Health Care Alert
March 2009
Author:
Patricia C. Shea
patricia.shea@klgates.com
+1.717.231.5870
K&L Gates comprises approximately 1,900 lawyers in 32 offices located in North America, Europe, and Asia, and represents capital markets participants, entrepreneurs, growth and middle market companies, leading FORTUNE 100 and FTSE 100 global corporations, and public sector entities. For more information, please visit www.klgates.com.
Periodic HIPAA “Checkups”: Preventive Medicine Could Save Your Assets
HIPAA requires covered entities, including employer-sponsored health plans, to conduct periodic compliance “checkups” to ensure ongoing compliance in a continually changing technological world. Checkups result in good HIPAA hygiene and minimize the risk of incurring civil money penalties for violations. Recently, the importance of conducting these periodic HIPAA checkups became more critical because the American Recovery & Reinvestment Act (“ARRA”) has significantly increased penalties for HIPAA violations. These penalties may now reach up to $1,500,000 for all identical violations combined per year.
The American Recovery & Reinvestment Act of 2009
ARRA was signed by President Obama on February 17, 2009. Although many aspects of ARRA will amend HIPAA now and in the future, one particularly onerous provision is effective immediately – the increase in the civil money penalties for HIPAA violations. Previously, civil penalties for violations of the same HIPAA requirement were assessed at $100 per violation, up to $25,000 for violations of identical requirements per year. Now, ARRA redefines those potential civil money penalties according to the following categories:
Type of Violation | Minimum Civil Penalty | Maximum Civil Penalty
Violation in which it is established that the person did not know and would not have known even when exercising reasonable diligence | $100 per violation, not to exceed $25,000 for violations of identical requirements per year | $50,000 per violation, not to exceed $1,500,000 for all such violations of identical requirements per year
Violation resulting from reasonable cause and not because of willful neglect | $1,000 per violation, not to exceed $100,000 for violations of identical requirements per year | $50,000 per violation, not to exceed $1,500,000 for all such violations of identical requirements per year
Violation resulting from willful neglect that is corrected within 30 days of discovery | $10,000 per violation, not to exceed $250,000 for violations of identical requirements per year | $50,000 per violation, not to exceed $1,500,000 for all such violations of identical requirements per year
Violation resulting from willful neglect that is not corrected within 30 days of discovery | $50,000 per violation, not to exceed $1,500,000 for all such violations of identical requirements per year | Unspecified
The Secretary of Health and Human Services still has discretion when determining penalties and may elect to use corrective action without a penalty in those cases where the person, or entity, who commits the violation did not know – and by exercising reasonable diligence would not have known – about a violation. Whether this flexibility should offer comfort to noncompliant covered entities is uncertain, especially since the Department of Health and Human Services (“HHS”) had made it perfectly clear well before ARRA’s passage that covered entities should be monitoring their compliance efforts to make sure they continue to meet compliance standards.
In addition, HHS receives a boost from ARRA in enforcing these provisions. ARRA gives the state Attorneys General the power to bring civil actions in federal court on behalf of their residents who have been, or may be, harmed by a practice in violation of HIPAA. This means that these state officials may respond to individual complaints or independently investigate HIPAA compliance when they believe that one or more residents of that state have been or are threatened or adversely affected by any person who violates HIPAA. The Attorneys General have the power to seek to enjoin the practice or to obtain damages on behalf of their residents in an amount of $100 per violation multiplied by the number of violations, which, in an automated systems world, can add up quickly. The Act limits the amount to $25,000 per violation, but ARRA also allows a court to award the state reasonable attorney fees.
Making the Case for Preventive Medicine
Most covered entities were required to comply with HIPAA’s administrative, technical, and physical requirements for safeguarding electronic protected health information (called the “Privacy and Security Rules”) no later than April 20, 2005. Many covered entities took measured and informed steps to comply, and they implemented well-thought-out programs. Unfortunately, many of these covered entities have not revisited or updated these programs since they were implemented four years ago.

HIPAA’s regulations envision ongoing changes in technology and corresponding changes to compliance efforts to address newly discovered system weaknesses and to implement new technology that can further safeguard electronic protected health information. Indeed, continual innovations in electronic technology repeatedly replace yesterday’s modalities and their capabilities. These new devices allow greater flexibility and ease in transmission of electronic information. Unfortunately, covered entities may fail to appreciate the risks associated with this upgraded technology if corresponding appropriate measures to secure the electronic information they maintain and transmit are not implemented.

Special Difficulties for Employer Covered Entities

Employers who are subject to HIPAA may be especially vulnerable to noncompliance because of confusion about precisely when an employer is a HIPAA covered entity. Generally, employers are subject to the Privacy and Security Rules when they are performing a task related to the administration of the employer-sponsored health benefit plan, such as assisting an employee with a claim denial. Employers may also not realize the extent to which they use, maintain, or transmit electronic protected health information or the extent to which this use, maintenance or transmission may have changed over time. This is especially true for those employers who have not performed a risk assessment as required by HIPAA.

Conducting a Checkup

All covered entities should have procedures in place that require them to periodically examine their HIPAA compliance, especially their compliance with Security Rule requirements. Sometimes these procedures are invoked in response to a HIPAA violation. In such a case, the procedures may require that the covered entity investigate the violation and make changes to help ensure that such violations do not recur. Less clear, however, is how frequently covered entities should proactively assess their HIPAA compliance programs against new risks and threats in the environment rather than waiting for a violation to invoke the review process.
Recommendations

Covered entities need to be constantly monitoring their HIPAA compliance programs and can no longer afford to put this activity on hold. The government will regard any program with violations that has not received regular evaluation as constituting willful neglect, carrying the highest possible penalties. HHS is required to actively enforce HIPAA given the mandate in ARRA that the Secretary of HHS conduct compliance audits. In this new environment, covered entities should consider the following:

1. Do you periodically review your HIPAA privacy and security policies and procedures to determine if they reflect actual practice?
2. Have you conducted a risk assessment regarding electronic protected health information?
3. Do you routinely revisit the initial, or subsequent, risk assessment to address environment changes or problems?
4. Do you update your HIPAA compliance documentation to reflect the changes that you make in response to new threats and new protection opportunities?

The health care team at K&L Gates is available to assist clients with establishing and implementing periodic security and privacy reviews to minimize the significant risks posed by ARRA’s new enforcement provisions and penalties.

For further information, please contact:
Ruth E. Granfors, Harrisburg
Jonathan K. Henderson, Dallas
Mary Beth F. Johnston, Research Triangle Park
Anthony R. Miles, Seattle
Carol A. Pratt, Portland
Patricia C. Shea, Harrisburg
K&L Gates comprises multiple affiliated partnerships: a limited liability partnership with the full name K&L Gates LLP qualified in Delaware and maintaining offices throughout the U.S., in Berlin and Frankfurt, Germany, in Beijing (K&L Gates LLP Beijing Representative Office), in Singapore (K&L Gates LLP Singapore Representative Office), and in Shanghai (K&L Gates LLP Shanghai Representative Office); a limited liability partnership (also named K&L Gates LLP) incorporated in England and maintaining our London and Paris offices; a Taiwan general partnership (K&L Gates) which practices from our Taipei office; and a Hong Kong general partnership (K&L Gates, Solicitors) which practices from our Hong Kong office. K&L Gates maintains appropriate registrations in the jurisdictions in which its offices are located. A list of the partners in each entity is available for inspection at any K&L Gates office.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.
©2009 K&L Gates LLP. All Rights Reserved.