Meet the provisions of the HIPAA Privacy, Security, and Breach Notification Rules or prepare to pay the price.
Ignorance of your legal obligations under HIPAA is not a justifiable excuse for failing to implement reasonable and appropriate safeguards.
Covered entities have had sufficient time to establish effective HIPAA compliance programs — so much time, in fact, that you shouldn’t expect leniency. As recent HIPAA headlines demonstrate, getting strapped with substantial penalties doesn’t require a data breach or even a filed complaint.
The most common HIPAA violations result from a few poor choices — neglecting to perform an organization-wide risk assessment, failing to follow up the risk assessment with organization-wide risk management, failing to put a HIPAA-compliant business associate agreement in place, disclosing PHI without authorization, and exceeding the 60-day deadline for issuing breach notifications.
Any one of these choices, whether deliberate or unintentional, can compromise your patients’ protected health information (PHI) and financially sink your organization.
For most covered entities, federal enforcement of the Privacy Rule began in 2003. The Office for Civil Rights’ (OCR) enforcement activities have since improved the privacy practices of covered entities and the privacy protection of health information, achieving the latter through corrective actions it has obtained.
The requirement for HIPAA covered entities to comply with the Security Rule came into effect in April 2005. OCR assumed enforcement of the Security Rule in July 2009. Thus, OCR has been overseeing compliance with both Privacy and Security Rules for roughly a decade.
In addition to levying stiff civil monetary penalties on organizations that fail to uphold the standards prescribed in HIPAA laws, OCR typically issues a corrective action plan (CAP) to noncompliant organizations to ensure they resolve their security issues.
CAPs play a critical role in preventing future HIPAA violations. They’re also expensive to fulfill, as you might imagine. Not only do CAPs frequently take years to complete, but they also often require an organization to hire additional staff and purchase new technologies — in the wake of paying a hefty fine.
Tip: Invest in necessary staff, training, and technologies on the front end. Paying the price to do business in accordance with the law is less costly than operating outside the law.
The second federal enforcer of HIPAA compliance is the Department of Justice (DOJ). At OCR referral, the DOJ pursues cases with suspected criminal violations. After referring such cases to DOJ for criminal enforcement, OCR works in tandem with the DOJ, as follows:
Beyond federal prosecution, state attorneys general can file civil actions with US district courts. Endowed with authority by the Health Information Technology for Economic and Clinical Health Act (HITECH), state attorneys general can pursue monetary penalties for the exposure of PHI of state residents. Worse, an organization responsible for exposing the PHI of residents from multiple states may be ordered to pay fines to attorneys general in multiple states.
In 2013, to align with penalties under the HITECH Act, the HIPAA Omnibus Rule introduced a new penalty structure, as well as new definitions relating to HIPAA violations. To fully grasp this new penalty system, you must understand three pivotal terms:
As you might infer from the above definitions, unintentional HIPAA violations can incur CMPs. Anything from lacking a risk assessment to failing to adhere to aspects of the HIPAA Security Rule could amount to factors prompting OCR to dole out punishment for a data breach or reported risk of data breach.
After an unencrypted, non-password-protected Blackberry went missing, the Children’s Medical Center of Dallas paid $3,217,000 in a 2017 OCR HIPAA settlement, ranking as the year’s costliest violation.
In 2018, the University of Texas MD Anderson Cancer Center paid $4.3 million after three of its unencrypted devices were lost. MD Anderson had an encryption policy in place several years before its unencrypted devices went missing.
Tip: It’s just a matter of time before a vulnerability becomes a violation. Implement all measures prescribed by your risk assessment without delay.
By failing to encrypt devices that contained e-PHI, MD Anderson sidestepped its own risk assessment. “MD Anderson’s dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of e-PHI, a risk that MD Anderson not only recognized, but that it restated many times,” said the OCR Notice of Determination.
CMPs for HIPAA violations are assigned via a tiered civil penalty structure. The secretary of the Department of Health and Human Services (HHS) has discretion to determine the amount of the penalty based on the nature and extent of the violation and the nature and extent of the injury it caused. In other words, the CMP imposed on the responsible party will be proportionate to the level of negligence and the severity of the HIPAA violation. Take a look at the table below, which shows the violations and penalties spelled out in the Federal Register.
| Tier | HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|---|
| 1 | Unknowing | $100 per violation, annual maximum of $25,000 for repeat violations | $50,000 per violation, annual maximum of $1.5 million |
| 2 | Reasonable cause | $1,000 per violation, annual maximum of $100,000 for repeat violations | $50,000 per violation, annual maximum of $1.5 million |
| 3 | Willful neglect, violation is corrected within the required time* | $10,000 per violation, annual maximum of $250,000 for repeat violations | $50,000 per violation, annual maximum of $1.5 million |
| 4 | Willful neglect, violation not corrected within the required time* | $50,000 per violation, annual maximum of $1.5 million | $50,000 per violation, annual maximum of $1.5 million |
* “Required time” in most cases means within 30 days of when the violation is known or should have been known with reasonable diligence.
The secretary is prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days, a period that may be extended at HHS’ discretion.
Regarding maximum penalties capped at $1.5 million for a given year, note that both the Children’s Medical Center of Dallas and MD Anderson settlements were substantially higher, at $3.2 million and $4.3 million respectively. If you’re wondering how these organizations came to pay above the annual cap, look closer at the payment structure. The cap applies to a single violation category occurring in a given year. Also, if violations went undiscovered and continued over several years, the annual cap is cumulative across those years, as was the case with MD Anderson. The administrative law judge (ALJ) upheld OCR’s determination of $4,348,000 in penalties, based on each day of MD Anderson’s noncompliance with HIPAA.
Inflationary Adjustment: In 2016, HHS raised baseline fines to account for inflation. The new penalties can be found in an interim final rule published in the Federal Register. These changes are applicable to violations occurring after November 2, 2015.
With inflationary adjustments, the maximum amount each HIPAA violation may cost in CMPs is as follows:
As mentioned earlier, you should note that state attorneys general can pursue civil actions in addition to these CMPs.
Be sure to join us later this week when we home in on HIPAA’s Privacy Rule and what constitutes a criminal violation.
Download your FREE copy of What Your Practice Must Know About the HIPAA Privacy & Security Rules to build on your baseline knowledge of HIPAA compliance and effectively train your team.
Rely on TCI’s best-in-class HIPAA compliance handbook — the HIPAA Handbook 2018 — to establish robust policies, procedures, and employee training. Our nationally recognized HIPAA compliance experts lay out best practices and walk you step-by-step through the dos and don’ts of compliance. We also address new target areas and introduce you to tools to nail down risk assessments, tighten up your EHR privacy and security, reassess your risk analysis plan, prep for audits, and more.
Stay on top of evolving regulations, new technologies, and security threats with current, to-the-point guidance in your monthly subscription to Health Information Compliance Alert. In every issue, our experts tackle challenging security scenarios across the spectrum of health IT to keep you in the know, help you train your staff, and equip you to implement protocols to preserve the integrity of your practice.