by Donna Vanderpool, MBA, JD
Ms. Vanderpool is Vice President of Risk Management at PRMS, Inc. in Arlington, Virginia.
Innov Clin Neurosci. 2012;9(11–12):51–55
This ongoing column is dedicated to providing information to our readers on managing legal risks associated with medical practice. We invite questions from our readers. The answers are provided by PRMS, Inc. (www.prms.com), a manager of medical professional liability insurance programs with services that include risk management consultation, education and onsite risk management audits, and other resources to healthcare providers to help improve patient outcomes and reduce professional liability risk. The answers published in this column represent those of only one risk management consulting company. Other risk management consulting companies or insurance carriers may provide different advice, and readers should take this into consideration. The information in this column does not constitute legal advice. For legal advice, contact your personal attorney. Note: The information and recommendations in this article are applicable to physicians and other healthcare professionals so “clinician” is used to indicate all treatment team members.
QUESTION
I have been hearing about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for years, but I have not heard of very much enforcement by the government. Do I really need to be concerned about being found liable for HIPAA violations?
ANSWER
Yes. While it is true that the federal government’s enforcement of HIPAA’s Privacy and Security Rules has been limited in the past, this will no longer be true in the future.
Overview of HIPAA Enforcement
Healthcare providers required to comply with HIPAA, a federal statute, are subject to enforcement actions for violations of the Privacy Rule[1] and the Security Rule,[2] federal regulations enacted under the HIPAA statute. The Office for Civil Rights (OCR), an agency within the Department of Health and Human Services, is responsible for civil enforcement of the Privacy Rule and the Security Rule. OCR can impose civil monetary penalties on covered entities up to $50,000 or more per violation, with an annual cap of $1.5 million for identical violations.
The Department of Justice (DOJ) is responsible for the investigation and prosecution of criminal violations of the HIPAA regulations. Under HIPAA, the maximum criminal penalties are $250,000 and 10 years imprisonment.
Preliminary Distinction— Covered Entity versus Noncovered Entity
Civil enforcement of the Privacy and Security Rules is limited to those healthcare providers who are “covered entities” under HIPAA. Coverage under HIPAA is triggered by specific electronic transactions with health plans. While there are several electronic transactions that will trigger coverage under the law, the most common example is the electronic transmission of insurance claims forms, whether by the provider directly or by a third party, such as a billing service, on the provider’s behalf. To determine if you are a covered entity under HIPAA (and therefore required to comply with HIPAA), OCR has an online tool to assist you.[3] However, as discussed below, even those providers who are not covered entities can still face liability for breach of patient confidentiality under the criminal provisions of HIPAA as well as under state law.
Why HIPAA Enforcement is Increasing
HIPAA enforcement increased with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) provisions under the American Recovery and Reinvestment Act of 2009. This law included many amendments to HIPAA resulting in increased enforcement, including the following:
• Civil monetary penalties were increased to the amounts described above.
• State Attorneys General were empowered to enforce the federal HIPAA law.
• Audits for HIPAA compliance were mandated.
• Whistleblower provisions were created, allowing people who complain to OCR that a provider violated HIPAA to get part of any money that the government collects.
• Covered entities are required to report to OCR breaches of an individual’s protected health information, and OCR is required to investigate these reported breaches.
• HITECH clarified that the criminal provisions of HIPAA apply to everyone, not just covered entities.
Examples of HIPAA Enforcement
Civil enforcement by OCR. Civil enforcement actions against covered entities are typically triggered by complaints filed with OCR by individuals (not limited to patients) alleging HIPAA violations. According to OCR,[4] as of June 30, 2012, OCR has received more than 71,000 Privacy Rule complaints since 2003 and has resolved 65,460 complaints. Impermissible use or disclosure of protected health information is the most frequent complaint investigated, followed by lack of safeguards of protected health information, lack of patient access to their protected health information, uses or disclosures of more than the minimum necessary protected health information, and lack of administrative safeguards of electronic protected health information. Private practice is the most common type of covered entity that has been found to have violated the Privacy Rule, followed by general hospitals, outpatient facilities, health plans, and pharmacies.
The vast majority (over 40,000) of these complaints were not eligible for enforcement, meaning the complaint alleged a violation prior to the compliance date or the complaint alleged a violation by an entity not covered by HIPAA. No violation was found in 8,514 of the complaints investigated, whereas OCR investigated 16,788 complaints that led to enforcement. OCR can resolve HIPAA violations in the following manners:
Informal resolution. OCR may educate covered entities on their obligations under HIPAA, covered entities may agree to voluntarily comply with OCR’s corrective action, and that may end the investigation. OCR posts examples of such cases on its website,[5] including a covered entity being made aware that the Privacy Rule requires that records from other providers be included in record releases, and a covered entity being made aware that the Privacy Rule requires that individuals have access to their record created as part of an Independent Medical Evaluation (IME), regardless of the payment source for the evaluation.
Resolution agreement. OCR and the covered entity may agree to a contract under which the covered entity agrees to certain obligations (such as employee training), agrees to have its compliance monitored by OCR, and agrees to pay money to resolve the investigation. With a resolution agreement, there is no formal adjudication; similar to a settlement in litigation, the covered entity reaches an agreement with the government to settle the investigation. As an example, Massachusetts General Hospital Corporation agreed to pay $1,000,000 and implement a Corrective Action Plan to improve policies and procedures to safeguard patient confidentiality. At issue was the loss of protected health information of 192 patients of an outpatient physician practice, including patients with HIV/AIDS. Reportedly, the information was left on a subway train when an employee brought the documents home to work on them.[6]
Civil monetary penalties. In 2011, OCR imposed the first civil monetary penalty since compliance was required in 2003. OCR fined Cignet Health more than $4,300,000 based on complaints from 41 Cignet patients who complained that access to their medical records was denied in violation of the Privacy Rule. The penalty related to denial of patient access was $1,300,000. The remaining $3,000,000 was based on the covered entity’s failure to cooperate with OCR’s investigation. OCR found that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule based on the following: Cignet’s failure to respond to OCR’s investigation notification, telephone calls, or subsequent letters informing Cignet of its obligation under the Privacy Rule to provide patients with copies of their medical records; Cignet’s failure to respond to OCR’s subpoena directing Cignet to produce the records and failure to defend the resulting court action to enforce the subpoena; and Cignet’s eventual delivery to OCR of 59 boxes of original medical records, which included, in addition to the subpoenaed records, records of approximately 4,500 patients for whom OCR made no request and for whom Cignet had no basis to disclose the records to OCR.7
Civil enforcement by State Attorneys General. The first state HIPAA enforcement was brought by the Connecticut Attorney General against Health Net in 2010. The case involved a lost computer disk drive containing protected health information of more than 500,000 Connecticut residents and 1,500,000 residents of other states. The drive contained 27.7 million scanned pages, including medical records. There was no evidence that the information had been inappropriately accessed, and Health Net settled the case for $250,000. Part of the resolution agreement required an additional payment of $500,000 if it is established that the lost disk drive was accessed and personal information was used illegally.[8] The Vermont Attorney General subsequently also used the new authority under HITECH to fine Health Net $55,000 since the same breach involved 525 Vermont residents.[9]
Criminal enforcement. Initially federal prosecutors were interested in those who inappropriately used or disclosed protected health information for financial gain. Accordingly, the early criminal HIPAA cases typically involved an employee inappropriately using patients’ identities in a scheme to make money. Examples of these cases include the following:
• A medical office staff member was indicted after selling medical records of a patient who was an FBI agent to an undercover FBI agent. She pled guilty and the court accepted her plea: six months in jail plus four months of home confinement plus two years of supervised release.[10]
• A billing service employee sold a codefendant (nonemployee) personal information of over 400 patients of the billing service’s clients. The codefendant used the stolen identities to file false and fraudulent tax refunds with the IRS and secured refund anticipation loans. The employee was tried and sentenced to more than two years in prison. The codefendant pled guilty to identity theft and was sentenced to more than six years and more than $378,000 in restitution.[11]
• A hospital employee inappropriately accessed medical records of celebrities and sold that confidential patient information to a tabloid. She ultimately pled guilty, but she died prior to sentencing.[12] Note that the hospital in this case subsequently entered into a resolution agreement based on complaints of two celebrity patients after OCR’s investigation found that unauthorized employees repeatedly looked at the electronic protected health information of numerous patients. The hospital paid $865,500.[13]
Then the cases indicated a shift in the DOJ’s approach to criminal prosecution under HIPAA. No longer was financial gain required for prosecution; rather, there was criminal prosecution for snooping through medical records without any financial gain. As an example, a physician, along with other hospital employees, pled guilty to violating HIPAA by accessing the records of a high-profile hospital patient (not being treated by him) without a legitimate purpose. The impermissible viewing of the patient’s record was discovered by audits. The hospital suspended the physician for two weeks and he was required to complete HIPAA re-training. In terms of sentencing, the physician had to pay $5,000 and perform 50 hours of community service, which included educating healthcare professionals about HIPAA.[14] This case is significant for at least the following reasons:
• The physician and the other hospital employees involved had received HIPAA training. They knew what they were doing was wrong, but they did it anyway.
• There was no financial gain. The government went after the physician and other healthcare professionals for snooping.
Expected Future Enforcement
HIPAA enforcement is expected to increase as a result of the following:
• The required audits of covered entities for compliance
• The whistleblower provisions (expected to go into effect in the near future)
• Increased training for State Attorneys General on HIPAA enforcement
• Continued criminal prosecution for inappropriate peeking at patient information.
State Law
Breach of confidentiality laws. As always, physicians are obligated to maintain patient confidentiality under state confidentiality laws. HIPAA’s requirements are the floor of confidentiality protections and have been used in the courts as evidence of the standard of care.15 Moreover, states can enact laws similar to the federal Privacy Rule and Security Rule.
Consumer protection laws. In addition to enforcing the federal HIPAA regulations, state Attorneys General can enforce consumer protection laws. For example, the Massachusetts Attorney General filed suit against a hospital under the state Consumer Protection Act and HIPAA. The hospital shipped 473 unencrypted back-up computer tapes with 800,000 individuals’ protected health information to a third-party vender (business associate) to be erased and resold. The hospital did not inform the business associate that protected health information was on the tapes. Only one of the three shipped boxes arrived at the business associate. There have been no reports of unauthorized use of the missing data, and the hospital agreed to pay $750,000 to settle the case.16
Risk Management Advice
Providers should ensure an understanding of and compliance with HIPAA’s regulations. The biggest threat to the confidentiality of patient information appears to be inappropriate insider access. Employers should be aware that employees may be motivated by financial gain or merely by curiosity to inappropriately access patient information. There have also been reports of employees posting patient information and ranting about, patients online via social networking sites. So even after HIPAA training, some healthcare employees appear not to understand confidentiality requirements, or they just cannot stop themselves from breaching patient confidentiality. To minimize liability for the inappropriate actions of employees, employers should, at a minimum, do the following:
• Ensure employees understand that identifying information is not limited to patient names.
• Ensure safeguards to protect patient information are in place, such as auditing access of patient information.
• Provide effective HIPAA training and have appropriate sanctions for violations.
• Realize that younger employees may have a different view of what is private and what is not.
• Document employees’ understanding of confidentiality policies and procedures.
References
1. 45 CFR Parts 160 and 164
2. 45 CFR Parts 160, 162, and 164
3. US Department of Health and Human Services. Health information privacy. For covered entities. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html. Accessed August 2, 2012.
4. US Department of Health and Human Services. Health information privacy. Enforcement highlights. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html. Accessed August 2, 2012.
5. US Department of Health and Human Services. Health information privacy. HIPAA enforcement. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html. Accessed August 2, 2012.
6. US Department of Health and Human Services. Health information privacy. Resolution agreement. Massachusetts General Hospital settles potential HIPAA violations. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/massgeneralra.html. Accessed August 2, 2012.
7. US Department of Health and Human Services. Health information privacy. Civil money penalty. Cignet Health fined a $4.3M civil money penalty for HIPAA privacy rule violations. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetcmp.html. Accessed August 2, 2012.
8. State of Connecticut. Office of the Attorney General. Attorney General announces Health Net settlement involving massive security breach compromising private medical and financial info. http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=462754. Accessed August 2, 2012.
9. State of Vermont. Office of the Attorney General. Court approves Attorney General HIPAA settlement with health insurer. http://www.atg.state.vt.us/news/court-approves-attorney-general-hipaa-settlement-with-health-insurer.php. Accessed August 2, 2012.
10. Smith DeWaal IC. Successfully prosecuting Health Insurance Portability and Accountability Act medical privacy violations against noncovered entities. The United States Attorneys’ Bulletin. 2007;55:4. http://www.justice.gov/usao/eousa/foia_reading_room/usab5504.pdf. Accessed August 2, 2012.
11. Health Privacy Project. Health privacy stories. https://www.cdt.org/files/pdfs/20080311stories.pdf. Accessed August 2, 2012.
12. Former UCLA hospital worker admits selling celeb medical records. USA Today. December 1, 2008. http://www.usatoday.com/life/people/2008-12-01-UCLA-records_N.htm. Accessed August 2, 2012.
13. US Department of Health and Human Services. Health information privacy. Resolution agreement. UCLA health system settle potential violations of the HIPAA privacy and security rules. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uclaagreement.html. Accessed August 2, 2012.
14. Three sentenced for violations in Pressley case. Arkansas News. October 26, 2009. http://arkansasnews.com/2009/10/26/three-sentenced-for-privacy-violations-in-pressly-case/. Accessed August 2, 2012.
15. Acosta v. Byrum, 638 S.E. 2d 246 (NC. App. 2006).
16. State of Massachusetts. Office of the Attorney General. South Shore Hospital to pay $750,000 to settle data breach allegations. http://www.mass.gov/ago/news-and-updates/press-releases/2012/2012-05-24-south-shore-hospital-data-breach-settlement.html. Accessed August 2, 2012.
Submit your own question
To submit a question, e-mail Elizabeth Klumpp, Executive Editor
Send Mail
All chosen questions will be published anonymously. All questions are reviewed by the editors and are selected based upon interest, timeliness, and pertinence, as determined by the editors. There is no guarantee a submitted question will be published or answered. Questions that are not intended for publication by the authors should state this in the e-mail. Published questions are edited and may be shortened.
