Enforcement Action Following September 23 Compliance Deadline
As of September 23, 2013, Covered Entities and Business Associates are expected to be in compliance with the Omnibus Final Rule (the Final Rule) that amended the Health Insurance Portability and Accountability Act of 1996 and its accompanying regulations (the statute and regulations together, HIPAA), and which codified changes to the Enforcement Rule enacted as part of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). To assist in its efforts to enforce HIPAA and respond to patient complaints of noncompliance, the Office for Civil Rights (OCR), a subagency of the U.S. Department of Health and Human Services (HHS), is empowered to assess tiered penalties tied to corresponding levels of culpability and is directed to initiate mandatory investigations or compliance audits in instances of willful neglect. In addition to the revised enforcement role of the OCR, the Final Rule made several modifications to the affirmative defenses available to Covered Entities and Business Associates.
Mandatory Action for Willful Neglect
The Final Rule requires the Secretary of HHS (the Secretary) to launch an investigation where a preliminary review of the facts in a complaint filed with its office indicates a possible HIPAA violation due to willful neglect. Similarly, the Secretary must initiate a compliance review where a preliminary review of information received other than through a complaint (such as a media report or communications from a state agency) indicates a HIPAA violation due to willful neglect of a Covered Entity or Business Associate. The Secretary retains continued discretion to investigate all other complaints or initiate compliance reviews. The preamble to the Final Rule suggests that the threshold for mandatory action is the mere possibility, not probability, that a willful violation has occurred based on a preliminary review of the facts. HHS has not provided meaningful guidance regarding such threshold despite commenters’ requests for such guidance.
Correspondingly, the Secretary now has discretion to initially attempt to resolve HIPAA violations through informal means. This obligation was previously mandatory, but the preamble to the Final Rule explains that this provision had to be discretionary in order to support the Secretary’s mandatory actions described above. Effectively, the Secretary now has discretion to directly impose a civil monetary penalty without exhausting informal resolution avenues, regardless of the level of culpability implicated by a preliminary review of the facts.
Under the revised enforcement regime, violations of HIPAA are assessed by level of culpability of the Covered Entity or Business Associate and penalized by a corresponding civil monetary penalty. The chart below indicates the level of culpability, its definition and the dollar range of civil monetary penalty that the Secretary may impose.
Determining Number of Violations and Civil Monetary Penalty Amount
The Enforcement Rule grants the Secretary wide discretion in assessing civil monetary penalties, including the authority to waive the imposition of a penalty altogether. The number of violations will be determined on a case-by-case basis, but for purposes of the calendar-year limit, the preamble provided several illustrative examples. A breach of unsecured protected health information (PHI) would likely be assessed by the number of individuals affected. Thus, a breach of 100 persons’ PHI would constitute 100 identical violations, and the aggregate penalty imposed would be subject to the $1,500,000 calendar-year limit. Similarly, violations for a failure to maintain adequate safeguards would be calculated by the number of days the safeguards were not in place. However, a breach of 100 persons’ PHI due to a failure to maintain adequate safeguards for 10 days would be treated as 100 identical violations for breach, and 10 identical violations for failure to maintain adequate safeguards, each of which would be subject to its own $1,500,000 calendar-year limit. Ultimately, a Covered Entity or Business Associate could still be fined more than $1,500,000 in any calendar year because a single incident could be the result of identical violations of several different provisions of HIPAA, each subject to its own calendar-year limit.
In determining the amount of civil monetary penalty, the Secretary will consider the following factors: (i) the nature and extent of the violation; (ii) the nature and extent of the harm resulting from the violation; (iii) the history of prior compliance with the administrative simplification provisions, including violations; (iv) the financial condition of the Covered Entity or Business Associate; and (v) such other matters as justice may require.
Covered Entities’ and Business Associates’ primary mechanism for defending against the imposition of civil monetary penalties is the set of affirmative defenses set forth in the regulations. The Final Rule amends these in several notable respects. For violations after February 18, 2011, Covered Entities and Business Associates must demonstrate that a criminal penalty has actually been imposed in order to bar civil monetary penalties. Previously, and still effective for violations prior to February 18, 2011, the Covered Entity or Business Associate needed only to show that the subject violation was criminally “punishable.” Further, for violations after February 18, 2009, the Secretary is barred from imposing a civil monetary penalty where the Covered Entity or Business Associate corrects the violation within 30 days of the first date it knew, or by exercising reasonable diligence should have known, that the violation occurred, absent circumstances of willful neglect.
Disclosure of PHI
In addition to its own enforcement action, the HITECH Act and the Final Rule include provisions to increase coordination among enforcement agencies. Specifically, the Final Rule addresses the ability of the Secretary to disclose the pertinent facts, including PHI protected by HIPAA, to other state and federal agencies. PHI (as defined under HIPAA) that is obtained by the Secretary during an investigation or compliance review is explicitly authorized to be disclosed to other state or federal agencies. Namely, the Secretary may share such information with (i) states’ Attorneys General to pursue civil enforcement actions under HIPAA and state privacy laws on behalf of state residents; (ii) the Department of Justice to pursue criminal HIPAA penalties; or (iii) the Federal Trade Commission for purposes of pursuing remedies under consumer protection laws. Covered Entities and Business Associates should be aware that this express permission to disclose PHI in conjunction with the results of compliance reviews and audits could lead to greater exposure and liability for HIPAA violations, depending on the relevant factual circumstances.