HIPAA PRIVACY ENFORCEMENT ON THE RISE
In February 2009, as part of the economic stimulus legislation known as the American Recovery and Reinvestment Act, Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH not only provided federal incentives for medical care providers to accelerate implementation of electronic health records systems, but also broadened the categories of those responsible for protecting the patient health information contained in those records and significantly increased the penalties for HIPAA violations.
The original HIPAA Privacy Rule finalized in 2002 applied only to “covered entities” such as health care providers, health plans, health care clearinghouses and later, sponsors of drug discount cards under Medicare. The Department of Health and Human Services Office for Civil Rights (OCR) is responsible for civil enforcement of HIPAA privacy regulations. Under the original Privacy Rule, OCR lacked direct enforcement authority against the “business associates” of covered entities such as billing agencies, law firms and accountants. HITECH expanded the reach of HIPAA’s criminal and civil penalties to business associates, and increased those penalties.
Under the original HIPAA enforcement scheme, the maximum civil penalty was $25,000. A violator could avoid penalties altogether if the violator did not know of the violation, was not willfully negligent and corrected the issue within 30 days of discovery.
Under HITECH, civil penalties for HIPAA violations are subject to a four-tier system that increases penalties based upon level of culpability. The lowest tier imposes a minimum fine of $100 upon a violator, even if the violator did not know of the violation. The highest tier targets willful neglect and includes a maximum fine of $1.5 million per year. In addition to increasing the civil penalties, HITECH also clarifies that HIPAA’s criminal penalties apply to both covered entities and their employees.
The OCR has stepped up its efforts to uncover alleged violations and impose penalties upon violators under HITECH. OCR is also using its Privacy & Security Audit Program, under which it awarded a $9 million contract to one of the nation’s largest accounting firms to conduct random HIPAA privacy and security audits. While its current audit program is limited to health care providers, insurers and clearinghouses, OCR has indicated that future programs will include business partners.
OCR’s aggressive enforcement efforts should be noted. For example, OCR entered into a settlement with a small surgical center in Phoenix in April 2012 called Phoenix Cardiac Surgery, P.C. (PCS). In that settlement, PCS agreed to pay $100,000 and to take corrective action to implement policies and procedures to safeguard the protected health information of its patients.
The incident giving rise to OCR’s investigation was a report that PCS was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. During its investigation, OCR also found that PCS had been lax in implementing policies and procedures to comply with the HIPAA Privacy and Security Rules.
Specifically, OCR’s investigation revealed the PCS failed to implement adequate policies and procedures to appropriately safeguard patient information, failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules, failed to identify a security official and conduct a risk analysis, and failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic Protected Health Information.
In March 2012, OCR announced a settlement with Blue Cross and Blue Shield of Tennessee (BCBST), under which BCBST agreed to pay $1.5 million and enter into a corrective action plan to address its HIPAA compliance issues. The BCBST settlement resulted from an investigation triggered after a report was received indicating that a number of unencrypted BCBST hard drives that included patient records for over a million individuals were stolen from a leased facility in Tennessee.
The stolen hard drives contained recordings of customer service calls between BCBST representatives and over one million individuals. The hard drives were located in a network data closet on a leased facility BCBST had recently vacated. The drives contained unencrypted protected health information such as member names, social security numbers, diagnosis codes, dates of birth and health plan identification numbers. BCBST reported the breach to OCR as required, and OCR initiated an investigation that concluded the theft may have occurred as a result of BCBST’s failure to appropriately implement required Security Rule procedures.
After investigating, OCR concluded that BCBST had “failed to implement appropriate administrative safeguards to adequately protect information remaining at [its] leased facility by not performing the required security evaluation in response to operational changes” and failed “to implement appropriate physical safeguards by not having adequate facility access controls.”
In 2011, OCR undertook similar enforcement efforts that included, among other things, imposing a $4.3 million fine against Cignet Health for refusing to provide access to the medical records of patients and ignoring multiple letters and phone calls from OCR investigators. OCR also entered into a $1 million settlement against Massachusetts General Hospital, after an employee left records of over sixty patients on a subway. OCR also imposed a fine totaling $865,000 against the UCLA Health System after several employees viewed celebrity patients’ medical records without permission.
These and other enforcement proceedings by OCR make clear that covered entities and business partners should take HIPAA privacy and security regulations seriously and should ready themselves for potential audit before OCR and its auditors arrive at their doorsteps. Appropriate measures would include ensuring that HIPAA privacy and security protocols exist and are current with HITECH’s heightened privacy and security requirements, and that these security protocols are actually being followed by employees. Entities should also ensure that HIPAA policies, procedures and compliance efforts are documented, organized and easily accessible. The audit procedures released by the OCR suggest that auditors will be give little advanced warning and may require entities to produce documents for review within 10 days.
HIPAA CRIMINAL VIOLATION MADE EASIER TO ALLEGE
In addition to OCR’s civil enforcement of the HIPAA regulations, a recent decision may make it easier for the government to bring proceedings for criminal violations.
On May 10, 2012, in United States v. Zhou, the Ninth Circuit Court of Appeals held that an individual will not be protected from criminal liability for a violation of HIPAA’s prohibition against obtaining protected health information without authorization even if the individual does not know it is illegal to do so under HIPAA.
Zhou was a former research assistant at the UCLA Health System, who, after his employment terminated, accessed patient records without authorization on at least four occasions. The government charged Zhou with four criminal counts for knowingly obtaining and causing to be obtained individually identifiable health information under 42 U.S.C. §1320d-6(a)(2), which provides in part that a “person who knowingly and in violation of this part . . . obtains individually identifiable health information related to an individual” without authorization is guilty of a misdemeanor. The statute provides for a fine of not more than $50,000, imprisonment of not more than one year, or both for violations.
At the district court, Zhou moved to dismiss the proceeding contending that the information filed by the government did not allege that he knew that the statute prohibited him from obtaining the health information. When the district court denied Zhou’s motion to dismiss, he entered a conditional guilty plea, preserving the right to appeal the denial of his motion to dismiss.
On appeal, Zhou contended that the government’s allegations failed because the government did not explicitly allege that Zhou knew that obtaining the protected information was illegal. Thus, under Zhou’s interpretation, a defendant would be guilty of a violation only if he knew that obtaining the personal health information was illegal. The court rejected this argument, finding that it contradicted the plain language of HIPAA. According to the court, the word “and” in the phrase “a person who knowingly and in violation of this part….” unambiguously provides for two elements to a §1320d-6(a)(2) violation: (1) knowingly obtaining individually identifiable health information related to an individual, and (2) obtaining that information in violation of HIPAA. The court found that “knowingly” applies only to the act of obtaining the health information, so that the individual must know that he or she actually obtained the information.
The Zhou case should be a wake up call to entities and individuals who come in contact with personal health information under HIPAA, and should lead entities to undertake heightened efforts to review whether policies and protocols are HIPAA-compliant and to educate and train personnel on compliance.