By Pension and Benefits Editorial Staff
Although it is good news for providers that HIPAA penalty caps have declined for certain violations, it does not mean that HIPAA enforcement will slow or that state attorneys general might not become more active. A Health Care Compliance Association (HCCA) webinar, “OCR Lowers Annual Penalty Caps for Certain HIPAA Violations,” presented by Adam Greene, J.D., MPH, Partner at Davis Wright Tremaine, LLP, covered in depth OCR actions and trends, consequences of changes in HIPAA penalties, what future HIPAA enforcement might look like, and steps to reduce penalties.
OCR actions and trends. A HIPAA breach is not a “go get your checkbook” event generally, Greene mentioned. Most OCR enforcement, 68 percent (as of July 2019), resulted in administrative closure. So far in 2019, OCR has had only three cases with a financial settlement. The other OCR enforcement actions resulted in no violations found, corrective action, or technical assistance. “OCR doesn’t fish for penalties left and right on HIPAA, although we can’t say that they won’t start putting in penalties,” Greene cautioned.
A trend that needs to be watched is state attorneys general banding together in HIPAA actions, according to Greene. In 2019, the number of state attorney general settlements has increased, as have joint actions. The Tennessee Attorney General and 15 other state attorneys general reached a HIPAA data breach settlement in July of this year. Similarly, the Montana Attorney General and 29 other state attorneys general reached a HIPAA data breach settlement in the same month.
Changes to HIPAA penalties. As of April 2019, the new structure for HIPAA enforcement penalties reduced the penalty amounts, except for cases of willful neglect not timely corrected. Greene mentioned that corrections should be made in under 30 days. Also, if an entity can show that its violation was not due to willful neglect that was not timely corrected, it can make a huge difference. Keeping documentation is one of the keys to showing that neglect was not willful.
Reducing risk of penalties. A number of steps can be taken in order to reduce the risk of HIPAA penalties. According to Greene, the following actions need to be taken:
- Maintain documentation of reasonable approaches toward compliance.
- When a violation is discovered, collect evidence, such as affidavits, to show that the violation was not previously known.
- Find reasonable cause by looking for factors that were outside of the organization’s control (e.g., weather events).
- Demonstrate timely concern—within 30 days.
- Cooperate with OCR—a cooperative approach, rather than adversarial, generally leads to a better outcome.
Future of OCR enforcement. According to Greene, in the future, OCR will likely continue to bring substantial penalties in a small minority of cases. OCR also (1) may increase financial enforcement, such as in future audit programs; (2) will place greater emphasis on level of culpability when determining penalties; and (3) will likely still resolve a substantial majority of cases involving potential violations through voluntary corrective action or technical assistance.
Right of access and lack of risk analysis will be priorities for OCR going forward, according to Greene. "Over last year, they’ve been talking about right of access. Also, lack of risk analysis is usually a top priority for OCR, and lack of encryption will continue to be an enforcement priority," Greene said.
SOURCE: Health Care Compliance Association webinar, “OCR Lowers Annual Penalty Caps for Certain HIPAA Violations.”