(January 25, 2012): Historically, home health agencies, physicians, clinics and other health care providers have associated the term "whistleblower" with the filing of a False Claims Act case by an insider, former employee or other individual alleging to have direct knowledge of fraudulent billing conduct by a provider. As health care providers will soon find, individuals harmed by the wrongful breach of their Protected Health Information (PHI) will soon have an opportunity to share in any penalties assessed by the Department of Health and Human Services (HHS), Office of Civil Rights (OCR). While not technically a "whistleblower" award program, the quasi-HIPAA whistleblower provisions included in recently-passed legislation may ultimately present many of the same incentives to individuals who are allegedly harmed as a result of a breach of their PHI.
I. Background of HIPAA Whistleblower Provisions:
Over the last few years, a number of health care providers and other "covered entities" (both large and small) have been audited and penalized by the government for improper breaches of protected health information. Enforcement actions taken have varied, ranging from mere warnings to criminal prosecution.
II. HITECH Raises the Bar for Providers:
The "Health Information Technology for Economic and Clinical Health Act" (HITECH) contains a number of significant privacy provisions impacting health care providers. Two of these provisions include: (1) The initiation of privacy audits by contractors working for the Department of Health and Human Services (HHS), Office of Civil Rights (OCR); and (2) The sharing of Civil Monetary Penalties assessed in response to an improper breach with the affected patients.
- Privacy Audits
As OCR has announced, the agency has initiated an audit program intended to help ensure that health care providers are complying with the various medical records privacy provisions laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). To do so, OCR has contracted with several nationally-recognized audit firms for the purpose of auditing health care provider compliance with HIPAA's privacy provisions.
When will audits begin? According to OCR, the initial audits of provider compliance with HIPAA / HITECH requirements began in November 2011. Once these initial audits are completed, OCR intends to focus the remaining audits on the issues and concerns identified in the contractors' first preliminary audits. At this time, all audits are anticipated to be completed by December 2012.
If prior "pilot" programs are any indication of how these audits will be handled, we anticipate that OCR will ultimately adopt an ongoing HIPAA / HITECH audit process, tasked with assessing the compliance of health care providers, covered entities and business associates. It is essential that you critically review your current practices now - after you have been audited, it will likely be too late to avoid the imposition of penalties.
How will HIPAA / HITECH audits be conducted? According to OCR, organizations selected for audit will be notified by the agency of their selection. At that time, they will be asked to provide "documentation of their privacy and security compliance efforts." During this pilot period, each of the covered entities audited will receive a site visit. During the site visit, contractor representatives will be required to interview key personnel. The contractors will also review the covered entity's practices and determine whether their operations fully comply with HIPAA's / HITECH's privacy requirements. After completing the site visit, a draft report will be prepared which outlines how the audit was handled, the conclusions that were reached by the contractor and the remedial actions that were taken by the covered entity. The draft report will be shared with the covered entity prior to finalization and the covered entity will have a chance to respond to the contractor's findings.
- Sharing of Civil Monetary Penalties
In addition to the HIPAA audit protocol discussed above, HITECH includes a seemingly-innocuous section which commands the Secretary of HHS to establish a methodology to distribute a percentage of Civil Monetary Penalties to individuals harmed by an improper breach of protected health information or another HIPAA violation. For instance, if a patient's medical records or other protected health information is inappropriately accessed or divulged to unauthorized persons, and OCR ultimately investigates the violation and assesses Civil Monetary Penalties against a provider or other covered entity in connection with the breach, the harmed patient may be eligible to receive a portion of the penalties collected by the government.
On its surface, such a clause seems reasonable - after all, why not compensate those who have been hurt by a wrongful disclosure or breach? However, this law (and its soon-to-be-created implementing regulations) will likely have extensive repercussions in reporting and enforcement of HIPAA violations. Giving patients a financial incentive to report wrongful disclosures and breaches of their protected health information will likely lead to increased reporting of incidents since harmed patients may now be eligible to share in any penalties collected. Similar laws which allow private individuals to receive a portion of penalties and other funds recovered, such as the False Claims Act (FCA), have been extremely successful in detecting and deterring fraudulent activity. While HITECH does not create a "private right of action" for HIPAA violations and is substantially different from the FCA, it is important to note that their basic principles are the same. By giving private citizens, with perhaps greater and more immediate knowledge of an issue than the government, a real reason to report a problem, these problems can be more quickly and effectively remedied.
In 1986, when the FCA was overhauled with new provisions that gave private citizens more power and a greater likelihood of collecting money, the FCA's usage skyrocketed. In what could be a very similar situation, affected individuals with the chance to receive a portion of fines and penalties will be far more likely to aggressively report and pursue these violations. For covered entities (comprising virtually all providers, billers and business associates), this means that implementing effective HIPAA privacy policies should be at the top of your compliance "to-do" list.
III. How Health Care Providers Should Respond:
Among their first steps, health care providers and other covered entities should:
- Ensure that patient protected health information is fully secured and protected.
- Take steps to prevent improper access by unauthorized parties.
- Ensure that every access to protected health information is properly logged, so that patients can readily obtain an accounting or listing of anyone who has reviewed all or part of their records. This log should also document the purpose for accessing the record.
- Take steps to prevent the access of protected health information by authorized personnel for unauthorized reasons.
- Take steps to better ensure that no protected health information is inappropriately disclosed to third parties.
While the points outlined are essential, they are far from all-inclusive. It is imperative that you identify qualified counsel to assist you in meeting your HIPAA / HITECH obligations.
Further, when handling protected health information, health care providers must remain mindful of the "minimum necessary" rule. Health care providers, other covered entities and business associates who handle protected health information must only disclose the minimum information necessary for a requesting entity to properly do its job.
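The access-logging step in the list above and the "minimum necessary" rule just described are two sides of one control: each release of protected health information is filtered to what the requester's role needs, and the release is recorded (who, when, which record, for what purpose, which fields) so a patient can later be given an accounting. The following is an added example written for this page, not code from the original article or from any vendor; the role-to-field policy, the user and patient identifiers and the sample record are all constructed for illustration.

```python
"""Added example: role-based "minimum necessary" release of PHI plus an
access log that can produce a per-patient accounting of disclosures."""

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed policy (assumption): the PHI fields each role may receive.
# A real covered entity would derive this from its own job descriptions.
MINIMUM_NECESSARY: Dict[str, set] = {
    "billing": {"patient_id", "name", "insurance_id", "procedure_codes"},
    "nurse": {"patient_id", "name", "allergies", "medications"},
    "physician": {"patient_id", "name", "allergies", "medications",
                  "diagnosis", "notes"},
}


@dataclass(frozen=True)
class AccessEntry:
    """One line of the accounting: who saw what, when, and why."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    purpose: str
    fields_released: Tuple[str, ...]


class PhiAccessLog:
    """Append-only in-memory log; a deployment would persist this
    somewhere the accessing users cannot edit."""

    def __init__(self) -> None:
        self._entries: List[AccessEntry] = []

    def record(self, user: str, role: str, patient_id: str, purpose: str,
               fields_released: Iterable[str],
               when: Optional[datetime] = None) -> AccessEntry:
        # A stated purpose is mandatory; an access with no purpose is
        # exactly the kind of event the accounting must surface.
        if not purpose or not purpose.strip():
            raise ValueError("purpose of access is required")
        when = when or datetime.now(timezone.utc)
        entry = AccessEntry(when.isoformat(), user, role, patient_id,
                            purpose.strip(), tuple(sorted(fields_released)))
        self._entries.append(entry)
        return entry

    def accounting_for(self, patient_id: str) -> List[AccessEntry]:
        """Everything the log holds about one patient's record."""
        return [e for e in self._entries if e.patient_id == patient_id]


def release_phi(log: PhiAccessLog, record: Dict[str, str], user: str,
                role: str, purpose: str,
                requested_fields: Iterable[str]) -> Dict[str, str]:
    """Return only the requested fields the role is allowed to see,
    and log the release. Unknown roles get nothing."""
    allowed = MINIMUM_NECESSARY.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    requested = set(requested_fields)
    # Minimum necessary: silently drop fields outside the role's need.
    released = {k: record[k] for k in requested & allowed if k in record}
    log.record(user, role, record["patient_id"], purpose, released.keys())
    return released


if __name__ == "__main__":
    # Constructed sample record; no real patient data.
    sample = {"patient_id": "P-0001", "name": "Sample Patient",
              "insurance_id": "INS-12345", "allergies": "penicillin",
              "diagnosis": "example diagnosis"}
    log = PhiAccessLog()
    out = release_phi(log, sample, "clerk01", "billing",
                      "claim submission", ["name", "insurance_id", "diagnosis"])
    print("released to billing:", out)
    for entry in log.accounting_for("P-0001"):
        print(entry)
```

The filter is deliberately permissive in shape (it drops rather than refuses over-broad requests) so that routine work is not blocked, while the log still shows the requester's role and exactly which fields left the record; a reviewer comparing the accounting against job duties can spot a pattern of over-reaching requests without the system having to refuse them in real time.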
Ultimately, all health care providers, covered entities and business associates should take reasonable steps to help ensure that applicable HIPAA / HITECH provisions are fully met.