HIPAA mandates the privacy of private health care records. HIPAA is a serious issue, both financially and in the risk-management aspect, for health care providers. Providers need to delegate annual funds to the defense of regulatory audits proactively – before the actual adverse action occurs. Because it’s not an “if;” it’s a “when,” when you accept Medicare/caid. In the Medicare/caid world, HIPAA violations can catastrophically render a company dead for an infraction. In the current days of technical, daily advances and allegations of cybersecurity breaches, health care providers must be cognizant of cyber criminals, their intent, their modus operandi, and what personal/company information is valuable to such criminals. The HIPAA statutes are vague and lack detailed explanations as to penalties.
In 2018, the Office for Civil Rights (OCR) issued a record-breaking $28 million in fines for HIPAA violations. The number of health care providers currently under investigation by HHS, in 2019, will be another record-breaking number.
As more and more data is maintained on computer systems, the more and more accessible the information becomes to potential scammers. In 2017, the number of cyber attacks increased exponentially to 5,207. There is actually an itemization as to how many of the attacks were germane to health care; health care breaches accounted for 8.5% of all breaches. 2.3 billion health care records have been exposed. This isn’t new. In 2015, the most healthcare records ever were breached. 113 million healthcare records were exposed that year. Now, in 2019, we may witness an all-time-high.
Human error is the number 1 reason for HIPAA violations. Employees gossiping and disclosing private health care information among each other is another culprit, along with social media and lack of training.
The largest individual HIPAA settlement was reached in October 2018, when OCR fined health insurer Anthem $16 million.
The oxymoron is that the government (Medicare/caid) and private payors are pushing for collaborative health care and the sharing of health care records amongst varying providers. Yet the possible HIPAA breaches increase with collaboration.
In April 2019, HHS randomly selected 9 HIPAA-covered entities—a mix of health plans and clearinghouses—for Compliance Reviews. The CMS Division of National Standards, on behalf of HHS, has launched a volunteer Provider Pilot Program to test the compliance review process.
The Trump administration has interpreted HIPAA penalties differently than the Obama administration did. Now HHS will apply a different cumulative annual CMP limit for the four penalties tiers in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
There are four tiers of HIPAA violation severity outlined in the HITECH Act, based on the violator’s level of culpability:
Under the Obama administration, the annual limit for each tier was $1.5 million.
HIPAA penalties are appealable and with the disparate amount of penalties, it is well worth the time and expense to appeal.
Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.
But…what’s in YOUR contract can be legally deadly.
Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:
Regulatory and Clinical Coverage Policy Compliance
Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.
Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.
Does your EHR program update every month?
You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?
You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!
You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.
This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.
Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.
You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.
HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.
I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.
Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.
Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.
Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.
So, what’s in YOUR contract?
We can add one more “oops” to the Department of Health and Human Services (DHHS) repertoire of “oopses.” I am reminded of Captain Edward Smith when he banged the Titanic into an iceberg. Talk about an “oops” moment. Not to mention the lives lost, hitting that iceberg cost $7.5 million in ship building costs back in 1909.
DHHS hit another iceberg yesterday. How much will this “oops” costs?
DHHS made its “oops” by sending 48,752 new Medicaid cards to the WRONG people. Oops! Medicaid cards have HIPAA protected information on them, such as names, Medicaid numbers and dates of birth.
Let me tell you a little about HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It was signed into law by Bill Clinton, Title II of HIPAA requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Why is this important? This act also provides significant penalties if privileged information is disseminated.
Hence the DHHS Medicaid card debacle. Iceberg, ahoy! “Oops I did it again!”
The questions are (1) how much will NC be penalized for the dissemination of so much private information; and (2) will NC actually have to pay the penalty?
Recently, HIPAA was revamped. Beginning September 2013, HIPAA became even more stringent with harsher penalties and began to apply to more people (including law firms). For example, prior to September 2013, my firm Williams Mullen treated my documents received from clients the same as all other privileged information in our firm. Obviously, almost everything at a law firm is confidential. Now I have to lock my door (we had to install a lock) anytime I leave my office, even for lunch. Bright yellow flags have been added to all my files that contain privileged health information (PHI), which is every file. My partners cannot access my documents on our computer network system unless granted access. I feel like Edward Snowdon.
I also remember a story about a nurse who worked at a hospital. Her husband was admitted into the ER while she was on her shift and she looked up his condition on the computer. She was fired for violating HIPAA.
How bad can it be?
The feds imposed a penalty of $4.3 million against Cignet Health of Prince George’s County, MD, for HIPAA violations in 2011. Oops!
And, in light of the “new HIPAA,” last week, DHHS disseminates privileged information to 48,752 people.
What are the penalties for violating HIPAA?
There are four violation categories (1) did not know; (2) reasonable cause; (3) willful neglect-corrected; and (4) willful neglect-not corrected. Here are the penalties:
Assuming DHHS’ HIPAA violation is the least severe, “did not know,” DHHS could be liable for $100-$50,000 per violation. Here, there are, at least, 48,752 violations. So we are talking a penalty anywhere from $4,875,200 to a number bigger than my calculator allows.
Thankfully for DHHS and, ultimately, our tax dollars, there are caps to HIPAA penalties. There is a $1.5 million cap per calendar year.
However, DHHS could be liable for multiple violations of multiple provisions and a violation of each provision can be counted separately. So, theoretically, DHHS could be liable for multiple violations of up to $1.5 million cap for each violation, which would result in a total penalty well above $1.5 million.
The other question is whether the federal government will hold a state liable for such HIPAA violations. I don’t know the answer to this, but it would seem fundamentally unfair if HIPAA applies to people and companies, but not the state.
Then, again, how many of you want our tax dollars going toward paying these HIPAA penalties?
You can also see this story on WRAL. (Yes, I was interviewed 🙂 )
Will Aldona Wos also have a $7.5 million “oops” like Captain Smith? Because, regardless who committed the “oops,” Wos is captain of the ship. It is believed that Capt. Smith went down with the Titanic.