While the Affordable Care Act has dominated healthcare news, medical identity theft and the enforcement of stronger federal health privacy regulations could become just as big a story. HIPAA is a federal law protecting personal health information. Late in 2013, new federal regulations increased healthcare industry burdens, but also made many other businesses directly liable for compliance with HIPAA rules covering protected health information (PHI). The most dramatic change is that HIPAA “business associates” are now liable for HIPAA compliance and subject to heightened federal scrutiny, including random audits, significant civil money penalties and criminal prosecution.
Business associates are vendors who provide services to HIPAA “covered entities” involving the creation, receipt, maintenance or transmission of PHI. Covered entities are healthcare providers; health plans, including employer-sponsored plans; and healthcare clearinghouses.
Many types of vendors, whether they know it or not, are HIPAA business associates based on services they provide involving PHI. Some examples include software vendors and consultants, IT vendors, claims processors, collection and billing agencies, accountants, lawyers, data storage providers, benefit and practice managers, and management consultants.
Now, the U. S. Department of Health and Human Services (HHS) is issuing stern warnings that HIPAA enforcement is ramping up. HHS has trained the Attorneys General of all states to prosecute HIPAA violations and is starting random enforcement audits in 2015.
Why all this attention now? One reason is that medical identity is a prime target of identity thieves. In April 2014, the FBI reported that medical identities—used to obtain prescription drugs and commit insurance fraud—sell for $50 on the black market, compared to $1 for a credit card or Social Security number. The Justice Department will prosecute HIPAA violations when PHI is stolen to commit fraud or embarrass or threaten a person or healthcare entity. The maximum jail sentence for a HIPAA crime is 10 years.
Another reason is the rapid growth of PHI data breaches. In just one 12-month period between September 2013 and September 2014, the number of major PHI data breaches reported to HHS doubled.
Business associates and covered entities are liable for civil money penalties for violations by their agents, including workforce members and subcontractors. Civil money penalties for a HIPAA violation are based on the degree of fault that caused the violation. The range of penalties are as follows:
- Unknowing Violation. The organization did not know of the violation. Penalty: From $100 to $50,000. Maximum for violations of same provision in calendar year: $1,500,000.
- Reasonable Cause. The organization committed a violation with reasonable cause – no willful neglect. Penalty: From $1,000 to $50,000. Maximum for violations of same provision in calendar year: $1,500,000.
- Willful Neglect – Corrected. The organization committed a violation due to willful neglect and corrected within 30 days of discovering the violation. Penalty: From $10,000 to $50,000. Maximum for violations of same provision in calendar year: $1,500,000.
- Willful Neglect – Not Corrected. The organization committed a violation due to willful neglect but did not correct it within 30 days of discovering the violation. Penalty: $50,000. Maximum for violations of same provision in calendar year: $1,500,000.
HIPAA is a patient-centered law that protects a person’s PHI, whether held by a large organization with substantial resources or a small organization with few resources. There are literally millions of small organizations at risk for HIPAA compliance. However, HIPAA can be mastered by any organization by learning and following the manageable, logical steps to implement its compliance program. iBi