Posts Tagged HITECH

HHS Lowers Annual Limits of Penalties for HIPAA Violations

In a notification published in the Federal Register on April 30, 2019, the Department of Health and Human Services (“HHS”) informed the public that HHS is exercising its discretion in how it applies the regulations governing the assessment of civil money penalties (“CMPs”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as that provision was amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).

In February 2009, Congress enacted the HITECH Act, which, among other things, strengthened HIPAA enforcement by increasing the minimum and maximum potential CMPs for HIPAA violations. Section 13410(d) of the HITECH Act established four categories of HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation:

  1. the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
  2. the violation was due to reasonable cause, and not willful neglect;
  3. the violation was due to willful neglect that is timely corrected; and
  4. the violation was due to willful neglect that is not timely corrected.

Although the HITECH Act set forth a different annual penalty cap for each tier (covering all violations of an identical requirement or prohibition in a single year), HHS determined that the language of the penalty provisions was conflicting and appeared to reference two levels of penalties for three of the four tiers. As a result, HHS concluded that the most logical reading of the law was to apply the highest annual cap of $1.5 million to every tier of violation, and that this interpretation was consistent with Congress’ intent to strengthen enforcement.

On January 25, 2013, HHS adopted a final rule that applied the annual limit of $1.5 million to all tiers of violation types, as shown in the chart below:

Upon further review by the HHS Office of the General Counsel, HHS has now determined that the better reading of the HITECH Act is to apply annual limits as shown in the chart below:

HHS is expected to engage in future rulemaking to revise the penalty tiers to better reflect the text of the HITECH Act. Until further notice, HHS stated that it will use the new tier structure shown in the chart immediately above, as adjusted for inflation.

Article contributed by Anthony Romano, a partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is an official partner with the Medical Association.

Posted in: HIPAA


Speak Up! HHS Wants to Hear from YOU!

The Department of Health and Human Services Office for Civil Rights (OCR) wants to hear from health care providers, business associates and members of the public about how it can best modify the HIPAA regulations. On Dec. 12, 2018, OCR issued a Request for Information (RFI), asking the public for comments on how the regulations can best facilitate continuity of care and decrease regulatory burdens.

“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

OCR is looking for feedback in the following areas:

  • Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to encourage, incentivize, or require covered entities to disclose PHI to other covered entities.
  • Encouraging covered entities, particularly providers, to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Eliminating or modifying the requirement for covered health care providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices, to reduce burden and free up resources for covered entities to devote to coordinated care without compromising transparency or an individual’s awareness of his or her rights.

Additionally, OCR is encouraging health care providers, business associates and members of the public to answer 54 questions that relate to their experiences working with health care data to determine which aspects of the regulations are necessary and which may be overly burdensome.

The RFI can be viewed by clicking on the following link:

The deadline for comment is Feb. 12, 2019. OCR has provided the following methods to submit comments:

  • Federal eRulemaking Portal. You may submit electronic comments at by searching for the Docket ID number HHS–OCR–0945–AA00. Follow the instructions for sending comments.
  • Hand-Delivery or Regular, Express, or Overnight Mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: RFI, RIN 0945–AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.

Instructions: All submissions received must include “Department of Health and Human Services, Office for Civil Rights RIN 0945–AA00” for this RFI. All comments received will be posted without change to, including any personal information provided.

As a compliance professional, I will be submitting comments on areas that impact my clients on Feb. 8, 2019. If you have questions or concerns, feel free to contact me, and I’ll be happy to discuss your concerns or include your inquiry in my comments. I can be reached toll-free at 1-888-959-9501 or at

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA


Meaningful Use and the Costs of Noncompliance

It is something of an understatement to note that the U.S. health care legal landscape is currently experiencing a degree of transition and uncertainty. There is no shortage of changes to discuss, debate, and, perhaps, grow apprehensive about. One development that has been on the radar of many physicians for several years now – and brought into new relief by more recent changes such as the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) – is the Meaningful Use concept introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

“Meaningful Use” relates to physicians’ use of certified electronic health record (EHR) technology in the interest of interoperability and efficient electronic exchange of health information. The Centers for Medicare & Medicaid Services (CMS) runs an incentive program that makes incentive payments to eligible professionals and eligible hospitals who join and comply. Participation involves making “Meaningful Use Attestations” regarding compliance. Both compliance and noncompliance with Meaningful Use goals can represent a significant cost to physicians: compliance, because bringing a practice’s technological infrastructure up to the appropriate standards does not come cheaply; noncompliance, because those who choose not to participate in CMS’s incentive program face reductions in their Medicare and Medicaid payments. These reductions equal a 3 percent decrease in 2017.

It appears that noncompliance with Meaningful Use standards carries more of a bite than some observers may have thought. In June of 2017, the Office of the Inspector General (OIG) released a report finding that Medicare had made hundreds of millions of dollars’ worth of incentive payments to Meaningful Use attesters who failed to meet the necessary requirements. The OIG estimated a total of approximately $730 million in inappropriate payments – more than ten percent of the total payments. CMS’s blunder largely resulted from its failure to conduct adequate documentation review, which left the self-attestations of professionals prone to abuse. Note, too, that CMS is not the only authority to make inappropriate EHR incentive payments: the OIG faulted Texas in August 2015 for making such wrongful payments in an amount over $15 million through its Medicaid program.

This does not, of course, amount to a windfall for the physicians who received the wrongful payments. The OIG’s recommendation to CMS includes directing CMS to recover the wrongful payments it has identified (a small sample of the total), and to seek to identify, and then recover, the rest of the inappropriately directed federal funds. As is characteristically the case, government overpayments cannot be retained by the recipient. Thus, the takeaway from CMS’s improper Meaningful Use largesse should not be the observation that the government has, until now, not been adequately reviewing Meaningful Use documentation. Instead, it should be that one can, of course, expect such mistakes to be corrected when discovered, and that it is even more important to get Meaningful Use compliance right now. What a physician has done in the past may not actually have sufficed. Additionally, part of the OIG’s recommendation to CMS was to educate eligible clinicians on proper Meaningful Use documentation requirements. Physicians should look for and take advantage of such education.

This need to double down on one’s Meaningful Use efforts comes at a time when the reimbursement system is shifting to MACRA. The Medicare EHR Incentive Program is no longer a standalone program – it has been combined through MACRA with the Physician Quality Reporting System and the Physician Value-based Payment Modifier into a single program, the Merit-based Incentive Payment System (MIPS) under the Quality Payment Program (QPP). Although hospital and Medicaid Meaningful Use programs are unaffected by MACRA, clinicians will make their Medicare Meaningful Use attestations through the QPP. This program still focuses on the use of Certified EHR Technology to support interoperability and health care quality objectives. The Meaningful Use measures are calculated and compensated somewhat differently under MIPS; one significant change is that a hybrid scoring system has replaced the previous all-or-nothing approach.

Although the manner of reporting Meaningful Use has changed somewhat, it has become neither less important nor markedly simpler. Getting up to speed on the technological, administrative, and reporting features of establishing Meaningful Use now – while the transition period still allows some clemency as far as timing goes – is certainly advisable. The need to advance the goals of interoperability, efficiency, and care coordination that Meaningful Use seeks to promote is unlikely to diminish. The fact that CMS is now beginning to seek hundreds of millions of dollars in wrongful incentive payments only highlights that Meaningful Use compliance is an issue worth following in the ever-changing health care landscape.

Chris Thompson is an attorney with Burr & Forman LLP. Chris practices exclusively in the firm’s Health Care Practice Group. Burr & Forman, LLP, is an official Bronze Partner with the Medical Association.

Posted in: MACRA


What is a Business Associate Agreement, and Why Should You Care?

Health care providers are primarily concerned with the treatment and wellbeing of their patients. They gather and maintain tremendous amounts of protected health information[1] (PHI) throughout the treatment process and commonly share that PHI with third parties who assist them in carrying out their work. Sharing PHI with a third party who is not a workforce member may create a business associate relationship. With the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, medical practices are now required to identify business associate relationships and enter into Business Associate Agreements (BAAs). Failure to comply can lead to heavy fines imposed by the Department of Health and Human Services.

A common challenge to compliance with this regulation is assessing whether an individual or entity falls within the definition of a Business Associate. To make this determination, medical practices are required to identify third parties who create, receive, maintain, or transmit PHI on behalf of the covered entity, including subcontractors. After documenting this process, an appropriate BAA must be executed to govern the relationship and to protect any PHI.

BAAs are contracts that dictate how a Business Associate must use, disclose and safeguard PHI, as well as the covered entity’s responsibilities to the Business Associate. At a minimum, the BAA must include the following provisions:

  • Establish the permitted and required uses and disclosures of PHI by the Business Associate;
  • Provide that the Business Associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  • Require the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI;
  • Require the Business Associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
  • Require the Business Associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  • To the extent the Business Associate is to carry out a covered entity’s obligation under the Privacy Rule, require the Business Associate to comply with the requirements applicable to the obligation;
  • Require the Business Associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by the Business Associate on behalf of the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  • At termination of the contract, if feasible, require the Business Associate to return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the covered entity;
  • Require the Business Associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information; and
  • Authorize termination of the contract by the covered entity if the Business Associate violates a material term of the contract. Contracts between Business Associates and their subcontractors are subject to these same requirements.[2] (DHHS, 2013)

Don’t Think This Applies to You? Think Again!

Business Associate relationships are voluminous in medical practices. More often than not, the modern medical practice will have multiple relationships that require a BAA. A few examples may include:

  • Tech support for an Electronic Health Record (EHR)
  • Data storage services
  • Repair services for copiers with hard drives
  • Data destruction
  • Cloud hosting
  • CPA firms that provide accounting services
  • Independent medical transcription services
  • Claims processing

Business Associates May Face Penalties as Well

In June of 2016, Catholic Health Services of the Archdiocese of Philadelphia (CHCS) settled with HHS for $650,000 after it was discovered that it may have violated the HIPAA Security Rule. CHCS provided management and information technology services to a nursing home company, creating a Business Associate relationship. HHS alleged that the theft of a CHCS iPhone that lacked password protection compromised the PHI of numerous nursing home residents.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

Medical practices should be eager to institute BAAs where appropriate, as they shift liability for the Business Associate’s inappropriate conduct to the Business Associate. Medical practices should not allow any relationship with a contractor to exist without first analyzing the need for a Business Associate Agreement. Otherwise, the medical practice could be required to perform breach notification or pay litigation costs for the actions of the Business Associate. It is paramount that your medical practice obtain BAAs when necessary and have a system in place to track them. A proper tracking system will notify you when BAAs expire and will ensure that nothing slips through the cracks. Understand that if, during an audit, it is determined that your medical practice lacks the necessary BAAs, has expired BAAs, or has BAAs that lack the required provisions, your entity could be fined for non-compliance with the HITECH Act.

It is important to note that there are a number of exceptions to the Business Associate Agreement requirement that may apply. Some exceptions include conduits, workforce members and janitors. To protect your practice, you should have a qualified professional perform a risk analysis to determine whether a BAA is necessary and to tailor the BAA to the specific relationship.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.

[1] PHI includes many common identifiers, like a patient’s name, date of birth, address, social security number, full-face photo or any other personal identifiers.

[2] Department of Health and Human Services. (2013) Business Associate Agreement Contracts. Retrieved from

Posted in: Liability
