The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) as amended by the HIPAA Omnibus Rule in 2013 define the regulations for the private and secure management of health information. Covered entities and business associates that neglect adhering to these regulations can face rigid sanctions from a multitude of agencies, including the U.S. Department of Health and Human Services (HHS), its Office for Civil Rights (OCR), the Federal Trade Commission and state Attorneys General.

Each regulatory agency can impose fines against covered entities and business associates that fail to document, investigate and remedy HIPAA and HITECH violations. Without the proper compliance planning, covered entities and business associates can be slammed with heavy financial penalties and regulatory oversight, as happened to Cignet Health of Prince George's County in Maryland.

Learning from the Past

According to Healthcare ITNews, Cignet denied 41 patients access to their medical between September 2008 and October 2009, a right guaranteed by the HIPAA Privacy Rule. Cignet further failed to cooperate with OCR's investigation of the patients' complaints and with HHS' subpoena for the records, which was enforced by the District Court.

The court levied a $1.3 million fine against Cignet for failing to grant access to the patients' records, and an additional $3 million for willful neglect of the HIPAA Privacy regulations.

The time for proper HIPAA and HITECH compliance planning is now.

Training Modules Available

"HIPAA and HITECH, Pathway to Compliance" is a four-part do-it-yourself instructional series that guides its users in drafting a HIPAA/HITECH Compliance Plan. Each part provides regulatory information and resources necessary to build a customized plan. Documentation developed in this series can be used when faced with OCR investigations and/or audits to demonstrate compliance efforts.

In this series, Patricia Wynne, Esq., CIPP, a seasoned HIPAA/HITECH subject matter expert familiar with the day-to-day challenges of compliance, presents guidelines for drafting a Compliance Plan that are easy to understand and practical to implement - not bogged in technical jargon. Each course is one hour in length and includes case studies and questions to enhance learning, as well as resources that can be downloaded and used in the compliance planning process. Now is the time to build your HIPAA/HITECH Compliance Plan with the professional insight of Merit Career Development.

HIPAA and HITECH, Pathway to Compliance on Udemy
Click here to access Part 1: Policies & Procedures
Click here to access Part 2: Complaints & Breaches
Click here to access Part 3: Assessments & Risk Analysis
Click here to access Part 4: Workforce Training

HIPAA and HITECH, Pathway to Compliance on Arbington
Click here to access Part 1: Policies & Procedures
Click here to access Part 2: Complaints & Breaches
Click here to access Part 3: Assessments & Risk Analysis
Click here to access Part 4: Workforce Training

The HITECH law puts a cap on fines that the Department of Health and Human Services (HHS) can assess for HIPAA violations at $1.5 million per incident per year. However, other federal, state and regional regulatory agencies have authority to impose fines for violations of the HIPAA privacy and security standards, and can do so simultaneously for the same offense.

Health insurer, Triple-S Management Corporation (Triple S) of San Juan, was recently fined $6.8 million by the Puerto Rico Health Insurance Administration (PRHIA) for improperly handling protected health information (PHI) of 13,336 of its beneficiaries who were dual-eligible for Medicare and Medicaid. Accreditation requirements to sell insurance in Puerto Rico required Triple S to sign a contract agreeing to maintain compliance with HIPAA or face fines and additional sanctions for violations.

The breach resulted from a September 20, 2013 incident where Triple S mailed out pamphlets to its beneficiaries with their Medicare numbers visible from the outside. Medicare numbers are unique client identifiers deemed PHI when held by or on behalf of a HIPAA covered entity. As a result of the HIPAA violations, the PRHIA assessed a $6.8 million fine and called for Triple-S to suspend dual-eligibility enrollment, notify affected individuals of their right to end their enrollment, and implement a corrective action plan to prevent future breaches.

Cooperation is Key

In this case, the fine was assessed at $500 for each of Triple S’ 13,336 affected beneficiaries in accordance with the contract Triple S signed with PRHIA. An additional $100,000 was assessed for its failure to cooperate with PRHIA’s investigation into the incident, providing misleading information, and, in response to some requests, not supplying any information to PRHIA at all, as reported by 4Medapproved HIT Security in HIPAA Enforcement Blind Spots (March 3, 2014).

The fines levied against Triple-S put Covered Entities and Business Associates on notice about their absolute obligation of full compliance with HIPAA and implementing proper procedures for reporting and investigating breaches. This is an essential part of HIPAA compliance planning. Further, Covered Entities and Business Associates need to be aware of the concurrent authority of the Federal Trade Commission (FTC) to address HIPAA violations. The FTC can exercise regulatory oversight through corrective action plans for up to 20 years for HIPAA violations. Complying with HIPAA privacy and security standards is the right thing to do for your healthcare practice and/or business—but most important, for your patients and clients.