In our last two posts we’ve evaluated HIPAA’s Privacy Rule and the Security Rule/Breach Notification Rule, which outline your duties under HIPAA. In our final post in this series, we’re going to take a close look at what happens if you violate, those rules, whether intentionally or inadvertently.
The Enforcement Rule
HIPAA’s Enforcement Rule is found in 45 C.F.R. Part 160, Subparts C, D, and E. Like with most government regulations, allegations of rule violations and non-compliance come in the form of a complaint to the agency, in this case the Department of Health and Human Services (HHS). HHS also has the authority to conduct a compliance review of your practice on its own accord without a complaint being filed.
Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing and investigating the HIPAA Privacy and Security Rules. Although the OCR is based in Washington D.C., there are regional field offices throughout the country that investigate HIPAA complaints and make initial determinations regarding alleged violations. Arizona is included within the Pacific region, headquartered in San Francisco.
If your practice is the subject of a HIPAA complaint, the Enforcement Rule outlines a number of responsibilities you have during the investigation:
- Provide records and compliance reports: You are obligated to keep records and submit compliance reports that will allow the Secretary to determine whether or not you are complying with the applicable provisions.
- Cooperate with complaint investigations and compliance reviews: In the event of a complaint or compliance review, you are obligated to comply with the investigation.
- Permit access to information: You are required to permit HHS and its agents to access your facilities, books, records, accounts and other sources of information during normal business hours. Under “exigent circumstances” where HHS is concerned documents may be hidden or destroyed, you must permit access at any time without notice.
HHS has the discretion to resolve the matter informally if it finds a violation, with the practice agreeing to take corrective action to resolve the issue. A majority of HIPAA noncompliance matters are resolved in this manner.
If the matter is not resolved informally, HHS will notify the covered party and allow them the opportunity to submit written evidence of any mitigating factors or affirmative defenses, which must be submitted within 30 days of the notice of violation. Based upon the information obtained by HHS in the investigation and the information submitted by the covered entity, HHS will then make a determination whether or not to impose a civil money penalty.
If HHS determines that a civil money penalty is appropriate, the covered entity will receive a Notice of Proposed Determination, which will include the statutory basis for the penalty, findings of fact, the reasons why the violation subjects the covered entity to a penalty, the amount of the proposed penalty, the circumstances considered in determining the amount of the penalty, and instructions for responding to the notice.
The civil money penalties for HIPAA violations vary according to when the violation occurred and the offending party’s degree of culpability. For violations occurring before February 18, 2009, you cannot be fined more than $100.00 per violation or in excess of $25,000.00 for identical violations during a calendar year.
For violations occurring after February 18, 2009, the potential fines go up drastically. If you are able to establish that a violation occurred unknowingly, even while exercising reasonable diligence, the minimum fine is $100.00 and the maximum fine is $50,000.00 for each violation. If the violation is due to willful neglect but corrected within 30 days, the minimum fine goes up to $10,000.00. For violations due to willful neglect that are not corrected within 30 days, the minimum fine is $50,000.00, up to a maximum of $1.5 million.
Substantial fines can be assessed even for unintentional breaches. In 2012, a small Phoenix-area cardiac surgery practice group was fined $100,000.00 for posting patients’ clinical and surgical appointments on a publicly-accessible internet-based calendar. In December 2013, a dermatology clinic in Concord, Massachusetts settled for a fine of $150,000.00 after an unsecured thumb drive containing the protected health information of 2,200 patients was stolen out of an employee’s truck.
Certain HIPAA violations can also be criminal offenses. If the complaint describes conduct that could be a criminal violation under 42 U.S.C. §1320d-6, it may be referred to the U.S. Department of Justice for a criminal investigation. If you knowingly obtain or disclose individually identifiable health information, you may also face criminal charges that carry a potential penalty of up to one year in prison. For offenses committed under false pretenses, you may face up to a $100,000.00 fine and up to five years in prison. If you obtain or disclose individually identifiable health information with the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm, you may face up to a $250,000.00 fine and up to ten years in prison.
Criminal prosecutions and convictions for HIPAA violations are relatively rare, but they do happen. In 2010, former UCLA surgeon Huping Zhou became the first healthcare provider to be convicted of a criminal HIPAA violation. Dr. Zhou was sentenced to four months in prison after he admitted to reading the electronic medical records of celebrities and others. In June of 2016, a respiratory therapist was convicted of illegally accessing the personal health information of 596 patients with the purpose of seeking and obtaining intravenous prescription drugs.
If you do not agree with the Notice of Proposed Determination, you have the right to request a hearing within 90 days of receipt of the notice by submitting a written request for a hearing. The hearing is overseen by an administrative law judge (ALJ). In the hearing process you have the right to be represented by an attorney, to conduct discovery, present and cross examine witnesses, present oral arguments, and submit written briefs.
After the hearing, the ALJ will issue a written decision based upon findings of fact and conclusions of law, in which he or she may affirm, increase, or reduce the penalties imposed by HHS. The decision becomes final unless it is appealed to the HHS Departmental Appeals Board within 30 days of the date of service of the decision.
The HIPAA rules and enforcement process can be complicated and overwhelming. If you have questions about your obligations under HIPAA, your compliance with the rules, or your rights in the enforcement process, contact an experienced healthcare attorney to help guide you through the labyrinth of federal regulations.