THIS IS AN ADVERTISEMENT

HIPAA ENFORCEMENT AFTER THE RECOVERY ACT

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (the "Recovery Act").  Title XIII of the Recovery Act is known as the Health Information Technology for Economic and Clinical Health Act ("HITECH").  Among other provisions, HITECH makes several changes to the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Due to the significance of those changes, we will be issuing a series of articles providing an analysis of each of those changes in detail.  This is the first in a series of seven such articles. 

One of the most common critiques of HIPAA is that it is not adequately enforced.  HITECH made several changes to HIPAA designed to improve its enforcement. It is important to note that most of these enforcement changes became effective when HITECH became law. 

Revised and Increased Civil Monetary Penalties

Civil violations of HIPAA will now be subject to a broader and more severe range of penalties.  Prior to HITECH, civil monetary penalties for violating HIPAA were $100 per violation, with a cap of $25,000 for all violations of an identical requirement or prohibition during a calendar year.  These penalties would not apply if the violator did not know (or by exercising reasonable diligence would not have known) of the violation, or if the failure to comply was due to reasonable cause and was corrected within thirty (30) days. 

HITECH eliminated those exceptions and established new minimum and maximum penalties for HIPAA violations, effective upon the enactment of HITECH.  Thus, for any violations of HIPAA that occur after February 17, 2009, the new maximum penalty is $50,000 per violation, with a cap of $1,500,000 for all violations of an identical requirement or prohibition during a calendar year.  The new minimum civil monetary penalties are tiered based upon the entity's perceived culpability for the HIPAA violation, as follows:

  • $100 per violation, with an annual cap of $25,000, for violations where the person did not know (and by exercising reasonable diligence would not have known) that such person committed a violation;
  • $1,000 per violation, with an annual cap of $100,000, for violations due to reasonable cause and not to willful neglect;
  • $10,000 per violation, with an annual cap of $250,000, for violations due to willful neglect that are corrected within thirty (30) days of the date the person knows (or should have known) that the violation occurred; and
  • $50,000 per violation, with an annual cap of $1,500,000 for violations due to willful neglect that are not corrected within the thirty (30) day period. 

The Secretary of Health and Human Services ("Secretary") will base its penalty determination on the nature and extent of both the violation and the harm caused by the violation.  The Secretary still will have the discretion to impose corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) that such person committed a violation. 

Due to the severity of these penalties, covered entities should reassess their compliance with HIPAA as soon as possible.  Additionally, covered entities should review their HIPAA policies and procedures, workforce training materials, and any other documents that reference HIPAA enforcement to ensure that they are updated accordingly.

State Attorney General Enforcement

Prior to HITECH, the Secretary was the sole enforcement agency for civil violations of HIPAA. Now, under HITECH, state attorneys general are authorized to bring civil actions against persons who violate HIPAA if the attorney general has reason to believe that the violation threatens or adversely affects any resident of the state.  The attorney general must file the action in the United States District Court for the appropriate jurisdiction, and must provide the Secretary with prior notice of the action, where feasible.  The Secretary will have the right to intervene and be heard in the action, and to file petitions for appeal.  The state attorney general cannot bring an action as long as an action for the same violation is pending by the Secretary. 

State attorneys general may impose injunctions against further violations of HIPAA, as well as monetary damages of up to $100 per violation, with a cap of $25,000 for all violations of an identical standard in a calendar year.  In considering the amount of damages, the court, like the Secretary, may consider the nature and extent of both the violation and the harm caused by the violation.  A person found liable may also be required to pay the attorney fees and court costs incurred by the state in bringing the action. 

These provisions of HITECH also became effective upon the passage of the Act.  Therefore, covered entities should be cognizant of this additional enforcement mechanism, particularly in states where attorneys general have shown a propensity for actions against health care entities. 

Sharing of Penalties with Persons Harmed

Under HIPAA, individuals do not have a private right of action, i.e., the right to sue covered entities for breaching their obligations under HIPAA.  HITECH does not create a private right of action, but it does give financial incentives to complainants.  Individuals who are harmed by HIPAA violations may now be able to share in any monetary penalties or settlements collected as a result of those violations.  This is similar in concept to qui tam relators, who often are the initiators of cases alleging fraud in the health care industry.  While these provisions became effective for any HIPAA violations occurring after February 17, 2009, the Secretary has up to three (3) years to issue a regulation establishing a methodology by which the monetary penalties or settlements will be shared.

These provisions will make it more enticing for individuals to allege HIPAA violations.  Covered entities should use this as an opportunity to improve the manner in which they respond to and handle HIPAA complaints so as to minimize the incidence of claims reported to the Secretary or state attorney general to the extent possible.

Mandatory Investigations and Penalties for Willful Neglect

Prior to HITECH, the Secretary had the discretion to determine whether or not to investigate a HIPAA complaint and impose civil monetary penalties.  However, HITECH reduced that discretion in cases of willful neglect.  Accordingly, if a preliminary investigation of the facts in a complaint indicates a possible HIPAA violation due to willful neglect, HITECH requires the Secretary to investigate the complaint, and to impose civil monetary penalties for violations due to willful neglect.    These provisions will go into effect on February 17, 2011.  The Secretary is required to issue regulations regarding this process by August 17, 2010. 

Covered entities should ensure that they have established and effectively implemented appropriate HIPAA policies and procedures to reduce the risk that a violation of HIPAA could be categorized as resulting from willful neglect.

Civil Enforcement of Criminal Matters

HIPAA currently provides for the Secretary to refer potential criminal violations of HIPAA to the United States Department of Justice ("DOJ") for prosecution.  Historically, the Secretary's referral of the violation to the DOJ ended the Secretary's involvement in the matter.  However, pursuant to HITECH, if the DOJ has not prosecuted an individual for alleged criminal violations of HIPAA, the HHS Office for Civil Rights ("OCR") may still investigate and impose civil monetary penalties where appropriate.


The changes to HIPAA enforcement in HITECH make it clear that the government intends to make HIPAA enforcement a priority as more and more federal funds are allocated toward the implementation of electronic health records.  Since most of these enforcement changes already are in effect, covered entities should reassess their HIPAA policies, procedures, and practices, and make any changes necessary to ensure compliance with HIPAA.   If your organization has questions about the changes to HIPAA enforcement or needs assistance assessing HIPAA compliance and implementing appropriate corrective actions, please contact us.

To register for the complete Impact Series: HIPAA goes HITECH, please visit:

hallrender.com/impact

HIPAA Impact Series: HIPAA goes HITECH

  1. Increased Enforcement (3/30/09)
  2. Breach Notification Requirements (04/13/09)
  3. Changes to Business Associate Agreements and Duties (04/27/09)
  4. Changes to the Minimum Necessary Rule (05/11/2009)
  5. Changes to Fundraising, Marketing, and other Restrictions on Disclosure (05/25/09)
  6. Changes to Accounting of Disclosures Requirements (06/08/09)
  7. How Changes to HIPAA Impacts HIEs, RHIOs, etc. (06/22/09)

If you need additional information about this topic, please contact your regular Hall Render attorney or:

Mark J. Swearingen at (317) 977-1458 or mswearingen@hallrender.com

This information is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.

 

HIPAA Enforcement after the Recovery Act is the first of seven articles in the HIPAA goes HITECH series. To register for future Hall Render Impact Series articles, please visit hallrender.com/impact

as distributed March 30, 2009 

HIPAA goes HITECH authors:

Elizabeth Callahan-Morris

Charise R. Frazier

Monica C. Hocum

Margaret Marchak

Melissa L. Markey

Mark J. Swearingen
