Liles Parker PLLC

HIPAA Audits and Compliance

HHS oversees compliance and enforces HIPAA's sanctions for noncompliance through the Office for Civil Rights (OCR), and works with the Department of Justice (DOJ) on criminal sanctions. The process begins with either a complaint or a compliance audit. A patient has a right to complain to the Secretary that a covered entity is not complying with the HIPAA rules; however, whether to complain is within the patient's discretion.[1] Even without a complaint, the Secretary must conduct compliance reviews.[2]

The HIPAA Omnibus Rule changed the enforcement provisions. Previously, the agency had discretion over whether to investigate complaints or potential violations in cases where its preliminary review revealed a possible violation due to willful neglect. Now, the agency is required to initiate a formal investigation when a party appears to have exhibited willful neglect. If an investigation is performed, it may include a review of the pertinent policies, procedures, or practices of the covered entity and the circumstances of the alleged violation. Documentation and evidence of compliance are key to avoiding findings of violation and the resulting penalties.

A review may determine that there was no violation, indicate a need to negotiate an informal resolution, or find that there was a violation. If there is a violation and a civil monetary penalty is issued, the covered entity can seek an administrative appeal. If OCR finds evidence of potential criminal violations, it will refer the matter to the DOJ for further investigation and possible criminal enforcement. Notably, HITECH strengthened HIPAA by extending penalties to business associates that violate their business associate agreements.

I.  HIPAA Requires that a Health Care Provider Cooperate if an Investigation by OCR is Initiated:

HIPAA requires cooperation if a covered entity is investigated for compliance or in response to a complaint. First, a covered entity must provide records and compliance reports as necessary to enable the Secretary to determine whether it has complied or is complying with the Act. Next, a covered entity must cooperate with the Secretary's investigation. At this stage, it is often wise to involve counsel as early as possible. Finally, the entity must permit access during normal business hours to its pertinent facilities, books, records, accounts, and other sources of information. If there are exigent circumstances, such as records being hidden or destroyed, the Secretary does not need to wait for normal business hours. If information is exclusively controlled by another entity, the covered entity must make documented efforts to obtain it.[3]

II.  Civil Monetary Penalties (CMP) May be Imposed for a Violation of the Administrative Simplification Rule:

The Secretary may impose civil monetary penalties (CMPs) on a covered entity if he or she determines that the entity has violated an Administrative Simplification rule.[4] The action must commence within 6 years of the violation or the Secretary is barred from pursuing it.[5] A CMP is not an exclusive penalty. The HIPAA Omnibus Rule also makes a covered entity liable for the violations of its business associates that are its agents, and adds a parallel provision making business associates liable for the acts of their subcontracting agents.

III.  Significant Civil and Criminal Penalties May be Assessed Against a Health Care Provider in the Event of a HIPAA Breach:

HITECH amended HIPAA's enforcement provisions to include a tiered penalty structure and mandatory penalties for "willful neglect." As of 2009, HHS must base its penalty determination on the nature and extent of the violation and whether the violation has been corrected. HHS must also consider whether the violator knew he or she was committing a violation and the level of correction within the organization. The range of CMPs depends on whether the entity is a first-time or a repeat violator. Agencies sometimes may waive or reduce an excessive penalty, or may settle a case if the entity becomes compliant.

Civil Monetary Penalties Tiers

(For Violations on or After February 18, 2009)

A. 45 C.F.R. § 160.404(b)(2)(i): Applies if the covered entity or business associate did not know, and by exercising reasonable diligence would not have known, that the covered entity or business associate violated the law. The penalty ranges from $100 to $50,000 per violation, except that the total imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

B. 45 C.F.R. § 160.404(b)(2)(ii): Applies if the violation was due to reasonable cause and not to willful neglect. The penalty is $1,000 to $50,000 per violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.

C. 45 C.F.R. § 160.404(b)(2)(iii): Applies to a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date that the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred. The penalty is $10,000 to $50,000 per violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.

D. 45 C.F.R. § 160.404(b)(2)(iii): Applies if the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred. The penalty is at least $50,000 per violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1.5 million.

Under the HIPAA Omnibus Rule, HHS does not have the authority to automatically impose the maximum CMP for any given violation. Rather, the Secretary may consider aggravating or mitigating factors when determining the penalty, including:[6]

  • The nature of the violation, in light of the purpose of the rule violated;
  • The circumstances, including the consequences, of the violation, including:
    • The time period during which the violation occurred,
    • The number of individuals affected;
    • Whether the violation caused physical harm;
    • Whether the violation hindered or facilitated an individual’s ability to obtain health care; and
    • Whether the violation resulted in financial harm;
  • The degree of culpability of the covered entity, including but not limited to:
    • Whether the violation was intentional; and
    • Whether the violation was beyond the direct control of the covered entity;
  • Any history of prior compliance with the Administrative Simplification provisions, including violations by the covered entity, including:
    • Whether the current violation is the same or similar to prior violations;
    • Whether and to what extent the covered entity has attempted to correct previous violations;
    • How the covered entity has responded to technical assistance from the Secretary provided in the context of the compliance effort; and
    • How the covered entity has responded to prior complaints;
  • The financial condition of the covered entity, including:
    • Whether the covered entity had financial difficulties that affected its ability to comply;
    • Whether the imposition of CMPs would jeopardize the ability of the covered entity to continue to provide, or to pay for, health care; and
    • The size of the covered entity;
  • Such other matters as justice may require.

Depending on the facts, the wrongful use or disclosure of individually identifiable health information may give rise to criminal liability. Potential criminal cases are reviewed and prosecuted by the Department of Justice. Under the statute, a person who knowingly and in violation of HIPAA:

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section. For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9 (b)(3) of this title) and the individual obtained or disclosed such information without authorization.[7]

Criminal penalties for a knowing, wrongful disclosure of individually identifiable health information can include fines of not more than $50,000, imprisonment of not more than 1 year, or both. Additionally, if the offense is committed under false pretenses, a person can be fined not more than $100,000, imprisoned for not more than 5 years, or both. If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a person may be fined not more than $250,000, imprisoned for not more than 10 years, or both.[8]

IV.  Defenses that May be Asserted by a Covered Entity or Business Associate in the Event of a HIPAA Breach:

Several affirmative defenses are available; they are designed to encourage an entity to mitigate any violations and provide flexibility in circumstances where compliance would be unreasonable. Thus, the Secretary may not impose CMPs if:

  • The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation and, by exercising reasonable diligence, would not have known that the violation occurred; or
  • The violation is due to "reasonable cause" and not willful neglect, and was corrected during either the 30-day period beginning on the date the liable covered entity knew, or by exercising reasonable diligence should have known, that the violation occurred, or a longer period determined by the Secretary. Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision.[9]

The Secretary also may not impose CMPs if the act is punishable as a criminal violation under 42 U.S.C. § 1320d-6, which establishes much higher penalties for the knowing, wrongful disclosure of individually identifiable health information.

V.  Retaliation for the Reporting of HIPAA Non-Compliance is Prohibited.

Any person, including an employee, can report allegations of non-compliance. Retaliation against a whistleblower is strictly prohibited, meaning a covered entity may not fire, demote, discriminate against, or otherwise treat adversely any employee who files a complaint.

If your organization is investigated by OCR (or by a state entity charged with enforcing state privacy laws), it is essential that you engage qualified health care legal counsel to assist you in navigating the complex response and settlement process. For a free consultation, give us a call at: (202) 298-8750.

[1] 45 C.F.R. § 160.306.

[2] 45 C.F.R. § 160.308.

[3] 45 C.F.R. § 160.310.

[4] 45 C.F.R. § 160.402.

[5] 45 C.F.R. § 160.414.

[6] 45 C.F.R. § 160.408.

[7] 42 U.S.C. § 1320d–6(a).

[8] 42 U.S.C. § 1320d–6(b).

[9] 45 C.F.R. § 160.410.