Posts Tagged HHS

HHS Lowers Annual Limits of Penalties for HIPAA Violations


In a notification published in the Federal Register on April 30, 2019, the Department of Health and Human Services (“HHS”) informed the public that it is exercising its discretion in how it applies the regulations governing the assessment of civil money penalties (“CMPs”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as that provision was amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).

In February 2009, Congress enacted the HITECH Act, which, among other things, strengthened HIPAA enforcement by increasing the minimum and maximum potential CMPs for HIPAA violations. Section 13410(d) of the HITECH Act established four categories of HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation:

  1. the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
  2. the violation was due to reasonable cause, and not willful neglect;
  3. the violation was due to willful neglect that is timely corrected; and
  4. the violation was due to willful neglect that is not timely corrected.

Although the HITECH Act set forth different annual penalty caps for each tier (for all violations of an identical requirement or prohibition in a single year), HHS determined that the language of the penalty provisions was conflicting and appeared to reference two levels of penalties for three of the four tiers. As a result, HHS concluded that the most logical reading of the law was to apply the highest annual cap of $1.5 million to each tier of violation, and that this interpretation was consistent with Congress’ intent to strengthen enforcement.

On January 25, 2013, HHS adopted a final rule that applied the annual limit of $1.5 million to all tiers of violation types, as shown in the chart below:

Upon further review by the HHS Office of the General Counsel, HHS has now determined that the better reading of the HITECH Act is to apply annual limits as shown in the chart below:

HHS is expected to engage in future rulemaking to revise the penalty tiers to better reflect the text of the HITECH Act. Until further notice, HHS stated that it will use the new tier structure shown in the chart immediately above, as adjusted for inflation.

Article contributed by Anthony Romano, a partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is an official partner with the Medical Association.

Posted in: HIPAA


Record Year for HIPAA Enforcement


In the current environment of regulation reduction, it is notable that the Department of Health and Human Services (HHS) received a record $28.6 million in publicized settlements and judgments for HIPAA violations in 2018. This surpasses every previous year; the closest year on record is 2016, in which HHS collected $23.5 million. These numbers reflect that HIPAA enforcement actions are on the rise.

Several factors are driving this increase in fines:

  1. A lack of understanding about what constitutes an adequate HIPAA Risk Assessment;
  2. Failure to obtain Business Associate Agreements when applicable;
  3. Failure to comply with the physical, technical and administrative safeguards required to secure protected health information (PHI); and
  4. Failure to implement encryption solutions or adequate alternative measures.

It is important to note that this record-setting total does not encompass all of the enforcement action taken by HHS against covered entities in 2018. These numbers represent only the larger, more notable settlements and judgments. In fact, HHS took corrective action against countless health care providers, health plans and business associates last year, and it does not appear that these numbers will decrease in 2019. As of February 22, 2019, HHS had officially begun investigating over 50 entities for large-scale breaches. For more information on these investigations of breaches affecting 500 or more individuals, visit the Wall of Shame on the HHS website. Pursuant to the HITECH Act of 2009, the Secretary of HHS is required to post information about entities that breach the PHI of 500 or more people, in order to provide transparency to health care consumers.

Health care providers can take action to reduce their risk by doing the following:

  1. Performing annual Risk Assessments;
  2. Identifying Business Associates and entering into adequate Business Associate Agreements;
  3. Creating and updating HIPAA policies and procedures;
  4. Ensuring that employees and staff members receive up-to-date training; and
  5. Proactively monitoring electronic systems containing PHI.

This uptick in penalties illustrates that HHS is serious about its mandate to protect the privacy and security of PHI. Its record demonstrates that it can successfully obtain multi-million dollar settlements from health care entities and health plans that do not comply with HIPAA regulations. This is a good time for health care providers and HIPAA Business Associates to review their compliance programs to ensure that they are meeting the requirements. In HIPAA compliance, the lack of a specific strategy to secure PHI is an actionable failure that could result in a large fine and a loss of goodwill with the entity’s customers, its patients. If you are unsure whether your HIPAA compliance program is adequate, or if you know that it is time to update your policies, procedures and training, consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA


Speak Up! HHS Wants to Hear from YOU!


The Department of Health and Human Services Office for Civil Rights (OCR) wants to hear from health care providers, business associates and members of the public about how it can best modify the HIPAA regulations. On Dec. 12, 2018, OCR issued a Request for Information (RFI) asking the public for comments on how the regulations can best facilitate continuity of care and decrease regulatory burdens.

“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

OCR is looking for feedback in the following areas:

  • Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to encourage, incentivize, or require covered entities to disclose PHI to other covered entities.
  • Encouraging covered entities, particularly providers, to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Eliminating or modifying the requirement for covered health care providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices, to reduce burden and free up resources for covered entities to devote to coordinated care without compromising transparency or an individual’s awareness of his or her rights.

Additionally, OCR is encouraging health care providers, business associates and members of the public to answer 54 questions about their experiences working with health care data, to help determine which aspects of the regulations are necessary and which may be overly burdensome.

The RFI can be viewed at the following link: https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27162.pdf

The deadline for comment is Feb. 12, 2019. OCR has provided the following methods to submit comments:

  • Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA00. Follow the instructions for sending comments.
  • Hand-Delivery or Regular, Express, or Overnight Mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: RFI, RIN 0945-AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.

Instructions: All submissions received must include “Department of Health and Human Services, Office for Civil Rights RIN 0945-AA00” for this RFI. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided.

As a compliance professional, I will be submitting comments on areas that impact my clients on Feb. 8, 2019. If you have questions or concerns, feel free to contact me, and I’ll be happy to discuss your concerns or include your inquiry in my comments. I can be reached toll-free at 1-888-959-9501 or at Samarria@dunsongroup.com.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA


HHS Seeks Comments on Easing Stark Law Burdens


The Centers for Medicare & Medicaid Services (CMS) has requested public input on how the physician self-referral law, or Stark Law, may be interfering with care coordination. To help accelerate the transformation to a value-based system that includes care coordination, HHS has launched a Regulatory Sprint to Coordinated Care. The Regulatory Sprint is focused on identifying regulatory requirements or prohibitions that may act as barriers to coordinated care, assessing whether those provisions are unnecessary obstacles, and issuing guidance or revising regulations to address such obstacles and, as appropriate, to encourage and incentivize coordinated care.

On June 25, 2018, HHS published in the Federal Register a Request for Information seeking comments on the structure of arrangements between parties that participate in alternative payment models or other novel financial arrangements, and on the need to revise or expand exceptions to the Stark Law. CMS states: “CMS is aware of the effect the physician self-referral law may have on parties participating or considering participation in integrated delivery models, alternative payment models, and arrangements to incent improvements in outcomes and reductions in cost.” CMS has also engaged stakeholders through comment solicitations in several recent rulemakings. In 2017, through the annual payment rules, CMS asked for comments on improvements to the health care delivery system that would reduce unnecessary burdens for clinicians, other providers, and patients and their families.

CMS is interested in the public’s thoughts on issues that include the structure of arrangements between parties that participate in alternative payment models or other novel financial arrangements, the need for revisions or additions to exceptions to the physician self-referral law, and terminology related to alternative payment models and the physician self-referral law. Specifically, CMS requested stakeholders’ thoughts on important definitions and/or concepts such as defining “commercial reasonableness,” “fair market value” and “take into account the volume or value of referrals” by a physician.

While the Request for Information does not mean HHS will make any changes to the Stark Law, it is encouraging that CMS recognizes the many roadblocks the Stark Law creates for legitimate arrangements involving physicians.

The Request for Information is available online at https://federalregister.gov/d/2018-13529.

Jim Hoover is a partner at Burr & Forman LLP practicing exclusively in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: Legal Watch


The HIPAA Horizon: What Changes Can We Look Forward to in the Near Future?


The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) oversees compliance with the Health Insurance Portability and Accountability Act (HIPAA). Specifically, OCR is charged with ensuring that HIPAA-covered entities adhere to the HIPAA Privacy, Security and Breach Notification Rules.

On Jan. 30, 2017, President Trump issued an order referred to as the “Executive Order for Reducing Regulation and Controlling Regulatory Costs.” This became known as the “2-for-1 Executive Order.” The order required all federal agencies to cut two existing regulations for every proposed new regulation.

Many health care compliance professionals have been interested to learn how HHS OCR would respond to this challenge. There was significant curiosity about how this mandate would change the way HHS OCR is able to protect patient rights, and whether it would be able to continue developing regulations to protect the confidentiality, integrity and availability of patient records during a period when ransomware scares and identity theft are more and more prevalent.

It appears the industry has received its answer. At the HIPAA Summit, OCR Director Roger Severino announced, “The HHS Office for Civil Rights is planning to make some changes to the HIPAA Privacy Rule and enforcement regulations but will ask first for input from the health care sector and the public before making possible modifications.”

The proposed rule or Notice of Proposed Rule Making (NPRM) is the official document that announces and explains the agency’s plan to address a problem or accomplish a goal. All proposed rules must be published in the Federal Register to notify the public and to give them an opportunity to submit comments. The proposed rule and the public comments received on it form the basis for the final rule.[1]

HHS OCR has not officially posted the notice of proposed rulemaking for 2018; however, compliance professionals have been given a heads-up on what to expect this year. HHS OCR is planning to submit a notice of proposed rulemaking (NPRM) in at least the following three areas:

Good Faith of Health Care Providers. This would allow health care providers to share information with an incapacitated patient’s family members without patient authorization so long as the health care provider believes in “good faith” that making the disclosure is in the best interest of the patient.

Request for Information on Distribution of a Percentage of Civil Monetary Penalties or Monetary Settlements to Harmed Individuals. Historically, money collected from HIPAA fines and settlements has not been shared with the individuals whose information was compromised. HHS OCR will be seeking comments on what the public thinks is the best way to allow “victims” of HIPAA violations to share in the money the agency receives as a result of enforcement actions.

Changing Requirements to Obtain Acknowledgment of Receipt of Notice of Privacy Practices. HIPAA-covered entities are currently required to have patients sign an acknowledgment form, which confirms they have been provided with a copy of the entity’s Notice of Privacy Practices. Entities are required to keep copies of those acknowledgment forms for a period of six years. However, patients also have the right to refuse to sign the acknowledgment form, and providers cannot refuse service based on a patient’s refusal to sign the acknowledgment. Potentially, this requirement may be stricken from the regulations or altered to alleviate the administrative burden associated with the current requirement.

In addition to proposed rulemaking, HHS OCR intends to provide long-awaited guidance to the health care industry specifically on encryption, social media and texting.

[1] “A Guide to the Rulemaking Process,” Office of the Federal Register.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page.

Posted in: HIPAA


Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members


MONTGOMERY – The Medical Association of the State of Alabama has partnered with PCIHIPAA to help protect its members from the onslaught of ransomware attacks, HIPAA violations and data breaches impacting Alabama physicians. Under HIPAA’s Security and Privacy Rules, health care providers are required to take proactive steps to protect sensitive patient information.

“The Medical Association services more than 7,000 Alabama physicians. It’s critical that our members understand the risks surrounding HIPAA compliance and patient data privacy and security laws. We vetted many HIPAA compliance providers and believe PCIHIPAA’s OfficeSafe Compliance Program is the right solution for Alabama physicians. PCIHIPAA’s compliance program is robust and easy to implement. I’m confident our partnership will provide a necessary, value-added program for our members,” said Association President Jerry Harrison, M.D.

The partnership comes on the heels of an important announcement surrounding HIPAA compliance regulation. The Director of the U.S. Department of Health and Human Services’ Office for Civil Rights recently stated, “Just because you are a small medical or dental practice doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.” In addition, in 2017 hacking and employee errors led to data breaches at Alabama-based Surgical Dermatology Group, UAB Viral Hepatitis Clinic and The University of Alabama, underscoring the importance of HIPAA compliance and patient data protection.

According to the U.S. Department of Health and Human Services, OCR has received over 150,000 HIPAA complaints since the Privacy Rule took effect in April 2003. A rising number of claims filed under HIPAA in recent years has led many patients to question whether their personal payment and health information is safe. As the government has become more aggressive in HIPAA enforcement, large settlements have become widespread, and rising penalties for HIPAA non-compliance are a reality.

According to HHS.gov, the types of HIPAA violations most often identified are:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of technology safeguards of PHI
  3. Lack of adequate contingency planning in case of a data breach or ransomware attack
  4. Lack of administrative safeguards of PHI
  5. Lack of a mandatory HIPAA risk assessment
  6. Lack of executed Business Associate Agreements
  7. Lack of employee training and updated policies and procedures

“We are honored to be partnering with The Medical Association of The State of Alabama. They have a 140-year track record of helping Alabama physicians thrive. PCIHIPAA’s mission is to help physicians easily and affordably navigate HIPAA requirements and provide the solutions they need to protect their practices. We find that many practices don’t have the resources to navigate HIPAA law, and are unaware of common vulnerabilities. We encourage all association members to take a complimentary risk assessment to quickly assess their HIPAA compliance and risk levels. To get started go to Start Risk Assessment,” said Jeff Broudy, CEO of PCIHIPAA.

About PCIHIPAA
PCIHIPAA is an industry leader in PCI and HIPAA compliance, providing turnkey, convenient solutions for its clients. By delivering primary security products to mitigate the liabilities facing dentists and doctors, PCIHIPAA removes the complexities of financial and legal compliance with PCI and HIPAA regulations, ensuring that medical and dental practices are educated about what HIPAA laws require and how to remain in full compliance. Learn more at OfficeSafe.com and PCIHIPAA.com.

Posted in: MVP


Medical Association Applauds U.S. Rep. Tom Price, M.D., for HHS Secretary


MONTGOMERY – The Medical Association of the State of Alabama applauds the nomination of U.S. Rep. Tom Price for secretary of the U.S. Department of Health and Human Services.

“Congressman Price is a strong advocate for preserving the patient-physician relationship, which includes fighting for patients’ rights as well as preserving physician autonomy,” said Medical Association President David Herrick, M.D. “Dr. Price has worked with our Medical Association leadership for many years on the national level to deregulate medicine and ease the administrative burdens placed on physicians. We feel that as a physician, Dr. Price understands firsthand what the health care system needs to get back on track so our physicians can focus more on treating their patients and less on red tape.”

For nearly 20 years, Dr. Price worked in private practice as an orthopaedic surgeon. Before coming to Washington, he returned to Emory University School of Medicine as an Assistant Professor and Medical Director of the Orthopedic Clinic at Grady Memorial Hospital in Atlanta, teaching resident doctors in training. He received his Bachelor’s and Doctor of Medicine degrees from the University of Michigan and completed his Orthopaedic Surgery residency at Emory University.

Should Dr. Price be confirmed as secretary of the U.S. Department of Health and Human Services, he would be the first physician to serve in that position since 1989 and the third physician in the 63-year history of the department. The Medical Association strongly feels that physician leadership of HHS and in the President’s Cabinet would provide the perspective that has been lacking in the health care decisions of our country.

Posted in: Advocacy
