HIPAA: New Compliance, Aggressive Enforcement

Buried within the Economic Stimulus Bill is the Health Information Technology for Economic and Clinical Health (HITECH) Act. In addition to billions for health information technology, HITECH contains far-reaching changes to privacy and security regulation under the Health Insurance Portability and Accountability Act (HIPAA). The Internet is abuzz with analyses of these new provisions. But two aspects of these HIPAA changes bear more emphasis than they are receiving.

The first is new incentives for federal agency enforcement and the assessment of fines. Civil penalties collected in the future by the Office of Civil Rights (OCR) for privacy or security violations will be turned over to the agency to fund even greater enforcement efforts. If history is any guide, then OCR’s current complaint-driven, compliance-oriented approach to enforcement will shift quickly to a more aggressive and punitive strategy. This may be the single most important change wrought by the HITECH Act, and it is effective immediately.

The second aspect is the complex timing of HIPAA’s new requirements. We offer below a schedule for the phase-in of some of the more important new HIPAA obligations.

The Carrot
The HITECH Act provides approximately $31.2 billion for healthcare infrastructure and adoption of electronic health records (EHR). The Congressional Budget Office assumes that the Act will save federal healthcare programs an estimated $12 billion from higher EHR use, resulting in a net cost to the federal government of $19.2 billion.

The money largely flows from Medicare and Medicaid incentives to physicians and hospitals for the “meaningful use” of certified EHRs, including existing systems as well as new installations or upgrades. Non-hospital based physicians could receive up to $44,000 from Medicare or $64,000 from Medicaid, and hospitals with high Medicare and Medicaid volumes could receive up to $11 million. These incentives will be paid out over a 4- to 5-year period beginning in 2011.

The Stick
The HITECH Act expands HIPAA’s coverage, increases compliance obligations, and strengthens enforcement penalties. Descriptions of these changes can be found on listserves, websites, and other sources. But strangely absent, in our opinion, from nearly all these descriptions is subsection 13410(c) of the Act, “Distribution of Certain Civil Monetary Penalties Collected,” which was effective immediately on passage of the Act. The subsection provides:

    [A]ny civil monetary penalty or monetary settlement collected with respect to an offense punishable under this subtitle or [the civil monetary penalty provision of HIPAA] insofar as such section relates to privacy or security shall be transferred to the Office of Civil Rights for [HHS] to be used for purposes of enforcing the provisions of this subtitle and [the HIPAA privacy rules] * * *.

When HIPAA was enacted in 1996, it contained a similar provision dedicating civil penalties collected for fraud and abuse violations to federal agency enforcement efforts. The Fraud and Abuse Control Account was thereby established, and the Office of Inspector General (OIG) and the U.S. Department of Justice quickly made fraud and abuse enforcement a top priority. In FY 1996, the federal government collected $205 million in fines and settlements for fraud and abuse violations. In FY 1997, that figure jumped to nearly $1 billion. If OCR reacts to budgetary incentives in the same manner as OIG, we can expect a significant increase in proactive enforcement activity and the assessment of monetary penalties. Indeed, the HITECH Act will make monetary penalties mandatory in February 2011 if an investigation reveals “willful neglect” of compliance duties.

The Schedule
The general effective date for the HITECH HIPAA provisions is February 17, 2010, after a 12-month grace period. But exceptions swallow the general rule. The following chart roughs out effective dates for the provisions of greatest interest to providers. Bear in mind that this list is not exhaustive and that Congress can change its mind, or the Secretary of HHS may act sooner or later than anticipated.

Effective Immediately
• Collected civil monetary penalties go to OCR
• Civil monetary penalties are increased substantially
• Civil actions by state Attorneys General on behalf of aggrieved persons are authorized; statutory penalties and attorney fees are recoverable

On or Before September 15, 2009
• New security breach notification obligations effective

February 17, 2010
• Business associates are directly subject to HIPAA
• Limited Data Set standard for “minimum necessary,” except as necessary to the purpose of the disclosure
• Marketing communications further restricted
• Business associate agreements required for “courier” entities
• Employees of covered entities may have independent criminal liability

On or After January 1, 2011
• Accounting for treatment, payment, or healthcare operations (TPO) disclosures from EHR systems acquired after January 1, 2009; HHS may extend the deadline by two years

On or Before February 17, 2011
• New prohibitions on disclosure of PHI in exchange for remuneration
• Mandatory civil monetary penalties for violations involving “willful neglect”

On or Before February 17, 2012
• Complainants will share in collected civil monetary penalties

On or After January 1, 2014
• Accounting required for TPO disclosures from EHR systems acquired before January 1, 2009; HHS may extend the deadline by two years