- The Omnibus Rule: Changes to HIPAA / HITECH Enforcement and Penalties
- March 11, 2013
- Law Firm: Hinshaw Culbertson LLP - Chicago Office
The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly impacts the enforcement of the HIPAA through numerous means and mechanisms. The Final Rule strengthens HIPAA’s enforcement provisions and increases the penalties for HIPAA and HITECH violations.
HHS will investigate when a preliminary review indicates even a possible violation due to willful neglect and has the discretion to decide whether to conduct a compliance review (or complaint investigation) when an initial review of the facts indicates a degree of culpability less than willful neglect. If alleged violations come to HHS’ attention, through means such as the media, or a federal or state agency, the department can initiate a compliance review. HHS can resolve HIPAA violations through informal means, or, according to the department, "move directly to a civil money penalty without exhausting informal resolution efforts at [the] discretion of the Secretary of HHS, particularly in cases involving willful neglect violations." HHS will coordinate with the U.S. Department of Justice to refer cases involving possible criminal HIPAA violations.
Determination of Civil Monetary Penalties
The civil monetary penalty structure for violations is based on tiered levels of culpability. The categories of culpability and penalties are:
Violation Category-Section 1176(a)
Penalty for Each Violation
Maximum for All Violations of an Identical Provision in a Calendar Year
Did not Know
Willful Neglect: Corrected
Willful Neglect: Not Corrected
HHS has stated that it will not impose the maximum penalty in all cases. Rather, it will determine penalties on a case-by-case basis. The agency will consider the nature and extent of the violation, the nature and extent of the resulting harm, and the entity’s history of noncompliance when determining penalties. HHS has also stated that it will consider the financial position of the entity being examined. The phrase "previous indications of noncompliance" in the Final Rule describes the history to which HHS will be looking when determining penalties. This change in language is intended to allow HHS to consider prior noncompliance even when there is no formal finding of a violation.
Under the Final Rule, the affirmative defenses available to covered entities and business associates has been modified. There will be no imposition of a civil monetary penalty for any violation, other than one due to willful neglect, if the violation is corrected within 30 days from when the entity knows, or has constructive knowledge, of the violation. Under the Final Rule, if a criminal penalty has already been given for the violation, HHS may not give an additional civil monetary penalty to the entity.
The Final Rule includes several changes that will result in more aggressive enforcement and severe penalties, including the following:
- HHS no longer has discretion but now must initiate an investigation if preliminary review indicates a possible violation due to willful neglect; the discretion that remains is that the department can decide whether to initiate an investigation or compliance review where the preliminary review indicates a degree of culpability less than willful neglect.
- HHS is no longer required to attempt to resolve violations by informal means. The department now has discretion on whether to attempt to resolve violations by informal means.
Liability for Business Associates
Covered entities and business associates are liable for the acts of their business associate agents, under the federal law of agency, even if the covered entity has a business associate agreement in place. (45 C.F.R. 160.402) This rule applies to business associates and to their subcontractors. The determination of whether a business associate is an agent will be fact-specific, considering the terms of the business associate agreement and the totality of the circumstances regarding the relationship. Factors to consider in determining whether an agency relationship exists are:
- The time, place, and purpose of a business associate’s conduct;
- Whether a business associate engaged in a course of conduct subject to the control of the covered entity (or other business associate in a subcontractor relationship);
- Whether a business associate’s conduct is commonly done by a business associate to accomplish the service performed on behalf of a covered entity (or other business associate); and
- Whether the covered entity (or other business associate) reasonably expected that a business associate would engage in the conduct in question.
A business associate may still be considered an agent even when acting in violation of the business associate agreement, if acting for the benefit of the covered entity. HHS stated: "A business associate agent would likely be acting within the scope of agency if it impermissibly disclosed more than the minimum necessary information to a health plan for purposes of payment, even if the disclosure is contrary to clear instructions of the covered entity."
Under the Final Rule, given that even acts "contrary to clear instructions of the covered entity" can lead to liability of the covered entity, avoiding an agency relationship with business associates whenever possible, and including clear indemnification provisions when agency relationship exists, will be of utmost importance.