Year-End Breach Notification and the Importance of HIPAA Plan Review

Article

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires every Covered Entity that knows or should know of a breach of Protected Health Information (PHI) to notify the individuals affected by the breach and to report the incident to the Federal government. A breach affecting fewer than 500 individuals does not require immediate reporting to the Secretary of the U.S. Department of Health and Human Services, but it must be included in an annual report submitted no later than 60 days after the end of the calendar year in which the breach occurred, and that report must include a detailed accounting of each breach.

Therefore, Covered Entities that have experienced a breach in 2015 are required to report to the Secretary by March 1, 2016. Failure to comply with HIPAA regulations may result in civil money penalties of as much as $1,500,000.00 as well as exclusion from participation in Medicare.

Frier Levitt assists clients with all aspects of HIPAA compliance, including breach notification and reporting to the Federal government. Equally important, however, is the review and revision of HIPAA plans and policies. In 2015, OCR imposed significant fines on entities for HIPAA violations based predominantly on the entities’ failure to maintain appropriate safeguards for PHI, rather than on the specific damage resulting from a particular breach. In one instance, a teaching hospital was fined $750,000 for a seemingly limited breach that included neither financial information nor social security numbers. During OCR’s investigation, however, it was determined that the hospital exhibited widespread noncompliance and an overall failure to afford appropriate protection to its ePHI. Additionally, an insurance conglomerate was fined $3,500,000 primarily based on its failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI, its failure to conduct a thorough risk analysis, and its lack of appropriate business associate agreements with its subcontractors. These violations, which came to light in investigations prompted by the reporting of a breach, would have been avoided by enforcing an appropriate HIPAA plan and manual subject to periodic review.

Covered entities and business associates alike must ensure that they are in proper compliance with the HIPAA Privacy and Security Rules. OCR, through recent settlements, has demonstrated its propensity to impose significant fines on entities that fail to implement appropriate safeguards, independent of the number of affected individuals and the content of the specific PHI involved in the particular breach. Covered entities, business associates, and subcontractors are well advised to have robust compliance plans in place, updated as necessary to comply with applicable federal and state laws, and these plans must be adhered to by providers and staff alike.

Any report of a breach may prompt an OCR investigation of an entity’s privacy and security practices. Contact Frier Levitt to ensure that your business reports any 2015 HIPAA breach appropriately and on time, and to review your HIPAA policies and risk analysis for adherence to HIPAA laws and regulations.