Posts Tagged penalty

HHS Lowers Annual Limits of Penalties for HIPAA Violations

In a notification published in the Federal Register on April 30, 2019, the Department of Health and Human Services (“HHS”) informed the public that it is exercising its discretion in how it applies regulations concerning the assessment of civil money penalties (“CMPs”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as such provision was amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).

In February 2009, Congress enacted the HITECH Act which, among other things, strengthened HIPAA enforcement by increasing minimum and maximum potential CMPs for HIPAA violations. Section 13410(d) of the HITECH Act established four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation:

  1. the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
  2. the violation was due to reasonable cause, and not willful neglect;
  3. the violation was due to willful neglect that is timely corrected; and
  4. the violation was due to willful neglect that is not timely corrected.

Although the HITECH Act set forth different annual penalty caps for each tier (for all violations of an identical requirement or prohibition in a single year), HHS determined that the language of the penalty provisions was conflicting and allegedly referenced two levels of penalties for three of the four tiers. As a result, HHS concluded that the most logical reading of the law was to apply the highest annual cap of $1.5 million to each tier of violation and that such interpretation was consistent with Congress’ intent to strengthen enforcement.

On January 25, 2013, HHS adopted a final rule that applied the annual limit of $1.5 million to all tiers of violation types, as shown in the chart below:

Upon further review by the HHS Office of the General Counsel, HHS has now determined that the better reading of the HITECH Act is to apply annual limits as shown in the chart below:

HHS is expected to engage in future rulemaking to revise the penalty tiers to better reflect the text of the HITECH Act. Until further notice, HHS stated that it will use the new tier structure shown in the chart immediately above, as adjusted for inflation.

Article contributed by Anthony Romano, a partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is an official partner with the Medical Association. 

Posted in: HIPAA

HIPAA Illiteracy Is Considered Willful Neglect



Unsure of your practice’s vulnerabilities?




Judge Rules in Favor of OCR and Requires $4.3 Million in Penalties for HIPAA Violations

OCR’s investigation found that MD Anderson had written encryption policies and that its risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson failed to encrypt its inventory of electronic devices containing ePHI.


Easily Avoid Penalties for HIPAA Violations

Protect your reputation, practice and patients’ information. MD Anderson knew of its vulnerabilities and high-risk findings, but failed to act.

Avoid Willful Neglect and the associated HIPAA penalties starting with a Confidential Risk Assessment.

Attend your no-obligation risk analysis review and have a PCIHIPAA Senior Compliance Officer review your HIPAA risk assessment and suggest HIPAA compliant solutions to your vulnerabilities.



Not protecting the privacy and security of your patient information leads to non-compliance fines, data breaches and reputational risk.

Practices are responsible for patients’ protected health information no matter the consequences.


Let PCIHIPAA know you are a member of the Medical Association of the State of Alabama and claim:

  1. Complimentary 2018 HIPAA Risk Assessment (Now Mandatory: Section 164.308(a)(1)(ii)(A))
  2. A 23-Page Risk Analysis Report
  3. A Free 30-Minute HIPAA Risk Consultation
  4. 1 Year of Free Identity Restoration Protection



Get on the path to compliance in less than 60 days


PCIHIPAA takes the guesswork out of HIPAA Compliance.
We make sure HIPAA and PCI Compliance is simple and easy to manage.
We work with 1,000s of practices like yours.
A+ rating with the BBB.

Posted in: HIPAA

The HIPAA Horizon: What Changes Can We Look Forward to in the Near Future?

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) oversees compliance with the Health Insurance Portability and Accountability Act (HIPAA). Specifically, this entity is charged with ensuring that HIPAA-covered entities adhere to the HIPAA Privacy, Security and Breach Notification Rules.

On Jan. 30, 2017, Pres. Trump issued an order referred to as the “Executive Order for Reducing Regulation and Controlling Regulatory Costs.” This became known as the “2-for-1 Executive Order.” This order required all federal agencies to cut two existing regulations for every proposed new regulation.

Many health care compliance professionals have been interested to learn how HHS OCR would respond to this challenge. There was significant curiosity about how this mandate would change the way HHS OCR was able to protect patient rights and whether it would be able to continue to develop regulations to protect the confidentiality, integrity and availability of patient records during a period when ransomware scares and identity theft challenges are more and more prevalent.

It appears the industry has received their answer. At the HIPAA Summit, OCR Director Roger Severino announced, “The HHS Office for Civil Rights is planning to make some changes to the HIPAA Privacy Rule and enforcement regulations but will ask first for input from the health care sector and the public before making possible modifications.”

The proposed rule or Notice of Proposed Rule Making (NPRM) is the official document that announces and explains the agency’s plan to address a problem or accomplish a goal. All proposed rules must be published in the Federal Register to notify the public and to give them an opportunity to submit comments. The proposed rule and the public comments received on it form the basis for the final rule.[1]

HHS OCR has not officially posted the notice of proposed rulemaking for 2018; however, compliance professionals have been given a heads up on what to expect this year. HHS OCR is planning to submit a notice of proposed rulemaking (NPRM) in at least the following three areas:

Good Faith of Health Care Providers. This would allow health care providers to share information with an incapacitated patient’s family members without patient authorization so long as the health care provider believes in “good faith” that making the disclosure is in the best interest of the patient.

Request for Information on Distribution of a Percentage of Civil Monetary Penalties or Monetary Settlements to Harmed Individuals. Historically, money collected from HIPAA fines and settlements has not been shared with the individual whose information was compromised. HHS OCR will be seeking comments on what the public thinks will be the best way to allow “victims” of HIPAA violations to share in the money the agency receives as a result of enforcement actions.

Changing Requirements to Obtain Acknowledgment of Receipt of Notice of Privacy Practices. HIPAA-covered entities are currently required to have patients sign an acknowledgment form, which confirms they have been provided with a copy of the entity’s Notice of Privacy Practices. Entities are required to keep copies of those acknowledgment forms for a period of six years. However, patients also have the right to refuse to sign the acknowledgment form, and providers cannot refuse service based on a patient’s refusal to sign the acknowledgment. Potentially, this requirement may be stricken from the regulations or altered to alleviate the administrative burden associated with the current requirement.

In addition to proposed rulemaking, HHS OCR intends to provide long-awaited guidance to the health care industry specifically on encryption, social media and texting.

[1] “A Guide to the Rulemaking Process,” Office of the Federal Register.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page.

Posted in: HIPAA

Twenty States File Lawsuit against Government for the Affordable Care Act

Twenty states, including Alabama, have formed a coalition to file a lawsuit against the government claiming that the Affordable Care Act is now unconstitutional.

According to the lawsuit, the states are claiming that since the GOP eliminated the tax penalty associated with the individual mandate, ObamaCare itself is no longer constitutional.

The Tax Cuts and Jobs Act, signed into law by President Donald Trump on Dec. 22, 2017, eliminated the tax penalty of the ACA, without eliminating the individual mandate itself, according to the lawsuit filed in U.S. District Court in the Northern District of Texas.

In 2012, the Supreme Court ruled 5-4 that ObamaCare’s individual mandate was constitutional because Congress has the power to levy taxes. The lawsuit points to that part of the ruling in its argument that the law is no longer constitutional.

“Following the enactment of the Tax Cuts and Jobs Act of 2017, the country is left with an individual mandate to buy health insurance that lacks any constitutional basis,” the lawsuit states. “Once the heart of the ACA — the individual mandate — is declared unconstitutional, the remainder of the ACA must also fall.”

In its current form, the ACA imposes rising costs and transfers an enormous amount of regulatory power to the federal government, according to a statement by Texas Attorney General Ken Paxton and Wisconsin Attorney General Brad Schimel, who are leading the 20-state coalition lawsuit.

The lawsuit was filed by the attorneys general for the states of Wisconsin, Alabama, Arkansas, Arizona, Florida, Georgia, Indiana, Kansas, Louisiana, Missouri, Nebraska, South Carolina, South Dakota, Tennessee, Utah, West Virginia, Texas, and by the governors of Maine and Mississippi.

The Medical Association is closely monitoring the lawsuit and will report more information as it becomes available.

Posted in: Legal Watch

New Video Shows Physicians How to Avoid Medicare Payment Penalties

The Quality Payment Program (QPP) is the new physician payment system created by MACRA and is administered by the Centers for Medicare and Medicaid Services (CMS). Because the QPP is new this year, the Medical Association of the State of Alabama and the AMA want to make sure physicians know what they have to do to participate and the QPP’s “Pick-Your-Pace” options for reporting. This is especially important for those physicians who have not participated in past Medicare reporting and programs and may be less knowledgeable about the steps they can take to avoid being penalized under the QPP.

The AMA and the Federation stressed to CMS the importance of establishing a transition period to QPP and, as a result, physicians only need to report on at least one quality measure for one patient during 2017 in order to avoid a payment penalty in 2019 under the Merit-based Incentive Payment System (MIPS).

A new short video developed by the AMA, “One patient, one measure, no penalty: How to avoid a Medicare payment penalty with basic reporting,” offers step-by-step instructions on how to report so physicians can avoid a negative 4 percent payment adjustment in 2019. On this website, there are also links to CMS’ quality measurement tools and an example of what a completed 1500 billing form looks like.


Posted in: MACRA

Are You a Medicare Provider Without an EHR?

You can still avoid the MIPS 4 percent penalty by participating this year!

In 2017, the TEST portion of MIPS allows a provider to submit one Quality measure (previously known as PQRS) for less than a 90-day period to potentially avoid a 4 percent MIPS penalty (to be incurred in 2019) on Medicare Part B claims. One example of this is G8427 – Current Medications Documented. Every office typically documents a patient’s Current Medications. If you submit this code on your claims, even if only for a short period of time, you will be participating in the test portion of MIPS and may avoid a 4 percent penalty on Medicare Part B in 2019.

Remember, you will need to do this for every TIN/NPI combination in your practice.

The graph below shows a broad overview of the current MIPS attestation guidelines. Each line gives a brief summary of one of the four attestation paths an office can choose from for 2017. The information above corresponds to the row with one star and explains the simple criteria required this year to easily avoid a 4 percent penalty, which would be incurred in 2019 based on your 2017 participation.

Need help understanding these new MIPS requirements? Contact MediSYS today at 1 (334) 277-6201 or by email. Our staff has been assisting practices with various CMS incentive programs since their inception. We combine years of experience with ongoing support and detailed expertise for our clients at no additional support charges.


For information on MediSYS electronic health records and practice management solutions as well as outsourcing CCM services, please contact MediSYS and visit its website. MediSYS is an official partner with the Medical Association.


Posted in: MVP
