HIPAA compliance has been a part of the regulatory landscape of healthcare since the privacy rules became effective in 2003. Since that time, most providers have taken steps to develop their compliance plans, including distributing notices of privacy practices, obtaining authorizations for release of information as needed, and obtaining business associate agreements from third parties. Since the initial rules went into effect, providers have needed to update and revise their policies, notices and other forms to accommodate the changes included in the HITECH amendments and the related changes in the security standards.
The federal Office for Civil Rights (OCR) is assigned the primary responsibility for enforcing HIPAA violations. As of September 30, 2015, HHS reports that it had received over 120,000 complaints, of which 90% have been resolved. HHS also reports that it had collected over $22.8 million in fines and sanctions from those violations. While not statistically reported in the September 30th summary, there have been over a dozen criminal prosecutions for various HIPAA violations.
Because the statute and regulations have been in effect for over a decade, some practices may not pay as much attention to HIPAA compliance as they should.
Change in Enforcement Emphasis.
In the early years of HIPAA, the position of the government was that it would work with practices with the goal of achieving compliance rather than focus on more punitive measures or sanctions. That approach started to change with the adoption of the HITECH amendments, under which the size of penalties increased dramatically. Currently, the statute provides that a HIPAA sanction for the lowest-tier violation is $100 per violation with a maximum of $25,000. A second-tier violation has a minimum sanction of $1,000 with a maximum of $100,000. The third tier has a minimum sanction of $10,000 with a maximum sanction of $250,000, and a maximum sanction of $50,000 per violation, with a maximum of $1,500,000, in addition to other penalties, which may include mandatory compliance plans and criminal penalties.
As part of its 2015 action plan, HHS has reported that it intends to increase the level of HIPAA enforcement. Most importantly, HHS reports that rather than simply responding to complaints, it will take a more aggressive position in conducting HIPAA audits of providers, whether or not a specific complaint has been asserted against that provider. As in other settings where the government has announced a plan for health care related audits, we anticipate that larger providers will initially be targeted for HIPAA audits, but there will also be random audits of all types of health providers. If HHS were to detect a pattern of violations in a particular practice area, we would anticipate a more aggressive audit strategy to follow.
Other Enforcement Authority.
Under the HITECH amendments, in addition to enforcement actions by the federal government, the statute specifically gives the Attorney General of each state the authority to pursue civil actions for violations of the statute. We expect this to increase, particularly where public reports of breaches occur. The states can recover penalties to be paid to the state, which may include funds for patients.
Direct Patient Claims.
Occasionally, a patient will assert that they have a HIPAA claim and threaten to sue a provider for a claimed HIPAA violation. A patient is not permitted to file a lawsuit directly against a provider for a HIPAA violation. Because the statute specifically assigns enforcement authority for HIPAA to the federal government (or the state’s Attorney General), and because the statute does not specifically authorize a patient to file a direct complaint, the law provides that the patient does not have a “private cause of action” under which a patient can file a suit directly against the provider. A patient may file a complaint with the Office for Civil Rights, and it is up to the OCR to pursue the claim, if at all. Most times, a patient complaint will lead to the OCR sending a copy of the complaint to the provider and requesting that the provider submit copies of its compliance manual documents and provide its account of the events.
Common Law Claims.
In 1999, the Ohio Supreme Court, in the Biddle decision, recognized an independent claim for the “unauthorized, unprivileged disclosure to a third party of non-public medical information.” This case was decided prior to the publication of the privacy rule regulations and before the effective date of those regulations. The courts have concluded that the Biddle doctrine remains effective and is not pre-empted by the HIPAA regulations. In short, a patient could assert a claim under the Biddle theory, which might be similar to HIPAA, but cannot use a violation of the HIPAA rules as the basis for a finding of liability under Biddle.
That statement might seem confusing, and in fact it is. In the recent case of Sheldon v. Kettering Health Network, the Court of Appeals was faced with a HIPAA-like claim against a hospital system. An administrator at the hospital had improperly accessed electronic health records of his former spouse and had shared that information with another employee whom he was dating at the time. Upon discovery of the disclosure, the former spouse sued her ex-husband and the hospital. The patient later dismissed the claim against her ex-husband and pursued the claim exclusively against the hospital. The Court of Appeals held that the hospital could not be held liable for the actions of its employee under the Biddle theory because the employee’s conduct was not in furtherance of the business of the hospital. If the hospital employee had obtained the information at the direction of the hospital and had been directed to share it with others, the hospital could potentially be responsible; but in this case, the court concluded that because the employee was acting outside the scope of his job responsibility, his employer could not be held responsible for that breach under the Ohio common law theory.
The Sheldon decision is important for health care providers. From time to time, hospitals and practices have employees who access information for their own purposes or out of curiosity, and the Sheldon case provides an additional level of protection for those employers from civil liability.
HIPAA Compliance Action Steps.
Even though HIPAA does not provide patients a private cause of action directly against providers, and the Sheldon case provides additional protection for employers, practices still should focus on some steps to protect themselves against future claims or government enforcement activities.
- Dust Off the Compliance Manual. Many practices may have created their manual in 2003 and have failed to update or review the manual in the past decade. At a minimum, the manual should have been updated to include the HITECH changes in 2009. Make sure you continue to distribute the Notice of Privacy Practices.
- Update your Forms. The Notice of Privacy Practices, Authorization and Business Associate Agreements all needed to be updated under the HITECH amendments. You should verify that you have a current form of Business Associate Agreement in effect with all third parties as needed. A 2003 version BAA will not likely be compliant. Remember, it is the obligation of the provider to obtain signed authorizations and BAAs, as opposed to the party requesting information providing those to you.
- Staff Training. HIPAA training should be a regular part of new employee orientation, supplemented by regular in-service training to make sure that your staff is complying with the Privacy and Security Rules and, with the passage of time, has not gotten lax in its diligence to protect patient information. Professionals need to set the example by following the rules.
- Investigations of Potential Breach. Under HITECH, any claimed breach requires the provider to conduct an investigation. The investigation may result in a finding of no breach, but even so, the practice should maintain records of the review and of its conclusions on those issues. Sometimes the result is a decision that some re-education of employees is appropriate; other times more serious steps may need to be taken, including self-disclosure to the government.
While most practices are extremely conscientious in protecting the confidentiality of patients’ records, at the hectic pace of most practices today, errors may occur if your staff does not remain vigilant in their compliance. Early efforts to do so will prevent the practice from having significant problems down the road.
If you would like copies of the Biddle or Sheldon decisions or have any questions regarding HIPAA compliance, please contact Scott P. Sandrock at (330) 253-4367.