You’re probably aware that you could be heavily fined for noncompliance with HIPAA. But did you know?
You’re also liable for HIPAA violations committed by your business associates!
The HIPAA Omnibus Final Rule Mandates Three-Tiered Penalties for all HIPAA Violations!
On January 17, 2013, the Department of Health and Human Services (HHS) released the Final Omnibus Rule, implementing a variety of requirements from the Genetic Information Nondiscrimination Act of 2008 (GINA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).
What this means in a nutshell is that HHS is actively imposing civil money penalties (CMPs) for all violations of HIPAA and the HITECH Act. Previously, penalties were applied only in extreme cases. However, as part of the HITECH Act, the Final Rule increases the fines for civil penalties and introduces a tiered penalty structure aligned with the nature and circumstances of the violation.
The Rule increases the amount of CMPs, reduces the number of available defenses, and requires the imposition of CMPs for every violation caused by willful neglect.
The amount of the penalty will increase with the level of culpability; the maximum penalty for violations of a HIPAA provision is $1.5 million per year!
The tiered structure separates the level of culpability into four separate violation categories:
- Unknowing: The covered entity or business associate didn’t know, and reasonably couldn’t have known about the violation.
- Reasonable Cause: The covered entity or business associate knew, or by using reasonable diligence would have known that the act or omission was a violation. The covered entity or business associate wasn’t acting with willful neglect.
- Willful Neglect – Corrected: The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, within 30 days of discovery, the covered entity or business associate corrected the violation.
- Willful Neglect – Uncorrected: The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. The violation wasn’t corrected within 30 days of discovery.
Four Penalty Categories:
| Violation Category | Each Violation | Total CMP for Violations of an Identical Provision During the Same Calendar Year |
|---|---|---|
| Willful Neglect – Corrected | $10,000–$50,000 | $1,500,000 |
| Willful Neglect – Uncorrected | At least $50,000 | $1,500,000 |
Monetary Penalties for Acts by Your Business Associates
According to the Final Rule, covered entities are liable for all violations by their business associates. It also states that business associates are liable for the acts of their agents.
In general, an agency relationship exists when the agent’s actions can be directed or controlled by the principal in the course of performing their duties, regardless of whether that control is actually exercised.
Although business associates are directly regulated under HIPAA, covered entities will still be held responsible for their business associates’ actions. Therefore, covered entities must ensure, through their business associate contracts, that their business associates are HIPAA-compliant, and business associates must do the same for their subcontractors.
So How Can You Protect Yourself? With a HIPAA Technology Risk Analysis by Veltec Networks.
The Consequences of Failing to Conduct a HIPAA Risk Analysis
Any healthcare entity that deals with protected health information (PHI) should conduct a HIPAA Risk Analysis for multiple reasons.
- A risk analysis will identify PHI-containing systems, which helps in assessing the vulnerabilities of those systems and prioritizing the risks to them. Conducting a HIPAA Risk Analysis also assists in developing strategies to safeguard those systems. All of these straightforward efforts are necessary to ensure acceptable protection of patients’ health information.
- HIPAA requires all healthcare entities to conduct a risk analysis. The HITECH Act of 2009 increased the penalties and enforcement under HIPAA; however, many healthcare entities ignored this requirement. The Office for Civil Rights (OCR), the enforcement arm of the U.S. Department of Health and Human Services (HHS), has been taking this issue very seriously by imposing severe civil monetary penalties for violations. OCR strongly believes that failing to conduct a HIPAA risk analysis is unreasonable.
- It’s an important process that helps healthcare entities prevent data breaches by helping them understand their security posture. Data breaches have become a common occurrence as healthcare entities rush to digitize PHI and adopt technologies that will improve efficiency, cut costs, and improve the healthcare system’s outcomes. The financial and reputational fallout from losing patient data makes it well worth your company’s time to conduct a risk analysis.
- The Electronic Health Record (EHR) Incentive Payment Program was created by HITECH to give healthcare entities more incentive to conduct a risk analysis. Healthcare providers must demonstrate that they are meaningful users of EHRs to qualify for payments under this program, and to do so they must confirm that they are conducting a risk analysis. Over $12.7 billion has been paid out to 240,000 providers so far. Because of the amount spent to date, the federal government has begun to question the program’s integrity and is seeking out entities that have falsely attested to the necessary qualifications in order to recoup payments. All entities receiving payments under the EHR Incentive Payment Program that have not yet conducted a risk analysis are at risk of losing those payments.
- Any healthcare entity receiving EHR incentive payments without conducting a risk assessment may be held liable under the False Claims Act. The Office of Inspector General (OIG) has made this a top priority for 2013 and is looking to open investigations against all alleged false attesters. Liability will be up to three times the amount of the EHR incentive payment, and healthcare entities found to have falsely attested may be excluded from Medicaid or Medicare.
In summary, failing to conduct a risk analysis may result in:
- An increased risk of suffering from data breaches;
- OCR enforcement including resolution agreements and civil monetary penalties;
- CMS enforcement to recoup EHR incentive payments; and
- OIG enforcement under the False Claims Act, including liability of three times the EHR incentive payment and exclusion from all federally funded healthcare programs.
It’s imperative that you undergo a HIPAA Risk Analysis to protect your business.