--A penalty may not be imposed under subsection (a) with respect to a provision of this part if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.

(3) FAILURES DUE TO REASONABLE CAUSE.--

(A) IN GENERAL.--Except as provided in subparagraph (B), a penalty may not be imposed under subsection (a) if--(i) the failure to comply was due to reasonable cause and not to willful neglect; and (ii) the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.

(B) EXTENSION OF PERIOD.-- (i) NO PENALTY.--The period referred to in subparagraph (A)(ii) may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply. (ii) ASSISTANCE.--If the Secretary determines that a person failed to comply because the person was unable to comply, the Secretary may provide technical assistance to the person during the period described in subparagraph (A)(ii). Such assistance shall be provided in any manner determined appropriate by the Secretary.

(4) REDUCTION.--In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty under subsection (a) that is not entirely waived under paragraph (3) may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.

SUMMARY

  • Each violation: $100.
  • Maximum penalty for all violations of an identical requirement: may not exceed $25,000.00 per year.

Examples:
  • One piece of paper left on a desk during an audit: $100
  • One open door: $100
  • One system left unattended while logged in: $100*
  • Policies and procedures with compliance errors or minor omissions: probably $100*

Wrongful or Negligent Disclosure of Individually Identifiable Health Information:

HIPAA SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part--(1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).

 

(b) PENALTIES.--A person described in subsection (a) shall -- (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

SUMMARY

  • Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both.
  • Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both.
  • Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.

The term 'knowingly' or 'should know' means that a person, with respect to information, "(A) acts in deliberate ignorance of the truth or falsity of the information; or (B) acts in reckless disregard of the truth or falsity of the information, and no proof of specific intent to defraud is required."  Refer to Subtitle D - Civil Monetary Penalties.

Examples:
  • Management knowingly allows patient information to be displayed on an unattended system where unauthorized individuals can view or access it: $50,000.00*
  • Provider provides no HIPAA awareness training for its employees: $50,000.00*
  • Business Associate fails to comply with Privacy Rule requirements, and the covered entity knowingly disregards enforcement of business associate agreement requirements: the covered entity is liable for $50,000.00*
  • A provider or local government incorrectly views itself as exempt from HIPAA, or (through documentation) declares intent not to comply: $50,000.00 per PHI stored, managed, or transmitted.

* Based upon examples, commentary, and discussion provided by CMS


Enforcement Agencies

Both the Federal Government and the individual states may enforce HIPAA.  Additionally, states will enforce their own laws that apply with separate penalty structures.  Therefore the two principal agencies for enforcement will be:

  • DHHS Office for Civil Rights
  • State Attorneys General

Additionally, HIPAA compliance is a requirement for participation in the Medicare and Medicaid programs, so failure to comply can result in loss of participation and billing privileges.  There has also been discussion of the Centers for Medicare and Medicaid maintaining a HIPAA non-compliance blacklist, similar to those maintained by the FDA.

CMS has stated that all Medicare transactions must be electronic and in compliance with HIPAA's requirements by the end of 2003.  Therefore, non-compliant transactions would be rejected.


Other Enforcement Methods

HIPAA also permits civil litigation (in state court under tort standards of care) in the event of Privacy and Security violations that result in damages to a Patient.  This is widely expected to be the area of greatest risk and liability.

  • Whistle Blowers – who earn a bounty on fines!
    These individuals can identify violators to both the government enforcement agencies and to patients whose rights have been violated.  Federal labor regulators prevent retaliation against whistle blower employees who take these actions.  Additionally, whistle blowers may potentially receive a bounty from the government as a percentage of fines levied (as defined in HIPAA Title II Subtitle A).
  • Suspension from Medicare Payment
    A covered entity may, due to its actions, be suspended from receipt of Medicare payments for services for a period of up to 3 years.
  • Civil Litigation
    It should be expected that litigation will result from poor compliance or non-compliance.  Litigators will use HIPAA to further other litigation goals in State Court, as well as to enforce HIPAA directly on behalf of clients who may have been damaged, citing it as a higher Standard of Care requirement.  Probable approaches include:
    • Tack-on to Malpractice Suits
      Where litigators will use HIPAA violations as a means to demonstrate poor conformance with policy and procedural requirements.
    • Privacy Suits – simple & punitive damages!
      In this case, fines and awards would follow the law, with potential significant punitive damages.
    • HIPAA Compliance Suits in the Public Interest!
      This would be attorneys who litigate in the public interest, asking the court to impose fines for non-compliance, and who are rewarded with attorney's fees for their effort.  This is based upon the opinions of select attorneys only, and to our knowledge, has not been proven or validated by any known court to date.
Please note:  
While there is not a clear right to a "Private Cause Of Action" under HIPAA, there is a general consensus in the industry that plaintiffs will sue under their state tort law, such as the right to privacy.  The Federal statutes will be alleged to be the standard of care below which the covered entity fell, and if a breach of the rules and subsequent damages result, all of the elements for a tort claim will be met.

These represent possible scenarios only, until precedent and case law clarify them.  However, HHS agencies have already engaged in aggressive HIPAA Title 1 compliance enforcement, as well as under Medicare.

Please note:  
Entities that are living under CIAs (Corporate Integrity Agreement with the OIG resulting from Medicare/Medicaid irregularities) are at high risk for scrutiny AND enforcement!

As always, you need to explore your risks and liabilities with your attorney!  Please feel free to have your attorney contact us - we provide risk assessment and management services as well!

Compliance Is Required

  • It is a cost of doing business!
  • Failure to comply IS expensive!
    • Heavy Fines
    • Jail Terms
    • High Liability
    • Business Disruption!
    • Customer/Patient/Business Partner Impact

 

Please consider:  
Imagine the business disruption that a civil privacy litigation could produce!  Since it would be both an exploration of your policies and procedures, as well as their implementation and training practices, virtually every aspect of your business could be subject to discovery!  The time and effort to defend an egregious non-compliance violation would probably be several times the effort to achieve and maintain reasonable compliance!

 


 

Please note:  
We recognize that HIPAA, ASCA, and other regulations and statutes are law, and that all interpretation of law should involve licensed attorneys in good standing with their local Bar Association.  No matter which services firm you select, be sure that their work is performed under the requirements of your state, in conformance with the law, and reviewed by your own attorney for your protection.  It is the covered entity that bears ALL liability for compliance with these laws.


This website, webpage, and linked documents do not constitute legal advice and are for educational purposes only.  The provider (Tim McGuinness, Ph.D.) accepts no responsibility for their accuracy, review, distribution, or use in any way.  This website, webpage, and/or linked documents are based on currently understood HIPAA, ASCA, and/or Federal, State, and Local statutes, rules, regulations, standards, and/or implementation guides, and are subject to change without notice as HIPAA/ASCA rules and regulations change or as subsequent interpretive guidance is issued by courts or other bodies.  You assume responsibility for understanding this material and its applicability and/or use.  This website, webpage, and/or linked document is designed to conform with HIPAA/ASCA rules as understood and may need to be interpreted by your attorney as needed to conform with state law where that state law is more stringent than the federal rules or those of another state; your use of this information must always be reviewed and approved by your own attorney prior to use.  Please refer to our Terms and Conditions page for additional limitations and restrictions.