Can Your Practice Afford to Pay $1,500,000 for HIPAA Violations?
Kathleen Quiroz and Jerry B. Cohen
M.D. News Magazine (January 2010)
If you have not recently performed an audit of your compliance with the HIPAA Privacy and Security Rules, now would be the time to do so. Several changes to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) in February 2009 have now been conformed by federal regulations issued by the Department of Health and Human Services (“HHS”) on October 30, 2009. Certain of these changes merit close scrutiny, especially those affecting HIPAA enforcement, fines and defenses.
HIPAA Enforcement Provisions
On October 30, 2009, HHS issued an Interim Final Rule to conform the enforcement regulations promulgated under HIPAA to the statutory revisions made by the HITECH Act. These changes strengthen the civil money penalty authority of HHS by (i) establishing categories of violations that reflect increasing levels of culpability; (ii) significantly increasing the civil money penalties that may be assessed by HHS; and (iii) abolishing or modifying affirmative defenses available to physicians and other covered entities.
New Civil Money Penalties Scheme
Prior to the HITECH Act, a medical practice that violated HIPAA was subject to a maximum civil money penalty of $100 per violation, with an annual cap of $25,000 for identical violations occurring during the same calendar year. HIPAA, as amended by the HITECH Act and conformed by the Interim Final Rule, now provides for a four-tiered civil money penalties scheme. Under the new scheme, the civil money penalties for violations occurring on or after February 18, 2009, range from a minimum penalty of $100 per violation to a maximum penalty of at least $50,000 per violation, depending on the level of culpability associated with the violation, with an annual cap of $1,500,000 for identical violations occurring during the same calendar year.
Tier One
Under this new scheme, a medical practice is subject to a minimum penalty of $100 per violation if it violates a provision of HIPAA and (i) did not know of its violation and (ii) would not have discovered its violation even if it had exercised “reasonable diligence.” These violations remain subject to a maximum penalty of $50,000 per violation and are subject to the cap of $1,500,000 for violations of the identical provision of HIPAA in the same calendar year. For purposes of the HIPAA enforcement rules, reasonable diligence means that the medical practice undertook the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Tier Two
Also under the new penalties scheme, if a medical practice violates a provision of HIPAA and that violation is due to circumstances that would make it unreasonable for the practice, despite the exercise of ordinary business care and prudence, to comply (defined in the HITECH Act as “reasonable cause”), the practice will be subject to a minimum penalty of $1,000 per violation. Again, these violations remain subject to a maximum penalty of $50,000 per violation and the cap of $1,500,000 for violations of the identical provision of HIPAA in the same calendar year.
Tiers Three and Four
If a medical practice violates a provision of HIPAA and that violation is shown to have arisen from a conscious, intentional failure or reckless indifference to the obligation to comply (defined in the HITECH Act as “willful neglect”), the penalties that may be assessed against the practice will vary depending on whether the practice corrected the violation within a prescribed 30-day period. The 30-day period begins on the first date the practice knew, or would have known by exercising reasonable diligence, that the violation occurred. If a practice corrects a violation due to willful neglect within this 30-day period, it will face a minimum penalty of $10,000 per violation, again up to a maximum penalty of $50,000 per violation. If the practice does not correct the violation within the 30-day period, it will face a minimum penalty of at least $50,000 per violation. In either case, the cap of $1,500,000 for violations of the identical provision of HIPAA in the same calendar year applies.
Affirmative Defenses
Recent changes to HIPAA have not only significantly increased the civil money penalties that may be assessed by HHS, they also have abolished or modified the affirmative defenses available to covered entities. One such important change involves the affirmative defense of “lack of knowledge.” Prior to the HITECH Act, HHS could not impose civil money penalties on a medical practice if the practice could establish that it did not know (and, by exercising “reasonable diligence,” would not have known) that it violated HIPAA. For violations occurring on or after February 18, 2009, this affirmative defense is no longer available to medical practices. Therefore, a violation that once may have been shielded from penalty by this defense now may be the subject of a tier one penalty as previously described.
Effective Date of Changes to HIPAA Enforcement Rules
The new four-tiered civil money penalties scheme applies to violations that occur on or after February 18, 2009. The Interim Final Rule issued by HHS on October 30, 2009, “grandfathers” violations that occurred prior to February 18, 2009. Those violations will continue to be subject to a maximum penalty of $100 per violation, subject to a cap of $25,000 for identical violations occurring in the same calendar year. For violations that occur both prior to and after February 18, 2009, HHS will treat the violations that occurred before February 18 under the old penalty scheme and the violations that occurred after February 18 under the new penalty scheme. The same treatment will apply to the abolition and modification of the affirmative defenses available under HIPAA. Those changes will apply only to violations occurring on or after February 18, 2009.
HIPAA Compliance Audit
The changes discussed in this article are but a few of the numerous changes made to HIPAA by the HITECH Act. If you have not recently performed an audit of your compliance with the HIPAA Privacy and Security Rules, as amended by the HITECH Act, it is extremely important that you do so, especially in light of the significant penalties that may now be assessed against medical practices for violations of HIPAA.
Jerry B. Cohen and Kathleen Quiroz are Shareholders with Oppenheimer, Blend, Harrison and Tate, Inc., a top-ranked health care law firm in San Antonio and Kerrville. Collectively, they have served corporate and health care clients for 39 years and have been recognized by their peers in the legal industry as leading attorneys at both the local and national level. You can reach the Health Care Practice of Oppenheimer, Blend, Harrison and Tate, Inc. at 210.224.2000.
Copyright 2010, Oppenheimer, Blend, Harrison and Tate, Inc.