HIPAA violations may result in penalties of $100 to $50,000 per violation, depending on the conduct at issue. If the violation results from “willful neglect” the party is subject to mandatory fines of $10,000 to $50,000 per violation.
A single data breach may result in numerous violations. For example, the loss of a laptop containing PHI of 2,000 patients may constitute 2,000 violations. Additional penalties may be assessed if the breach resulted from failure to implement required policies or practices. To make matters worse, covered entities must self-report breaches of unsecured protected health information (PHI) to the affected individual and HHS.
The good news is that a covered entity may avoid HIPAA penalties if it does not act with “willful neglect” and corrects the violation within 30 days.
Here are seven tips for avoiding “willful neglect” penalties, especially those arising from breaches of electronic PHI:
1. Conduct or update your security risk assessment required by the security rules. This is a first step in identifying and preventing potential security breaches. In 2014, HHS made available a risk assessment tool to help providers conduct and document their own risk analysis.
2. Implement the administrative, technical, and physical safeguards required by the HIPAA security rule. Most physician practices have polices required by the privacy rule, but comparatively few have properly addressed the safeguards required by the security rule. Implementing the required safeguards is necessary not only for regulatory compliance; it is also simply a good business practice given the potentially disastrous consequences of system failures or cybercrimes. Again, the government’s HealthIT website, HealthIT.gov, contains helpful tools and guides that practices may use to achieve compliance.
3. Execute business associate agreements (BAAs) with business associates. A good BAA is not only required by HIPAA; it will also help insulate the practice from HIPAA liability if its business associate violates HIPAA. Ensure the BAA confirms that the business associate is acting as an independent contractor, not an agent of the practice.
4. Train your employees and monitor their performance. According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee. Unfortunately, there is no similar guarantee that policies and training will protect a provider from liability for state privacy claims: An Indiana jury recently returned a $1.44 million verdict against Walgreens based on an employed pharmacist’s privacy violations despite Walgreens’ policies and training. Thus, physician groups need to ensure their training is effective.
5. Respond immediately to any suspected breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA. Second, an entity may be able to prevent the data from being compromised by taking swift action, thereby avoiding the obligation to self-report HIPAA violations. Third, a covered entity or business associate may avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days. Corrective action may include modifying policies, implementing additional safeguards, disciplining employees, and providing additional training.
6. Report breaches in a timely manner. While the initial action resulting in the breach may not have been willful, the failure to timely report a reportable breach as required by the rules may constitute willful neglect. Under HIPAA, the unauthorized access, use, or disclosure of unsecured PHI is presumed to be reportable to the individual and HHS unless the covered entity can demonstrate there is a low probability that the data has been compromised based on factors such as the type of PHI disclosed; the recipient of the PHI; whether the PHI was actually accessed or disclosed; and steps taken to mitigate any breach.
7. Document your actions. Documenting proper actions will help providers defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.
Although there is no guarantee that these steps will protect against breaches, they will help physician groups mitigate resulting liability under the HIPAA rules.