Though HIPAA laws have been in place since 1996, there seems to be more bark than bite when enforcing them, especially for small behavioral health providers who fly under the radar. Where are the HIPAA Police? Are there any real vulnerabilities to mental health providers for non-compliance? Recent laws, especially those brought about by the Health Information Technology for Economic and Clinical Health Act (HITECH Act)(1), have not only increased penalties and tightened enforcement, but changed the fundamental methods for identifying non-compliance. With these new enforcement standards, you could be subject to a mandatory minimum fine of $10,000-$50,000, instigated by an on-line complaint or telephone call from any number of individuals in your practice environment. HIPAA violations may affect your professional status, liability insurability and rates, zap your time and energy and hurt your professional standing, not to mention the psychological toll it can have on you and your clients. It’s not difficult, however, to avoid harsh mandatory penalties by simply understanding “Willful Neglect” and taking basic actions to avoid it.
The Health Insurance Portability and Accountability Act (HIPAA) (2), sets the standards for the privacy protection of all health information and requires us to: maintain reasonable and appropriate administrative, technical and physical safeguards to insure the integrity, confidentiality and availability of health care information; protect against reasonably foreseeable threats or hazards to the security of information; and protect against unauthorized uses or disclosures of the information. These mandates are outlined in Security and Privacy Standards, which apply to certain health care providers, known as “covered entities.” Texas HB 300, which took effect in 2012, is even more restrictive than HIPAA, defining a covered entity as any who: “for commercial, financial, or professional gain, monetary fees or dues, or on a cooperative, non-profit, or pro bono basis, engages, in whole or part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information…” (3). According to Pamela D. Tyner of the Epstein Becker Green attorney group, “This revision impacts any entity that conducts business in Texas and collects, uses or stores PHI” (4). In other words, the times of a mental health specialist dodging HIPAA standards by claiming to be a non-covered entity in Texas are days gone by. Our compliance standards, however, are generally less stringent than those for larger covered entities. Compliance criteria is scalable and may vary based upon a specific practice. For example, a solo practitioner has much less administrative burden than that imposed on a hospital. It is essential, however, to explain in writing why an administrative standard does not apply to you and how it has been modified to fit your practice.
Fortified Enforcement and Audits
The long awaited Final Omnibus Rule has implemented the HITECH Act modifications to the Privacy Rule and other rules of HIPAA. The Final Rule, requiring compliance by September 2013, has increased coverage of HIPAA’s criminal and civil penalties. It has also granted the
DHHS Office of Civil Rights (OCR) more authority and further performance requirements when conducting audits. These changes are due in part to the DHHS Inspector General’s scathing criticism for the lack of adequate HIPAA enforcement (5). While DHHS had the authority to conduct compliance audits, HITECH now requires audits of covered entities and business associates to insure compliance. Furthermore, state attorney generals are now authorized to bring civil actions against violators in state or federal district court, meaning disgruntled clients have an avenue for civil retribution (6). For example, in the case of Fuqua vs Horizon/CMS Healthcare Corp, a Texas woman was awarded 310 million for punitive damages, partially because the company involved in the case was caught hiding records (7). This ruling is in appeal. In most cases, breaches and other HIPAA violations are not criminal and do no serious harm to the client. DHHS attempts to resolve non-compliance issues by informal means whenever possible so that covered entities may avoid penalties altogether. Now, however, there are minimum mandatory penalties for Willful Neglect.
Willful Neglect means the “Conscious, intentional failure or reckless indifference to the obligation to comply with (HIPAA)…” (8). Violations due to willful neglect carry a mandatory minimum penalty ranging from $10,000-$50,000, escalating to $1,5000,000, depending on whether the problem was corrected within 30 days following discovery.
On February 4, 2011, HHS fined Cignet Health Center $4.3 million for HIPAA violations. The penalty was not imposed for any breach of privacy; instead, Cignet was fined $1.3 million for failing to timely respond to 41 patients’ requests to access their health information, and $3 million for refusing to cooperate with the OCR’s investigation. These penalties confirm that HHS is intent on enforcing all aspects of HIPAA, not solely the privacy provisions. It also sends a clear warning to those inclined to be uncooperative or ignore the law (9).
In 2013, DHHS presented the results of mandatory Phase I onsite audits. They reported that 47 of 59 providers, and 20 of 35 health plans, had not provided a complete and accurate risk analysis. Phase II audits will target covered entities such as behavioral health specialists. These will not be onsite audits, but rather desk audits of documentation, underscoring the old dictum, “If it was not written, it didn’t happen.” Phase II audits will focus more intensely on the most frequent errors identified in the first audit, reinforcing the salience of risk analysis (10).
In a presentation to the American Society of Interventional Pain Physicians, entitled Compliance for Success: OIG and HIPAA, attorney David Vaughn stated that of all the government reported cases so far, fines ranged from $50,000 to $2.3 million (11). About half of the penalty amounts were not related to breaches, but rather to the organizations’ lack of written HIPAA policies and procedures, written risk assessments and/or HIPAA training certificates for employees. According to the American Psychological Association, “While HHS has focused its enforcement on large entities, we are aware of some small and solo practices that have been subject to substantial penalties and/or serious enforcement actions” (12). Now the government seems to have less tolerance for any entity, regardless of size, lacking the fundamental elements of an effective compliance program.
Who Are the Watchdogs Now, and How Does This Affect Reported Complaints?
You may think that with increased government scrutiny, most HIPAA violations are uncovered in government audits, but this is not the case. Complaints come primarily from disgruntled clients or employees (13). Joe Borich, a Kansas attorney specializing in HIPAA compliance issues, reported that HHS is required to establish a process whereby individuals affected by a HIPAA violation may receive a percentage of any penalty or settlement collected with respect to that violation A second bit of unfinished business is a proposed rule that would dramatically increase the payment to Medicare Fraud Whistleblowers, from a current maximum of $1000 to nearly $10 million. In addition to fueling the wrath of an already frustrated client or employee, these foreseeable dictums provide a powerful incentive for plaintiffs and their attorneys to closely monitor covered entities and business associates for HIPAA violators.
Before implementation of the Final Rule, there was no obligation for business associates to act as “watchdogs,” but now they must take action if a covered entity appears to be violating HIPAA (14). Covered entities are now required to scrutinize themselves, giving notice to patients and HHS if they discover that “unsecured” Protected Health Information (PHI) has been breached, such as stolen or improperly accessed. The law stipulates, however, that HHS must be notified only if the breach poses a “significant risk of financial, reputational or other harm to the individual” (15). In one such case, a small hospice in northern Idaho self-reported that an unencrypted laptop computer containing unsecured PHI had been stolen from a worker’s car, which eventually resulted in them being assessed a $50,000 fine (16).
The risk of a reported HIPAA violation has multiplied since 2013 simply because the number of individuals required to report them has increased. While HHS could inspect complaints at its discretion prior to 2013, they are now required to investigate them if the covered entity appears to have willfully neglected the law.
Consider this scenario: an unhappy client, co-worker or business associate lodges a HIPAA complaint against you or your organization. They are savvy enough to suggest you have engaged in Willful Neglect, or in the course of this process, it comes to light there are no policies and procedures, risk assessments, or workforce training standards. This, in turn, triggers a mandatory HHS investigation. You could be facing an unwaivable fine, which in many cases would have been avoided altogether with some basic leg work before the complaint and minimal changes to procedure following it.
What to Do
The good news is that the risk of a mandatory HHS investigation can be greatly reduced by:
- Implementing written policies and procedures as set forth in 45 CFR part 164, including those dealing with uses and disclosures rules; electronic security; patients’ rights; breach notification; and administrative requirements.
- Training workforce members concerning your policies and procedures and documenting the training. Texas Code 300 mandates that covered entities must provide mandatory customized employee training regarding State and Federal regulatory requirements (17).
- Identifying and correcting any potential HIPAA violation with documentation of such actions, including the imposition of sanctions against those who violated HIPAA.
- Re-evaluating policies and procedures periodically.
- Notifying clients and HHS of privacy breaches, if necessary.
- Cooperating with OCR during any investigation.
As the director of a behavioral health clinic in west Texas, I developed a policy and procedure manual in 1999. It had grown to be 6 inches thick, an unsystematic, hit and miss compilation of do’s and don’ts, which had modest practical utility. Yet, when thoroughly investigating the HIPAA requirements 2 years ago, it was alarming to find I hadn’t: directly addressed the 18 Administrative Safeguards required by the Security Rule; recorded a single risk assessment; or incorporated a standard workforce training program and sanction policy. Oops.
Upon consulting with colleagues, it seemed that most psychologists had unexceptional knowledge of HIPAA and the consequences for non-compliance. Our team worked over 18 months to understand and implement basic compliance requirements in our practice, which were then applied to the development of an on-line program. Hopefully it will help other therapists incorporate the HIPAA basics into their practices “without pulling their hair out.”
Maintaining client confidentiality and privacy is a core value of our profession and thus HIPAA is natural to our ethical inclinations. The government insists that we willfully engage in the process as a work in progress, without expecting us to perfect it. Hopefully we can promote patient privacy and minimize risk by responding in the spirit of our noble profession, and taking the basic steps to avoid Willful Neglect.
What steps have you taken to avoid willful neglect?
Submit your questions and feedback regarding HIPAA compliance to firstname.lastname@example.org and we will work with our experts to provide the information you need.
* Editors Note: This document is not intended to provide legal advice. Consult legal counsel for answers for specific privacy and security answers.
1). US Department of Health and Human Services. Title XIII of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act, Subtitle D-Privacy (hereinafter ‘HITECH Act”).
2). US Department of Health and Human Services. The Health Insurance Portability and Accountability Act of 1996, (HIPAA) Privacy, Security and Breach Notification Rules.
3). Texas Health and Safety Code. Section 181.101 (b).
4). D Tyner. (2012, July 9). Texas House Bill 300 Significantly Expands State’s Patient Privacy Protections for Covered Entities. [Web log comment]. Retrieved from http://www.ebglaw.com/publications/texas-house-bill-300-significantly-expands-states-patient-privacy-protections-for-covered-entities/
5). Department of Health and Human Services, Office of Inspector General. (Oct, 2008). Nationwide Review of the Centers for Medicare & Medicaid Services HIPAA Act of 1996 Oversight. (OIG Publication A-04-07-05064).
6). American Recovery and Investment Act of 2009. (2009). Pub. L. No. 111-5, Title XIII, 123 Stat. 115, 13410(e). Herein cited as ARRA.
7). Tomes, J. (2014). Phase II Audits: HIPAA Privacy, Security, and Breach Notifications Heads Up: HIPAA & HITECH Act Blog by Jonathan P. Tomes, Veterans Press, Inc. 2014.
8). HITECH Act (45 CFR 164.401).
9). H Troxell. (2011, December 20). HIPAA Penalties Now Mandatory for Willful Neglect. [Web log comment] Retrieved from http://www.hawleytroxell.com/2011/12/hipaa -penalties-now-mandatory-for-willful-neglect/
10). Tomes, J. (2013). Recent Compliance Changes Brought about by the New Omnibus Rule, by Increased DHHS Enforcement, and by Risks Inherent in New Technologies. Supplement to Mental and Behavioral Health and HIPAA: An Uneasy Alliance. Copyright 2013 by Jonathon P. Tomes, Veterans Press, Inc., and EMR Legal, Inc.
11). D Beaulieu-Volk. (2014, April 8). 6 HIPAA best practices you’re probably not following. (Web log comment) Retrieved from http://www.fiercepracticemanagement.com/story/6-hipaa-best-practices-youre-probably-not-following/2014-04-08
12). American Psychological Association Practice Organization, (2013). HIPAA Final Rule: What You Need to Know. In HIPAA For Psychologists, continuing education course. Available from www.apapractice.org/privacy/DesktopPlayer.cfm
13). Borich, J. (2011). HIPAA and Medical Records Law: Meeting the Privacy and Security Regulations. Cross Country Education.
14). American Psychological Association Practice Organization, (2013). HIPAA Final Rule: What You Need to Know. In HIPAA For Psychologists, continuing education course. Available from www.apapractice.org/privacy/DesktopPlayer.cfm
15). ARRA 13410.
16). US Department of Health and Human Services. (2013). HHS announces first HIPAA breach settlement involving less than 500 patients. Retrieved from http://www.hhs.gov.news/press/2013pres01/2013102a.html
17). Texas Health and Safety Code. Section 181.101.