By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law
The Office of Civil Rights (OCR), a division within the U.S. Department of Health and Human Services (HHS), is the federal organization responsible for investigating complaints and enforcing the Privacy and Security Regulations implementing the Health Insurance Portability and Accountability Act, commonly referred to as “HIPAA.”
As the COVID-19 pandemic seems to be leveling off and more employees are going back to the office, and into the field, HIPAA complaint investigations will definitely pick up. Furthermore, criminal prosecutions for violations of HIPAA have recently been on the rise as well.
OCR’s Investigations and Enforcement Actions.
OCR enforces the HIPAA Privacy and Security Regulations in several ways:
The first method it has is the receiving and investigating of HIPAA violation complaints. These can easily be filed online by going to https://www.hhs.gov/hipaa/filing-a-complaint/.
If you receive a notice from the OCR that it is investigating a HIPAA complaint against you, it will request a large number of various documents relating to the matter. It is crucial that you retain the services of an experienced health lawyer to assist you in responding. Often, it will not be necessary to provide all of the documents requested by OCR, if your attorney determines that certain legal grounds exist for avoiding this. Regardless, you should seek legal counsel, anyway, since both criminal and civil sanctions may result.
OCR Also Conducts Compliance Audits.
OCR conducts compliance reviews to determine if covered entities are in compliance. Covered entities include, for example, physicians, medical groups, nurse practitioners (in most cases), psychologists, mental health counselors (in most cases), pharmacists, health clinics (in most cases), assisted living facilities (ALFs), home health agencies (HHAs), hospitals, and many others.
OCR reviews the information that it gathers through its investigation or audit. In some cases, it may determine that the covered entity did not violate the Privacy Regulations or the Security Regulations. However, in the case of the covered entity’s violation, OCR may do any of the following:
Dismissing the matter or taking no further action.
Obtaining the Covered Entity’s agreement for voluntary compliance going forward.
Obtaining corrective action through a corrective action plan (CAP).
Negotiating a resolution agreement (RA).
Assessment of civil penalties (monetary fines).
Referral to the Department of Justice (DOJ) for further investigation and criminal prosecution.
In cases of noncompliance where the covered entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity. It can then take further administrative or civil litigation action to enforce these if they are not paid.
Civil monetary penalties for HIPAA violations are determined based on a tiered civil penalty structure. The HHS secretary has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. HHS is prohibited from imposing civil monetary penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended at HHS’s discretion). So it is imperative to retain an attorney and get on top of the situation fast.
The range of penalties for civil violations.
HIPAA violation: Unknowing
Penalty range: $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations
HIPAA violation: Reasonable Cause
Penalty range: $1,000 – $50,000 per violation, with an annual maximum of $100,000 for repeat violations
HIPAA violation: Willful neglect but corrected (violation is corrected within the required time period)
Penalty range: $10,000 – $50,000 per violation, with an annual maximum of $250,000 for repeat violations
HIPAA violation: Willful neglect, not promptly corrected (violation is not corrected within the required time period)
Penalty range: $50,000 per violation, with an annual maximum of $1.5 million
Criminal penalties for violations.
In June 2005, DOJ clarified who can be held criminally liable under HIPAA. Its clarification included officers, employees, and other principles of business entities (corporations and companies) that are covered entities, including co-conspirators, aiders, and abettors of the acts.
Criminal violations of HIPAA are investigated and prosecuted by DOJ. As with the civil penalties, there are different criminal penalties based on the level of severity of the criminal violation.
Covered entities and specified other individuals who knowingly obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations to the HIPAA Regulations, face a fine of up to $50,000, as well as imprisonment for up to one (1) year.
Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five (5) years in prison.
Finally, offenses committed with a profit motive, in other words, with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment up to ten (10) years.
What is a “Covered Entity?”
One thing to remember is that HIPAA and its enforcing regulations only apply to “covered entities” with certain minor exceptions. The following are examples of “covered entities”:
Health plans (e.g., health insurers, HMOs, PPOs)
Health care clearinghouses
Health care providers who transmit claims in electronic form (this will cover almost all health facilities and health professionals)
Medicare prescription drug card sponsors
Individuals such as directors, employees, or officers of a covered entity (where the covered entity is not an individual) may criminally liable under HIPAA per the “corporate criminal liability” theory.
Criminal Penalties for HIPAA Violations.
Yes, there are criminal penalties, including prison for up to ten (10) years, possible for HIPAA violations.
To read an earlier blog I wrote on criminal penalties for HIPAA violations, please click here.
What is the Definition of “Knowingly?”
The DOJ interprets the required element of “knowingly” in the criminal liability section of HIPAA as requiring only knowledge of the actions that constitute an offense. Specific knowledge that an action is a violation of HIPAA is not required.
Can a HIPAA Violation Lead to Exclusion from the Medicare Program?
HHS has the authority to exclude from participation in Medicare any covered entity that was not compliant with certain HIPAA Regulations under certain circumstances. Call your healthcare lawyer for details on this.
For information on the effects of exclusion from any government-sponsored healthcare program on a doctor, nurse, dentist, or any other health provider, visit our website’s Health Law Articles and Documents page to view the OIG’s Special Advisory Bulletin.
The Administrative Simplification Act Simplifies it All.
The Administrative Simplification Act sought to clarify and simplify parts of HIPAA and increase specific penalties for violations. Title 42, United States Code, Chapter 7, Subchapter XI, Part C (Administrative Simplification Act).
The Administrative Simplification Regulations authorize a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permits fines of $250,000 and imprisonment for up to 10 years.
Misuse and Disclosure of “Unique Health Identifiers.”
The wrongful use of a unique health identifier can be charged as a violation of 42 U.S.C. § 1320d–6(a)(1) and (b)(1)), the penalty provision of which is set forth in 42 U.S.C. § 1320d–6(b)(1). “Unique health identifier” includes a patient’s name, address, social security number, insurance member ID number, description of health history, and description of the patient’s symptoms.
Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.
The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals, and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free: (888) 331-6620.
About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620 Toll-Free: (888) 331-6620.
“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999. Copyright © 2021 The Health Law Firm. All rights reserved.
Leave A Comment