Feds may increase enforcement with HITECH, seek high penalties

Large penalties could be used as leverage in fraud and abuse cases

After one year of HITECH, risk managers are realizing that this rule is serious business. The stakes are higher, and there is reason to believe that federal prosecutors will use HITECH more aggressively in 2010 than they did during its first year.

The Health Information Technology for Economic and Clinical Health Act, known as HITECH, was enacted as part of the American Recovery and Reinvestment Act of 2009 and modified the Health and Human Services secretary's authority to impose civil monetary penalties for violations under the Health Insurance Portability and Accountability Act (HIPAA) occurring after Feb. 18, 2009. HITECH significantly increased the penalty amounts the secretary may impose for violations of the HIPAA rules.

Prior to the HITECH Act, the secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan, or clearinghouse also could bar the secretary's imposition of a civil monetary penalty by demonstrating that it did not know that it violated the HIPAA rules. Section 13410(d) of the HITECH Act strengthened the civil monetary penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil monetary penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

What does all this mean for risk managers? Nothing good. With the passage of HITECH, the federal government upped the penalties for breaches of security and privacy, but the legislation also put them in tiers, explains Lisa L. Dahm, JD, LLM, health director of continuing legal education and adjunct professor at the South Texas College of Law in Houston.

"So, not only is there now a higher risk because of the penalties that can be associated, but the conduct itself has changed," she says. "It used to be that if you just kind of ignored HIPAA and didn't feel like complying, you would be penalized the general amount, $100 per violation up to a maximum of $25,000 per calendar year. Now, there are levels of penalties and culpability."

For simple "did-not-know" errors, honest mistakes, the standard penalty still is $100 for each identical violation, Dahm says. So, if you make the identical error — such as entering the wrong code — on 20 claims, that still will count as one violation. The scary part comes when you're penalized for multiple violations or if your error wasn't so benign.

Under HITECH, health care providers are held accountable for the nature of the error, she says. HITECH exacts higher penalties for willful neglect, as opposed to making an honest mistake, she says.

"This signals that, with everything going on now with health care, one of the ways that the government is trying to pay for that is through the increased sanctions," Dahm says.

Better investigators now

Dahm says the government is targeting health care providers much more now than in the past. She used to tell health care providers not to panic if government agents came looking at their medical records, because, in most cases, the investigators didn't really know what they were looking for.

"Now they do, because for the past 10 years the government has been hiring people who have the knowledge, the billers and coders who know where to look," she says. "Now, when they ask for your records, it's not an FBI agent who hardly knows what he's looking at. It's a former coder or biller who is going to know exactly what to look for."

In addition to fraud and abuse, Dahm suspects that prosecutors will pursue HIPAA violations more aggressively than in the past, partly because the potential penalties are higher and that can be used as a bargaining chip.

"There is reason to think that the government is going to go after HIPAA violations as seriously as it does fraud and abuse," she says. "We're going to see U.S. attorneys saying they'll find you guilty of $400 million worth of fraud and abuse, and they'll toss in another $1.5 million of HIPAA violations. Then, they'll offer to throw out the HIPAA violations and hold fast on the fraud and abuse. That's their leverage as a U.S. attorney. They haven't done that yet, but now it makes sense."

Dahm notes that the tactic will be easy to employ, because virtually every covered entity is in violation of HIPAA at some point.

"Not because they want to, but just because it happens," she says. "People don't necessarily intend to submit a false claim either, but it just slips through sometimes. Fortunately, under the fraud and abuse laws, you have to knowingly commit fraud to incur a big penalty. Under HIPAA, you don't have that protection."

Reaching out to the IT department is a good idea, Dahm says. Don't assume they know what they're doing when it comes to HITECH compliance or that they understand the size of the potential penalties. Business associates also can put the health care provider at risk if they fail to comply.

HIPAA is being used more to punish the criminal mismanagement of information, says Robert D. Belfort, JD, a partner with the law firm Manatt Phelps in New York City. The HITECH provisions have been used in the past year against intentional misuse of information, and Belfort says it is important for risk managers to be able to separate the health care provider from such egregious acts.

"The risk manager must establish compliance programs that position them to show that individuals were acting outside their training, authority, and direction, so that the institution won't be held responsible criminally and the penalties will be imposed only on the individual," he says. "So far, we haven't seen any criminal cases where the companies have been charged, and I think that is because the organizations involved were able to show that they are providing training; and the actions of the individual were not reflective of the organization's culture on the whole and, in fact, violated express directions given to the employee."

To make that case, the health care provider must have a solid paper trail showing that the employee was properly trained and that the incident does not signify a systemic problem in the organization.

"The organizations that avoided criminal prosecution were able to show that the behavior was very much at odds with their organization's culture and standards," he says.

HITECH is a powerful enforcement tool, but it can be used against even the simplest violation, so don't forget that privacy breaches don't have to involve a high-tech scenario. The high penalties possible with HITECH were aimed mostly at willful or egregious privacy breaches, such as the loss of a laptop computer with thousands of unprotected files, says Pamela E. Hepp, JD, an attorney with the law firm Buchanan Ingersoll in Pittsburgh, but old-fashioned paper often is the culprit.

Most HIPAA violations are on a small scale, with one patient involved, she says.

"The cases often are related to providers still using paper records and the piece of paper being misplaced and falling into the wrong hands, or perhaps bad behavior by employees accessing records that they shouldn't have," Hepp says. "There is a lot of emphasis on electronic security and encryption, but there are still a lot of instances in which paper records are not being protected adequately."
For more information on HITECH compliance, contact:

• Robert D. Belfort, JD, Partner, Manatt, Phelps & Phillips LLP, New York City. Telephone: (212) 830-7270.

• Lisa L. Dahm, JD, LLM, Health Director of Continuing Legal Education and Adjunct Professor, South Texas College of Law, Houston. Telephone: (713) 646-1873. E-mail: ldahm@stcl.edu.

• Pamela E. Hepp, JD, Counsel, Buchanan Ingersoll & Rooney PC, Pittsburgh. Telephone: (412) 562-1418. E-mail: pamela.hepp@bipc.com.