Don’t Forget Annual HIPAA Breach Reporting


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires every Covered Entity that knows, or should know, of a breach of Protected Health Information (PHI) to notify the individuals affected by the breach and to report the incident to the Federal government. A breach affecting fewer than 500 individuals does not require immediate reporting to the Secretary of the U.S. Department of Health and Human Services, but it must be included in an annual report submitted no later than 60 days after the end of the calendar year in which the breach occurred, and that report must include a detailed accounting of each breach.

Therefore, Covered Entities that experienced a breach in 2016 are required to report to the Secretary by March 2, 2017. Failure to report on time may result in civil money penalties, which range from a low of $100 to as much as $1,500,000. Covered Entities may also face other, non-monetary penalties, such as exclusion from participation in Medicare.

Frier Levitt assists clients with all aspects of HIPAA compliance, including breach notification and reporting to the Federal government. Equally important, however, is the review and revision of HIPAA plans and policies. In 2016, the Office for Civil Rights (OCR) entered into more resolution agreements, and issued costlier fines, for violations of HIPAA than ever before. Compared to 2015, the total fines assessed for violations of HIPAA in 2016 were almost triple, netting more than $23 million in civil money penalties, which included the largest fine assessed against any single entity of $5.5 million.

Covered Entities and business associates alike must ensure compliance with the HIPAA Privacy and Security Rules, including proper breach reporting and keeping the required risk analysis current. OCR, through recent settlements, has demonstrated its willingness to impose significant fines on entities that fail to implement appropriate safeguards, regardless of the number of affected individuals or the content of the specific PHI involved in a particular breach. Covered Entities, business associates, and subcontractors are well advised to have robust compliance plans in place and to update them as necessary to comply with the applicable federal and state laws.

Any report of a breach may prompt an OCR investigation of an entity’s privacy and security practices. Contact Frier Levitt to ensure that your business reports any 2016 HIPAA breach appropriately and on time, and to review your policies and risk analysis for adherence to HIPAA laws and regulations.