HIPAA Violations in Colorado Can Incur Serious Punishments

By Carole. C. Schriefer, R.N., J.D.

The Health Insurance Portability and Accountability Act (HIPAA) is well known among Colorado health care professionals. However, did you know that failing to comply with HIPAA mandates can cost you thousands of dollars in fines? Did you know that non-compliance could land you behind bars? Health care professionals and facilities across Colorado should be aware of these legal provisions.

Don’t Become a White Collar Criminal.

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment for up to one year. Offenses committed under false pretenses allow the penalties to be increased to a $100,000 fine and up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of up to $250,000 and imprisonment for up to 10 years.

HIPAA Violations Can Cost Big Bucks.

The American Recovery and Reinvestment Act of 2009 (ARRA), through its HITECH Act provisions, established a tiered civil penalty structure for HIPAA violations. The Secretary of the Department of Health and Human Services (DHHS) retains discretion to set the amount of the penalty based on the nature and extent of the violation and of the harm resulting from it. The Secretary remains prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days of the date the violator knew, or by exercising reasonable diligence would have known, of it (a period the Secretary may extend).

The following outlines the ARRA tiered civil penalty structure for HIPAA violations:

TIER 1
Violation:
The individual did not know that he or she violated HIPAA and, by exercising reasonable diligence, would not have known.
Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations. Note: This is also the maximum penalty that a State Attorney General can impose, regardless of the tier of the violation.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

TIER 2
Violation:
HIPAA violation due to reasonable cause and not due to willful neglect.
Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

TIER 3
Violation:
HIPAA violation due to willful neglect, but the violation is corrected within the required time period.
Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

TIER 4
Violation:
HIPAA violation due to willful neglect, and the violation is not corrected.
Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million.

Who Is Responsible For HIPAA Violations?

The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a covered entity is not directly liable under HIPAA, he/she can still be charged with conspiracy or aiding and abetting.

The Interpretation of “Knowingly.”

The DOJ interpreted the “knowingly” element of the HIPAA criminal statute as requiring only knowledge of the actions that constitute the offense. Specific knowledge that the action violates the HIPAA statute is not required.

Consequences Include Medicare Penalties As Well.

DHHS also has the authority to exclude from the Medicare Program a health care provider that violates HIPAA, as well as any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (68 Fed. Reg. 48805).

This is a powerful tool. Medicare exclusion can be a death sentence for a health care provider.

Who Carries The Big Stick Enforcing HIPAA?

The HHS Office for Civil Rights (OCR) enforces the privacy standards and, since July 2009, the security standards as well; the security standards were originally assigned, along with the transaction and code set standards, to the Centers for Medicare & Medicaid Services (CMS), which continues to enforce the latter (65 Fed. Reg. 18895). Civil money penalties under these rules are imposed by OCR under the HIPAA Enforcement Rule.

Comments?

Have you ever received discipline for a HIPAA violation? Do these penalties seem harsh to you? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (970) 416-7456.

About the Author: Carole C. Schriefer is a nurse-attorney with The Health Law Firm, which has a national practice. Its regional office is in the Denver, Colorado, area. www.TheHealthLawFirm.com The Health Law Firm, 155 East Boardwalk Drive, Fort Collins, Colorado 80525. Phone: (970) 416-7456.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Is Your Smart Phone HIPAA Compliant?

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Identity theft is at an all-time high, and the health care industry is at exceptional risk. It is no mystery that a patient’s health file contains all the information required to steal a person’s identity, including the “Big 3”: name, date of birth, and Social Security number.

Worse yet, with ever-increasing technological trends, hackers are capable of banking a quick buck before most of their victims even become aware they are vulnerable.

Technology is a Positive Thing.

Technology offers us the world at our fingertips. Smart phones and tablets are conveniently mobile and, therefore, constantly available to us for obtaining, storing and sharing information and for other communication.

Furthermore, technology has provided us with ways in which our lives can be made easier and more manageable through various downloadable applications (apps). These apps provide us with ways to track weather, news, and even our fitness progress, as well as coupons accessible by a simple bar code scan, meditation for the stressful life, and even automatic on/off commands for light switches and dishwashers. Apps also offer hours of enjoyment to satiate our craving for entertainment, even in the “company” of others, without ever having to leave our home.

It’s no wonder that more and more employers, especially hospitals (where everything moves at a fast pace), are embracing the convenience and efficiency that technology can bring to the workplace. Furthermore, by adopting a bring your own device (BYOD) policy (since most employees already own their own devices), employers can save a great deal by not having to purchase the equipment themselves.

A 2012 survey conducted by Aruba Networks, Inc., an HP company, found that 85% of health care facilities were already allowing staff to use personal devices in the workplace. What was once considered unprofessional is now deemed necessary for carrying out normal job responsibilities. Because of the life-or-death nature of health care, hospitals rely on electronic devices for:

(a) urgency in decision-making;

(b) constant availability;

(c) immediate response; and

(d) more accurate data; to name a few.

BYOD takes this a step farther by making information readily available to any health care professional at any time from a personal device, without the need to reach a workplace device that is not portable.

But What Happens When Technology is Used Negatively?

Technology sounds wonderful.

However, we have essentially stored our entire lives (and, in the case of health care professionals, our patients’ entire lives) on a mobile device. Mobile, as in it goes with us everywhere, and therefore it is always at risk. Furthermore, with the growing adoption of BYOD, hospital systems are exposed to malware carried in by personal devices on which appropriate security measures have not been enabled.

Regardless of how the compromise occurs (a lost device, a stolen device, or malware), health care providers are responsible for protecting the privacy of their patients under the federal Health Insurance Portability and Accountability Act (HIPAA).

A Tweet May Result in a HIPAA Violation for One Florida Hospital.

Following an alleged fireworks incident that resulted in the amputation of an index finger for New York Giants defensive end Jason Pierre-Paul, a tweet surfaced from Adam Schefter, an ESPN NFL reporter. Schefter tweeted a picture of Pierre-Paul’s medical record, which he allegedly acquired from Miami-based Jackson Health System, reportedly without Pierre-Paul’s consent.

Tweeting is another by-product of technology and the rise of social media platforms. It is enticing to share intimate details of our everyday lives, especially when they concern others, namely celebrities. And our smart phones offer instant access to photographing, uploading, and sharing this “juicy” information.

But while Schefter, who is not a covered entity, is not in violation of HIPAA, the Florida hospital very well may be. Fines for HIPAA violations can range anywhere from $100 to $50,000 per violation, with a cap of $1.5 million per calendar year.

Is a photograph worth your career?

What Can You Do to Protect Your Device?

Some HIPAA violations via technology are clearly avoidable (i.e., not divulging photographs of patient records for tweeting). Others are somewhat less manageable unless you know how to safeguard yourself against a technological breach.

HIPAA’s Security Rule treats encryption as an “addressable” specification rather than an outright mandate, but it still requires covered entities to safeguard electronic patient information wherever it is stored, including on mobile devices, and many employers go further and require encryption outright. There is a practical reason to do so: under the breach notification rule, a lost or stolen device whose patient data is encrypted consistent with HHS guidance is not treated as a breach of “unsecured” protected health information, while an unencrypted device is. It is important to know what your specific hospital’s policies are regarding HIPAA compliance on your smart phone and/or tablet.

Additionally, here are some tips to keep you and/or your employees protected from HIPAA violations when using your own mobile device:

(1) Use a password or other user authentication (many devices now allow the use of fingerprint identification to unlock the device);

(2) Install and enable encryption on your smart phone;

(3) Install and activate remote wiping and remote disabling (this will protect you in the event your smart phone or tablet is lost or stolen);

(4) Disable and do not install or use file sharing applications;

(5) Install and enable a firewall on your device;

(6) Install and enable security software (this should protect against malware attacks);

(7) Keep your security software up to date;

(8) Research mobile applications (apps) before downloading (never just assume an app is HIPAA compliant, even a health-related app);

(9) Maintain physical control over your device at all times (it goes without saying that your device is at the least risk when it’s in your own hands);

(10) Use adequate security, including those listed above, to send or receive health information over public Wi-Fi networks; and

(11) Delete all stored health information before discarding, selling, donating or trading the mobile device!
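The checklist above is the kind of policy that a mobile device management (MDM) product evaluates before a device is allowed to reach patient data. The following Python is an added example, not code from the original post or from any MDM vendor: it encodes items (1) through (8) of the checklist as rules and runs them over a constructed device inventory, reporting each device with the items it fails. The device field names, the minimum OS versions, the fourteen-day limit on security-definition age and the file-sharing app denylist are all assumptions chosen for illustration.

```python
"""BYOD checklist evaluator (added example, not from the original post).

Evaluates a constructed device inventory against the mobile-device tips
above and reports, per device, which items fail.  Field names, thresholds
and the app denylist are illustrative assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Assumed policy values (not from the original page).
MIN_OS_VERSION = {"ios": "16.0", "android": "13"}
MAX_DEFINITION_AGE = timedelta(days=14)
# Constructed denylist of app identifiers treated as file-sharing apps (tip 4).
FILE_SHARING_APPS = frozenset({"com.example.p2pshare", "org.example.torrentclient"})


@dataclass
class Device:
    device_id: str
    platform: str                         # "ios" or "android"
    os_version: str                       # e.g. "16.4.1"
    passcode_set: bool                    # tip 1
    encrypted: bool                       # tip 2
    remote_wipe_enrolled: bool            # tip 3
    security_software: bool               # tips 5/6
    definitions_updated: Optional[date]   # tip 7
    installed_apps: FrozenSet[str]        # tip 4


def parse_version(text: str) -> tuple:
    """'16.4.1' -> (16, 4, 1).  Trailing non-numeric text is dropped, so
    '13 (beta)' -> (13,).  Tuples compare element-wise, so (16, 4, 1) > (16, 0)."""
    nums = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        nums.append(int(digits))
    return tuple(nums)


def evaluate(device: Device, today: date) -> List[str]:
    """Return the checklist items this device fails; an empty list means compliant."""
    failures = []
    if not device.passcode_set:
        failures.append("no passcode or user authentication")
    if not device.encrypted:
        failures.append("device encryption disabled")
    if not device.remote_wipe_enrolled:
        failures.append("not enrolled for remote wipe")
    shared = sorted(device.installed_apps & FILE_SHARING_APPS)
    if shared:
        failures.append("file-sharing app(s) installed: " + ", ".join(shared))
    if not device.security_software:
        failures.append("no security software")
    elif (device.definitions_updated is None
          or today - device.definitions_updated > MAX_DEFINITION_AGE):
        failures.append("security software definitions stale")
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        failures.append("unsupported platform %r" % device.platform)
    elif parse_version(device.os_version) < parse_version(minimum):
        failures.append("OS %s below minimum %s" % (device.os_version, minimum))
    return failures


def audit(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map device_id -> failures for every device that is not compliant."""
    report = {}
    for device in devices:
        failures = evaluate(device, today)
        if failures:
            report[device.device_id] = failures
    return report


# Constructed inventory: one compliant device and two with typical problems.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("nurse-01", "ios", "16.4.1", True, True, True, True,
           date(2024, 5, 28), frozenset({"com.example.ehrviewer"})),
    Device("resident-02", "ios", "15.7", True, False, True, True,
           date(2024, 5, 25), frozenset({"com.example.p2pshare"})),
    Device("admin-03", "android", "13", False, True, False, True,
           date(2024, 4, 1), frozenset()),
]

if __name__ == "__main__":
    for device_id, failures in audit(INVENTORY, TODAY).items():
        print(device_id)
        for item in failures:
            print("  -", item)
```

Run it directly to list the non-compliant devices and the items each one fails. A real deployment would read the inventory from the MDM’s export and quarantine a flagged device rather than merely listing it. Note that tips (9) through (11) are behavioural and cannot be verified this way; they depend on the user.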

If all else fails and you find yourself in the middle of an investigation for possible HIPAA violations, consult with an experienced health attorney right away. There can be civil fines as well as criminal charges imposed on you, in addition to action taken by your employer.

For more information on risk assessment for HIPAA violations, read our previous blog post on that topic.

Comments?
Do you use your own mobile device for your workplace? Do you know if it’s HIPAA compliant? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Bowman, Dan. “Potential HIPAA Violation Could Land Hospital in Hot Water.” FierceHealthIT. 9 July 2015. Web. 8 Sept. 2015.

Cook, Stacy. “How to Maintain HIPAA Compliance With Mobile Devices: A Law Review Q&A.” Advisory.com. The Advisory Board Company, 27 June 2014. Web. 8 Sept. 2015.

“Growing Tech Trends: The Rise of BYOD in Hospitals.” Information Technology Blog. Information Technology Group, 29 Apr. 2015. Web. 8 Sept. 2015.

“How Can You Protect and Secure Health Information When Using a Mobile Device?” HealthIT.gov. n.d. Web. 8 Sept. 2015.

Kolbasuk McGee, Marianne. “Prison Term in HIPAA Violation Case: Are More Such Prosecutions on the Horizon?” InfoRisk Today. 20 Feb. 2015. Web. 8 Sept. 2015.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law Firm. All rights reserved.

Published May 15th, 2018; last updated 2020-02-12. Categories: Health Law, HIPAA Compliance, HIPAA violation.