General Surgery Coding Alert

HIPAA:

Grasp Real Penalty Risk for Privacy Violations

Published on Tue Sep 18, 2018

Having a program is not enough.

You might think you’re safe from enforcement action if you have a good HIPAA compliance plan in place for your surgery practice.

Not so fast: A recent penalty levied by the feds suggests that having a plan in place is not enough — if you fail to follow your own plan.

Check Out This Case

Recently, an HHS Administrative Law Judge (ALJ) ruled on the side of the HHS Office for Civil Rights (OCR) against the University of Texas MD Anderson Cancer Center, according to an agency release on the subject.

Here’s why: MD Anderson sidestepped its own risk analyses, failing to encrypt devices that contained electronic protected health information (ePHI).

The ALJ decision was in line with the OCR’s Notice of Determination and “stated that MD Anderson’s ‘dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,’ a risk that MD Anderson ‘not only recognized, but that it restated many times,’” the OCR release mentioned.

Consider this Compliance Refresher

A few years back, the HIPAA Omnibus Final Rule introduced and solidified a new penalty structure, as well as new definitions relating to HIPAA violations. The definitions for three terms in particular are pivotal under the penalty system.

Reasonable Cause: An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

What’s more: Willful neglect violations must be investigated and penalties are mandatory, points out HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont, and the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions allow continued corrective actions, even if there’s no penalty. Plus, your state Attorney General can bring HIPAA actions, too.

Review the Tiered Penalty Structure

The ALJ put MD Anderson’s actions within the Tier 2 level of HIPAA violations, according to the ALJ decision. “This is the second summary judgment victory in OCR’s history of HIPAA enforcement, and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations,” stated the agency release on the subject.

The size of such a large Civil Monetary Penalty (CMP) for a second level HIPAA violation is significant, and may be a harbinger of things to come.

Remember, the feds instituted section 13410(D) of the HITECH Act, which became effective for HIPAA violations on or after Feb. 18, 2009. Sheldon-Dean breaks down the penalty tiers:

Tier 1: Did not know and, with reasonable diligence, would not have known — $100 to $50,000 per violation.
Tier 2: Violation due to reasonable cause and not willful neglect — $1,000 to $50,000 per violation.
Tier 3: Violation due to willful neglect and corrected within 30 days of when known or should have been known with reasonable diligence — $10,000 to $50,000 per violation.
Tier 4: Violation due to willful neglect and not corrected within 30 days of when known or should have been known with reasonable diligence — $50,000 per violation.

Inflation: Don’t forget that HHS tweaked these baseline fines in the name of inflation back in 2016 as mentioned in an interim final rule published in the Federal Register. The changes are applicable to violations occurring after November 2, 2015. Here’s the maximum amount each HIPAA violation may cost you under the CMP adjustment: