HIPAA penalties

Headlines everywhere are telling us that HIPAA penalties are being “slashed”, “capped” or “reduced”.  What is the real story, and what does it mean to the rest of us?  It is a great time to talk about what you should consider if you think you will be facing any HIPAA penalties.

A 5 star review is all we ask from our listeners. Really.

In this episode:

HIPAA penalties dropping – Ep 204

Today’s Episode is brought to you by:

Kardon 

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcasts. Share us on social media. Rate us wherever you find the opportunity.

David’s shout out to the Carolinas Referral Group – Indian Land Chapter – for his talk on BEC (business email compromise) this week

June 13 Lunch and Learn with Medicus IT about Patient Record Release and Fees for Medical Practices – Link to register on the website.

Attending SecureWorld Atlanta – May 29/30 message me if you are going to be there.

Next HIPAA Boot Camp

Session #3 TBD

Somewhere and sometime after Labor Day

www.HelpMeWithHIPAA.com/bootcamp

Share us with one person this week!

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA


HIPAA penalties dropping

[8:50] HHS did make a big announcement, officially published in the Federal Register on April 30, 2019.  As always, there were headlines all over the healthcare news sites and blogs letting you know that the penalties and fines are going down.  What does that really mean?  Is HHS going to “drop it like it’s hot”?  You know that we have to read the text to know that for sure.  Before you all rush off to read the Federal Register yourselves, we thought a few tips about what we found would be helpful.

This notification is to inform the public that the Department of Health and Human Services (HHS) is exercising its discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties… Current HHS regulations apply the same cumulative annual CMP limit across four categories of violations based on the level of culpability. As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalties tiers in the HITECH Act.

We have seen this first CMP chart for years now.  The HIPAA penalties structure in place since HITECH became law was this one:

Culpability                      Minimum penalty/violation   Maximum penalty/violation   Annual limit
No Knowledge                     $100                        $50,000                     $1,500,000
Reasonable Cause                 $1,000                      $50,000                     $1,500,000
Willful Neglect—Corrected        $10,000                     $50,000                     $1,500,000
Willful Neglect—Not Corrected    $50,000                     $50,000                     $1,500,000

The part of this structure that we all understood for years, and that also raised issues in legal debates, was how the $1.5 million annual penalty cap came into play.  The law was originally interpreted to mean that the annual limit was $1.5m for each of the four culpability tiers.  In its write-up, HHS says its original reading was that the lawmakers intended this structure, the one we have been working with for so long.

The new interpretation reads the same statutory text differently.  It says the annual penalty limit is different for each tier, not the same for every tier.  Therefore, from this point forward, HHS will use this new calculation method:

Culpability                      Minimum penalty/violation   Maximum penalty/violation   Annual limit
No Knowledge                     $100                        $50,000                     $25,000
Reasonable Cause                 $1,000                      $50,000                     $100,000
Willful Neglect—Corrected        $10,000                     $50,000                     $250,000
Willful Neglect—Not Corrected    $50,000                     $50,000                     $1,500,000

The only part of this update that really bothers me is a logical one.  On the first penalty tier, how can the maximum per violation be $50,000 when the annual limit is $25,000?  That point will torture me simply because, when I look at the chart, it doesn’t make sense to me.  The same thing happens at one of my favorite restaurants.  Why did the air vent in one room end up in a completely illogical place?  Everything else lines up perfectly except that one vent, which screams “Look at me, I don’t make sense!”.  However, this HIPAA penalties chart was copied directly from the Federal Register.  I can’t make it stop.  It will torment me like HIPPPPAA.

What others didn’t note is the simple line that says “HHS will use this penalty tier structure, as adjusted for inflation, until further notice.”  Remember, we pointed out before that there is an inflation adjustment that occurs annually.  Under the current adjustment, the top annual cap isn’t really $1.5m but actually over $1.7m.

The most recent inflation-adjusted HIPAA penalty amounts were published by HHS in October 2018.

“The cost-of-living adjustment multiplier for 2018, based on the CPI-U for the month of October 2017, not seasonally adjusted, is 1.02041.”  Under these inflation adjustments, even the pre-2009 HIPAA penalties (the ones that applied before HITECH) get updated.  They were first adjusted to $150 per violation, then went to $152, and now they are at $155.  Not much, but that was back when we didn’t have a serious enforcement rule.

New HIPAA penalties impact

How much will this change things in our world?  That calls for the crystal-ball part of our job, which we are sometimes good at and sometimes outright bad at.

Less HIPAA compliance?

A lot of people have a great deal of concern that this announcement will mean fewer people comply with the HIPAA regulations.  The premise is that most folks are only following the standards because of the fines being levied.  I don’t see that being the case very often.  In fact, I tell most groups that fines and penalties are the least of their worries.  They need to worry about reputational damage, unplanned downtime, lost resources, lost business, and patient complaints first.  Then the penalty kicks in.  You have to go through all the other pain before that, and so far it has been statistically very unlikely that you will ever pay one.  After that you get the pleasure of a corrective action plan (CAP) for a couple of years.

Yes, OCR had a record year, but there still haven’t been even 30 settlements or fines announced in a single year.  There are millions of businesses in the healthcare industry subject to HIPAA compliance.  The number is so tiny that, in the big picture, you are more likely to win the lottery than to be hit with an actual HIPAA fine.

Also, most of the folks who are still ignoring HIPAA requirements don’t care about the fines anyway.  The ones who are following it worry about their reputation and harm to their patients more than fines and penalties.  Plus, those CAPs often come into play without any fines or penalties.

No more scary HIPAA penalties stories

I have told people for years that the penalties under HIPAA have, so far, been the least of their worries.  Even at the high rates, they were not applied in very many cases.  Yes, they were flashy, but there were so few of them that it was statistically unlikely for them to be applied in most cases.  I have never been the doom-and-gloom preacher of millions of dollars of HIPAA penalties coming your way.  To me, it has been more an issue of protecting your patients, your business, and the futures of both.

This will be a great way to reset the discussion so it isn’t all about the scary HIPAA penalties presentations.  I never found those particularly helpful in the discussion of privacy and security requirements.  They were all about the stick.  I am a bigger fan of the carrot, with a touch of stick to make the carrot more enticing.  Hopefully, this will be a positive side effect of the changes.

Possibly more realistic enforcement

Let’s look at the point they are using to justify the changes.  It goes back to culpability.  We all know that is a legal term with very strict definitions.  It is why we hear things like, “What did the president know and when did he know it?”.  Legal discussions of the concept of culpability define it something like this:

Blameworthy; involving the commission of a fault or the breach of a duty imposed by law.

The Federal Register notice included the terms defined in the HITECH Act for the various levels of culpability.  It is hard to accept sometimes, but it really does come down to what the specific meaning of a word like “the” in a sentence of the law means to judges and lawyers.  The four levels are legally defined as:

the HITECH Act established four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation: (1) The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision; (2) the violation was due to reasonable cause, and not willful neglect; (3) the violation was due to willful neglect that is timely corrected; and (4) the violation was due to willful neglect that is not timely corrected.

That breakdown lets us match the description of the tier with the definition.

No Knowledge – (1) The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision.  In the original HIPAA rules, this was your get-out-of-jail-free card.  “I didn’t know, man, I just didn’t know” was the perfect defense to get you out of everything.  Today, it just means you are at the low end of the penalties.  You can’t really say you didn’t know you needed to do HIPAA anymore.  What you can say is that you had no idea this was happening AND you were paying attention AND you were doing what you were supposed to be doing.  This is where you should fall if you have a true culture of privacy and security in your organization.

Reasonable Cause – (2) the violation was due to reasonable cause, and not willful neglect.  This one means you knew you should be doing more but just never got it done.  Hopefully, most people who are doing little with their privacy and security programs will be judged to be in this category.  The idea here is that you weren’t saying “we refuse to do it”, but you weren’t really getting it done effectively either.

Willful Neglect—Corrected – (3) the violation was due to willful neglect that is timely corrected.  Now we get to the real problem folks.  These are the ones that were not doing anything of any substance related to HIPAA.  But once things go awry, they jump into action, make a bunch of changes, and show that they stick with them for a period of months or years.  If you are here, it means you saw the light and got on track even though you weren’t there before.

Some people say you need to get your whole list of risk management requirements done in 30 days.  The term “timely manner” is what matters most.  Yes, there is a 30-day window in which you should get your act in order.  Can you build an entire program in 30 days?  No.  But you can take immediate action within the first 30 days that shows you are now taking things seriously.

I have heard some attorneys recommend that you have them write all of your policies and procedures in 30 days if you have none.  That brings me back to: you are doing paperwork and not implementing a program.  If you have no policies and procedures, yes, you must get some in place.  However, make a strategic plan to respond properly, to actually protect the information and meet the requirements, not just to do the basic legal paperwork.

Remember, you need to show you did something in 30 days and that you are sticking to it.  I promise you, you can’t just do some paperwork and a quick training class in the first 30 days and be done.  You need to stay in this category.  The next one doesn’t even require them to talk to you or negotiate.

Willful Neglect—Not Corrected – (4) the violation was due to willful neglect that is not timely corrected.  These are the ones that really need to be addressed with some strict enforcement.  So many of them have no idea what they don’t know.  Others know very well what they don’t know and aren’t doing what needs to be done.  They just don’t care at all.  Reference our 200th episode discussions.

Possible use of HIPAA penalties to improve compliance

When OCR announced that its 2018 HIPAA penalties set an enforcement record, it seemed very proud of it.  There were really just a small number of settlements this past year, as there always have been, but the enforcement dollars set records.

I think this may turn out to be a much more helpful enforcement tool.  It will allow OCR to come through on a first offense, make it clear they are paying attention, and issue a small fine.  It saves them time and money, as well as all of us.  If you get caught again and you haven’t taken care of the problem, the investigation starts to get a bit more intense.

Using this new tiered approach lets them focus on the big offenders and, in my opinion, provide resources as needed to the ones who really need help.  The concept of positive reinforcement may be valuable here.  If you have a repeat offender, it is much easier to move them up the tiers quickly.  It also lets you get your knuckles whacked the first time by the teacher.  If it happens again, you are going to the principal’s office for a big whooping.

HIPAA Penalties Lawsuit

This reduction announcement comes at an interesting time, now that MD Anderson has filed a lawsuit appealing the $4.3m civil money penalty imposed on it last year.  It will be interesting to see how OCR responds with this change in interpretation of the law.  MD Anderson’s complaint has always been that they weren’t that bad and are being picked on.  Who knows how it will pan out.  You know we will be keeping an eye on it, though.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,
it’s about patient care.TM
