Automatic Fines: HITECH, HIPAA, and Willful Neglect - The Importance of Policies and Procedures

October 13, 2010

All organizations that handle protected health information (“PHI”), including business associates of such organizations, need to be aware of a recent proposed rule that could subject the organization and its business associates to mandatory fines. As described below, the failure to have the proper policies and procedures may be considered willful neglect and subject the organization and its business associates to these mandatory fines. Additionally, under the proposed rule, if a business associate hired a subcontractor to handle PHI, that subcontractor would also be subject to the rules.

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”), increases the financial risks for organizations handling PHI that do not have policies and procedures in place as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The HITECH Act established a tiered civil penalty structure for HIPAA violations, under which violations resulting from willful neglect are subject to a mandatory penalty. On July 12, 2010, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) published the Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act (the “Proposed Rule”). In the Proposed Rule, the OCR made clear that it would consider not having the required HIPAA policies and procedures in place as demonstrative of willful neglect.

Who Must Have Policies and Procedures in Place?

Before the HITECH Act, HIPAA applied only to the use and disclosure of PHI by covered entities, which included health care providers, health plans, and health care clearinghouses. Vendors providing administrative services to covered entities and to whom PHI was disclosed, known as business associates, were not directly subject to HIPAA’s privacy and security requirements. Instead, these business associates were required to sign business associate agreements through which they agreed, by contract, to maintain the privacy and security of PHI. The HITECH Act changed this requirement for business associates, and the OCR’s Proposed Rule seeks to change it for subcontractors.

Business associates. The HITECH Act expanded the scope and application of HIPAA to directly apply several of HIPAA’s security and privacy requirements to business associates. Among other provisions, this expansion includes the Policies and Procedures and Documentation Requirements outlined in 45 CFR § 164.316, which requires organizations to “[i]mplement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements” of the Security Rule. Business associates are also subject to the HIPAA civil and criminal penalties and enforcement proceedings for violations. As such, business associates are directly liable for violations and are subject to penalties for such violations.

Subcontractors. In the Proposed Rule, the OCR seeks to explicitly include subcontractors in the business associate definition. Specifically, the OCR proposes to define subcontractors as:

[T]hose persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information.

As further explained by the OCR, the:

[P]roposed provisions avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity. Allowing such a lapse in privacy and security protections may allow business associates to avoid liability imposed upon them by sections 13401 and 13404 of the [HITECH] Act, thus circumventing the congressional intent underlying these provisions.

The OCR makes clear, however, that covered entities need not contract directly with the subcontractors of their business associates, but could instead rely on the business associates to comply with the necessary provisions.

The Civil Penalty Structure and Enforcement

To encourage compliance, the HITECH Act sets forth a civil penalty structure. As stated in the HITECH Act, the HHS Secretary has discretion to determine the amount of the penalty based on the “nature and extent of the violation and the nature and extent of the harm resulting from such violation.” Additionally, the Secretary is prohibited from imposing civil penalties if the violation is corrected within 30 days. This 30-day grace period is not available for actions deemed to be demonstrative of willful neglect.

HIPAA Violation | Minimum Penalty | Maximum Penalty
--- | --- | ---
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but the violation is corrected within 30 days of the date on which the person liable for the violation knew, or by exercising reasonable diligence would have known, that he/she violated HIPAA (mandatory penalty) | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected (mandatory penalty) | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million

In addition to enforcement by the Secretary, the HITECH Act also granted enforcement rights to each State Attorney General (“AG”) to bring civil suits on behalf of the state’s residents. The AG can sue for injunctive relief or damages. But, “damages imposed on the person for all violations of an identical requirement or prohibition during a calendar year” are limited to $25,000.

Richard Blumenthal, the AG of Connecticut, was the first to use this new HITECH Act enforcement right, among his other options, when his office sued Health Net of Connecticut for losing the medical and financial information of nearly 450,000 enrollees and failing to timely notify those affected. Health Net settled the lawsuit in July 2010 by agreeing to pay $250,000 in fines and to implement a corrective action plan that includes continuing to provide identity theft protection, improving systems controls and management and oversight structures, and training employees. It is notable that the settlement is $250,000, which is larger than the $25,000 maximum set forth in the HITECH Act. This difference likely resulted from other claims against Health Net, such as the failure to timely notify.

Blumenthal is continuing his enforcement, announcing on August 18, 2010 that his office launched an investigation into the security breach at Yale Medical School. The data breach involved the theft of a laptop and the loss of PHI of over 1,000 individuals.

Willful Neglect and the Requirement to Have Policies and Procedures

HIPAA defines willful neglect as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” 45 CFR § 160.410. In the Proposed Rule, the OCR clarified that the “term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur but also encompasses a conscious intent or degree of recklessness with regard to its compliance obligations.” These compliance obligations include having the required policies and procedures in place.

In the Proposed Rule, the OCR provides the following examples:

1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.

2. A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.

The OCR went on to clarify that “the covered entities’ failures to develop or implement compliant policies and procedures . . . demonstrate either conscious intent or reckless disregard with respect to their compliance obligations.” In other words, such behavior demonstrates willful neglect, subjecting the organization to a mandatory penalty. Additionally, the OCR notes that in “the second example, the covered entity’s refusal to accept any requests for restrictions from individual patients who inquire would be grounds for a separate finding of a violation due to willful neglect.” That is, organizations must not only have policies and procedures in place but must also implement and enforce them.

Notably, the OCR does not provide any examples with business associates. Nonetheless, the HITECH Act makes clear that business associates must now comply with the policies and procedures provision of HIPAA and are subject to the same monetary penalties as covered entities.

Some Concluding Comments

The changes the OCR outlined in the Proposed Rule in July are mere proposals. The final rule has yet to be published; however, the comment period ended on September 13, 2010, so the final rule may be out by the end of the year.

Organizations should keep abreast of the upcoming changes because the OCR intends to give covered entities and business associates 180 days after publication of the final rule to come into compliance with most of the rule’s provisions. There will be an additional one-year transition period for covered entities and business associates to comply with changes to their existing business associate contracts or other arrangements. Finally, there will be no exceptions for small health plans. Notably, this 180-day period is subject to change because the OCR was seeking comment on the length of the compliance period.

FOR MORE INFORMATION, PLEASE CONTACT:

Craig A. Phillips is a member in Dickinson Wright’s Troy office and can be reached at 248.433.7231 or cphillips@dickinsonwright.com.

Tatiana Melnik is an associate in Dickinson Wright’s Ann Arbor office and can be reached at 734.623.1713 or tmelnik@dickinsonwright.com.
