Office of Civil Rights Discusses Two HIPAA Enforcement Tools - Will These "Red Light Cameras" Deter New HIPAA Violations?
Elizabeth Litten writes:
The federal Office of Civil Rights (“OCR”) has publicized two tools that are available to OCR and individual State Attorneys General (“SAGs”) to deter and catch HIPAA privacy and security breaches, much as red light cameras are designed to deter and catch traffic violations.
If a Covered Entity (“CE”) or Business Associate (“BA”) has already experienced a breach of Protected Health Information (“PHI”), it has probably already taken (or has been required by regulators to take) steps to prevent future breaches. However, all CEs and BAs should be aware of the tools available to the federal and state governments to check HIPAA compliance, investigate potential breaches, and bring enforcement actions for a variety of HIPAA violations, including, but not limited to, PHI breaches.
Linda Sanches, OCR Senior Advisor and the lead on HIPAA Compliance Audits, recently presented on the progress of the 2012 HIPAA Privacy and Security Audit Program (the “Audit Program”) being conducted for OCR by KPMG, Inc. One stated objective of the Audit Program is to “[e]ncourage renewed attention to compliance activities.” The Audit Program is being conducted using Generally Accepted Government Auditing Standards (aka “Yellow Book Standards”).
While OCR states that the Audit Program is not meant to be “punitive,” it also notes that the Audit Program currently being conducted will “feed into decisions” related to future audits. OCR lists “Non-Compliance Risks” as including loss of contracts, criminal and civil investigation, federal penalties and state fines, public harm and reputational risk, legal costs, and costs of notification.
Three of the tips for avoiding the painful and expensive consequences of HIPAA violations, listed on the last slide of Ms. Sanches’ presentation, struck me as particularly noteworthy for their obviousness and simplicity:
1) Determine your various lines of business that are affected by HIPAA.
2) Map/Flow PHI movement within your organization, as well as flows to/from third parties.
3) Find all of your PHI.
Yes, if you are a CE or BA and don’t know where your PHI resides or travels, you may already be on the road to HIPAA violations without even realizing it.
As another enforcement tool, OCR has published guidance for SAGs looking to investigate HIPAA violations and drum up revenue for the state and individuals affected by the violations. CEs and BAs can view this guidance and see how states can investigate and prosecute potential HIPAA violations, as well as how OCR and SAGs can estimate potential penalties that may be imposed:
SAG Penalty Estimate
• Amount of penalty = [number of violations] X [up to $100] per violation; and
• A SAG may obtain damages as high as $100 per violation and up to $25,000 for violations of the same requirement in a calendar year.
OCR Penalty Estimate
• OCR may collect civil money penalties of up to $50,000 per violation, depending on the level of culpability; and
• The calendar year OCR maximum is $1.5 million, for a single CE, for violation of identical provisions.
One example of HIPAA violations worthy of SAG prosecution, which did not involve a PHI security breach, involves a pharmacy’s disclosure of the PHI of 1,500 customers to a business associate, which the pharmacy paid to make a treatment communication on its behalf. The pharmacy did not limit the PHI it disclosed to the minimum necessary, and did not include the required information about this practice in the notice of privacy practices that it distributed to all 1,500 customers.
The unfortunate pharmacy in this example is described as having otherwise compliant HIPAA policies and procedures, but is nonetheless subject to a state penalty of $50,000 and an OCR penalty of up to $3 million.
The astronomical penalties that are potentially assessable by OCR and SAGs for HIPAA violations should act as a red light or at least a bright amber light of caution to those who may already be approaching or on the road to HIPAA violations. All CEs and BAs should heed the OCR warnings and guidelines.
(Elizabeth G. Litten, Esq., author of this entry, is a partner with Fox Rothschild LLP, based in our Princeton, NJ office. She has concentrated her practice in health law for more than 20 years, with a focus on representing New Jersey-licensed providers and payers and counseling clients on federal health care issues. She is a regular contributor to the firm’s HIPAA, HITECH and Health Information Technology blog.)