Expanded coverage, beefed-up enforcement and significantly stiffer civil penalties for HIPAA violations are a few of the things health care attorneys and lawyers who represent vendors for the health care industry can look forward to in the coming months.
Some of the changes have already taken effect; others will soon.
The changes to the Health Insurance Portability and Accountability Act were passed under the HITECH (Health Information Technology for Economic and Clinical Health) Act as part of the economic stimulus legislation last year.
Steep new fines, which can reach $1.5 million per year, were clarified in a recently published interim final rule that went into effect on Nov. 30, 2009.
“Certainly, the enhanced penalties raise the stakes in terms of compliance,” said Barbara J. Zabawa, a health law litigator at Whyte Hirschboeck Dudek SC in Madison. “I’ve been telling clients they need to be more vigilant in terms of policies and procedures.”
However, lawyers say the rule did not alter the statutory penalties, which technically went into effect upon enactment in February 2009.
Under the changes, state attorneys general are authorized to bring civil suits on behalf of individuals whose data is breached by a HIPAA violation to recover statutory penalties and attorney fees.
Health care attorneys and those who represent health care vendors expect to see a heavier hand on enforcement as a result of the changes.
“I think the Office for Civil Rights is staffing up to take a more proactive approach to enforcement,” said Kelly Hagan, a health care attorney and shareholder at Shwabe, Williamson & Wyatt in Portland, Ore., noting that the statute calls for the fines collected to be put back into more enforcement.
In addition, the statute requires rules to be promulgated within three years to allow individuals harmed by a HIPAA violation to receive a percentage of any civil monetary penalty, said Amy Fehn, an associate at Wachler & Associates in Royal Oak, Mich., who represents health care providers.
Hefty fines & fuzzy definitions
The new penalties for HIPAA violations are tiered based on “reasonableness” or “willfulness”:
$100 minimum per violation if the covered entity was unaware of the violation and would not have known about it by exercising reasonable diligence.
$1,000 minimum per violation resulting from a “reasonable cause.”
$10,000 minimum per violation for “willful neglect” that is corrected.
$50,000 minimum per violation for “willful neglect” that is not corrected.
Fines for multiple violations of an identical provision max out at $1.5 million per calendar year.
But attorneys say the definitions are fuzzy.
For example, in order to show that a violation resulted from a “reasonable cause,” a covered entity would have to show that it was unreasonable to comply with the rule, said Fehn.
“That’s going to be a tough standard,” she said, adding that it might be possible to meet the standard if a covered entity did everything right but the violation occurred because of a rogue employee.
She also noted that while “willful neglect” could mean a conscious intentional failure, it could also mean “reckless indifference.”
“It’s a little fuzzy and I would think a little bit scary to small providers because that is the maximum penalty. Many small providers still don’t have policies in place. If you don’t have a policy, is that considered to be reckless indifference? You could be on the hook for $1.5 million,” cautioned Fehn.
Milwaukee health attorney Patrick J. Knight agreed that interpretation will be crucial when it comes to the impact on smaller providers.
“Clearly, there will be the ability to kill providers and entities with penalties,” said Knight, of Gimbel, Reilly, Guerin & Brown LLP.
Zabawa said that at this point her clients are focused on compliance plans, rather than the details of the sanctions.
She said covered entities and business associates are using the list of monetary penalties as a guide when forming compliance policies.
“If they are thinking about it, it’s how not to get exposed,” Zabawa said. “But I’m not sure they have dug down to the level of what the terminology in the statutes means as far as penalties.”
‘Business associates’ provision
Another change, which takes effect in February 2010, expands HIPAA to cover the “business associates” of covered entities directly.
Attorneys who represent vendors to the health care industry should be warning their clients about the new HIPAA rules.
“To the extent that I’m a lawyer who represents one of those vendors, I need to know that my clients are now going to be directly subject to pretty onerous regulations,” said Hagan.
Many attorneys may not be aware of these requirements or that their clients fall under the expanded definition.
Examples of clients who might fall under this newly regulated category include IT providers, billing and phone services, third-party administrators of health plans, and document or data storage companies.
Knight said the change may result in a lot more “arm’s length” relationships between business associates and a provider.
“One side is afraid of what the other might do inadvertently, in terms of disclosure,” he said.
And attorneys who represent health providers, including med-mal defense attorneys, may themselves be unpleasantly surprised to find out they too are “business associates” under HIPAA.
“When lawyers are signing onto an agreement, we’d better follow our own advice,” Knight noted.