
HIPAA Gets 'Teeth'

By Jennifer Willcox
July 31, 2006

Memories of HIPAA Compliance likely have long faded for many HR and benefits professionals. You distributed your Privacy Notices, trained your staff, conducted a 'risk assessment' of your information systems under the Security Rule, and formally adopted a thick binder of HIPAA Privacy and Security policies. HIPAA, like Y2K, has come and gone, and health plan compliance has turned to bigger and more pressing issues, right?

Not quite. Recent news stories about the theft of millions of veterans' personal data from the Veterans Administration are a timely reminder about the importance of protecting the confidential data an organization maintains regarding beneficiaries of its health plans. In addition, the Final Rule on HIPAA Enforcement became effective on March 16, 2006, setting out comprehensive rules for all aspects of the enforcement process. These rules have more 'teeth' than was expected, and commentators speculate that this enforcement structure will mean more rigorous enforcement, including imposition of civil penalties, by the HIPAA regulators, the Department of Health and Human Services (HHS). The new rules also make clear that avoiding HIPAA complaints about your health plan is not enough to evade HIPAA enforcement action: HHS now can initiate 'compliance reviews' based on any information suggesting noncompliance that comes to its attention, including media reports.

Now is an excellent time to review your health plan's protection of the privacy and security of individually identifiable health information (known as Protected Health Information, or PHI) created or maintained by the plan. Adopting a HIPAA-compliance monitoring plan is a way to catch problems before they become serious, and to demonstrate that your plan is serious about meeting its compliance obligations.

New Enforcement Rule

The final rule provides details about the investigation process, the factors HHS will look to in deciding whether to assess civil monetary penalties (CMP), and how the regulators will determine CMP amounts. Besides penalties, HHS can also use informal means to remedy violations, including 'demonstrated compliance' (presumably, giving the covered entity an opportunity to demonstrate that it complies with all applicable HIPAA requirements) and corrective action plans. (Note: While the HIPAA statute provides for criminal sanctions, the final rule does not address any criminal penalties, because the criminal provisions are enforced by the Department of Justice (DOJ), not HHS. To date, two individuals have been prosecuted for criminal violations of HIPAA's privacy requirements.) The rule also lays out certain procedural protections for covered entities to contest or appeal civil penalty determinations. If HHS assesses such a penalty, the health plan may, within 90 days, request a hearing in front of an Administrative Law Judge (ALJ). Either side may appeal an ALJ decision to the HHS Departmental Appeals Board (DAB) within 30 days of the decision.

In calculating the penalty that HHS may impose, the rules are pretty open-ended and give the regulators a great deal of discretion. The HIPAA statute limits penalties to no more than $100 for 'each violation,' and no more than $25,000 each calendar year for 'identical violations.' A one-time compliance failure that affected a large number of employees (for instance, a computer glitch that caused PHI from the health plan to be posted on a publicly available Web site) conceivably could be considered multiple violations, for each employee's PHI that was improperly disclosed, resulting in a large penalty amount. The rule also includes the concept of 'continuing violations' that extend over time. Failing to implement certain policies governing access to electronic PHI consistent with the Security Rule, for instance, could be considered an ongoing violation, with an identical violation (and potential fine) occurring each day that the violation continued.

The final Enforcement Rule also outlines numerous factors that go into HHS's assessment of fines. These factors weigh intangibles, such as the harm (physical or financial) caused by the violation and the degree of culpability of the covered entity, as well as the covered entity's compliance history and financial condition. These factors give HIPAA regulators great latitude in deciding how much penalty to impose. Also, many violations can have 'ripple effects,' increasing the possible fines. For instance, a situation where an employee improperly accesses PHI about a health plan participant for a non-plan-related purpose may seem an isolated incident. But the incident could reflect a failure to properly train (one violation), a lack of appropriate safeguards (another violation), and inadequate access controls for an information system (yet another violation). It is easy to see how potential fines can snowball, even based on seemingly minor incidents.

Reducing Exposure

If some commentators' predictions are correct, the publication of the final Enforcement Rule could be a turning point in HIPAA enforcement, and those covered entities that saw HIPAA compliance as a 'one time event' rather than an ongoing obligation may be in for a rude awakening. However, several provisions in the new rule give cause for hope that a rigorous and effective compliance program could save your health plan from significant penalties.

As noted above, one factor that goes into determining the amount of penalty imposed is the degree of the covered entity's culpability, including whether the violation was intentional and whether it was beyond the direct control of the covered entity. If your health plan has a compliance plan that includes regular audits and compliance monitoring, that could go a long way toward demonstrating that any violation was out of the plan's control. Similarly, the final rule allows covered entities to mount 'affirmative defenses' to the imposition of penalties. HHS cannot impose penalties if a covered entity demonstrates that it did not know the violation occurred, and by exercising reasonable diligence could not have known about the violation. Covered entities also have an affirmative defense if the failure to comply was due to reasonable cause rather than willful neglect and is corrected within a certain time period. An effective compliance program can help a health plan establish these affirmative defenses. In addition, being able to demonstrate to HHS that you are taking reasonable steps to monitor compliance can help persuade HHS that any violation should be addressed through informal means, rather than through penalties.

The new enforcement rule should be a strong incentive to develop a HIPAA compliance monitoring plan: a way to evaluate your health plan's compliance with all applicable HIPAA standards. Plans need to audit the mechanisms they developed for complying with all the HIPAA Privacy and Security standards, to assess whether these mechanisms are actually effective in helping the plan achieve and maintain compliance. The Privacy and Security officers together should develop and oversee the compliance monitoring plan, and should ensure that results are communicated to upper management, that appropriate corrective action plans are implemented and, where appropriate, disciplinary actions are imposed.

Depending on the size of the health plan, HIPAA compliance monitoring could include annual 'audit work plans' laying out audit priorities for the coming year, or could simply include a listing of regular monitoring tasks. However, the compliance monitoring plan should be a written document, and every individual involved in compliance monitoring should be trained to document in writing their efforts and any outcomes. If your organization has an existing corporate compliance program, HIPAA monitoring can be included within that program, or housed in your general compliance office/legal department.

A health plan's compliance monitoring plan should address the following questions:

  • Privacy Notices: Is the health plan's Privacy Notice distributed to new enrollees at the time of enrollment (e.g., in the enrollment package or in other mailings)? If the health plan maintains a Web site that employees access for information about the plan, is the Privacy Notice prominently posted on the site? Did the plan 'remind' plan participants about the availability of the Privacy Notice by April 14, 2006?
  • Training: Are new benefits employees trained on the requirements of HIPAA Privacy and Security? Do you keep records documenting the training programs run for such employees, such as having employees sign statements certifying they attended the training?
  • Use of PHI for Employment Purposes: Do you have an appropriate 'firewall' between your health plan and other human resources functions? Particularly for companies with relatively small human resources/benefits staff, do your employees know about the prohibition on using information obtained or created by the health plan for other employment-related purposes?
  • E-mails: Are you careful about disclosing PHI in e-mails that travel over open networks, unencrypted? Do employees use common-sense precautions to limit the amount of PHI used in e-mails?
  • Information Security: Has your HIPAA security risk assessment been updated to incorporate any new software, applications, or information technology systems purchased by your company? Does your Security Officer keep up to date on developments in information technology, and monitor warnings and reports regarding external PHI security threats such as viruses and worms?
  • Business Associates: Do you have the appropriate contractual language in place with all your vendors that potentially access PHI from the health plan? This can include brokers, attorneys and IT consultants, as well as third party administrators or pharmacy benefits managers. Have these agreements all been updated for HIPAA Security?
  • Privacy Complaints/Security Incidents: Have you reviewed records logging any privacy complaints or security incidents? How were these situations investigated? What sort of documentation was maintained? If there have been any complaints or security incidents, do they suggest a pattern that should be addressed?
  • Minors/Personal Representatives: How do your human resources/benefits staff handle complicated questions relating to disclosing minors' health information to parents, or disclosing a spouse's information to the other spouse? Are they aware of the HIPAA and state law limits on doing so?
  • Physical Safeguards: Are records containing identifiable information secured, such as in locked file cabinets or offices? Are records containing PHI generally removed from view on desks, computer screens, etc.?
  • Telecommuting: Do human resources/benefits personnel ever work from home? If so, what sort of safeguards does your company use to protect paper records taken home with employees, transmitted to a home computer or communicated over a VPN?
  • Documentation: Do you document the steps taken to monitor and audit compliance? This can include written audit work plans, regularly completed checklists, or simple 'notes to the file' indicating what you did, when you did it, and what you found.

Following Up on Compliance

Of course, a HIPAA compliance monitoring program is only as good as the follow-up efforts you put into remedying any identified problems. Failing to address identified and documented problems can lead to an increased liability risk. Part of your program should include developing corrective action plans to address what you find through the audit process, monitoring how any fixes are implemented, and documenting how problems are resolved. Be prepared to revise policies and procedures or reeducate your workforce if compliance monitoring indicates some aspect of your HIPAA compliance plan isn't working, or that your existing policies aren't being followed. If your monitoring does identify problems, revise your training materials to incorporate these 'lessons learned,' and consider additional training on any trouble spots revealed through your monitoring.

Conclusion

The recently finalized HIPAA Enforcement Rule may signal a new era of HIPAA enforcement. Given the HIPAA regulators' vast authority and the significant penalties that can be imposed under these rules, a compliance monitoring plan can be a cost-effective way to reduce your health plan's potential exposure. Monitoring for HIPAA compliance need not be a time-intensive process: HIPAA compliance, like HIPAA implementation, should be scalable to the size of the plan and its resources, and in many cases a simple written monitoring plan, a few checklists and written documentation of your efforts should be sufficient. Larger health plans may want to consider working with a consultant or outside counsel for major compliance audits, and developing more extensive written documentation, such as annual work plans. In all cases, follow-up and documentation are key to avoiding the 'bite' of HIPAA enforcement.


Jennifer Willcox, a member of this newsletter's Board of Editors, is an attorney in the Health Care and Employee Benefits departments at Wiggin & Dana, a New Haven, CT-based law firm.
