Featured Health Business Daily Story April 14, 2009

HIPAA Covered Entities Face a Variety of New Enforcement Risks Under Recent Measures Enacted

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

For years, privacy advocates savaged the HHS Office for Civil Rights (OCR) for failing to enforce the privacy rule — it has yet to levy a single dollar in fines — a situation many believe has led to lax compliance. Things picked up a bit when CMS, assigned to enforce the security rule, hired a contractor to conduct audits of covered entities (CEs).

So some cheered when the American Recovery and Reinvestment Act of 2009 (ARRA) provided for a doubling of fines for violators, and for the first time, gave state attorneys general (AGs) the authority to bring civil actions under HIPAA in district court.

The new law now requires CMS and OCR to conduct formal investigations of complaints where a preliminary inquiry into the incident shows that "willful neglect" is the cause.

"Privacy and security enforcement will get much more aggressive" under the Obama administration, says Washington, D.C., attorney Robert Hudock, with Epstein, Becker & Green. He expects a shift from the voluntary compliance approach that has marked enforcement so far to more fines and penalties.

Even at this early stage, M. Peter Adler, who leads the privacy, security and data protection division at the D.C.-based law office of Pepper Hamilton LLP, says he is warning clients that the combination of the new AG powers, increased fines and breach notification requirement has "ratcheted up" the prospects for enforcement. CEs that have been lax with compliance need to step up their activities, he says.

Since the privacy and security rules went into effect, CMS and OCR — which receive security and privacy complaints, respectively — have mostly conducted inquiries into the complaints and worked with CEs on corrective action plans.

But that is changing under ARRA. CMS and OCR have a much bigger stick — in the form of fines that now go up to $1.5 million per entity per calendar year.

Increased Fines, AG Powers Among the Changes

Not only are the fines doubled, but once OCR starts collecting fines, it can keep the money. This would conceivably give it the funds to hire more enforcement staff, and the enforcement activities could snowball, like the period in the 1990s when HHS collected escalating fines in Medicare fraud-and-abuse cases.

As stated earlier, CMS and OCR will have to go after more cases than before, using the willful neglect standard. And with new AG powers, more cases may occur on the state level as well.

HIPAA did not grant individuals a private right of action, so individuals cannot sue when they are harmed by a privacy or security breach; privacy advocates have long lobbied for such a right. The provision in ARRA that allows AGs to bring cases was a compromise between those who wanted a private right of action and those who opposed it.

The authority comes with many strings attached, and experts wonder how it will work.

It is also not clear how much appeal these cases will have for AGs. Facing budget pressures, increasing workloads and little expertise in HIPAA issues, AGs by and large may forgo bringing cases.

Also, because the penalties they can impose are at the lowest level permitted and intense coordination with the federal government is required, they may not consider the payoff to the state to be worth the work involved.

"The law really doesn't set this out well. I expect that we will be seeing some regulation and guidance" from HHS, says Adler.

AGs Must Work With HHS

Giving the AGs this power reflects Congress's realization that the feds themselves "can't enforce everything all the time. What I think they tried to do was put more arrows in the [enforcement] quiver," he says.

The law states that when an AG "has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a [privacy and security provision], the attorney general of the state…may bring a civil action on behalf of such residents of the state in a district court of the United States of appropriate jurisdiction."

This is very broad wording that is likely to be interpreted differently by different AGs. The purpose of the state action would be to "enjoin further such violation by the defendant; or to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2)."

The damages that AGs can obtain for HIPAA violations are up to $100 for each violation, not to exceed $25,000 for identical violations in a calendar year. These are significantly less than what the feds can impose through the tiered penalties.

Before bringing such action, the AG has to "serve prior written notice of any action," and provide a copy of the complaint, except "in any case in which such prior notice is not feasible, in which case the state shall serve such notice immediately upon instituting such action." This requirement could slow down a state action, and there are no specifics about whether HHS has to actually respond to the complaint before it can be pursued, or if only notice is required.

No action can be brought by an AG if HHS is already doing so, and the law allows HHS to jump into an AG's case at any time — another reason AGs might not want to get involved. The law states that HHS may "intervene in the action; upon so intervening, [can] be heard on all matters arising therein; and [can] file petitions for appeal."

AGs 'Scratching Their Heads'

John Christiansen, an information technology and privacy attorney in Seattle, says he personally phoned four AGs and asked what they thought about their new authority. He characterizes their overall response as "head-scratching." The AGs said they "didn't ask for this and don't know if they want it," he says.

The AGs told him they have no expertise in investigating or prosecuting HIPAA violations and are facing budget cuts that will make addressing their current priorities a struggle, leaving little funding for new ones. They also aren't viewing possible cases "as a cash cow" that could bring their state money in the form of fines against transgressors, he tells RPP.

Justin Allen, Arkansas's deputy attorney general, told RPP his office is not sure how it would move forward with this new regulatory power. "We welcome the authority, as we always do, from the government or Congress to investigate and bring action to protect consumers," Allen says.

He speculates that, at least at first, actions would be prompted by citizen complaints. The AG's office would have to determine if a case is "worth the time, expense and effort," which Allen says is the same sort of evaluation given other types of cases.

Cases would be handled by the health bureau within the AG's office, he says. Arkansas is just one of seven states that have a dedicated health care staff. The head of the bureau told Allen she was "aware of the ARRA and the [AG] provision," but that no plan of action had yet been formalized. Allen says he expects there will be discussion on the topic in the future among the various AGs and among the members of the National Association of Attorneys General.

Allen says he is aware of only one HIPAA-type complaint that the Arkansas office has received during the tenure of the current attorney general, Dustin McDaniel (D), who took office in 2007. "To the extent that our office decides to publicize this new authority, that may pick up," he says.

Fears of Multiple State Actions

Allen says the health care bureau has worked on a variety of cases, including fraudulent Medicare Advantage sales techniques, and is currently investigating claims related to off-label marketing of pharmaceutical drugs.

So far, the national AG association says the group has not formed a task force, work group or taken any other formal actions related to this provision. And this lack of unified thinking is what is worrisome, experts and CEs say, and may spark some dramatic, high-profile cases by AGs who may wish to make a name for themselves or hold up one CE as an example to others.

"There are some states that are very aggressive on a number of issues," acknowledges Martha Sewell, a partner in the Raleigh, N.C., office of Kilpatrick Stockton, LLP, who specializes in HIPAA compliance. "You run the risk in those states that they might adopt a similar approach with this. There is certainly publicity to be garnered by going after 'bad guys.' AGs might focus on just the most egregious cases, but that is unknown now."

That's exactly what one senior privacy official at a CE with hundreds of locations in Texas fears. Should the company have a breach, the executive, who asked that his name and company not be identified, fears that AGs in every state where the aggrieved individuals reside could bring charges.

"We now have the possibility of action coming against us from multiple sources based upon their individual interpretation of their authority," he tells RPP.

And he says he's fairly certain, given how active Texas's AG has been in prosecuting violations of state data security laws, that this pattern will continue with HIPAA issues. RPP's calls to the Texas AG's office were not returned.

Warning to CEs, BAs

Perhaps most unprepared for increased scrutiny are business associates (BAs), as until ARRA they faced no direct actions by the federal government. Yet under ARRA, they face all the same penalties as CEs.

Historically, many breaches have been due to lapses by business associates, not covered entities. Before the new law, the most a BA risked was being terminated by the CE whose data it failed to protect. Now CEs must report to the news media and HHS any breach by the BA (or the CE itself) that affects 500 or more people, and take the heat from any negative publicity.

A breach of any size could also prompt a state AG to take action — against both the BA and the CE.

The new breach requirement and the prospect of state enforcement are sure to heighten tensions between covered entities and business associates, and CEs need to do a better job of ensuring their BAs are compliant to avoid violations, attorneys tell RPP. Christiansen says he often has been less than impressed with how CEs have overseen BAs to date. "When I go and do an assessment of compliance, I would also ask, 'Where are your BA agreements?' and sometimes they cannot be located," he says. Once he has an opportunity to review them, "I find they are signed by different people all over the hospital, and I find weasel words like 'We are going to put safeguards in place,' but no specifics," he says.

That situation is what leads to breaches and other violations, and the stakes are higher now, he adds.

Under ARRA, BAs have a year from the date the law was signed to comply with the new requirements, so they would also not be subject to penalties until that time. For CEs, however, the penalties apply to all violations that occurred from Feb. 17, 2009, onward.

Copyright © 2010 by Atlantic Information Services, Inc. All rights reserved.