The HIPAA Privacy, Security, and Breach Notification Rules1 apply to healthcare providers who engage in certain electronic transactions, healthcare clearinghouses, and health plans, including employee group health plans with 50 or more participants or that are administered by a third party.2 Covered entities must comply with HIPAA for the following reasons:
1. Civil Penalties Are Mandatory for Willful Neglect. The Office for Civil Rights (“OCR”) is required to impose HIPAA penalties if the covered entity acted with willful neglect, i.e., with “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA requirements.3 The following chart summarizes the tiered penalty structure4:
Conduct of covered entity or business associate |
Penalty |
Did not know and, by exercising reasonable diligence, would not have known of the violation |
$100 to $50,000 per violation; |
Violation due to reasonable cause and not willful neglect |
$1,000 to $50,000 per violation; |
Violation due to willful neglect but the violation is corrected within 30 days after the covered entity knew or should have known of the violation |
Mandatory fine of $10,000 to $50,000 per violation; |
Violation due to willful neglect and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation |
Mandatory fine of not less than $50,000 per violation; |
A single action may result in multiple violations. According to HHS, the loss of a laptop containing records of 500 individuals may constitute 500 violations.5 Similarly, if the violations were based on the failure to implement a required policy or safeguard, each day the covered entity failed to have the required policy or safeguard in place constitutes a separate violation.6 Not surprisingly, penalties can add up quickly. And the government is serious about the new penalties: the OCR has imposed millions of dollars in penalties or settlements since the mandatory penalties took effect.7 State attorneys general may also sue for HIPAA violations and recover penalties of $25,000 per violation plus attorneys’ fees.8 Future regulations will allow affected individuals to recover a portion of any settlement or penalties arising from a HIPAA violation, thereby increasing individuals’ incentive to report HIPAA violations.9
The good news is that if the covered entity does not act with willful neglect, the OCR may waive or reduce the penalties, depending on the circumstances.10 More importantly, if the covered entity or business associate does not act with willful neglect and corrects the violation within 30 days, the OCR may not impose any penalty; timely correction is an affirmative defense.11
2. HIPAA Violations May Be A Crime. Federal law prohibits any individual from improperly obtaining or disclosing protected health information (PHI) from a covered entity without authorization; violations may result in the following criminal penalties12:
Prohibited Conduct |
Penalty |
Knowingly obtaining or disclosing PHI without authorization. |
Up to $50,000 fine and one year in prison |
If done under false pretenses. |
Up to $100,000 fine and five years in prison |
If done with intent to sell, transfer, or use the PHI for commercial advantage, personal gain or malicious harm. |
Up to $250,000 fine and ten years in prison |
Physicians, hospital staff members, and others have been prosecuted for improperly accessing, using or disclosing PHI.
3. Covered Entities Must Self-Report HIPAA Breaches. The risk of penalties is compounded by the fact that covered entities must self-report HIPAA breaches of unsecured PHI to the affected individual, HHS, and, in certain cases, to the media.13 In 2013, the Omnibus Rule modified the Breach Notification Rule to eliminate the former harm analysis; now a breach of PHI is presumed to be reportable unless the covered entity or business associate can demonstrate a low probability that the data has been compromised through an assessment of specified risk factors.14 Reporting a HIPAA violation is bad enough given the costs of notice, responding to government investigations, and potential penalties, but the consequences for failure to report a known breach are likely worse: if discovered, such a failure would likely constitute willful neglect, thereby subjecting the covered entity or business associate to the mandatory civil penalties.15
4. Potential for a Private Cause of Action. HIPAA does not expressly create a private cause of action for injured individuals; however, plaintiffs may attempt to use HIPAA to establish the standard of care owed in a negligence claim. In addition, individuals may also sue under common law tort theories such as invasion of privacy, negligent infliction of emotional distress, or public disclosure of private facts. Even if the covered entity ultimately prevails, the covered entity may face the costs of defending the suit.
Given the increased penalties, lowered breach notification standards, and expanded enforcement, it is more important than ever for covered entities to comply or, at the very least, document good faith efforts to comply, to avoid a charge of willful neglect, mandatory penalties, and civil lawsuits. The following are key compliance actions that covered entities should take.
1. Assign HIPAA responsibility. Covered entities must designate persons to serve as their HIPAA privacy and security officers, and document the designation in writing.16 The privacy and security officers are responsible for ensuring HIPAA compliance. To that end, they should be thoroughly familiar with the requirements of the HIPAA Privacy17, Security18, and Breach Notification Rules.19 The OCR maintains a very helpful website to assist covered entities in complying with the rules, http://www.hhs.gov/ocr/privacy/.
2. Know the use and disclosure rules. The basic privacy rules are relatively simple: covered entities may not use, access, or disclose PHI without the individual’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception.20 Unless they have agreed otherwise, covered entities may use or disclose PHI for purposes of treatment, payment, or certain health care operations without the individual’s consent.21 In addition, covered entities may use or disclose PHI for certain purposes so long as the individual has not objected, including use of certain PHI for facility directories, or disclosure of PHI to family members or others involved in the individual’s care or payment for their care, and the provider believes the disclosure is in the individuals’ best interests.22 HIPAA contains numerous exceptions that allow disclosures of PHI to the extent another law requires disclosures or for certain public safety and government functions, including reporting of abuse and neglect; responding to government investigations; or disclosures to avoid a serious and imminent threat to the individual.23 Even though HIPAA would allow a disclosure, the covered entity generally cannot disclose more than is minimally necessary for the intended purpose.24 Covered entities generally must take reasonable steps to verify the identity of the person to whom the disclosure may be made.25 The OCR has published a helpful summary of the Privacy Rule athttp://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf, although the summary has not been updated to reflect changes in the recent Omnibus Rule.
3. Know individuals’ rights. HIPAA grants individuals certain rights concerning their PHI. Among others, individuals generally have a right to request limitations on otherwise permissible disclosures for treatment, payment, and healthcare operations26; request confidential communications at alternative locations or by alternative means27; access or obtain copies of their PHI, including e-PHI28; request amendments to their PHI29; and obtain an accounting of impermissible and certain other disclosures of PHI.30 Covered entities must know and allow individuals to exercise their rights. One health system was fined $4.3 million for, among other things, failing to timely respond to individual requests to access their PHI.31
4. Implement and maintain written policies. HIPAA requires covered entities to develop and maintain written policies that implement the Privacy, Security, and Breach Notification Rule requirements.32 According to HHS, maintaining the required written policies is a significant factor in avoiding penalties imposed for “willful neglect.”33 Rite Aid paid $1,000,000 to settle HIPAA violations based in part on its failure to maintain required HIPAA policies.34 If they have not done so, covered entities should update their privacy and breach notification policies to comply with the new Omnibus Rule provisions issued in 2013.
5. Develop compliant forms. HIPAA requires that certain documents used by covered entities satisfy regulatory requirements as described below. Covered entities should ensure that their HIPAA forms comply, although the OCR has suggested that technical non-compliance would likely not constitute willful neglect.35
a. Authorizations. HIPAA authorizations to use or disclose PHI must contain certain elements and required statements to be valid.36
b. Notice of privacy practices. Covered entities must provide individuals with a notice of privacy practices that describes how the entity will use the individual’s PHI and contains certain required statements.37 The OCR has published model privacy notices on its website, http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html, although most covered entities would likely prefer to use their own forms.
c. Other forms. Although not required, covered entities may develop other forms to ensure compliance with individual rights, such as individual requests to access PHI, amend records, or obtain an accounting of disclosures.
6. Execute appropriate business associate agreements. Although HIPAA now applies directly to business associates, HIPAA still requires covered entities to execute “business associate agreements” with their business associates before disclosing PHI to the business associate.38 Business associates are generally those outside entities who create, receive, maintain, or transmit PHI on behalf of the covered entity.39 The Omnibus Rule expanded the definition of “business associates” to include data storage companies, entities that provide data transmission services if they require routine access to PHI, and subcontractors of business associates.40 If they have not done so recently, covered entities should immediately identify their business associates and ensure appropriate agreements are executed with them.
Breach of the business associate agreement exposes the business associate to contract claims by the covered entity in addition to HIPAA penalties. Covered entities are generally not liable for the actions of their business associates unless the covered entity knows of a pattern of activity or practice of the business associate that constitutes a material violation of the business associate’s obligation and fails to act to cure the breach or end the violation,41 or the business associate is acting as the agent of the covered entity.42 To avoid liability, covered entities should ensure that business associates are acting as independent contractors, not agents of the covered entity.43
7. Perform and document a risk analysis. The HIPAA Security Rule applies to PHI maintained in electronic form, e.g., data on computers, mobile devices, USBs, etc.44 Covered entities must conduct and document a risk analysis of their computer and other information systems to identify potential security risks and respond accordingly.45 HHS has provided an on-line risk assessment tool that covered entities may use to perform their analysis; it is available at the following location: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool. The OCR has published additional guidance for the risk analysis at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf. Covered entities should periodically review and update their risk analysis. A Massachusetts dermatology practice recently agreed to pay $150,000 for, among other things, failing to conduct an adequate risk assessment of its systems, including the use of USBs.46
8. Implement required safeguards. HHS recognizes that individual privacy cannot be absolutely protected; accordingly, HIPAA does not impose liability for “incidental disclosures” so long as the covered entity implemented reasonable administrative, technical, and physical safeguards designed to protect against improper disclosures.47 The Security Rule contains detailed regulations specifying safeguards that must be implemented to protect e-PHI.48 The Privacy Rule is less specific; it simply requires that covered entities implement reasonable safeguards.49 The reasonableness of the safeguards depends on the circumstances, but may include, e.g., not leaving PHI where it may be lost or improperly accessed; checking e-mail addresses and fax numbers before sending messages; using fax cover sheets; etc.
9. Train workforce. Having the required safeguards, policies, and forms is important, but covered entities and business associates must also train their workforce members to comply with their policies and document such training.50 HIPAA requires that new employees receive training within a reasonable period of time after hire, and as needed thereafter.51 According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.52
10. Respond immediately to any violation or breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate any privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA.53 It may also require covered entities to terminate an agreement with a business associate due to the business associate’s noncompliance.54 Second, prompt action may minimize or negate the risk that the data has been compromised, thereby allowing the covered entity or business associate to avoid self-reporting breaches to the individual or HHS.55 Third, a covered entity or business associate can avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.56
11. Timely report breaches. If a reportable breach of unsecured PHI occurs, covered entities must notify the individual within 60 days.57 If the breach involves less than 500 persons, the covered entity must notify HHS by filing an electronic report no later than 60 days after the end of the calendar year.58 If the breach involves 500 or more persons, the covered entity must file the electronic report when it notifies the individual.59 If the breach involves more than 500 persons in a state, the covered entity must notify local media.60 The written notice to the individual must satisfy regulatory requirements concerning the manner and content of the notice.61
12. Document actions. Documenting proper actions will help covered entities defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years from the date that the document was last in effect.62
13. Beware more stringent laws. In evaluating their compliance, covered entities must also consider other federal or state privacy laws. To the extent a state or other federal law is more stringent than HIPAA, covered entities should comply with the more restrictive law, including conditions of participation or licensing regulations that may apply to certain facilities.63 In general, a law is more stringent than HIPAA if it offers greater privacy protection to individuals, or grants individuals greater rights regarding their PHI.64
CONCLUSION.
Covered entities must comply with HIPAA or face draconian penalties. As many businesses have recently learned, even seemingly minor or isolated security lapses may result in major fines and business costs. Fortunately, however, covered entities may avoid mandatory fines and minimize their HIPAA exposure by taking and documenting the steps outlined above. Covered entities may use this outline to evaluate and, where needed, upgrade their overall HIPAA compliance.
145 CFR part 164.
245 CFR § 160.103, definition of “covered entity.”
345 CFR § 160.401 and 164.404.
445 CFR § 160.404.
5See 78 FR 5584 (1/25/13).
645 CFR §160.406; 78 F.R. 5584 (1/25/13).
7The OCR’s website contains data summarizing HIPAA enforcement activities, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html.
842 USC § 1320d-5(d); see also OCR training for state attorneys general at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/index.html.
9See 78 FR 5568 (1/25/13).
1045 CFR § 160.308(a)(2) and 160.408.
1145 CFR § 160.410.
1242 USC § 1320d-6.
1345 CFR § 164.400 et seq.
1445 CFR § 164.402; 78 FR 5641 (1/25/13).
1575 FR 40879 (7/14/10).
1645 CFR §§ 164.308(a)(2) and 164.530(a).
1745 CFR part 164, subpart E (§§ 164.500-164.534).
1845 CFR part 164, subpart C (§§ 164.302-164.318).
1945 CFR §164.502, Subpart D (§§ 164.400-414).
2045 CFR §164.502
2145 CFR §§164.506 and 164.522(a).
22See 45 CFR § 164.510.
2345 CFR § 164.512.
2445 CFR §§ 164.502(b) and 164.514(d).
2545 CFR § 164.514(h).
2645 CFR § 164.522(a).
2745 CFR § 164.522(b).
2845 CFR § 164.524.
2945 CFR § 164.526.
3045 CFR § 164.528.
31See Press Release at http://www.hhs.gov/news/press/2011pres/02/20110222a.html.
3245 CFR §§ 164.316(a), 164.404(a), and 164.530(f).
33See 75 FR 48078-79.
34See Press Release at http://www.hhs.gov/news/press/2010pres/07/20100727a.html.
3575 FR 40878 (7/14/10)
3645 CFR § 164.508(c).
3745 CFR § 164.520.
3845 CFR §§ 164.308(b) and 164.502(e).
3945 CFR § 160.103.
4045 CFR § 160.103.
4145 CFR § 164.504(e)(1).
4245 CFR § 160.402(c).
4378 FR 5581.
4445 CFR § 164.103.
4545 CFR § 164.308(a)(1).
46See Press Release at http://www.hhs.gov/news/press/2013pres/12/20131226a.html.
4745 CFR § 164.502(a)(1); see Guidance athttp://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalusesanddisclosures.html.
4845 CFR §§ 164.308 to 164.316 and Appendix A to 45 CFR part 164, subpart C.
4945 CFR § 164.530(c).
5045 CFR § 164.530(b); see also 45 CFR §§ 164.308(a)(5) and 164.414(a).
5145 CFR § 164.530(b).
5275 FR 40879.
5345 CFR § 164.530(d)-(f).
5445 CFR §§164.314(a)(2) and 164.504(e)(2).
5545 CFR § 164.402.
5645 CFR § 160.410.
5745 CFR § 164.404.
5845 CFR § 164.408(c).
5945 CFR § 164.408(b).
6045 CFR § 164.406.
6145 CFR § 164.404(c)-(d).
6245 CFR §§ 164.316(b), 164.414(a), and 164.530(j).
6345 CFR § 160.203.
6445 CFR § 160.202.