What is Willful Neglect Under HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, spells out rules and regulations for the privacy and protection of individually identifiable health information. The HIPAA Privacy Rule and the HIPAA Security Rule establish standards related to the implementation of physical, administrative, and technical safeguards to ensure that PHI or Protected Health Information is handled with the utmost confidentiality and integrity.
The failure to adhere to the regulations established under HIPAA can lead to criminal and civil penalties, followed by progressive disciplinary actions. These penalties apply to healthcare entities, as well as individuals.
The reckless or intentional failure to comply with the rules set forward under HIPAA is what is referred to as “Willful Neglect.” Violations resulting from willful neglect can carry severe penalties, civil or criminal, depending on the exact facts of the case.
Case in point
In early 2011, the HHS (The Department of Health and Human Services) levied a fine of $4.3 million on an entity named Cignet Health Center for willful neglect. What’s unique about this case is that the entity was not fined for breach of privacy.
Instead, the penalties were applied as a result of the entity’s inability to submit 41 patient requests for access to health information. $3 million of the fine was applied for the entity’s refusal to cooperate with the investigation carried out by the OCR (Office for Civil Rights).
This particular case is evidence of the HHS’s commitment to enforcing HIPAA in its entirety and not just the privacy provisions. It is also indicative of the government’s perspective on “claims of ignorance” and the refusal to cooperate with investigations.
The HHS, in 2013, published the results of the compulsory Phase 1 onsite audit. Their report pointed out that around 47 of 59 healthcare providers and 20 of 35 healthcare plans were unable to offer accurate and complete risk analyses.
Phase II audits generally focus on covered entities, such as specialists. These audits are not carried out onsite. Instead, they deal with documentation. The goal is to identify common errors in the first audit and reinforce the importance of risk analysis.
In a presentation called “Compliance for Success: OIG and HIPAA” which was presented to the American Society of Interventional Pain Physicians, it was found that almost all cases of willful neglect reported by the government carried fines ranging from $50,000 to $2.3 million.
Around 50% of these cases had nothing to do with breaches. Instead, they were related to the lack of written HIPAA policies and procedures, HIPAA training certificates for employees, and written risk assessments.
The American Psychological Association has pointed out that a large number of solo and small-scale practices have often been at the receiving end of the HHS’s wrath, despite enforcement being focused on large providers. To put it simply, the government will not tolerate violation of the HIPAA statutes from any provider, big or small.
What are the penalties?
The penalties for HIPAA violations are divided into two categories – civil and criminal. These penalties apply to all healthcare providers and their BAs.
Section 13410(D) of the HITECH Act, which came into effect on February 18, 2009, revising section 1176(a) of the Social Security Act, establishes four violation categories in line with increasing levels of criminal responsibility, four corresponding tiers of penalties with progressive penalties for each type of violation, and a maximum penalty fine of $1.5 million.
Here is the breakdown of penalties for civil violations:
- If the covered individual or entity violated the HIPAA statutes due to ignorance, a penalty ranging from $100 to $50,000 could be levied on said entity/individual per violation. A maximum of $1.5 million per year can be applied for violating identical provisions.
- If the covered entity/individual violated the HIPAA statutes for a reasonable cause, a penalty ranging from $1,000-$50,000 can be levied upon them for each violation. A maximum of $1.5 million per annum can be levied for violating identical provisions.
- HIPAA violations due to willful neglect that are corrected within the given time carry a penalty ranging from $10,000-$50,000 per violation. A maximum of $1.5 million per annum can be applied for violating identical provisions.
- HIPAA violations due to willful neglect that are not corrected within the given time carry a penalty of $50,000 or more per violation. A maximum of $1.5 million per annum can be applied for violating identical provisions.
Penalties for criminal violations entail a potential jail sentence of up to ten years for violating the HIPAA statutes for ‘malicious reasons or personal gain,’ ‘under false pretenses,’ and ‘with reasonable cause or unknowingly.’
Who are the Watchdogs?
Barring the HHS, covered entities and their BAs are required to monitor themselves and each other. Contrary to popular belief, most violations are not uncovered during audits. Instead, complaints primarily come from disgruntled employees and patients.