Understanding HIPAA Enforcement: Best Practices for Avoiding Penalties

By Robin McManigal | Practice Area Expert 

The landmark Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub.L.No. 104-191) signed into law by President Clinton on August 21, 1996, was a  comprehensive piece of legislation that sought to modernize the flow of healthcare information and regulate how personally identifiable information (PII)  maintained by healthcare entities should be protected. In the more than two decades since that time, HIPAA has been the source of headline-making federal investigations, high-stakes litigation, and detailed compliance plans.

For healthcare executives and their lawyers, perhaps the most significant provisions of HIPAA are contained in the Administrative Simplification Rules, which were implemented under 42 U.S.C. §§ 1320d to 1320d-9 . These rules cover four areas:

1. Privacy standards for PHI
2. Security standards for electronic PHI (ePHI)
3. Breach notification requirements
4. Electronic transactions and code sets standards

Many employers that sponsor group health plans and are involved in plan administration may be subject to all or most of these results. They are not to be taken lightly; penalties for non-compliance can be severe.

Enforcement Procedures

It was my privilege to recently host a LexisNexis webinar, “HIPAA — Understanding Enforcement, Penalties & Research Strategies,” in which we examined the four key areas of HIPAA administrative simplification rules and unpacked the various rules requirements that healthcare entities need to follow.

These requirements break down into several categories of federal enforcement:

• Privacy rule, security rule and breach notification rule (PHI Administrative Simplification Rules) — Each of these rules concern aspects of ensuring individual privacy, security, and the proper use and disclosure of protected health information. The HHS has the responsibility of enforcing these rules. However, the HHS delegated administrative simplification rule enforcement responsibilities to its Office for Civil Rights (OCR). The OCR often engages in enforcement activities following a complaint made to the HHS or from a compliance review. After investigation, if the OCR determines that a HIPAA violation occurred, the matter may be resolved on an informal basis which could require the covered entity or business associate to demonstrate compliance and agree to participate in a corrective action plan. If however, the violation can’t be resolved on an informal basis, it will move forward on a formal basis and allow the entity or business associate to provide mitigating factors. After reviewing any response submitted, the OCR holds the power to determine if civil monetary penalties (CMP) are warranted by issuing a notice of proposed determination (NOPD). The NOPD includes a number of factors, including the proposed penalty. The amount imposed by the OCR for a HIPAA violation is subject to numerous factors covered by 45 CFR 160.408. There are also limitations to HIPAA civil penalties.
• Transaction rule — This rule deals with establishing uniform standards around the electronic data interchange (EDI) of healthcare information when conducting standard transactions (. Standard transactions involve the EDI exchange of healthcare data such as when a healthcare provider sends a claim to an insurance company to request payment for services rendered. . The HHS also has the responsibility of enforcing the transactions rule. But similar to the PHI administrative simplification rules, the HHS also delegated transaction rule enforcement to the Centers for Medicare and Medicaid Services (CMS). The CMS investigates complaints and noncompliance with the transactions rule. It often provides technical assistance and seeks the cooperation to achieve compliance. 

Best Practices for HIPAA Compliance

Healthcare entities and their business associates can help avoid HIPAA violation penalties by following some important best practices. These nine tips are extracted from HIPAA Enforcement and Penalties, a practice note published by Lexis Practical Guidance:

1. Conduct an internal audit by engaging with an independent auditor who has expertise in HIPAA compliance.
2. Conduct annual self-audits to periodically confirm that the audit review remains up-to-date with the latest HIPAA rules.
3. Adopt procedures to comply with HIPAA requirements and maintain documentation of all of your protocols.
4. Develop HIPAA training materials for personnel handling protected health information and safeguarding HIPAA data security.
5. Conduct a risk assessment to determine compliance with the HIPAA security rules, using the HHS online risk assessment tool.
6. Review business associate agreements to make sure that compliant contracts are in place with all third-party service providers who create, handle, transmit or otherwise have access to personal health information.
7. Review cybersecurity insurance policies to make sure that your organization is covered for liability protection in the event of cybersecurity breaches.
8. Cooperate with OCR auditors if an investigation takes place, promptly producing all requested documentation and truthfully responding to any questions.
9. Act promptly as soon as there is any indication that a HIPAA administrative simplification violation may have occurred, taking steps immediately to remediate.

These nine action items are not only best practices for a healthcare entity from a business perspective, they should also put the organization in a good position if OCR initiates a HIPAA audit. These pro-active steps can be the difference between substantial penalties and no penalty.

Legal Information Tools

The Lexis Practical Guidance team has assembled a number of important resources to help legal professionals navigate the complex challenges associated with HIPAA compliance.

The HIPAA Resource Kit includes Practical Guidance materials in the form of detailed practice notes such as the HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules and; HIPAA Enforcement and Penalties; checklists; templates; and specific clauses that can be used in keeping healthcare entities HIPAA-compliant. It also includes a HIPAA regulatory enforcement tracker which highlights recent guidance and enforcement actions taken by the OCR; short instructional videos narrated by legal experts in the field, and a PowerPoint presentation that can be used for training employees on HIPAA compliance.

Experience Lexis Practical Guidance on Lexis+ with a free 7-day trial.