Attorneys General are Also Allowed to Issue HIPAA Violation Fines

Since the HITECH Act (Section 13410(e) (1)) was introduced in February 2009, state attorneys general are authorized to make HIPAA-covered entities responsible for the compromise of the PHI of state locals and may submit civil actions to the federal district courts. In case of HIPAA violations, penalties may be issued as much as $25,000 for each violation category, for every calendar year. The minimum applicable penalty is $100 for every violation.

A covered entity that encountered a data breach impacting residents in several states may be required to pay HIPAA violation penalties to attorneys general in several states. Not many states have issued penalties to HIPAA-regulated entities for violating the HIPAA Regulations. They are California, Connecticut, the District of Columbia, Massachusetts, Minnesota, Indiana, New Jersey, New York, and Vermont.

In the past years, attorneys general worked together and issued penalties for HIPAA violations to address big data breaches that have impacted individuals throughout America. They have pooled their resources together and taken a part of any resolutions or civil monetary penalties. Although just a few states have used their authority to require penalties for HIPAA violations, that doesn’t indicate HIPAA violations are not punished. Numerous states issued financial penalties for comparable violations of state regulations.

Are HIPAA Violations Criminal?

If a HIPAA-covered entity or business associate breaks HIPAA Rules, civil penalties may be enforced. If healthcare companies do not comply with the HIPAA, it is normally the employer that gets fined, however not at all times. When healthcare experts knowingly acquire or use protected health information (PHI) for purposes that aren’t allowed by the HIPAA Privacy Rule, they could be criminally accountable for the HIPAA violation based on the criminal enforcement condition of the Administrative Simplification subtitle of HIPAA.

The Department of Justice prosecutes criminal HIPAA violations, particularly those committed by individuals that have intentionally broken HIPAA Rules. There were a number of incidents that have led to large fines and jail sentences.

Criminal HIPAA violations consist of theft of patient data for monetary gain and improper disclosures with the intention to cause damage. Insufficient understanding of HIPAA rules isn’t an acceptable excuse. A person that “knowingly” breaks the HIPAA means the person knew what makes up the offense, not that there’s the absolute knowledge that he or she is breaking HIPAA Rules.

Criminal Penalties for HIPAA Violations

Criminal penalties for HIPAA violations have three distinct tiers with particular terms and an associated fine. A judge decides the penalties according to the facts of every specific case. Like with OCR, various general factors will have an effect on the penalty given. When a person made profits from the PHI access, theft, or disclosure, all money acquired may be returned, besides the payment of a penalty.

There are three tiers of criminal penalties for HIPAA violations. These are as follows:

Tier 1: Reasonable cause or without knowledge of violation – About 1 year in prison

Tier 2: Acquiring PHI under false pretenses – About 5 years in prison

Tier 3: Acquiring PHI for personal profit or with malicious intention – About 10 years in prison

In the past months, there’s been an increase in the number of workers found to be viewing or stealing PHI for different motives. The price of PHI on the black market is high, and this may be a big appeal for several people. It is consequently important that controls are set up to restrict the possibility for people to steal patient information, and to have systems and policies to make sure to identify improper PHI access and theft promptly.

All employees with access to PHI due to their work duties must be educated about the HIPAA criminal penalties and the result of violations, such as loss of job and potentially a long jail sentence and a big penalty.

State attorneys general are going after data theft and penalizing people found to have broken HIPAA Privacy Rules. A jail sentence for stealing HIPAA data is consequently very likely.

Knowing about changes in HIPAA for better compliance

The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill made quite a few amendments to the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.

The most important and noticeable changes include the expansion of enforcement to states’ attorneys general and expansion of privacy and security provisions related to “business associates” and new breach notification provisions along with changes in penalties to be imposed in case of breach of HIPAA.

With changes in HIPAA, the penalties can now be imposed on covered entities along with individuals in position to the previous law where penalties could only be imposed on covered entities. As such, if someone within an organization willingly neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Also, in the past, enforcement and violations were addressed solely at the federal level by the Office of Civil Rights. Now, attorney generals are empowered to deal with enforcement and violations as well.

Protected health information can be released by covered entities without authorization only for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.

With new laws, patients will have a greater ability to try to find out who has accessed their protected health information. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.

In order to make sure that they are HIPAA compliant, the covered entities should keep an eye on releases from HSS about changes, consult with their legal representative, make sure that their designated privacy officer is properly trained and that he or she is training their employees and keep their lines of communication open with business associates and make sure any contracts they have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.

The scope of HIPAA Security Rules

HIPAA security rules deal with health information that is maintained or transmitted electronically. This rule emphasizes on the security framework for those entities that deal with medically sensitive information.  As such, they apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

According to the Security rule, all HIPAA entities must provide a security plan with safeguards in the following areas:

Administrative safeguards: As per HIPAA Security Rule, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level. It should also designate a security official who is responsible for developing and implementing its security policies and procedures.

Physical safeguards: A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

Technical safeguards: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

HIPAA Security Rule is especially applicable to HIPAA compliant web designers and web-hosting providers. HIPAA entities looking for secure solutions must make sure that whatever solutions they implement must comply with the security specifications defined in the rule.

What auditors should keep in mind while Security Rule Audits?

HIPAA security audits require the auditor to pay attention to the prevailing general conditions or stipulations that may impact the audit plan, as well as how existing controls and methods address each of the 42 security standards. In terms of IT, auditors need to review the organization’s use of appropriate controls to ensure the protection of personally identifiable health information. The following list provides useful information auditors should keep in mind during Security Rule audits:
•    The HIPAA Security Rule is tied directly to the HIPAA Privacy Rule and incorporates elements of the Privacy Rule through cross referencing. For instance, the requirement found in paragraph 164.530 of the Privacy Rule deals with policies and procedures, including IT, and is carried forward in the Security Rule in its requirement for appropriate policies and procedures and in the retention period for them.
•    The Security Rule’s scope is corporatewide and applies to the implementation of security standards in all relevant business processes, not just IT.
•    The Security Rule represents a minimum set of security standards organizations must have in place for compliance. Many businesses have processes and requirements that are unique to the way they do their work. As a result, appropriate additional IT controls and procedures should be in place.
•    The Privacy and Security rules incorporate the extension of adopted IT and other standards to business partners through the formal Business Associate Agreement process. This is a formal standard stated in both rules. The standards for privacy and security are found in the Privacy Rule and Security Rule, respectively.
•    The standards found in the Security Rule and the company’s implementation of corresponding IT and other controls must be based on the results of periodic risk assessments conducted by the company. The results of these risk assessments will help the auditor determine the effectiveness of companywide information security efforts to protect business assets.

Is your sensitive medical data secured with your web application?

Big organizations often need web applications to handle and manage their medical information but with strict HIPAA compliance Rules, the healthcare providers need to ensure that they are entrusting their sensitive PHI data to vendors and partners who are as vigilant as they themselves are in protecting PHI. As such when choosing your web designer for management of data, you should take certain precautions.

Firstly, get detailed information about your prospective web designer and also the favt whether or not he has developed any other applications that are meant to handle medical information. HIPAA guidelines must be ensured and this aspect must be kept in mind by the application developers must keep in mind. Keep costs low by building HIPAA compliance into your application from the start.

Also, choose a web hosting company that has previous experience with HIPAA compliant web applications. In this way, you would choose a company that has experience providing an extra level of security required by the provisions in HIPAA.

If your business is governed by HIPAA guidelines, the best business practice would be to ensure that your vendors follow the same standards. Responsible vendors will already have HIPAA guidelines in place. These include a discernible HIPAA processes backed by a HIPAA manual, regular HIPAA training for all employees and a designated privacy officer to oversee the entire process.

Knowing about Patient Safety and Quality Improvement Act

The regulation implementing the Patient Safety and Quality Improvement Act of 2005 (PSQIA) was published on November 21, 2008, and became effective on January 19, 2009.

PSQIA establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information called patient safety work product. Patient safety work product includes information collected and created during the reporting and analysis of patient safety events.

PSQIA authorizes HHS to impose civil money penalties for violations of patient safety confidentiality.  PSQIA also authorizes the Agency for Healthcare Research and Quality (AHRQ) to list patient safety organizations (PSOs).  PSOs are the external experts that collect and review patient safety information.

The confidentiality provisions will improve patient safety outcomes by creating an environment where providers may report and examine patient safety events without fear of increased liability risk.  Greater reporting and analysis of patient safety events will yield increased data and better understanding of patient safety events.

OCR works in close collaboration with the Agency for Healthcare Research and Quality (AHRQ) which has responsibility for listing patient safety organizations (PSOs), the external experts established by the Patient Safety Act to collect and analyze patient safety information.

Knowing about Advanced Encryption Standard (AES)

HIPAA data encryption standards require health care providers, health insurance companies and business associates who transmit, store or access protected health information in electronic form to utilize a standardized level of data encryption. The Advanced Encryption Standard (AES) is Federal Information Processing Standards (FIPS) approved cryptographic algorithm used to protect electronic data and is quite prevalent in the healthcare industry to secure data-at-rest, data-in-motion and data-in-transit.

Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).

Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. AES algorithm is a symmetric block cipher which can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.

To be in compliance with Government regulations many software applications are rapidly incorporating the AES algorithm into current and future products.

Exceptional cases when PHI may be disclosed by healthcare professionals

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has Privacy Rule to ensure the protection of a patient’s health information. However, there are certain exceptions to the confidentiality:

1. If a state or federal law authorizes medical disclosures, then the HIPAA privacy rule does not apply. For instance, if paternity of a child is contested and a man is refusing to pay child support, a court may order that the man’s medical record containing genetic information be disclosed to determine the paternity of the child.

2. In case of pandemics, Health care professionals would be authorized to disclose health information of persons infected with the disease to public health authorities to control the disease. The HIPAA Privacy Rule, therefore, does not protect a person’s health information when the person has a communicable disease or if the person’s health must be disclosed for public safety reasons.

3. Again, in cases where a health professional believes that the person may harm themselves or someone else, such as threats to commit suicide or to harm another person, the health care professionals can report incidents to the proper authorities and hopefully prevent harm from happening.

4. “Administrative” disclosures are disclosures made to various agencies such as collection agencies when medical bills are unpaid or the U.S. Department of Veteran Affairs so that the agency can determine a veteran’s eligibility for benefits. Other agencies, such as health oversight agencies, may have access to health information for audit and investigative reasons. Additionally, funeral directors, coroners, medical examiners and certain researchers who have institutional board review approval can access health records.

The five titles which make up HIPAA

The HIPAA law was enacted to improve the efficiency and effectiveness of the American health care system. The law includes administrative simplification provisions to establish standards and requirements for the electronic transmission of certain health care information. It also requires organizations exchanging information for health care transactions to follow national implementation guidelines.

To meet these goals, federal transaction and code set rules have been issued:

•    Requiring use of standard electronic transactions and data for certain administrative functions
•    Standardizing the medical codes that providers use to report services to insurers
•    Creating specific identification numbers for employers (Standard Unique Employer Identifier [EIN]) and for providers (National Provider Identifier [NPI])

HIPAA is a legislative act made up of these five titles:

Title I covers health care access, portability and renewability, which requires that both health plans and employers keep medical coverage for new employees on a continuous basis, regardless of preexisting conditions. Losing or switching jobs can be difficult enough if there is no possibility of lost or reduced medical insurance.

Title II involves preventing health care fraud and abuse, administrative simplification and medical liability reform, which allows for new definitions of security and privacy for patient information, and closes loopholes that previously left patients vulnerable. This section also provides a framework for reduced administrative costs through key electronic standards for healthcare transactions, as well as identifiers for employers, individuals, health plans and medical providers.

Title III deals with tax-related health provisions, which initiate standardized amounts that each person can put into medical savings accounts. These can be funded with pre-tax dollars, and provide an added measure of security.

Title IV deals with application and enforcement of group health plan requirements. This section offers detailed information about the provisions of this insurance reform, and gives specific explanations across a wide range of the bill’s terms. It also covers the portability of group health plans, together with access and renewability requirements.

Title V details a broad list of regulations and special rules and provides employers with revenue offsets, thus increasing HIPAA’s financial viability for companies, and spelling out regulations on how they can deduct life-insurance premiums from their tax returns.

Civil and Criminal penalties for HIPAA violations

The authorities have made it a point that a strict penalty is imposed on healthcare providers in case HIPAA laws are violated. When the personal health information of any patient is unlawfully transferred from one source to another, the law imposes both, criminal and civil penalties. The civil penalties for HIPAA violations include:

The American Recovery and Reinvestment Act has designed a tiered civil penalty setup for HIPAA violations and the Secretary of the Department of Health and Human Services is allowed discretionary powers when it comes to determining the amount of the penalty based on the extent and the nature of the violation and the harm occurred due to the violation. The Secretary is refrained from imposing penalties if the violation is corrected within a month (the duration may be elastic). The penalties are:

Ignorance of the individual (and guilty of reasonable diligence was not aware of the violation):
Minimum penalty: $100 per violation, with an annual fine of $25 000 for repeat violation. It can be imposed by the State Attorneys General)
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation due to reasonable cause and not willful neglect
Minimum penalty: $1000 per violation with an annual maximum of $100,000 for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

Violation caused due to willful neglect and the violation should be corrected within the required time period
Minimum penalty: $10,000 per violation with an annual maximum penalty of $250,000for repeat violations
Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation is due to willful neglect and not corrected
Minimum Penalty: $50,000 per violation with an annual maximum penalty of $1.5 million
Maximum Penalty: $50,000 per violation with an annual maximum of $1.5 million

The Department of Justice is very clear about what kind of neglect comes under criminal penalties. Covered entities and specified individuals who violate the Administrative Simplification Regulations, may face a penalty which may go up to $50,000 and imprisonment for a year. Offenses that include the charges of “false pretenses” may be increased up to $100,000 fine with 5 years in prison. And the charges with the intent to sell, transfer or use individually identifiable health information for malicious harm or personal gain or individually identifiable health information and so on may attract fines up to $250,000 and imprisonment for up to ten years.