Monthly Archives: April 2012

April 25, 2012

Avoid New HIPAA Penalties

Recent changes to the HIPAA privacy and security rules dramatically increase health care providers' and their business associates' potential liability for HIPAA violations.

HIPAA Civil Penalties Are Now Mandatory. In 2009, the penalties for HIPAA violations were increased 500 times their prior limits. Effective February 2011, the Office of Civil Rights ("OCR") is required to impose HIPAA penalties if the covered entity or its business associate acted with willful neglect, i.e., with "conscious, intentional failure or reckless indifference to the obligation to comply" with HIPAA requirements. The following chart summarizes the penalty structure:

Conduct of covered entity or business associate Penalty
Did not know and, by exercising reasonable diligence, would not have known of the violation $100 to $50,000 per violation;
Up to $1,500,000 per identical violation per year
Violation due to reasonable cause and not willful neglect $1,000 to $50,000 per violation;
Up to $1,500,000 per identical violation per year
Violation due to willful neglect but the violation is corrected within 30 days after the covered entity knew or should have known of the violation Mandatory fine of $10,000 to $50,000 per violation;
Up to $1,500,000 per identical violation per year
Violation due to willful neglect and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation Mandatory fine of not less than $50,000 per violation;
Up to $1,500,000 per identical violation per year

The federal government is serious about the new penalties: the OCR has imposed millions of dollars in penalties or settlements since the mandatory penalties took effect. State attorneys general may also sue for HIPAA violations and recover penalties of $25,000 per violation plus attorneys' fees. When implemented, HITECH amendments will allow patients to recover a portion of any settlement or penalties related to a HIPAA violation, thereby increasing patients' incentive to report HIPAA violations.

The good news is that if the covered entity or business associate does not act with willful neglect, the OCR may waive or reduce the penalties, depending on the circumstances. More importantly, if the covered entity or business associate does not act with willful neglect and corrects the violation within 30 days, the OCR may not impose any penalty; timely correction is an affirmative defense.

HIPAA Violations May Be A Crime. Federal law prohibits any individual from improperly obtaining or disclosing protected health information from a covered entity without authorization; violations may result in the following criminal penalties:

Prohibited Conduct Penalty
Knowingly obtaining or disclosing protected health information without authorization. Up to $50,000 fine and one year in prison
If done under false pretenses. Up to $100,000 fine and five years in prison
If done with intent to sell, transfer, or use the information for commercial advantage, personal gain or malicious harm. Up to $250,000 fine and ten years in prison

Physicians, hospital staff members, and others have been prosecuted for improperly accessing, using or disclosing protected health information.

Entities Must Self-Report HIPAA Breaches. The risk of penalties is compounded by the fact that covered entities and business associates must self-report HIPAA breaches that pose a significant risk of financial, reputational or other harm to the individual whose information was breached. If the business associate learns of such a breach, it must report the breach to the covered entity without unreasonable delay. The covered entity must report a breach to the affected individual or their personal representatives and the federal Department of Health and Human Services ("HHS"). If the breach involves more than 500 persons, the covered entity must also publish information about the breach through local media.

What You Need To Do To Avoid Penalties. Given this increased exposure, health care providers and their business associates should do the following to avoid HIPAA penalties:

1. Assign HIPAA responsibility. Covered entities must designate persons to serve as their HIPAA privacy and security officers, and document the designation in writing. The privacy and security officers are responsible for ensuring HIPAA compliance.

2. Know the use and disclosure rules. The basic privacy rules are simple: covered entities and business associates may not use, access or disclose protected health information without the patient's valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception. Covered entities and business associates may use or disclose protected health information for purposes of treatment, payment or certain health care operations without the patient's consent; however, they may not use or disclose more than is minimally necessary for the permitted purpose. Additional exceptions apply to specific situations. The OCR maintains a very helpful website to aid covered entities' compliance:

3. Know patients' rights. HIPAA grants patients certain rights concerning their health information. Among others, patients generally have a right to obtain copies of their protected health information; request amendment to their information; and obtain an accounting of impermissible disclosures. Covered entities and business associates must know and allow patients to exercise their rights. Cignet Health was fined $4.3 million for, among other things, failing to timely respond to patient requests to access their health information.

4. Maintain written policies. HIPAA requires covered entities and business associates to develop and maintain written policies that implement the privacy and security rule requirements, including those dealing with confidentiality and patients' rights. Having the required policies is a key to avoiding penalties. According to HHS, maintaining the required written policies is a significant factor in avoiding penalties imposed for "willful neglect." Rite Aid paid $1,000,000 to settle HIPAA violations based in part on its failure to maintain required HIPAA policies. This week, a Phoenix cardiology group was fined $100,000 in part because it failed to have written policies required by HIPAA. To obtain a checklist of required policies, contact me at

5. Develop compliant forms. HIPAA requires that certain documents used by covered entities and business associates satisfy regulatory requirements. For example, HIPAA authorizations must contain certain elements to be valid. Covered entities must provide patients with a notice of privacy practices that contains certain statements. Other forms may be developed to ensure compliance with patient rights. Ensure your HIPAA forms satisfy the regulatory requirements.

6. Execute business associate agreements. Although HIPAA now applies directly to business associates, HIPAA still requires covered entities to execute "business associate agreements" with their business associates before disclosing protected health information to the business associate. Under proposed rules, business associates must execute similar agreements with subcontractors to whom the business associate discloses protected health information. The business associate agreements must contain certain elements. Breach of the business associate agreement exposes the business associate to contract claims by the covered entity in addition to civil or criminal penalties imposed by the government. Covered entities are generally not liable for the actions of their business associates unless the business associate is acting as the agent of the covered entity. Make sure your business associate agreements confirm that the business associate is an independent contractor, not your agent.

7. Train employees and agents. Having the policies and forms is only the first step; covered entities and business associates must train their employees to comply with the policies and document. HIPAA requires that new employees are trained within a reasonable period of time after hire, and as needed thereafter. Documented training is a second critical step to avoid HIPAA compliance. According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.

8. Use appropriate safeguards. The government recognizes that patient privacy cannot be absolutely protected. HIPAA does not impose liability for "incidental disclosures" so long as the covered entity or business associate implemented reasonable administrative, technical and physical safeguards designed to protect against improper disclosures. The security rule contains detailed regulations concerning safeguards that must be implemented to protect electronic health information. The privacy rule is less specific. The reasonableness of safeguards depends on the circumstances, but may include, e.g., not leaving protected health information where it may be lost or improperly accessed; checking e-mail addresses and fax numbers before sending messages; using fax cover sheets; etc.

9. Respond immediately to any breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate any privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA. It may also require covered entities to terminate an agreement with a business associate due to the business associate's noncompliance. Second, an entity may be able to ameliorate or negate any risk of harm to the patient by taking swift action, thereby avoiding the obligation to self-report HIPAA violations to the individual and HHS. Third, a covered entity or business associate can avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.

10. Timely report breaches. If a breach of unsecured protected health information poses a risk of significant financial, reputational or other harm to the patient, business associates must promptly report the breach to covered entities, and covered entities must notify the patient within 60 days. If the breach involves less than 500 persons, the covered entity must notify HHS by filing an electronic report no later than 60 days after the end of the calendar year. If the breach involves 500 or more persons, the covered entity must file the electronic report when it notifies the patient. The written notice to the patient must satisfy regulatory requirements.

11. Document your actions. Documenting proper actions will help you defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.

As I write this article, the Office of Management and Budget is reviewing new HIPAA regulations. Covered entities and business associates should watch for the new regulations and implement any additional changes as necessary.

April 6, 2012

Beware Professional Courtesies

Many health care practices or facilities waive or discount co-pays or deductibles for other physicians, the physician's family members, or the physician's staff as a "professional courtesy." Although often well-intentioned, such practices can violate state and federal laws and managed care contracts.

Courtesies to Referring Physicians. Giving professional courtesies to a physician or their family members will violate the federal Stark law if the physician refers certain designated health services payable by Medicare or Medicaid unless specific regulatory standards are satisfied, including the following:

  1. The courtesy is offered by entities with a medical staff, which includes group practices, hospitals, and similar entities. Solo practitioners do not qualify.
  2. The entity has a written professional courtesy policy approved in advance by its governing body.
  3. The courtesy is offered to all physicians on the entity's medical staff or in the entity's local community regardless of the volume or value of referrals between the parties.
  4. The courtesy is not offered to anyone who is a federal health care program beneficiary unless there is a showing of financial need.

Stark law violations require repayment of amounts received from Medicare and Medicaid for services rendered or items provided per improper referrals. Additional administrative penalties may apply.

Courtesies to Induce Referrals. Even if an arrangement satisfies Stark, it may still violate state and federal anti-kickback statutes if offered to induce referrals. The federal Anti-Kickback Statute prohibits soliciting, offering, or giving remuneration to induce referrals for items or services covered by federal health care programs, including Medicare or Medicaid. Similarly, the federal Civil Monetary Penalties Law prohibits offering inducements to federal program beneficiaries, including waiving co-pays and deductibles absent a showing of financial need. Violations of the federal statutes may result in significant criminal and administrative penalties. State anti-kickback laws may also apply.

Courtesies to Patients with Private Insurance. Even if no government health care programs are involved and there is no intent to induce referrals, state laws and managed care contracts may still prohibit waiving co-pays and deductibles. For example, Idaho Code ยง 41-348 prohibits engaging in a regular practice of waiving or rebating deductibles. Violations may result in a $5000 fine. In addition, most managed care contracts require providers to collect co-pays and deductibles; failure to do so may breach the contract. Blue Cross of Idaho recently sent a letter to providers warning of such actions.

The Bottom Line. Given the foregoing statutes, providers should ensure that their professional courtesy policies comply with the following:

  1. If the courtesy is offered to a physician who refers designated health services, make sure you have a written professional courtesy policy that satisfies the Stark law regulations.
  2. If private insurance is involved, do not waive or discount co-pays or deductibles unless there is a documented showing of financial need or you obtain permission from the health insurer.
  3. Never offer professional courtesies as a way to induce referrals.
  4. If you offer a professional courtesy, it is generally safer to waive the entire fee than to waive co-pays and deductibles. The government and private payors are not as concerned if they are not required to pay for the service; however, you still need comply with Stark.