HIPAA Fines Get Heavy: Major Fines for Late Reporting

-->April 18, 2017Billing & Compliance Alerts

    By Justin Vaughn, MDiv, CPC

     In the first quarter of 2017, the Department of Health and Human Services (HHS) sent a further signal that it is serious about HIPAA compliance and enforcement.  We have seen for some time now that HHS is set on a path to detecting and deterring would-be violators of the Privacy Rule, and has issued significant sanctions where infractions were found.  While such sanctions have been issued in the past for a variety of Rule violations, the government has never before prosecuted and punished an entity for an untimely reporting of a PHI (protected health information) breach—until now.

    Earlier this year, the heavy hammer of the federal government came down on Presence Health, an Illinois healthcare system encompassing 11 hospitals and 27 LTACs.  It was determined that the entity violated the HIPAA provision requiring disclosure of a PHI breach within 60 days to HHS’s Office of Civil Rights (OCR), the local media, and the applicable patients, where such breach involves more than 500 individuals.  In the Presence case, one of its facilities lost a hard-copy OR schedule, containing the names and health information of 836 patients.  The entity was 40 days late in reporting the breach to the aforementioned recipients.

    The fine that was ultimately assessed against Presence Health was massive— $475,000—and appears to be based primarily on the delay in notification of the breach, rather than the breach itself.  Again, this is the first time the government has issued a fine based on the reporting deadline requirement.  The fine in this case amounted to $11,875 for each day Presence was late in notifying HHS of the breach.

    The takeaways for our independent groups are as follows:

    1. The government is serious about finding and fining HIPAA violators.
    1. You need to ensure your practice has a set of privacy and security policies and procedures (P&Ps), which is mandated by law.
    1. You need to name a privacy officer and security officer, who are tasked with overseeing your HIPAA compliance program (eg, providing training on P&Ps, performing risk assessments, recommending penalties for violators, being responsible for breach notification, etc.).
    1. Make sure all breaches of PHI are (a) properly assessed, i.e., determine if they are subject to reporting or not, and (b) reported in a timely fashion, where reporting is required.

    It appears the government is going after the larger entities such as hospitals and health systems at this point, but we must assume they will eventually make their way down to the smaller group level.  The wise policy is to move now on the actions enumerated above to demonstrate to a potential government auditor that you are serious about HIPAA compliance, and to minimize the threat of an unlawful breach of PHI in the first place.  Toward this end, you may want to seek the assistance of a healthcare attorney or a qualified HIPAA consultant who can provide a complete set of HIPAA P&Ps, risk assessment, required forms, and training.

    There’s an old song from the sixties that asserted:  “He ain’t heavy; he’s my brother.”  Well, these days we’re dealing with Big Brother, and he’s getting awfully heavy.

    • MEDAC – Committed to Continuing Client Education •