The federal health care privacy statute or HIPAA (Health Information Portability and Accountability Act) is no longer a new acronym – either in the medical profession or in general society. Like Medicare, ObamaCare and other contemporary healthcare developments it is familiar to most citizens. And most healthcare professionals have at least a passing knowledge of the basic requirements of the HIPAA Privacy Rule.
But what is not so well known are the penalties – both monetary and otherwise – that can be imposed if the HIPAA Privacy Rule or Security Rule are violated. Thus, the purpose of this article is to briefly summarize those potential sanctions and the process by which they are investigated and, ultimately, enforced.
HIPAA sanctions can be civil, criminal and, theoretically, both. While somewhat complicated, the procedure for determining the scope of the penalty is designed to be commensurate with the facts and circumstances surrounding the violation. While to some the penalties may seem overly harsh, it cannot be said that the government has not fully informed us of those risks. See www.hha.gov/ocr/office. So it makes sense for those at risk to at least have a basic knowledge of how serious the penalties can be and to take steps to avoid them.
The Investigation Process
Complaints concerning violations of the HIPAA privacy or security rules are investigated by the Office of Civil Rights (OCR) of the United States Department of Health and Human Services. For a complaint to be investigated it must present facts which, if proven to be accurate, would violate either the HIPAA Privacy Rule or the HIPAA Security Rule. The former has been in effect since 2003 and the latter since 2005.
Ordinarily, the complaint must be filed with the Office of Civil Rights within 180 days of the date the filer either knew or should have known that the alleged violation occurred. However, this time limitation may be waived under certain circumstances.
Obviously, to be a valid complaint, it must assert a violation by a Covered Entity as that term is defined by HIPAA and its corresponding regulations. Any number of persons or entities can be Covered Entities but certainly a physician or physician group that electronically transmits health information as part of certain financial and administrative transactions comes within that definition.
If the Office of Civil Rights does notify you or your medical group that it is investigating a complaint alleging a violation of either the Privacy Rule or the Security Rule, it is imperative that immediate action be taken. Among the steps to be taken is making sure that any and all documents, in electronic form or otherwise, that may relate to what is being investigated be preserved and protected. Failure to do so could lead to other problems including the imposition of a penalty and, if imposed, the size of that penalty.
In general, the civil penalties increase significantly with the level of culpability. For example, is a nurse employed by a medical practice commits a HIPAA violation the penalty could be as little as $100 for that single violation or it could be as high as $50,000. In short, a huge difference.
In the above example, the minimum $100 penalty would only be available if the nurse did not know that she or he had actually violated HIPAA and, in addition, would not have known of that violation if he or she had used reasonably diligence.
On the other hand, if the violation occurred due to willful neglect but was then corrected within the required time frame, the penalty could be $10,000 for that single violation. But, if that same willfully negligent violation was not timely corrected, the penalty could increase to $50,000. To repeat, the penalty increases dramatically with the level of culpability.
Some healthcare providers remain indifferent about the consequences of a HIPAA violation investigation. This is a mistake. As noted above, the HIPAA privacy standards are enforced by the Office of Civil Rights (OCR) of the Department of Health and Human Services which has noticeably increased its HIPAA investigations in recent years.
Criminal prosecutions for violating the HIPAA statute have been less common than civil enforcement proceedings. Nevertheless, it is critical to understand that if a covered entity or any individual who knowingly obtains or discloses individually identifiable health information in violation of the administrative simplification provision of HIPAA can be fined up to $50,000 and can be imprisoned for up to one year or both. More egregious violations can result in even harsher monetary penalties and longer prison terms.
HIPAA criminal cases are prosecuted by the Department of Justice through any one of the 94 United States Attorneys’ Offices throughout the United States and its territories. And because criminal liability (i.e., conviction) is governed by the federal sentencing guidelines, the potential overall sanction (money and imprisonment) can be potentially very severe.
Moreover, the stakes for criminal violation just got higher. On September 9, 2015 the Department of Justice through Deputy Attorney General Sally Quillian Yates, announced that in the future the government would increase its focus on individual corporate employees as well as the entity itself. Although this is not a new concept in federal criminal prosecutions, and it remains to be seen how the Justice Department will apply the Yates Memorandum to HIPAA prosecutions, this renewed focus on individuals should not be ignored.
In addition to financial penalties and possible incarceration, under specific circumstances a healthcare provider could also be excluded from federal healthcare payment programs such as Medicare.
The above discussion clearly underscores the critical importance of having a well-designed HIPAA compliance plan and routine training to implement that plan. Regularly revising the covered entity’s compliance plan and training policies is, of course, also important. Mistakes are inevitable so the question to be asked is not whether a violation will happen, but when. In the author’s experience, if a covered entity has designed and implemented a robust HIPAA compliance plan, when the Office of Civil Rights comes knocking your chances of avoiding an expensive penalty are greatly enhanced, if not eliminated.