There has been a recent and sharp uptick in the investigation and prosecution of HIPAA violations, as well as in the severity of penalties imposed. For example, in 2016, a non-profit Pennsylvania technology firm was fined $650,000 by the US Department of Health and Human Services Office for Civil Rights (“OCR”) after an employee’s iPhone was stolen from a car. The iPhone contained protected health information (“PHI”) from several clients without encryption or password protection. Also in 2016, a Massachusetts hospital was fined $650,000 by OCR for its failure to implement proper security policies to prevent a cyberattack that exposed PHI for more than 1,500 patients. The hospital was forced to report an overall fiscal loss for the first time in years due to the breach. And, in 2017, OCR fined a New York hospital more than $300,000 after it discovered that health information was improperly transmitted to patients’ employers.
These regulatory actions are indicative of OCR’s emphasis on ensuring that health care providers, and entities that provide services to health care providers, comply with the provisions of HIPAA and its 2009 amendment, the HITECH Act.
Importantly, the need for HIPAA compliance has continued to grow exponentially as the business of health care evolves. The role of technology and innovation in the delivery of health care is booming, and non-traditional businesses such as software vendors, cloud data providers, and mobile application developers may well find themselves subject to HIPAA’s provisions and penalties.
Businesses involved in the health care marketplace that handle PHI—either directly as covered entities like hospitals or insurers, or tangentially as business associates such as technology providers or third party consultants—must be aware of the requirements of HIPAA and pitfalls of noncompliance. Here are 5 basic HIPAA considerations for businesses to consider in evaluating their need for a legal compliance strategy.
1. What types of businesses must comply with HIPAA?
Both “covered entities” (health care providers, insurers, and clearinghouses) and “business associates” (billing companies, lawyers, consultants, software vendors, technology firms, etc. who create, receive, maintain, or submit PHI) must comply with the requirements of HIPAA. Subcontractors hired by business associates that handle PHI may also be subject to HIPAA, depending on their role. Health care businesses must carefully evaluate how they obtain health information and what they do with it to determine whether HIPAA applies. For example, a wellness mobile application provider that mines and stores patient health information from clinics and/or providers is likely is subject to the requirements of HIPAA.
2. How do businesses comply with the requirements of HIPAA?
HIPAA is generally divided into two categories—privacy and security. The rules governing privacy deal with the use, access, or disclosure of health information; meanwhile, the rules governing security govern how health information is stored and protected. Both require a comprehensive legal strategy to protect against violations and sanctions. For example, privacy provisions mandate that entities like doctors, pharmacies, and third-party record companies understand how and when to disclose PHI upon a legally proper request. Conversely, the rules governing security require that both health care providers and their contractors develop written policies and procedures for technical and procedural safeguards of health information, and then train employees appropriately. In addition, private business associate agreements between covered entities and business associates, or business associates and subcontractors, are required by law.
3. What are potential penalties for violations of HIPAA?
If penalties are assessed, they can be severe. OCR may find violations of HIPAA after self-reporting investigations or in response to audits. Both civil and criminal penalties may apply, and will vary depending on the specific facts. A hospital, for example, with proper procedures in place that did not know that an employee accidentally left a patient file in public, may be assigned a fine as low as $100 for the breach. However, if the hospital had no policy to train employees on how to handle PHI, the minimum fine could jump to $10,000. And, if the hospital did not correct the training problem within 30 days after it learned of the breach, the minimum fine could skyrocket to $50,000. Further, if intent or fraud were found, criminal fines between $50,000 and $250,000 could be levied along with jail time. Businesses should know that fines are determined based on the number of individuals whose health information is involved in each violation. Thus, one stolen laptop with PHI for 500 patients could be considered 500 separate violations of HIPAA. In addition to these penalties, the HITECH act enables state attorneys general to sue and recover up to $25,000 for each violation plus attorneys’ fees.
4. What should a business do when a breach is suspected?
HIPAA and HITECH specifically require that health care entities self-report any breach of unsecured health information to the Department of Health & Human Services, the affected patients, and in some instances, the media. Penalties may be increased if the affected company fails to do so within required time frames. Businesses must also be aware that security incidents where there is an unauthorized attempt to access, use, disclose, modify, or destroy PHI may require reporting to either to the covered entity under a business associate agreement or to individuals and OCR under the breach notification rule. With the rising threat of malware and ransomware cyberattacks—such as the massive cybersecurity breach that occurred in England’s hospitals in May 2017—health care companies must be extremely vigilant with their security and reporting policies and procedures.
5. Are there other laws related to the protection and disclosure of PHI?
Many states have laws in place to protect against wrongful disclosure of health information. HIPAA preempts state laws that offer less protection, but state laws that are more protective continue to apply. For example, Maryland’s Confidentiality of Records Act is more restrictive than HIPAA in several areas, including protections afforded to mental health records. Health care businesses, therefore, need to comply not only with federal law, but often with state laws that will vary depending on where the business is located.
As the health care industry continues to expand and modernize, it is essential that companies who handle health information develop a comprehensive strategy to comply with the various laws governing this area, and implement legally compliant policies and procedures. For questions or assistance, please contact Greg Garrett.
This alert has been prepared by Tydings for informational purposes only and does not constitute legal advice.