A Masochist’s Guide to Getting a Huge, Painful HIPAA Penalty: HIPAA & HITECH Act Blog by Jonathan P. Tomes

A cynic might wonder whether some covered entities, and now business associates, want to become famous (perhaps infamous would be a better word) and break the record for a HIPAA penalty or settlement in lieu thereof. Well, if you are so inclined, don’t fret. Here, as opposed to my normal blog posts on how to avoid what I call “HIPAA hassles,” is my guidance on the surest ways not only to get on the Department of Health and Human Services (“HHS”) so-called “Wall of Shame,” which lists HIPAA breaches, but also to incur the largest possible financial HIPAA penalty. The top three methods to achieve this notoriety are failing to perform written risk analysis, playing fast and loose with portable devices, and failing to adopt reasonable and appropriate written policies and procedures to protect your health information based on the written risk analysis.

You are really going to have to go some, however, to beat the current recordholder, Anthem, Inc., an independent licensee of the Blue Cross and Blue Shield Association and the second largest health insurer in the country. Topping Anthem’s $16 million settlement would require hard work (or perhaps determined failure to put in the compliance work).

That scenario brings us to the single best way to challenge Anthem’s record: Fail to perform a thorough written risk analysis. One of Anthem’s compliance failures was a violation of 45 C.F.R. § 164.308(u)(1)(ii)(A)―that is, failure to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of electronic protected health information (“EPHI”). This ground is by far the most common issue leading in whole or in part to a civil money penalty (“CMP”) or settlement in lieu thereof. And, just think, if you never conduct the initial compliant risk analysis, you won’t have to worry about updating it under the Evaluation Standard, 45 C.F.R. § 164.308(a)(8). Blue Cross/Blue Shield of Tennessee’s $1.5 million settlement pales next to Anthem’s for failing to update their risk analysis when they moved their IT to a new leased location.

Ok, so maybe you’ve already done your written risk analysis and have even updated it properly. What’s the next best way to get yourself on the Wall of Shame or to have to write that painfully large check to HHS? Play fast and loose with your laptops and other portable devices! Although not having performed a written risk analysis is the single biggest category of HIPAA violations, loss or theft of a portable device is the most common occurrence leading to a CMP or settlement in lieu thereof (“SILT”―that is, a material deposited as a sediment, such as mud, slime, or ooze). Failure to perform a risk analysis of such portable devices and to implement reasonable and appropriate security measures, such as encryption, can get you that big CMP or SILT. Although encryption is addressable, not required, when wouldn’t encryption be reasonable and appropriate for a mobile device, considering the risk of loss or theft? So you could hit both of the top two categories by not performing a risk analysis of your portable devices! See HHS.gov, “Stolen Laptops Lead to Important HIPAA Settlements,” at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/concentra-health-services/index.html.

The next category of the big three is failure to have written, implemented, and enforced policies and procedures to protect your individually identifiable health information (and to train your workforce on them). Another ground for Anthem’s record-breaking (lack of) performance was violation of 45 C.F.R. § 164.312(a)―that is, failure to implement sufficient technical policies and procedures for electronic information systems that maintain EPHI and to allow only authorized persons/software programs to access that EPHI.

Of course, you can certainly up your chances of causing your HIPAA penalty to sail past the $16 million mark if you combine all three of these major categories of HIPAA violations, as some covered entities have, often adding failure to train to the other three.

Further, if you really want a challenge, you could try to beat the $16 million mark by committing a less common type of violation that has led to a CMP or a SILT in the past. The honorable mentions go to these violations:

  • Failure to have a written business associate agreement in place.
  • Failure to cooperate with the HHS Office for Civil Rights (“OCR”) in an investigation of HIPAA violations.
  • Unauthorized disclosures to the press.
  • Disposing of PHI without shredding paper records or destroying electronic data.

And there are certainly others. What will the next one be?

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business―in other words, the opposite point of view of Jon’s tongue-in-cheek blog item above. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbookor https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.

If you would like to hear a webinar by Jon Tomes on this topic (well, the flipside actually―that is, how to avoid the HIPAA penalties), consider signing up for his upcoming webinar on the topic “How to Avoid Seven-Figure HIPAA Civil Money Penalties and Other Disasters” at https://www.edupliance.com/webinar/how-to-avoid-seven-figure-hipaa-civil-money-penalties-and-other-disasters. This webinar is scheduled for Tuesday, May 21, 2019, noon to 1:30 pm CT.

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.

seo by: k.c. seo