HIPAA penalties issued in proposed rules
The Secretary of Health and Human Services (HHS) issued proposed rules on April 18, 2005, imposing civil monetary penalties (CMP) on entities that violate the Administrative Simplification Provisions (ASP) of HIPAA. The rules clarify the procedures for investigations, hearings, and the imposition of civil money penalties that apply to all the HIPAA Privacy Rules and that can be imposed from the issue date, April 18, 2005.
The proposed rules elaborate and clarify the procedure for investigations, hearings, and the imposition of civil monetary penalties. As outlined within the proposed rules, penalty determinations will be based on the number of impermissible actions or failures, the number of persons affected and the amount of time (in days) during which the violation occurred. The amount of civil monetary penalties may not be more than $100 for each violation or in excess of $25,000 for identical violations during a calendar year.
The HHS Office for Civil Rights (OCR) has resolved thousands of alleged privacy violations without levying any fines. As of February 28, 2005, OCR Director Rick Campanelli stated that complaints had been filed against 11,280 covered entities since the April 2003 effective date of the privacy rule. Of those, 63 percent have been resolved, which means either a cooperative covered entity fixed its problems under OCR's supervision or the complaint wasn't a privacy violation. OCR is still investigating 37 percent of the 11,280 complaints.
In the past, violations were only imposed due to individuals filing complaints. However, the proposed rules clarify that random reviews (audits) may be done to determine if a covered entity is in compliance. These random audits and compliance determinations will be made by the Offices of Civil Rights (OCR), Medicare and Medicaid Services and the Office of HIPAA Standards (OHS).
OCR has referred more than 175 alleged privacy violations to the Department of Justice for potential criminal prosecution. The Justice Department reviews the cases and passes them to the US Attorney in the jurisdiction where the alleged violation took place. If that office determines a violation has taken place, it would proceed.
In the event a complaint or error cannot be resolved, civil money penalties will be imposed and criminal penalties will apply. A civil money penalty cannot be imposed for a violation older than six years.
The proposed rules have broadened definitions of the following:
1. Person is now defined as "a natural person, trust or estate, partnership, corporation, professional association, corporation or other entity, public or private". This would expand who could be found in violation of the rules and be subject to the penalties.
2. Added to the list of "Covered Entity" is a prescription drug card sponsor, who needs to be in compliance with the rules and regulations to avoid penalties.
The top five most common types of complaints are:
1. Impermissible disclosures, e.g. gossiping to a friend outside the hospital about the medical condition of a neighbor who is a patient.
2. Lack of adequate safeguards, e.g. leaving files around, not protecting PHI on computer screens.
3. Refusal or failure to provide access to (or a copy of) medical records.
4. Disclosure of more than the minimum necessary protected health information.
5. Failure to include valid language in patient authorizations for PHI disclosures.
If you are struggling with your HIPAA
Compliance program, contact Infinisource for more information on this or other
employee benefit administration and compliance issues at 800-779-6384 or visit
our website, www.benefitsolved.com.