The Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, 78 Fed. Reg. 5566 (Jan. 25, 2013), stiffen the penalties for HIPAA and HITECH violations.
The tighter enforcement net includes the following:
- HHS will investigate when a preliminary review indicates even a possible (as opposed to probable) violation due to willful neglect. HHS retains discretion to decide whether to conduct a compliance review (or complaint investigation) where a preliminary review of the facts indicates a degree of culpability less than willful neglect.
- HHS can either investigate complaints, or, if alleged violations come to HHS attention through, say, a media report or another federal or state agency, then HHS can initiate a compliance review.
- HHS has discretion to resolve indicated HIPAA violations by informal means, or, according to HHS, “move directly to a civil money penalty without exhausting informal resolution efforts at her discretion, particularly in cases involving willful neglect violations.”
- HHS coordinates with the Department of Justice to refer cases involving possible criminal HIPAA violations, and has worked with the FTC to coordinate enforcement actions for violations that implicate both HIPAA and the FTC Act. Further, the Department will be working closely with State At
Civil Monetary Penalties
- Culpability matters. There are key definitions of “reasonable cause,” “reasonable diligence,” and “willful neglect.”
- Reasonable cause means: “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.” (45 CFR 164.402)
- Covered entities and business associates are liable for the acts of their business associate agents, under the federal law of agency, even if the covered entity (CE) has a business associate (BA) agreement in place. (45 CFR 160.402)
HHS gives a fair amount of analysis as to whether someone is an agent:
- An analysis of whether a business associate is an agent will be fact specific, taking into account the terms of a business associate agreement as well as the totality of the circumstances involved in the ongoing relationship between the parties.
- The essential factor in determining whether an agency relationship exists between a covered entity and its business associate (or business associate and its subcontractor) is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity. The right or authority to control the business associate’s conduct also is the essential factor in determining whether an agency relationship exists between a business associate and its business associate subcontractor. Accordingly, this guidance applies in the same manner to both covered entities (with regard to their business associates) and business associates (with regard to their subcontractors).
- The authority of a covered entity to give interim instructions or directions is the type of control that distinguishes covered entities in agency relationships from those in non-agency relationships. A business associate generally would not be an agent if it enters into a business associate agreement with a covered entity that sets terms and conditions that create contractual obligations between the two parties. Specifically, if the only avenue of control is for a covered entity to amend the terms of the agreement or sue for breach of contract, this generally indicates that a business associate is not acting as an agent. In contrast, a business associate generally would be an agent if it enters into a business associate agreement with a covered entity that granted the covered entity the authority to direct the performance of the service provided by its business associate after the relationship was established. For example, if the terms of a business associate agreement between a covered entity and its business associate stated that “a business associate must make available protected health information in accordance with § 164.524 based on the instructions to be provided by or under the direction of a covered entity,” then this would create an agency relationship between the covered entity and business associate for this activity because the covered entity has a right to give interim instructions and direction during the course of the relationship.
- An agency relationship also could exist between a covered entity and its business associate if a covered entity contracts out or delegates a particular obligation under the HIPAA Rules to its business associate. As discussed above, whether or not an agency relationship exists in this circumstance again would depend on the right or authority to control the business associate’s conduct in the performance of the delegated service based on the right of a covered entity to give interim instructions.
- While these principles are well established under the Federal common law of agency, we again note that any analysis regarding scope of agency depends on the facts of each circumstance. Several factors are important to consider in any analysis to determine the scope of agency: (1) The time, place, and purpose of a business associate agent’s conduct; (2) whether a business associate agent engaged in a course of conduct subject to a covered entity’s control; (3) whether a business associate agent’s conduct is commonly done by a business associate to accomplish the service performed on behalf of a covered entity; and (4) whether or not the covered entity reasonably expected that a business associate agent would engage in the conduct in question.
- The terms, statements, or labels given to parties (e.g., independent contractor) do not control whether an agency relationship exists. Rather, the manner and method in which a covered entity actually controls the service provided decides the analysis. As mentioned above, an analysis of whether a business associate is an agent will be fact specific and consider the totality of the circumstances involved in the ongoing relationship between the parties. We note here several circumstances that are important. The type of service and skill level required to perform the service are relevant factors in determining whether a business associate is an agent. For example, a business associate that is hired to perform de-identification of protected health information for a small provider would likely not be an agent because the small provider likely would not have the expertise to provide interim instructions regarding this activity to the business associate. Also, an agency relationship would not likely exist when a covered entity is legally or otherwise prevented from performing the service or activity performed by its business associate. For example, the accreditation functions performed by a business associate cannot be performed by a covered entity seeking accreditation because a covered entity cannot perform an accreditation survey or award accreditation. We also note that a business associate can be an agent of a covered entity: (1) Despite the fact that a covered entity does not retain the right or authority to control every aspect of its business associate’s activities; (2) even if a covered entity does not exercise the right of control but evidence exists that it holds the authority to exercise that right; and (3) even if a covered entity and its business associate are separated by physical distance (e.g., if a covered entity and business associate are located in different countries).
- Tiers of Penalties. HITECH established tiers of increasing penalty amounts for violations based on increasing levels of culpability associated with each tier. The Final Rule has a tiered system. (45 CFR 160.404; see table below) HHS will not necessarily impose the maximum, but will review case by case.
Table 2—Categories of Violations and Respective Penalty Amounts Available

| Violation category—Section 1176(a)(1) | Each violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| (A) Did Not Know | $100-$50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000-$50,000 | $1,500,000 |
| (C)(i) Willful Neglect-Corrected | $10,000-$50,000 | $1,500,000 |
| (C)(ii) Willful Neglect-Not Corrected | $50,000 | $1,500,000 |
The penalties apply to violations that began after February 18, 2009 (there is another penalty scheme for violations that began before that date). In determining the penalty, HHS takes into account: the nature of the claims and the circumstances under which they were presented; the degree of culpability, history of prior offenses and financial condition of the person presenting the claims; and such other matters as justice may require. (45 CFR 160.408).
HHS can also impose penalties under the Patient Safety and Quality Improvement Act of 2005 (PSQIA) for violations of patient safety confidentiality.
Note that there is a 30-day cure period for willful neglect violations.
The healthcare privacy and security requirements of HIPAA and HITECH can be daunting. Even small healthcare offices can be subject to federal and state privacy and confidentiality compliance rules. For healthcare legal and regulatory expertise, contact the HIPAA and HITECH legal team at the Cohen Healthcare Law Group.