The Department of Health and Human Services (HHS) delivered their annual report to congress and noted there have been significant increases in HIPAA complaints and large breaches. They also noted that there have not been increases in appropriations during the same time frame. The Office for Civil Rights (OCR) requested that the HITECH civil monetary penalty caps be increased in the HHS FY 2023 Discretionary A-19 Legislative Supplement that was sent to Congress.
The Annual Report to Congress on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the Secretary of HHS during calendar year 2021 and the actions taken in response to those breaches. It also highlights the continued need for regulated entities to improve compliance with the HIPAA Security Rule requirements, including:
- risk analysis and risk management
- information system activity review
- audit controls
- access controls
The OCR Director Melanie Fontes Rainer stated, “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”
The OCR is in charge of enforcing the HIPAA Rules. They start my investigating written complaints and conducting reviews to determine if the covered entity or business associates failed to comply with the HIPAA Rules. The OCR will only act upon complaints that meet certain requirements. These include:
- The violation must occur after the HIPAA Rules have been required.
- The complaint must be filed against an entity that is required to adhere to the HIPAA Rules.
- The complaint must describe the activity that violated the HIPAA Rules.
- The complaint must be filed within 180 days of the occurrence. The OCR may waive this requirement if the individual shows good cause for being unable to file within the time frame requirement.
The OCR must determine whether the complaint is eligible for enforcement action. If the case is not within the OCR’s jurisdiction, the case will be closed. If the complaint is eligible for enforcement action, the OCR often provides technical assistance to resolve the case without further investigation.
In addition, OCR’s compliance activities include conducting audits and providing education and support with the HIPAA Rules. When necessary, the OCR has authority to issue subpoenas to encourage cooperation with an investigation.
The OCR may also initiate a compliance review investigation when they learn that the breach was caused by the covered entity’s business associate and open a compliance review of the business associate.
The HIPAA Rules provide that the Secretary may open compliance review investigations of covered entities and business associates based on an event or incident brought to OCR’s attention, such as through the media, referrals from other agencies, or based upon patterns identified through multiple complaints alleging the same or similar violations against the same entity. Multiple complaints of the same or similar violations demonstrate systemic compliance deficiencies. These are typically investigated under one transaction for the purpose of achieving compliance.
Once an investigation is initiated, the OCR will collect evidence through witness statements, interviews, requests for reports from the entity, and site visits. It is required by law that all entities involved must cooperate. If the event implicates criminal activity, the OCR may refer the complaint to the Department of Justice (DOJ). Keep in mind, if the DOJ declines the case, the OCR may review for potential civil violations and investigate the case.
Sometimes the OCR may determine there isn’t enough evidence to support the entity violated the HIPAA Rules. In these cases, the OCR will send a letter closing the case and explaining the results of the investigation.
In the cases where the OCR determines that the covered entity or business associate was not in compliance the OCR will generally try to resolve the case by obtaining voluntary compliance through corrective action which may include a resolution agreement.
When the OCR discovers non-compliance due to willful neglect or where the scope and scope warrants additional enforcement action, the OCR will pursue a resolution agreement with a payment settlement amount. This also includes a corrective action plan (CAP). The OCR is willing to negotiate the terms of the resolution agreement and the payment amount may be reduced from the amount that they are actually liable for. The amount is based on the entity’s ability to pay, keep in mind, that may be quite different than what the entity thinks. Also, in most cases the resolution agreement includes the requirement to fix the issues and to be monitored for a period of time.
Civil Money Penalties (CMP)
If the entity involved is not able to reach a satisfactory agreement to resolve the issues or if the entity violates the resolution agreement, the OCR may pursue formal enforcement action. If a CMP is proposed the entity may request a hearing in which a Departmental administrative law judge decides if the CMP is warranted based on the evidence presented. Answering this is very important, if the entity does not request a hearing within 90 days of the OCR’s proposed determination, the OCR will issue a final determination and impose a CMP.
The HITECH Act requires HHS to perform periodic audits of covered entities and business associates to ensure they are compliant with the HIPAA Rules. These are known as random audits since they are not initiated by any incident.
The OCR did not initiate any audits in 2021 and is currently developing the criteria for implementing future audits.
What this means is… make sure your compliance efforts are documented and organized to ensure you will survive an audit without penalties.
If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”