Health Care E-Bulletin: HIPAA Enforcement is Here!
February 23, 2006
Over the last few years, a significant number of our health care provider-clients have put HIPAA compliance on the back burner because of the government's delay in issuing final rules on non-compliance penalties. However, on February 16, 2006, the U.S. Department of Health and Human Services published a final rule regarding the enforcement provisions relating to HIPAA (the "Enforcement Rule"). The Enforcement Rule applies to all of the "administrative simplification" regulations (including the HIPAA Privacy and Security Rules) and takes effect almost immediately, on March 16, 2006. The Enforcement Rule clarifies that only "covered entities" (as defined in the HIPAA rules, and which include most physician practices, hospitals and other health care providers) are subject to enforcement actions for HIPAA violations. Thus, for instance, a business associate of a covered provider generally is not subject to enforcement by the government for HIPAA violations. The Enforcement Rule makes it clear, however, that a covered provider may be held responsible for any Privacy or Security Rule violations committed by its agents, including workforce members and such business associates. For this reason, it is important that covered providers adopt and maintain HIPAA-compliant policies and procedures, provide ongoing training for members of their workforce, and have in place HIPAA-compliant agreements with all of their business associates. Further, to avoid liability for the acts or omissions of such business associates, covered providers must take steps to cure or end any known breaches of those agreements.
HIPAA enforcement is primarily a complaint-driven process. The Enforcement Rule allows any person--such as a dissatisfied patient, a disgruntled employee, or a disappointed vendor--to submit a written complaint to the government if that person believes a covered provider is not complying with the HIPAA provisions. Upon receiving a complaint, the government will investigate and attempt to resolve the matter by informal means, such as allowing the covered provider to demonstrate compliance. If compliance is not shown, the covered provider likely will be asked to submit an acceptable corrective action plan that outlines the steps to be taken to become compliant. If the corrective action plan is approved by the government and implemented, the investigation stops and no further action is taken. On the other hand, if the government and the covered provider are unable to resolve the matter informally, the government may impose a civil money penalty. However, not every instance of non-compliance will lead to penalties. A covered provider generally will not be subject to civil money penalties for HIPAA violations if it can show that the violation occurred despite reasonable efforts to be in compliance.
Civil money penalties for HIPAA violations may not exceed $100 per violation--which might be construed as a separate violation for each patient not properly handled--and not more than $25,000 in the aggregate for identical violations in a given calendar year. In determining the amount of any civil money penalty, the government will consider, among other factors, the circumstances under which the violation occurred, the degree of culpability of the covered provider, and the provider's history of prior compliance with the HIPAA rules. The Enforcement Rule goes on to detail numerous formal notice and procedural steps that must be taken before a penalty is imposed. Additionally, there are avenues to formally appeal (up to federal court) after a penalty is imposed. Clearly, however, "winning" a HIPAA penalty appeal--especially if it takes several layers of appeal--may come at the expense of considerable lost time and cost. The Enforcement Rule therefore should serve to reinforce to covered providers (and others) that (i) HIPAA violations are now a serious matter, and (ii) taking the steps to become (and stay) HIPAA-compliant is the best way to avoid costly future penalties. Covered providers should take the issuance of the Enforcement Rule as an opportunity to review their HIPAA compliance program, including their policies and procedures, training programs, and business associate agreements. If updates or supplements are needed--and many clients have put them off--now is the time to put them into effect.
Several attorneys in our Health Care Practice Group have significant experience in HIPAA compliance matters with covered entities of all shapes and sizes, as well as with business associates of such covered entities. So, as needed, please feel free to call the Taft attorney with whom you work most often or any of the Health Care Practice Group members listed to the right of this bulletin.