On January 25, 2013, the Department of Health and Human Services (“HHS”) formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”). Because the Final Rule covers a broad range of topics, we will be issuing a series of articles in our HIPAA Impact Series to provide further analysis on these topics. The focus of this article is the Final Rule’s impact on the HIPAA Enforcement Rule.
Background
Prior to HITECH, one of the most common criticisms of HIPAA was the lack of enforcement by HHS. As a result of several key changes by HITECH and an October 20, 2009 Interim Final Rule (“Interim Final Rule”), HHS has increased its enforcement of HIPAA. Since the enactment of HITECH, there have been numerous settlements for alleged HIPAA violations, with settlement amounts ranging from $50,000 to upward of $4 million. The Interim Final Rule strengthened HIPAA enforcement in several ways. Most notably, the Interim Final Rule created a new tiered civil monetary penalty structure with penalty amounts ranging from $100 to $1,500,000 depending on an entity’s perceived culpability for the HIPAA violation.[1] The Interim Final Rule also extended HIPAA enforcement authority to state attorneys general and allowed for sharing of penalties with individuals harmed by a HIPAA violation, among other changes.
The Final Rule further enhances HIPAA enforcement and makes several important changes to the HIPAA Enforcement Rule that support increased and consistent enforcement of HIPAA violations, particularly in instances involving willful neglect. The Final Rule also makes technical changes to the Enforcement Rule in order to implement the direct application of HIPAA to business associates.
Mandatory Investigations and Penalties for Willful Neglect
The Final Rule clarifies when the Secretary of HHS (“Secretary”) has discretion in determining when to investigate potential HIPAA violations. Under the Final Rule, if a preliminary review of the facts in a complaint indicates a possible violation due to willful neglect, the Secretary is required to investigate the complaint. The same is true for compliance reviews. If the facts indicate a possible violation due to willful neglect, the Secretary must conduct a compliance review. For any complaints or compliance reviews where the facts do not indicate a possible violation due to willful neglect, the Secretary has the discretion of whether to further investigate or review.
Notably, the Final Rule also expands the Secretary’s discretion to choose between informal resolution and formal resolution of investigations or compliance reviews by simply changing the word “will” to “may” in one subsection of the Enforcement Rule.[2] Although this may seem innocuous at first glance, the purpose of that change is to allow the Secretary to move directly to a civil monetary penalty and formal enforcement without first exhausting informal resolution efforts, particularly in cases involving willful neglect violations. Prior to the Final Rule, the Secretary was required to attempt to resolve noncompliance through informal means.
Determination of Civil Monetary Penalties
The Final Rule retains the increased and tiered range of penalties for civil HIPAA violations introduced by HITECH and implemented in the Interim Final Rule. The Final Rule also revises the definition of “reasonable cause,” which is the basis for the second of the four tiers of penalties, to include violations due to circumstances: (i) that would make it unreasonable for a covered entity or business associate to comply, despite ordinary business care and prudence; and (ii) where a covered entity or business associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with willful neglect. Because the required state of mind was not addressed in the previous definition of the term, this revision was intended to clarify the mens rea associated with the second penalty tier.
The Final Rule also details the factors that will be considered in determining the amount of any civil money penalty. These factors, which can be either aggravating or mitigating, include:
- The nature of the violation;
- The nature and extent of the resulting harm;
- The history of prior compliance with HIPAA; and
- The financial condition of the covered entity or business associate.
Other noteworthy changes to this section provide that the Secretary may consider: (i) the number of individuals affected when determining the nature of the violation; and (ii) the reputational harm when determining the nature and extent of the harm. With respect to prior HIPAA compliance history, the Final Rule broadened the Secretary’s review to permit consideration of previous indications of noncompliance rather than solely previous violations.
Affirmative Defenses
The Final Rule clarifies the affirmative defenses available to covered entities and business associates under the Enforcement Rule. Specifically, if a criminal penalty has been imposed on a covered entity or business associate for an act in violation of HIPAA, the Secretary may not also impose a civil money penalty on the covered entity or business associate for that same act. The Final Rule also adds that, for any violations occurring on or before the date HITECH became law (i.e., prior to February 18, 2009), the Secretary is not permitted to impose a civil money penalty where the violation is due to circumstances that would make it unreasonable for the covered entity to comply with the applicable HIPAA standard, despite ordinary business care and prudence, and is not due to willful neglect. For violations occurring on or after February 18, 2009, it remains an affirmative defense under the Final Rule that the violation is not due to willful neglect and was corrected within 30 days of learning of the violation or such additional period as determined by the Secretary.
Direct Liability of Business Associates
In order to effectuate the direct application of HIPAA to business associates, the Final Rule inserted the term “business associate” where appropriate throughout the Enforcement Rule.
Practical Takeaways
The Final Rule indicates that HHS will continue its active enforcement of HIPAA. In order to reduce the chances of an enforcement action under HIPAA, we recommend covered entities and business associates undertake the following steps as soon as possible:
- Audit current HIPAA policies, procedures and practices for compliance with the Final Rule;
- Review and revise HIPAA policies, procedures and practices as necessary to ensure compliance;
- Review relationships with business associates and ensure appropriate safeguards, including business associate agreements, are in place within the required timeframes;
- Revise breach notification policies and procedures and breach response plans;
- Have a response plan in place for any HIPAA investigations or compliance reviews by HHS or the state attorney general;
- Update Notices of Privacy Practices and ensure the revised notices are properly posted and distributed; and
- Provide continuing education to workforce members on any revised policies and procedures.
For additional information, please contact Mark Swearingen at 317.977.1458 or mswearingen@wp.hallrender.com, Kendra Conover at 317.977.1456 or kconover@wp.hallrender.com or your regular Hall Render attorney.
Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. View our HIPAA Impact Series and sign up to receive updates by visiting www.hallrender.com/impact.
[1] For any HIPAA violations that occur after February 17, 2009, the minimum civil monetary penalties are tiered as follows: (1) $100 per violation, with an annual cap of $25,000, for violations where the person did not know that such person committed a violation; (2) $1,000 per violation, with an annual cap of $100,000, for violations due to reasonable cause and not to willful neglect; (3) $10,000 per violation, with an annual cap of $250,000, for violations due to willful neglect that are corrected within 30 days of the date the person knows (or should have known) about the violation; and (4) $50,000 per violation, with an annual cap of $1,500,000, for violations due to willful neglect that are not corrected within 30 days.
[2] See 45 C.F.R. § 160.312(a)(1).