The Department of Health and Human Services (“HHS”) has announced a new penalty structure for the civil money penalties (“CMPs”) for HIPAA violations that apparently reduces the penalties for violations that are not due to the willful neglect of covered entities and business associates. The Notification of Enforcement Discretion reduces the maximum annual CMP in the lower three of the four tiers of penalties. A graphic representation of the old and new four tiers follows:
Penalty
Tier |
Level of
Culpability |
Minimum Penalty
per Violation |
Maximum Penalty
per Violation |
Old Max.
Annual Penalty |
New Max.
Annual Penalty |
1 | No knowledge | $100 | $50,000 | $1.5 million | $25,000 |
2 | Reasonable Cause | $1,000 | $50,000 | $1.5 million | $100,000 |
3 | Willful Neglect Corrected | $10,000 | $50,000 | $1.5 million | $250,000 |
4 | Willful Neglect Uncorrected | $50,000 | $50,000 | $1.5 million | $1.5 million |
Whether this change actually reduces the potential burden, particularly on smaller entities, seems problematic. A $25,000 maximum annual CMP for a small entity that has a violation when it was unaware that it had violated HIPAA and, by exercising a reasonable level of due diligence, would not have known that it had violated HIPAA certainly seems like a boon. The same theory would appear true for tiers 2 and 3.
But two aspects of the CMPs call into question just how much benefit, if any, this new enforcement rule really provides.
First, of the enforcement actions to date, the vast majority have been tier 4 actions. And we now have the maximum CMP or settlement in lieu thereof (“SILT”) of $16 million. So what does that maximum say about the $1.5 million annual cap? Well, that cap is for identical violations in a calendar year. And HHS considers a security or privacy violation of each individual’s protected health information (“PHI”) as a separate—that is, not identical—violation, as illustrated by the infamous $4.3 million CMP that HHS imposed against Cignet Health for failure to provide to 41 patients copies of their records, as required under the HIPAA Privacy Rule. HHS considered the withholding of each record as a separate violation and each day that it was withheld as a separate violation in coming up with the $1.3 million portion of the CMP to add to the $3 million for various acts of non-cooperation with the Office for Civil Rights (“OCR”) inspections. See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html. HHS certainly didn’t find violation one―that is, improper violation of individuals’ right of access under 45 C.F.R. § 164.524―and violation two―that is, failure to cooperate with an HHS investigation under §160.310. No, it found multiple violations that were not identical. So the maximum annual CMP seems somewhat illusory.
Second, does this apparent, if perhaps illusory, lessening of the CMPs indicate that OCR is now going to go after the smaller providers who may not have the resources to defend against an OCR investigation of an alleged violation that might result in a CMP?
In a similar enforcement action, the author got a phone call from a psychologist who was being investigated for criminal Medicare fraud for upcoding—assigning a code to her service that got a higher reimbursement than the service actually performed. I advised her that I thought she had a good defense but that she would need to hire not only a good lawyer, experienced in Medicare fraud defense, but also a coding expert witness. She said that she didn’t have the funds to do that and was going to accept the government’s plea bargain that would not include any jail time. But what was a federal felony conviction and the inability to bill government sources of payment going to do to her? And I got a similar call a little later. Could DHHS adopt this tactic and start focusing on the small fry that will be forced to settle with the feds.
Anthem, Inc., an independent licensee of the Blue Cross and Blue Shield Association, which suffered the $16 million settlement, certainly had the resources to defend against the allegations that it had failed to conduct a risk analysis, failed to regularly review records of system activity, failed to properly handle a breach, failed to implement policies, and failed to prevent unauthorized access. Does a one-clinician office have those resources?
So, one can only wonder, just how helpful is this change in the maximum annual penalties for HIPAA violations? We here at Veterans Press and EMR Legal hope that you don’t have to find out.
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.
Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.
If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.
If you would like to hear a webinar by Jon Tomes on this topic, consider signing up for his upcoming webinar on the topic “How to Avoid Seven-Figure HIPAA Civil Money Penalties and Other Disasters” at https://www.edupliance.com/webinar/how-to-avoid-seven-figure-hipaa-civil-money-penalties-and-other-disasters. This webinar is scheduled for Tuesday, May 21, 2019, noon to 1:30 pm CT.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.