Health providers facing stiff HIPAA regulations

By Sylvia Hsieh

January 13, 2010

In the coming months, health care providers and contractors to the health industry can expect broader HIPAA coverage, beefed-up enforcement and stiffer civil penalties for violations.

Some of the changes have already taken effect; others will soon.

The changes to the Health Insurance Portability and Accountability Act were passed under the HITECH (Health Information Technology for Economic and Clinical Health) Act as part of the economic stimulus legislation earlier in 2009.

Steep new fines, which can reach $1.5 million, were clarified in an interim final rule from the Office for Civil Rights that took effect Nov. 30, 2009.

However, the rule did not elaborate on or alter the statutory penalties that technically went into effect upon enactment in February 2009, according to health care attorneys.

They are warning health care providers to expect a heavier hand on HIPAA enforcement.

“I think the Office for Civil Rights is staffing up to take a more proactive approach to enforcement,” says Kelly Hagan, a health care attorney and shareholder at Schwabe, Williamson & Wyatt in Portland, Ore., who noted that the statute also calls for the fines collected to be put back into more enforcement.

One major change is that employees of health care providers can be held personally (and criminally) liable for violations.

State attorneys general are also authorized to bring civil suits on behalf of a patient or other individual whose data is breached by a HIPAA violation to recover statutory penalties and attorney fees.

In addition, the statute requires that rules be promulgated within three years to allow individuals harmed by a HIPAA violation to receive a percentage of any civil monetary penalty, said Amy Fehn, an associate at Wachler & Associates in Royal Oak, Mich., who represents health care providers.

Hefty fines & fuzzy definitions

The new penalties for HIPAA violations are tiered based on “reasonableness” or “willfulness”:

  • $100 minimum per violation if the covered entity was unaware of the violation and would not have known by exercising reasonable diligence
  • $1,000 minimum per violation resulting from a “reasonable cause”
  • $10,000 minimum per violation for “willful neglect” that is corrected
  • $50,000 minimum per violation for “willful neglect” that is not corrected

Fines for multiple violations of an identical provision max out at $1.5 million per calendar year.

But attorneys say the definitions are fuzzy.

For example, in order to show that a violation resulted from a “reasonable cause,” a covered entity would have to show that it was unreasonable to comply with the rule, said Fehn.

“That’s going to be a tough standard,” said Fehn, although she added that it might be possible to meet the standard if a covered entity did everything right but the violation occurred because of a rogue employee.

She also noted that while “willful neglect” could mean a conscious intentional failure, it could also mean “reckless indifference.”

Such an interpretation should worry small health care providers, many of whom do not have a policy in place.

“It’s a little fuzzy, and I would think a little bit scary to small providers because that is the maximum penalty. … If you don’t have a policy, is that considered to be reckless indifference? You could be on the hook for $1.5 million,” said Fehn.

Breach notification provisions

New breach notification provisions are another change to the rules.

If a breach of an individual’s protected health information occurs, a covered entity must notify the individual within 60 days.

The 60-day period starts running when an employee or agent of the entity realizes a potential breach, not when the provider determines after investigation that a breach has in fact occurred, said Fehn.

“As soon as an employee finds out, ‘Oh gosh, I sent a medical bill to the wrong address,’ that’s when the 60 days starts to run. … The problem is people often don’t want to report mistakes right away,” said Fehn.

Therefore, health care providers are strongly advised to have policies and training measures in place requiring employees to immediately report a suspected violation, she said.

Breaches involving more than 500 individuals, such as where a laptop or other mobile device containing private patient data is lost or stolen, must be reported to the Department of Health & Human Services and to a major media outlet in your area - in addition to notifying each of the individuals affected.

Entities must also keep a log of violations and report them within 60 days of the end of a calendar year.

A health care provider may not be required to report a breach if it determines the breach didn’t cause harm.

Such an example may occur where a bill was incorrectly sent but contained only an individual’s name, without additional private information, Fehn suggested.

“If you do risk assessment and decide there was not a great risk to the person of any kind of harm, technically you do not have to report it,” she said.

However, this exception has drawn protests from privacy advocates (and disagreement from some senators who wrote the HITECH Act) who say it should be up to the patient to decide if he or she was harmed, said Fehn. She noted that the provision may be changed in light of the controversy.

Even if the provision remains, a health care provider must weigh carefully whether to employ it.

This is because an entity could face a double penalty (the fines are “per violation”) - once for the privacy violation and again for not reporting it - if it turns out the violation should have been reported.

The breach notification provisions are in effect but will not be enforced until February 2010.

‘Business associates’ provision

HIPAA will directly cover “business associates” of covered entities beginning in February 2010.

Examples of entities that might fall under this newly regulated category are vendors to the health care industry, such as IT providers, billing and phone services, third-party administrators of health plans, and document or data storage companies.

“We’re getting a lot of calls from business associates,” said Fehn. “It’s the first time they’ve had to take [HIPAA] seriously. Before, it was just a contractual obligation [with the covered entity]. Now they will be subject to penalties.”

Questions or comments can be directed to the writer at: sylvia.hsieh@lawyersusaonline.com
