“Today the message is loud and clear: HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule . . .”

With this February 4, 2011 statement, the U.S. Department of Health and Human Services (“HHS”) clearly articulated its enforcement focus when it imposed a $4.3 million penalty for a violation of HIPAA’s Privacy Rule. Of the $4.3 million penalty, $1.3 million was for failure to timely provide 41 individuals with access to their protected health information (“PHI”). An additional $3 million was for failure to cooperate with HHS during the investigation. A mere 10 days later, HHS announced a $1 million settlement for violations of the HIPAA Privacy and Security Rules based on PHI that was left on a subway.

These recent enforcement actions highlight two important points.

  • HHS is actively imposing the substantially increased enforcement penalties authorized by a 2009 amendment to HIPAA known as HITECH; and
  • Penalties may be imposed regardless of whether there is an actual loss or disclosure of PHI.

Enforcement Actions Extend to Health Plans

Although the penalties described above applied to health care providers, employer-sponsored health plans should be aware they are equally subject to enforcement action. Many of the 13,459 HIPAA privacy and security complaints resolved by HHS through investigation and enforcement since 2003 dealt with health plan violations.

Steps Health Plans Should Take Now to Avoid Penalties Later

HHS has stated that it expects a “culture of compliance” where privacy is taken seriously, and that “willful neglect” will be dealt with much more severely than in the past. A “robust” HIPAA Privacy and Security compliance program can minimize (if not eliminate) violations, and can reduce the related penalties should a violation occur. For example, a plan can use its compliance program to demonstrate that lower penalties should apply because a violation did not result from willful neglect. Further, penalties may be reduced or waived if a plan’s compliance program results in prompt correction of violations.

To comply with the Privacy and Security Rules, health plans should take the following steps:

  • Periodically update HIPAA Privacy and Security Policies and Procedures. Changes to these policies and procedures were recently required by HITECH (enacted in 2009).
  • Provide periodic HIPAA training. New training also was required by HITECH.
  • Review Business Associate Agreements (BAAs). BAA changes also are required by HITECH.
  • Monitor HIPAA compliance. According to HHS, this should include regular internal compliance audits.

Many employers have not yet completed their compliance with the new requirements under HITECH. In addition, their Privacy and Security programs may not have been reviewed and updated in a number of years. Please let us know if Baker Botts can help you develop a compliant HIPAA Privacy and Security program for your group health plans to reflect your culture of compliance and limit your exposure to the substantial penalties that may apply.