Although it first took effect in 2003, the Department of Health and Human Services did not issue a civil monetary penalty for violation of the HIPAA Privacy Rule until late last month. Cignet Health, a health plan located in Temple Hills, Md., was ordered to pay $4.3 million for violating the Rule, only to be followed days later by Massachusetts General Hospital in Boston, which agreed to pay $1 million to settle allegations of Privacy Rule violations.
The Privacy Rule is considered to be one of HIPAA's most complex regulations — it sets the standards for how protected health information, in any form, should be controlled. HIPAA includes substantial civil and criminal penalties for violation of its provisions, with fines ranging from $100 per violation up to $250,000 and 10 years in prison.
Kimberly J. Kannensohn, a partner with the healthcare practice at McGuireWoods, says there have been various drivers for this new, aggressive enforcement climate. "All healthcare providers, and hospitals in particular, need to revisit HIPAA compliance efforts," says Ms. Kannensohn. Here are five things to know about the new enforcement climate under HIPAA.
1. Two converging factors are driving HIPAA enforcement. The first is the HITECH Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009. Addressing the privacy and security concerns with the electronic transmission of PHI, HITECH enhanced HIPAA enforcement once it went into effect. The second factor is the increased portability of health information, primarily through electronic devices. "Someone can walk out of their office with PHI on a flash drive, or have it on a laptop that is later stolen from their car," says Ms. Kannensohn. "This is the source of many of the inadvertent disclosures of PHI that we hear about from clients."
2. The Office of Civil Rights is becoming more proactive in its approach. Historically, the OCR had a reactive approach in its enforcement of HIPAA. "There were a few high profile cases, but proactive enforcement was more the exception than the rule," says Ms. Kannensohn. While Mass General's alleged violation of HIPAA (an employee leaving PHI on a subway while commuting to work) is egregious on its face, Ms. Kannensohn says it is important that hospitals do not assume that the OCR is limiting its enforcement to extreme cases. In this new climate, cases do not have to shock the conscience to be pursued by the OCR. "The approach overall now is to be more aggressive," says Ms. Kannensohn.
3. Hospitals need to revisit HIPAA compliance efforts. Given the breadth of hospital staff and volunteers, along with the volume of PHI accessible to staff, hospitals need to make sure HIPAA compliance efforts consist of more than a plan document. Entities often adopt a plan document, do a bit of training and then ease up on compliance efforts. "Now, because of the HITECH Act and this new enforcement approach, hospitals should review their compliance documents, update them, conduct training of all their staff and determine how often the hospital will conduct retraining," says Ms. Kannensohn. According to Ms. Kannensohn, this is particularly important in light of the HITECH mandate for the performance by the federal government of periodic audits of all covered entities, including hospitals.
4. A hospital's HIPAA compliance factors into its marketability. With an uptick in mergers, affiliations and integrations, a provider's HIPAA compliance can make or break a deal. "For example, as part of due diligence, hospitals need to evaluate the HIPAA compliance of the practice or provider they're looking to acquire," says Ms. Kannensohn. Otherwise, hospitals may be taking on potential liability. "HIPAA compliance should be part of any hospital's due diligence checklist."
5. There are numerous sources for the filing of HIPAA complaints. In contrast to the False Claims Act, which is somewhat esoteric and often invoked by disgruntled former employees who act as whistleblowers, HIPAA is a more commonly understood law that affects anyone who receives healthcare in the United States. Thus, under HIPAA, there are more potential sources for the filing of complaints. "A complaint may be filed by anyone, including a patient, a relative of a patient, a current employee or a former employee," says Ms. Kannensohn. Moreover, patients are specifically informed in each provider's notice of privacy practices of their right to file a complaint. Finally, as mentioned earlier, there is an incredible amount of portability with PHI, such as handheld phones, EHRs, laptops and flash drives, all of which increase the chances of wrongful disclosure. Thus, increased vigilance, good security systems and a robust and fully implemented compliance program are essential for hospitals seeking to avoid investigation or liability under HIPAA.
Learn more about McGuireWoods.
Read more about HIPAA:
- Massachusetts General Pays $1M to Settle HIPAA Violation Allegations
- Maryland's Cignet Health to Pay $4.3M for HIPAA Violation
- Protecting Patient Data to Protect Your Hospital: A Guide