Medicare Compliance & Reimbursement

HIPAA confidentiality violations will cost $20,000 apiece under proposed rule If the U.S. Department of Health and Human Services (HHS) has its way, healthcare providers will finally be able to confidentially report medical errors -- without risk of legal liability. The Patient Safety and Quality Improvement proposed rule, published in the Feb. 12 Federal Register, outlines a proposal that establishes "patient safety organizations," (PSOs) and also discusses what the penalties would be for those who aren't careful with patient safety issues. The HHS proposes creating PSOs, to which providers could report potential medical errors. The PSOs would then analyze the data so that future medical errors could be avoided. In addition to offering an outlet to report clinical errors, the proposal also covers patient confidentiality issues, noting, "The regulation is very specific that patient safety work product is subject to confidentiality and privilege protections, and persons that breach the confidentiality provisions may be subject to a $10,000 civil money penalty, to be enforced by the Office for Civil Rights (OCR)." Further, the proposal notes, "the $10,000 limit applies to each person separately, not the act that was a violation. Thus, in the circumstance where an agent and a principal are determined to have violated the confidentiality provisions, the Secretary may impose a civil money penalty of up to $10,000 against the agent and a civil money penalty of up to $10,000 against the principal, for a total of $20,000 for a single act that is a violation." Despite the steep penalties that the new proposal recommends, the sanctions would be imposed in addition to the existing HIPAA confidentiality penalties, says Charlotte, NC attorney Heather Cook Skelton, Esq. "In theory, that means that the same act, if found to violate both the Patient Safety and Quality Improvement Act (as enforced under the proposed regulations) and HIPAA's privacy or security provisions, could be subject to dual fines," says Kelly S. Kuglitsch, Esq., with Whyte Hirschboeck Dudek in Milwaukee. Section 3.408 of the new proposed regulations indicates that "even if an act were found to violate both the PSQIA and HIPAA, an agency could take the entire facts and circumstances into consideration to determine whether a dual fine is warranted," Kuglitsch advises. But because fines imposed on HIPAA violators have been few and far between, "even if an act happened to violate both the PSQIA and the HIPAA privacy regulations, I believe that the risk of a dual fine is very low, barring some extremely egregious scenario," she says.