HIPAA Regulatory Alert

HHS increases penalties for HIPAA violations

It's not just the organization at risk, but individual staff members

The U.S. Department of Health and Human Services has published an interim final rule incorporating provisions of the Health Information Technology for Clinical and Economic Health (HITECH) Act related to HIPAA violations that significantly increase the penalties it can levy against employers and health care providers.

Before the HITECH Act, businesses could incur a maximum fine of $100 for a single violation and $25,000 for all identical violations of the same provision. Now, however, there is a series of tiered minimum fines for individual claims and a $1.5 million maximum fine when a group of employees is affected.

HIPAA compliance executives and consultants have been quick to react to the new interim rule. "The new penalties are scary, and I think it really has all of us wanting to go back and review our HIPAA policies and procedures," says Kathy Westhafer, RHIA, CHPS, program manager, clinical information at Christiana Care in Wilmington, DE. "Even though we knew they were going to do this anyway, it has created real urgencies."

But Cassi Birnbaum, RHIA, CPHQ, director of health information at Rady Children's Hospital of San Diego, was much more sanguine. "Being from California, we have already had to be held to a much higher standard, so we really have a leg up," she explains. "In comparison to ours, it actually looks mild; we're not exactly shaking in our boots." However, she adds, "It can be very frightening if in the past you've just been held to minimal HIPAA penalties."

"I think the biggest issue is that a variety of things have come together," adds Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, who heads a Schaumburg, IL-based consulting firm that bears her name. "First of all, HITECH brings an enforcement rule that increases the size of the penalties; there's more at stake if there is an egregious violation. But there is a tiered approach that still enables a person who just didn't understand, or who tried hard to do what's right and still got in trouble, to be able to have a corrective action plan and perhaps lesser penalties than someone who does things with malicious intent. And this has been made clearer."

The new rule also makes clear, she continues, that it's not just the organization that is at risk, but if an individual member of the workforce does something wrong, they themselves can be held accountable. "You still have to train people, monitor them, and so on, and it's likely that if an individual gets in trouble, the organization will, too; but an individual who does something maliciously will see consequences — where in the past the organization would suffer the consequences directly from the government," Amatayakul says.

Three categories of violations

The interim rule spells out three different classes of violations:

"(A) In the case of a violation of such provision in which it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(A) but not to exceed the amount described in paragraph (3)(D);

"(B) in the case of a violation of such provision in which it is established that the violation was due to reasonable cause and not to willful neglect, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D);

"(C) in the case of a violation of such provision in which it is established that the violation was due to willful neglect — (i) if the violation is corrected as described in subsection (b)(3)(A), a penalty in an amount that is at least the amount described in paragraph (3)(C) but not to exceed the amount described in paragraph (3)(D)."

While the minimum penalty varies with each category, the maximum is the same in all cases: $1.5 million. With such significant dollar amounts at stake, it's critical to understand exactly what is meant by each of these types of violations.

For "category A," Amatayakul offers this hypothetical: "Let's say the breach was from a paper-based record — somebody looked at it or overheard something or saw somebody [famous] in the hospital. They did not have malicious intent, but somehow there was a breach."

There is no way to absolutely say you can monitor everybody who works on a paper-based record, she continues. "Obviously, training needs to be done, and the government will be looking at the extent to which you did train people, gave them examples of this type of breach, told them it was wrong, and secured the information in such a manner as to make it more difficult to casually see something you shouldn't," Amatayakul shares. "Even in an electronic environment there could be a person who has legitimate access to the information — maybe a nurse who takes care of the patient — but they happened to tell somebody something they shouldn't have."

A "category B" violation, Amatayakul continues, "might be where a VIP is in-house and a person comes to learn of their alias or snoops. There is no malicious intent, like selling a story to the National Enquirer; they are just curious, but they know they shouldn't be doing this, so the penalty would be stiffer."

For the most serious type of violation, "category C," the onus falls much more heavily on the organization.

"This would be more a case of an organization not having very strong access controls," Amatayakul suggests. "They did HIPAA training the first time it was enacted, but never did any more training. Or, they have a policy on sanctions but they don't do anything about it."

The interim rule does provide for a time period in which corrective action can be taken, and such actions can reduce the penalties.

Your corrective action plan, says Westhafer, "is really part of reviewing your policies and procedures and setting things up so you know what the remediation plan is up front. I almost think of it like disaster planning — you think about what things can go wrong, and as you go through your policies and procedures, and what the protocol is going to be for each type of violation, so you're a step ahead."

Hospitals, she continues, should be used to this type of preparation. "We get surveyed all the time from The Joint Commission and others, so we know if a situation arises, we're pretty used to jumping in and we know we have to take care of it quickly," Westhafer notes.

"We have developed a grid," says Birnbaum. "We wanted to make sure to have community-wide standards so we did it in conjunction with other privacy officers in San Diego, and in fact just updated it to clarify the reporting process and responsibilities." Under the policy, for example, for a first-time inadvertent breach, verbal counseling is given; if there is a subsequent trend, it will result in a final written warning.

"The big thing for us is the need to consistently apply the policy to all members of the workforce," says Birnbaum. "You can't be more lenient with 'Suzie Q' just because you like her."

She adds that even though she provides education at the time of new employee orientation, "We now have an additional course that is a new requirement for every workforce member — including medical staff. Also, we've passed around the policy so people will know the repercussions of violations."

"It's more likely than not the OCR [The Office for Civil Rights, which handles HIPAA enforcement] will look a little more carefully at whether the corrective action plan is appropriate, and they may move to a civil monetary penalty if they feel it is not strong enough or it is not the only thing that should have been done," offers Amatayakul. "In the past, they just sort of assumed everybody would do a corrective action plan and gave everybody an opportunity. They were nice, and helped you overcome the issue."

Now, she says, "They're under the gun to be a little bit tougher. Not only is the OCR under the gun to be more proactive, but there is an incentive for them to give out civil money penalties because they get to keep some of the money; they can also turn some of it over to the individual who is harmed."

In the past, she says, the OCR didn't have the staff to go after violators as aggressively. "They were cranking out these letters, asking facilities to come up with a plan," she recalls. "Now, with a little bit more money, and now with [HIPAA] security under OCR (in addition to privacy) they are likely to be a positive force. They want you to do the right thing, and it makes them feel better if they help the [harmed] individual."

In terms of how they will view corrective action plans, she adds, "They will look for more specific evidence that this was done, and that action was taken." Whether you have acted on your plan, she stresses, has now become more important. "People in that situation [of being found in violation] need to come up not just with a specific plan, but with evidence they put it into action," Amatayakul warns.

[For more information, contact:

  • Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, Margret\A Consulting, LLC. Phone: (847) 895-3386. E-mail: Margret@Margret-A.com.
  • Cassi Birnbaum, RHIA, CPHQ, Director of Health Information, Rady Children's Hospital of San Diego, CA. Phone: (858) 966-4095. E-mail: cbirnbaum@rchsd.org.
  • Kathy Westhafer, RHIA, CHPS, Program Manager, Clinical Information, Christiana Care. Phone: (302) 327-3815. E-mail: kwesthafer@christianacare.org.]