What is Willful Neglect Under HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), spells out rules for the privacy and protection of health information. The HIPAA Privacy and Security Rules establish standards for implementing physical, administrative, and technical safeguards to ensure that Protected Health Information (PHI) is handled with the utmost confidentiality and integrity.
The failure to adhere to the regulations established under HIPAA can lead to criminal and civil penalties, followed by progressive disciplinary actions. These penalties apply to healthcare entities, as well as individuals.
The reckless or intentional failure to comply with the rules set forward under HIPAA is called “Willful Neglect.” Violations, as a result of willful neglect, can carry severe penalties, civil or criminal depending on the exact facts of the case.
Case in point
In early 2011, the HHS (The Department of Health and Human Services) levied a fine of $4.3 million on an entity named Cignet Health Center for willful neglect. What’s unique about this case is that the entity was not fined for breach of privacy.
Instead, the penalties were applied due to the entity’s inability to submit 41 patient requests for access to health information. A $3 million fine was applied for the entity’s refusal to cooperate with the investigation.
This particular case is evidence of the HHS’s commitment to enforcing HIPAA in its entirety and not just the privacy provisions. It also indicates the government’s perspective on “claims of ignorance” and the refusal to cooperate with investigations.
In 2013, the Department of Health and Human Services published the compulsory Phase 1 on-site audit results. Their report pointed out that around 47 of 59 healthcare providers and 20 of 35 healthcare plans could not offer accurate and complete risk analyses.
Phase II audits generally focus on covered entities, such as specialists. These audits are not carried out on-site. Instead, they deal with documentation. The goal is to identify common errors in the first audit and reinforce the importance of risk analysis.
In a presentation called “Compliance for Success: OIG and HIPAA,” which was presented to the American Society of Interventional Pain Physicians, it was found that almost all cases of willful neglect reported by the government carried fines ranging from $50,000 to $2.3 million.
Around 50% of these cases had nothing to do with breaches. Instead, they were related to the lack of written HIPAA policies and procedures, HIPAA training certificates for employees, and written risk assessments.
The American Psychological Association has pointed out that many small-scale practices have often been at the receiving end of the HHS’s wrath, despite enforcement being focused on large providers. Simply put, the government will not tolerate violating HIPAA statutes from any provider, big or small.
What are the penalties?
The penalties for HIPAA violations are divided into two categories – civil and criminal. These penalties apply to all healthcare providers and their BAs.
Section 13410(D) of the HITECH Act, which came into effect on February 18, 2009, revised section 1176(a) of the Social Security Act. It establishes four violation categories in line with increasing levels of criminal responsibility. Four tiers of penalties with progressive penalties for each type of violation, and a maximum penalty fine of $1.5 million.
Here is the breakdown of penalties for civil violations for covered entities and individuals:
- If the HIPAA statutes were violated due to ignorance, a penalty ranging from $100 to $50,000 could be levied on said entity/individual per violation. A maximum of $1.5 million per year can be applied for violating identical provisions.
- If HIPAA statutes were violated for a reasonable cause, a penalty ranging from $1,000-$50,000 could be levied upon them for each violation. A maximum of $1.5 million per annum can be levied for violating identical provisions.
- HIPAA violations due to willful neglect that are corrected within the given time carry a penalty ranging from $10,000-$50,000 per violation. A maximum of $1.5 million per annum can be applied for violating identical provisions.
- HIPAA violations due to willful neglect that are not corrected within the given time carry a penalty of $50,000 or more per violation. A maximum of $1.5 million per annum can be applied for violating identical provisions.
Penalties for criminal violations entail a potential jail sentence of up to ten years for violating the HIPAA statutes for ‘malicious reasons or personal gain,’ ‘under false pretenses,’ and ‘with reasonable cause or unknowingly.’
Who are the Watchdogs?
Barring the HHS, covered entities and their BAs are required to monitor themselves and each other. Contrary to popular belief, most violations are not uncovered during audits. Instead, complaints primarily come from disgruntled employees and patients.