Increased penalties
Prior to the HITECH Act, HIPAA enforcement focused on voluntary corrective action and was largely complaint driven. HITECH has created a more proactive and punitive enforcement regime where the government actively looks for violations. Fines are assessed based on the degree of culpability of the covered entity.
The HITECH Act provides for penalties of $100 to $50,000 per violation. Fines at the low end of the scale apply when the covered entity didn’t know (and wouldn’t have known by exercising reasonable diligence) that it had violated the law. Penalties at the top of the scale are assessed for violations that are due to willful neglect and aren’t corrected during the 30-day period following discovery of the violation. OCR is required to investigate any of these types of incidents.
It’s also required to levy fines in such cases. Although there’s an annual cap of $1.5 million for all violations of an identical provision in a calendar year, the same incident could result in a violation of several standards, permitting the government to assess up to $1.5 million for each standard violated.
Civil enforcement actions
Under its new “tough love” policy, OCR has taken numerous civil enforcement actions against a variety of healthcare providers for a range of HIPAA violations, including:
- July 2011: UCLA Health System was fined $865,500 and entered into a three-year corrective action plan (CAP) after unauthorized employees viewed the electronic medical records of celebrities and other patients;
- February 2011: Massachusetts General Hospital was fined $1 million and entered into a three-year CAP due to the loss of documents containing protected health information (PHI) of 192 patients, including several with HIV/AIDS, by an employee on a subway train;
- February 2011: OCR imposed a $4.3 million fine on CIGNET Health because of that organization’s failure to comply with patients’ rights to access their medical records and its failure to cooperate with OCR’s investigation of that noncompliance;
- June 2010 and January 2009, respectively: Rite Aid Corp. and CVS/Caremark were each fined heavily ($1 million in the case of Rite Aid and $2,250,000 in the case of CVS/Caremark) for failure to properly dispose of prescriptions, labeled pill bottles and other items containing individuals’ PHI.
Criminal prosecutions
Perhaps more alarming for many covered entities is that the Department of Justice has brought 38 criminal prosecutions under HIPAA. Thirty-two of these cases resulted in conviction by plea bargain, and one resulted in conviction following a jury trial.
Although the majority of these cases were brought against persons accessing records for purposes of personal gain (e.g., identity theft for the submission of false Medicare claims, or selling celebrity PHI to the media), several of the prosecutions were brought against persons alleged to have violated HIPAA without a motive of personal gain. Examples of these cases include the following:
- Physicians and staff at a hospital in Tennessee accessed the records of a local TV news anchor out of curiosity;
- A UCLA Health System employee accessed the medical records of celebrities and co-workers out of curiosity; and
- A nurse accessed a patient’s records at the request of a psychologist evaluating the patient’s fitness to have custody of a child.
These cases highlight the danger of snooping. Criminal sanctions include fines of up to $250,000 and imprisonment of up to 10 years if the use or disclosure is committed for commercial advantage, personal gain or malicious harm.
State enforcement
The HITECH Act also includes a provision authorizing state attorneys general to file lawsuits against violators on behalf of the state’s residents. These suits can seek injunctions against future violations and damages of up to $100 per violation, subject to a cap of $25,000 for identical violations in the same calendar year. In addition, the court can award attorneys’ fees. The attorneys general of Connecticut and Vermont were the first to use this new authority. Both states entered into agreements with HealthNet for failing to secure patient health and financial information.
Pilot audit program
Finally, the HITECH Act requires HHS to conduct periodic audits to ensure compliance. To begin implementation of this requirement, OCR recently initiated a pilot audit program that will assess up to 150 organizations. These audits began in November 2011 and will be completed by the end of 2012, to be followed by a permanent audit program.
Although both covered entities and business associates will ultimately be subject to the permanent audit program, OCR is auditing covered entities in the initial round. OCR has indicated it will audit a wide range of types and sizes of covered entities.
The OCR audit process will employ usual and customary audit procedures. Entities selected for audit will first receive a letter informing them of their selection and asking them to provide documentation regarding their privacy and security compliance efforts.
Following these letters, auditors will conduct site visits during which they will interview key personnel and observe the processes and operations of the organization to determine whether it’s in compliance. The visits are expected to last between three and seven days, depending on the complexity of the organization.
Following the visits, auditors will develop and share with the entity a draft report, including proposed findings. Prior to finalizing the report, the entity will have an opportunity to discuss concerns and describe corrective actions implemented to address the identified problems. The final report won’t be posted on a public website or otherwise made publicly available in a manner that identifies the audited party. OCR has indicated that the audits are primarily “a compliance improvement activity,” rather than an enforcement mechanism.
OCR hopes to use the audit process to better understand covered entities’ compliance efforts and to determine the types of technical assistance and corrective actions that are most effective when noncompliance is found. However, should an audit reveal a serious compliance issue, OCR may initiate a separate compliance review to address the problem. That review could result in enforcement action.
Self-auditing
In anticipation of these audits, covered entities and their business associates would be well advised to conduct internal self-audits to ensure they comply with HIPAA’s numerous and complex requirements.
Although the audit program is being characterized by OCR in relatively benign terms, recent enforcement actions by the agency indicate that it may treat serious violations harshly.