What to Expect After a HIPAA Violation
By Greg Freeman
Discovering a HIPAA violation in your organization inevitably causes anxiety about what will follow and how bad the consequences can be. Understanding the process and what to expect can ease some of the worry and help you manage the process to the best possible resolution.
Responsibility for enforcement of the HIPAA Privacy and Security rules falls under the Office for Civil Rights (OCR). This enforcement takes several forms, including investigation of filed complaints, conducting compliance reviews of covered entities, and performing education and outreach, explains Lynne Rinehimer, a manager with symplr, a healthcare operations company based in Houston.
Additionally, OCR works with the Department of Justice (DOJ) when a referral for possible criminal violations of HIPAA is required. HIPAA violations may result in civil monetary penalties, the development of Corrective Action Plans, and/or settlement agreements. Civil monetary penalties for a HIPAA violation are determined based on a four-tiered structure. Factors for determining the appropriate tier include the covered entity’s knowledge of the violation, whether there was willful neglect on the part of the covered entity, and whether the covered entity took steps to correct the violation within 30 days, Rinehimer says. Penalties can range from a minimum Tier 1 penalty of around $100 to a maximum Tier 4 penalty of approximately $2 million. Penalties are modified each year to factor in cost of living increases.
“Individuals and organizations also can be found criminally liable for violating the HIPAA requirements. Criminal penalties have a three-tiered structure that looks to knowledge of the violation, whether PHI [protected health information] was obtained under false pretenses, and whether PHI was disclosed for personal gain or with malicious intent,” Rinehimer explains. “Tier 1 criminal penalties can result in up to one year in prison, Tier 2 up to five years, and Tier 3 up to 10 years. Additionally, fines can range from $50,000 to $250,000.”
Steps to Minimize Penalties
Minimizing penalties comes down to awareness, diligence, and a proactive approach, Rinehimer says. Key goals include ensuring the organization has created an environment that encourages employees to report incidents or violations, establishing an infrastructure to address those incidents or violations promptly, and maintaining an awareness of changes in law or requirements.
Identifying violations will require the involvement of the employee population. Ensure there are multiple avenues of communication available to them for reporting, such as a hotline, web forms, and a designated email address, Rinehimer advises. Train employees on their roles in identifying violations and the reporting methods available to them, and reassure them that there will be no retribution for reporting. Educate employees on the potential penalties the organization faces when HIPAA violations occur and are not addressed in a timely and adequate manner.
“Stay aware. I frequently go to the OCR website and look in their newsroom section, which highlights settlements and links to new guidance,” Rinehimer says. “You can also look to the OCR’s Wall of Shame, which lists all breaches reported within the previous 24 months that are under investigation. Learn from the experiences of other organizations and apply those lessons to your organization.”
Also, make sure you are documenting “absolutely everything,” including the investigation and all steps taken when a breach or other incident occurs, and proactive steps like education and risk analysis, Rinehimer advises. Ensure all necessary policies and procedures are in place and that they are reviewed and updated per a defined schedule of review and made readily available to employees.
“Issues happen. No organization will ever be perfect,” Rinehimer says. “To reduce potential penalties if a violation does occur, these are the type of activities that will minimize those penalties, hopefully keeping the organization firmly in a bottom tier.”
Expect a Data Request
If OCR decides to investigate an incident, it will contact the individual noted as the contact person on the online submission, says Layna Cook Rush, CIPP/US, CIPP/C, shareholder with Baker Donelson law firm in Baton Rouge, LA. It is recommended that HIPAA-regulated entities engage the assistance of qualified counsel to assist with the online submission and communications with OCR. During the initial contact, OCR may send a data request. In some instances, OCR acknowledges receipt of the breach notification and indicates the data request will be forthcoming.
“The investigation starts with the data request from OCR. The data request typically includes requests for information related to the entity’s risk analysis, risk mitigation plans, HIPAA-related policies and procedures, and the facts and circumstances related to the entity’s investigation of the incident and notification processes,” Rush explains. “Covered entities will have to provide documentation of their HIPAA compliance, including copies of relevant policies and procedures and evidence of security controls that were in place at the time of the incident to meet the HIPAA Security Rule standards.”
The biggest mistake a HIPAA-regulated entity can make is to ignore an OCR data request, Rush says. Entities should make timely, accurate, and complete responses to the data requests.
The length of the process is contingent on OCR’s workload and the completeness of the entity’s response to the data request, Rush notes. Often, upon review of the responses, OCR will issue supplemental requests. These additional requests will lengthen the time frame for resolution.
OCR submissions have increased significantly over the last few years, so in some instances, it may take 18 to 24 months to receive OCR’s conclusions regarding the incident.
“Most regulated entities are not familiar with the OCR investigation process because breaches that impact 500 individuals or more are not routine. The entity may have staff members who are familiar with the HIPAA rules and the compliance obligations, but it is unlikely that an entity has staff who have been involved in numerous breaches and OCR investigations,” Rush notes. “Most entities have very little knowledge of how the process works. The best practice is for a regulated entity to have qualified breach counsel on retainer and included in the incident response plan.”
When you become aware of a breach, the absolute worst thing you could do is ignore it, says Jody Erdfarb, JD, partner with Wiggin and Dana in Stamford, CT. It is tempting, she says.
“I’ve seen it happen because people are busy running their businesses and caring for their patients, which is good. It’s really easy to downplay a report from someone you think may not be credible, like maybe a disgruntled former employee, or a disgruntled patient who has an axe to grind with you,” Erdfarb says. “But it is so important to take every single indication that there might be some sort of security risk super seriously and run it down. The risk of not doing that is enormous. There are per day penalties that could accumulate.”
Stop the Bleeding
If noncompliance with HIPAA is discovered, stopping any further breach is critical, says Milada Goturi, JD, partner with Thompson Coburn in Washington, DC. Implement any improvement in the policies and procedures to prevent a recurrence of the incident and educate employees on those improvements.
“You want to demonstrate voluntary compliance, and that’s done by promptly addressing the issue, making the corrections, making updates to the procedures if needed, ensuring that the patients are timely notified, and ensuring that the staff is educated,” Goturi says.
Upon learning of a potential violation, a first step is to perform a risk assessment to determine if an actual violation has occurred, says Mark R. Ustin, JD, partner with Farrell Fritz in Albany, NY. In some cases, it is unclear. For example, a file room may have been left unlocked, but it is unclear whether anyone saw the files in the room.
The risk assessment needs to be conducted reasonably and in good faith and should consider the information involved, Ustin says. Is it even PHI? Also, consider the nature of the person to whom the disclosure was made. Were they not authorized to see the information? Assess the nature of the disclosure. Did anyone see the disclosed information?
“Even where disclosure would otherwise not be allowed, a disclosure will not constitute a violation if it only involved an unintentional, good faith acquisition of the information by a member of a provider’s workforce acting within the scope of their authority, or the inadvertent disclosure between authorized individuals in the same healthcare arrangement,” Ustin explains. “There is even an exception for disclosures to an unauthorized individual where they would not reasonably have been able to retain the information. For example, a patient who is not a healthcare provider who inadvertently sees another patient’s lab report.”
Once you determine a violation has occurred, you then need to figure out the extent of the violation. That will affect what you need to do next, Ustin says. Once you determine that a HIPAA violation has occurred, notify patients by first-class mail or email (if they have consented to be notified in this way) within 60 days of the date on which the breach is confirmed.
“This is important. It is not 60 days from the breach, but rather, 60 days from the end of your investigation,” Ustin says. “But that presupposes that your investigation was done reasonably and in good faith.”
Entities also must notify HHS by filling out a breach report form on the HHS website. If the breach affects fewer than 500 people, notification to HHS only needs to occur within 60 days after the end of the year in which the breach occurred. If 500 people or more are affected, HHS must be notified within 60 days of the breach. In such cases, you also need to notify regional media outlets within the same period.
“It is also good practice to post a notice of the breach on your website for at least 90 days,” Ustin says. OCR often will accept voluntary compliance or corrective action as a sufficient response to a reported violation, he notes.
The best way to minimize potential penalties is to ensure you have a robust compliance program before any breach occurs, involving data encryption, regular employee training, regular updates to systems and software, adequate oversight of vendors, multifactor authentication, adequate physical security, and proper data destruction protocols, Ustin says. You also should correct indications of noncompliance through voluntary corrective actions as quickly as possible.
Failure to take corrective action and instances of willful neglect will result in the largest penalties. “Be wary of the natural inclination to downplay the severity of a breach. Keep in mind that investigations of potential breaches must be conducted ‘reasonably,’ and ‘in good faith,’” Ustin says. “They cannot simply be used to excuse or delay compliance.”