The Health Insurance Portability and Privacy Act (HIPAA) governs the use of Protected Health Information (PHI), and failure to comply with the requirements of the policy can be a costly mistake.
As an employer who sponsors a health plan, it is important to fully understand your responsibilities under the act, as failing to do so can result in severe penalties, says Jessica Galardini, president and COO of JRG Advisors, the management arm of ChamberChoice.
“As an employer, you may think that HIPAA doesn’t apply to you,” says Galardini. “But if you are an employer that also sponsors a health plan, ignorance of the law could lead to fines and even jail time.”
Smart Business spoke with Galardini about what plan sponsors need to know about HIPAA and how to ensure that you remain compliant.
What is the HIPAA Privacy Rule?
As required by the Health Insurance Portability and Accountability Act of 1996, the U.S. Department of Health and Human Services (HHS), in December 2000, released final federal regulations that govern the use and disclosure of personally identifiable health information — the HIPAA Privacy Rule. In most cases, the deadline for compliance with the HIPAA Privacy Rule was April 14, 2003. The rule was then updated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which took effect in 2010.
The HIPAA Privacy Rule directly regulates health plans, health care clearinghouses and health care providers that conduct certain transactions electronically, and indirectly regulates plan sponsors.
What information is governed by the HIPAA Privacy Rule?
The HIPAA Privacy Rule governs personal health information, which is defined as information that is oral, written or electronic; individually identifiable; created or received by a covered entity; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
What are plan sponsors required to do?
The compliance requirements indirectly imposed upon a plan sponsor by the HIPAA Privacy Rule vary based on whether or not the plan sponsor has access to PHI. A plan sponsor that offers a fully insured group health plan will be minimally impacted by the HIPAA Privacy Rule if its access to health information is limited to the following plan sponsor functions:
- Assisting employees with claim disputes as permitted by the employees’ written authorization.
- Receiving Summary Health Information (SHI) for purposes of obtaining premium bids or modifying, amending or terminating the plan.
- Conducting enrollment and disenrollment activities.
A plan sponsor that has access to PHI in order to perform plan administration functions must amend the plan documents to include a description of permitted uses and disclosures of PHI by the plan sponsors; certify to the group health plan that the plan documents have been amended; and comply with all of the administrative requirements contained within the HIPAA Privacy Rule.
What are the administrative requirements of the HIPAA Privacy Rule?
In general, the HIPAA Privacy Rule requires plan sponsors with access to PHI, together with the group health plan, to comply with all of the administrative requirements contained within the HIPAA Privacy Rule. For a summary of requirements, contact your benefits advisor or visit www.hhs.gov.
What are the penalties if an organization fails to comply with the HIPAA Privacy Rule?
Failure to comply with the HIPAA Privacy Rule may result in civil or criminal penalties. HIPAA’s civil penalties were increased by the HITECH Act but may not apply if the violation is corrected within 30 days. For violations in which the individual is not aware that the violation has occurred, the minimum penalty remains $100 per violation, up to $25,000 per calendar year for identical violations.
If the violation is due to reasonable cause, the minimum penalty is $1,000 per violation, up to $100,000 per calendar year. For corrected violations that are caused by willful neglect, the minimum penalty is $10,000 per violation, up to $250,000 per calendar year.
The maximum civil penalty for any type of violation and the minimum penalty for uncorrected violations caused by willful neglect is $50,000 per violation, up to $1.5 million per calendar year for identical violations.
The criminal penalties are:
- $100 per violation, up to $25,000 per year, per standard, for disclosures made in error.
- $50,000 and/or one year in prison for knowingly obtaining or disclosing PHI.
- $100,000 and/or up to five years in prison for obtaining information under false pretenses, and $250,000 and up to 10 years in prison for obtaining PHI with an intent to sell, transfer, or use it for commercial advantage, personal gain or malicious harm.
Taking the time to understand the rules will ensure that your organization is complying as it should under the law.
Jessica Galardini is president and COO of JRG Advisors, the management arm of ChamberChoice. Reach her at (412) 456-7231 or email@example.com.
Insights Employee Benefits is brought to you by ChamberChoice
The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, contains the HITECH Act that amends the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.
“When HIPAA was first enacted, the health care industry was paper driven,” says Jeff Porter, a director with Kegler, Brown, Hill & Ritter. “HITECH is addressing some long-standing issues with HIPAA, as well as some newer issues that have arisen as a result of the advent of electronic health records and the online transfer of health information.”
Among the significant changes are the expansion of enforcement to states’ attorneys general and expansion of privacy and security provisions related to “business associates” and new breach notification provisions. In addition, penalties can now be imposed on individuals as well as entities.
Smart Business asked Porter for more information about the changes to HIPAA.
Who is covered by HIPAA?
You or a legal representative can determine whether you are a covered entity. The website for the U.S. Department of Health & Human Services (HSS.gov) and the Office of Civil Rights (OCR) provide good guidance in this regard. Covered entities typically include hospitals, nursing homes, medical offices that provide treatment and bill for those services, health insurance plans, and health care clearinghouses (e.g., companies that convert health records and other information into the coding necessary for billing and research). If you are a business associate of a covered entity (e.g., a medical billing firm or a home health care agency), and you are obtaining information for a purpose the covered entity might use it for, you fall under the HIPAA provisions which apply to business associates.
What changes have been made regarding penalties for noncompliance?
The penalties have changed in a couple of significant ways. First, in regard to enforcement, previously penalties could only be imposed on covered entities – now penalties can be imposed on individuals as well. If someone within an organization willingly neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Second, in the past, enforcement and violations were addressed solely at the federal level by the Office of Civil Rights. Now, attorney generals are empowered to deal with enforcement and violations as well.
What is the impact on state privacy laws?
Although many believe that HIPAA is the sole controlling authority related to patient privacy, it does not however preempt state privacy laws and regulations. If provisions in the state privacy laws are more restrictive, then those provisions apply in addition to HIPAA. For example, Ohio has some of the stricter state privacy laws in regard to disclosure of protected health information. These laws have to be evaluated and reviewed to determine what additional actions might be needed in terms of notification and disclosures. The question for the future is whether states with these stricter privacy measures will impact exchange of health information with other states. In coming years, if we are going to have more free-flowing medical information, these issues will need to be addressed.
What is considered protected health information?
Protected health information is identifiable information related to treatment of a patient and that is maintained by a covered entity. In certain circumstances covered entities can release this information without authorization, for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.
What is a permissible disclosure?
Information can be disclosed if a patient authorizes it. Information must be disclosed by a protected entity if the HHS requests that information as part of an investigation. Permitted disclosures also include treatment information (to help treat a patient); information used to seek payment; or information used in the health care operations category if that information will improve the quality of care overall or part of the business overall.
Do patients have any new rights?
Patients will have a greater ability to try to find out who has accessed their protected health information. Past experience is that most patients never request such information. However, there will now be a greater ability for patients to request an accounting of disclosures. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.
How can covered entities best keep up with the changes and protect themselves?
1) Keep an eye on releases from HSS about changes. 2) Consult with your legal representative. 3) Make sure your designated privacy officer is properly trained and that he or she is training your employees. 4) Keep open lines of communication with business associates and make sure any contracts you have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.
JEFF PORTER is a director with Kegler, Brown, Hill & Ritter. Reach him at (614) 462-5418 or firstname.lastname@example.org.
With penalties for violation of the Health Insurance Portability and Accountability Act soaring, companies need to make sure they are doing everything possible to protect themselves and make sure their employees and business associates understand the law.
And while it may seem obvious that HIPAA rules apply to health care providers such as hospitals and physicians, covered entities also include group health plans that are self-insured, says Patricia F. Jacobson, a partner in the Health Care and Business Services Group at Stark & Knoll Co., L.P.A. The company itself is not a covered entity, but the health plan may be.
“You have to assume that, at some point, if you’ve got protected health information in your enterprise, a breach is going to occur, and you have to prepare accordingly,” says Jacobson. “The best way to do that is to audit yourself and determine what mechanisms are in place and who’s in charge of minimizing the potential for breaches.”
Smart Business spoke with Jacobson about how your company may be at risk and how to take steps to minimize your exposure.
What kinds of companies are subject to HIPAA compliance?
The scope of HIPAA has expanded. Any company that is a health care provider is considered a covered entity. If a company has a self-insured health plan — whatever the industry — that plan is also a covered entity.
Formerly, only covered entities were subject to penalties. However, with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the law now also applies to ‘business associates,’ defined as any company hired to do a job that exposes that entity to the protected health information of the covered entity’s patients or employees covered by the health plan. This includes management companies, third party administrators, certain software vendors, debt collectors, law firms, accounting firms or medical billing companies. A plumbing, electrical or construction company hired to work in an office is not required to access Protected Health Information, so they are not ‘business associates.’
How has HITECH changed the penalties for disclosing personal health information?
HITECH has dramatically increased the penalties for failure to comply with the law. When HIPAA went into effect, the penalties were $100 per offense up to a maximum of $25,000. The civil penalty that applies if a company had no way to know that information was released is a minimum of $100, but the maximum has risen to $50,000. The second tier, in which a company had reasonable cause for the disclosure, but no ‘willful neglect’ now starts at $1,000 per violation. Penalties for the next tier, where there was ‘willful neglect’ but a timely correction, start at $10,000. And if the breach resulted from willful neglect, which was not timely corrected, the penalty starts at $50,000 per violation. Multiple violations can entail civil penalties up to $1.5 million per year. Criminal penalties of up to 10 years in prison can also result.
And because the dollars collected by the Office of Civil Rights for offenses are used for further enforcement, you are going to see a lot more enforcement.
How can a covered entity or business associate protect itself?
Health care providers and health plans, and their business associates, must be vigilant about changes in HIPAA Privacy and Security Rules. For self-insured health plans, make sure that there is an impenetrable firewall between the employer’s HR division and the people who run the health plan, so there is no chance of anyone using health information for employment decisions. To do that, maintain separate personnel and recordkeeping. Second, periodically educate your employees on the importance of the privacy and security of protected health information.
Third, implement strict policies and procedures. If your policies and procedures are lax, you could be accused of willful neglect if protected health information gets out. Once you have these in place for administrative purposes, physical purposes and technical security, make sure they are known to everyone who is concerned with this data and monitor it on a periodic basis.
Finally, conduct a self-audit with the help of a health care attorney. What you don’t know can hurt you. Your legal adviser can help you determine if you are a covered entity or a business associate, what kind of information you use and have access to, and whether you have the required business associate agreements in place. It’s all about measuring who you are, what you are, how you do it and then managing those aspects of your enterprise.
Will doing an audit and creating strict policies and procedures protect a business if a breach occurs?
You need to have compliance plans in place and adhere to them so you can point to them, and you can say you have a compliance officer and you have a HIPAA security person who are responsible for monitoring and keeping things ship shape.
It’s very, very important that you not only have those things but that you actually use them. To ensure they are used, make sure your policies and procedures are simple and easy to follow. You don’t want to go overboard and create a monster that you can’t ever implement, because if you have policies and procedures and you don’t comply with what you’ve put in motion, you’re going to be in more trouble. And if they are simple and capable of being followed, it’s far less likely that you’ll ignore them.
Consult with a legal expert to get started on a self-audit and make sure your company is compliant. Whether you’re an executive at a hospital or of a manufacturing firm with a self-insured health plan, you need to be cognizant of the risks and monitor your business practices periodically to make sure you are staying up to speed.
Patricia F. Jacobson is a partner in the Health Care and Business Services Group at Stark & Knoll Co., L.P.A. Reach her at (330) 572-1334 or PJacobson@stark-knoll.com.