Understanding HIPAA Enforcement: Trust, but Verify

by Gordon J. Apple, JD

Former President Ronald Reagan coined a phrase during the Cold War, “trust, but verify,” regarding treaties with the former Soviet Union. Today, as we ponder the enforcement environment likely to emerge over HIPAA, a more apt phrase may be “trust, don’t do much, and react to public pressure.”

HIPAA is new to healthcare and the issue of enforcement is particularly difficult to decipher. For the moment, the message from the Department of Health and Human Services (HHS) is that it “intends to seek and promote voluntary compliance with the rules promulgated to carry out the HIPAA provisions.” Yet as we travel down the HIPAA enforcement highway one thing is certain: nobody has a map.

Federal Responsibility for Enforcing HIPAA’s Provisions

Two groups at HHS will handle civil enforcement under HIPAA: the Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS). Criminal enforcement will be the responsibility of the Department of Justice, while privacy rule civil enforcement will be handled by OCR. Until recently, there has been a vacuum regarding the issue of HIPAA enforcement. On April 17, 2003, shortly after the April 14 deadline for privacy rule compliance, OCR issued an interim final rule that addressed procedures for the imposition of civil monetary penalties for violations of the privacy rule.[1] This interim rule is only the first installment of what will be termed the “enforcement rule” and does not address HHS’ policies for determining violations.

Civil enforcement of all other HIPAA regulations will be handled by CMS. In an August 2002 press release, HHS stated:

“CMS will create a new office to bring together its responsibilities under HIPAA, including enforcement. The new CMS office will establish and operate enforcement processes and develop regulations related to the HIPAA standards for which CMS is responsible. These standards include transactions and code sets, security, and identifiers for providers, insurers, and employers for use in electronic transactions. The office will report directly to the deputy administrator. The office also will conduct outreach activities to HIPAA covered entities such as healthcare providers and insurers to make sure they are aware of the requirements and to help them comply. Enforcement activities will focus on obtaining voluntary compliance through technical assistance. The process will be primarily complaint driven and will consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan.”

The interim final rule published by OCR reiterates that the government plans to help covered entities address any compliance issues that might arise. OCR will continue to provide guidance and technical assistance materials. As stated in the interim rule:

“This approach reflects the requirements in 45 CFR part 160, subpart C, that, to the extent practicable, OCR will seek the cooperation of covered entities in obtaining compliance with the privacy rule, and may provide technical assistance to help covered entities voluntarily comply with the rule. See 45 CFR 160.304. As further provided in 45 CFR 160.312(a)(2), OCR will seek to resolve matters by informal means before issuing findings of non-compliance, under its authority to investigate and resolve complaints, and to engage in compliance reviews.”

OCR’s interim final rule on the imposition of civil monetary penalties (CMPs) mirrors existing Office of Inspector General (OIG) regulations familiar to the healthcare industry in the fraud and abuse context. In the interim rule, HHS reiterates its position that CMPs may only be imposed on covered entities, noting that “it is the view of HHS that only covered entities are subject to the HIPAA provisions and rules.” This view is undoubtedly correct with respect to the civil side of HIPAA, but there remains an open question as to the application of HIPAA’s criminal provisions for wrongful disclosure of individually identifiable health information.

Civil Penalties Under HIPAA

Assuming that CMS and OCR really will be working to help foster voluntary compliance with HIPAA, it would appear that covered entities would have to work hard to be subject to CMPs or other civil enforcement penalties. The civil penalty section of the HIPAA statute clearly supports a cooperative rather than confrontational approach to civil enforcement. Section 1176 [42 U.S.C. 1320d-5] (General Penalty for Failure to Comply with Requirements and Standards) states:

(a) General Penalty

(1) In general. Except as provided in subsection (b), the secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
(2) Procedures. The provisions of section 1128A (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.

(b) Limitations

(1) Offenses otherwise punishable. A penalty may not be imposed under subsection (a) with respect to an act if the act constitutes an offense punishable under section 1177.
(2) Noncompliance not discovered. A penalty may not be imposed under subsection (a) with respect to a provision of this part if it is established to the satisfaction of the secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.
(3) Failures due to reasonable cause

(A) In general. Except as provided in subparagraph (B), a penalty may not be imposed under subsection (a) if:

(i) the failure to comply was due to reasonable cause and not to willful neglect; and
(ii) the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.

(B) Extension of period

(i) No penalty. The period referred to in subparagraph (A)(ii) may be extended as determined appropriate by the secretary based on the nature and extent of the failure to comply.
(ii) Assistance. If the secretary determines that a person failed to comply because the person was unable to comply, the secretary may provide technical assistance to the person during the period described in subparagraph (A)(ii). Such assistance shall be provided in any manner determined appropriate by the secretary.

(4) Reduction. In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty under subsection (a) that is not entirely waived under paragraph (3) may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.

It would appear that Congress, in drafting these provisions, realized that it needed to have civil penalties for HIPAA violations, but really did not want them imposed except in the very worst of circumstances. This friendly approach does not extend to HIPAA’s criminal provisions.

Criminal Enforcement of HIPAA

Covered entities ignore the criminal provisions of HIPAA at their extreme peril. The statutory language is very broad and its application very uncertain. One suspects that the story of HIPAA enforcement over time will be about how the healthcare community underestimated the fact that the friendly face of HIPAA has a dark side as well.

The Department of Justice (DOJ) will handle criminal enforcement under HIPAA. Most DOJ criminal cases will arise from referrals from OCR or CMS. If fraud and abuse enforcement is any guidepost, DOJ will likely warm to the criminal enforcement task rather slowly, except for extreme violations of the statute.

The criminal provisions of HIPAA as stated in section 1177 [42 U.S.C. 1320d-6] are as follows:

(a) Offense. A person who knowingly and in violation of this part:

(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,

shall be punished as provided in subsection (b).

(b) Penalties. A person described in subsection (a) shall:

(1) be fined not more than $50,000, imprisoned not more than one year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than five years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

It is tough, as well as foolhardy, to ignore the criminal provisions of HIPAA. The Latin term scienter means “with full knowledge or awareness” and will be key when it comes to HIPAA prosecutions. The “knowingly” standard in fraud and abuse litigation has evolved over time. There is no reason why the story will not be the same under HIPAA. However, one would think that legal counsel and their clients would not want to provide the test case. Further, even assuming that the term “person” is limited to covered entities and their workforces, other persons should not rest comfortably, because under the federal criminal conspiracy statute (18 U.S.C. §371) it only takes two conspiring parties when it comes to violations of federal criminal law.

The HIPAA Complaint Process

The one thing healthcare providers can count on is that complaints will be filed about their privacy practices. Hopefully providers will know about a complaint because it has been filed in accordance with their notice of privacy practices. However, there are likely to be “stealth” complaints as well that will be filed directly with the government.

Recent press releases by privacy groups indicate that there will be national monitoring of how privacy complaints are being handled by the federal government. 45 CFR section 160.306(a) provides that any person (not just the subject of the PHI) may file a complaint with the secretary. OCR and CMS will have separate complaint processes.

In its December 2002 guidance, OCR outlined how it expects complaints to be handled.

“A person who believes a covered entity is not complying with a requirement of the privacy rule may file with OCR a written complaint, either on paper or electronically. This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred. The secretary may waive this 180-day time limit if good cause is shown. (See 45 CFR 160.306 and 164.534.) OCR will provide further information on its Web site about how to file a complaint. Individuals have a right to file a complaint directly with the covered entity. Individuals should refer to the covered entity’s notice of privacy practices for more information about how to file a complaint with the covered entity.”

CMS has developed an electronic form for transactions and code sets complaints. The complaint form can be found at: www.cms.hhs.gov/hipaa/hipaa2/support/correspondence/complaint/securitychoice.asp. Given the level of complexity associated with the transactions and code sets, it is hard to imagine many complaints coming from patients. However, competitors are another matter.

Good risk management practices should be applied to complaint handling. The sooner complaints are handled and handled respectfully, the lower the likelihood that a minor problem will evolve into a compliance nightmare. HIPAA enforcement will evolve over time as the healthcare community, patients, and enforcement agencies go from thinking about the HIPAA administrative simplification regulations to actually living with them.

At the present time there is no road map for HIPAA enforcement. Nevertheless, patient privacy has been and will continue to be a very hot topic. Now that covered entities have the HIPAA standards as a floor of expectations for how healthcare information shall be used and disclosed, it is important to remember that sooner or later covered entities will be held to them.

[1] 68 Fed. Reg. 18895 (April 17, 2003), 45 CFR Part 160, Subpart E, Civil Monetary Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings.

Gordon J. Apple, JD, is a member of the In Confidence Editorial Advisory Board and a lawyer in the law offices of Gordon J. Apple, PC. He can be reached at gapple@healthlawgeek.com.

Article citation:
Apple, Gordon J. "Understanding HIPAA Enforcement: Trust, but Verify." In Confidence 11:6 (June 2003), extended online version.