

HIPAA throws its weight around

Thursday, May 05, 2011

By Karen Gentry | MiBiz

WEST MICHIGAN — Employers need to be concerned about stepped-up HIPAA enforcement actions likely to result in monetary settlements.

The Health Insurance Portability and Accountability Act of 1996 has moved past the compliance stage into the enforcement stage. The U.S. Department of Health & Human Services Office of Civil Rights has created a new deputy director position to oversee enforcement. HIPAA, enacted in 1996, protects health insurance coverage for workers and their families when they change or lose their jobs, establishes national standards for electronic healthcare transactions, and aims to encourage the widespread use of electronic medical records. HIPAA also addresses the security and privacy of health data.

Norbert Kugele, partner with Warner Norcross & Judd LLP and chair of the firm’s HIPAA task force, said the new HITECH amendments to HIPAA increased the penalties and required HHS to go out and conduct audits.

“In the years leading up to this, there hasn’t been much formal enforcement activity,” Kugele said. “There’s never been a civil money penalty assessed against anybody. For the very first time, civil money penalties have been assessed.”

He said the new officer in charge of HIPAA enforcement told attendees at the National HIPAA Summit that there will be more settlements coming down the road. The HITECH amendment also allows HHS to keep any monies collected to help fund more enforcement activity.

Kugele said three recent cases are examples of the increased enforcement. The most significant action involved Maryland-based Cignet Health. The healthcare company was slapped with a $4.3 million civil penalty. Kugele said HHS received a number of complaints from individuals that Cignet wasn’t responding to requests for access to their medical records. After an HHS investigation, Cignet refused to cooperate and didn’t respond to subpoenas for records, resulting in a $1.3 million penalty and a $3 million penalty for refusal to cooperate with the HHS investigation.

Kugele noted companies can be assessed penalties of $50,000 per day, but are capped at $1.5 million per year.

Another enforcement case involving Massachusetts General Hospital resulted in a $1 million resolution agreement. In that case, an employee took some paper records home to work on at night and left the records on a subway the next day. The records were never recovered. Kugele said the underlying problem was that the hospital didn’t have any policies and procedures in place governing the removal of records from the hospital, including who could take records home and for what purpose.

In another case that was under the radar, Washington Inc. agreed to pay a $35,000 penalty and put in a corrective action plan due to allegations the management services company was using protected health information for marketing purposes without obtaining authorization from patients. Kugele said the company agreed to comply with HIPAA and “take certain actions within a given time frame.”

Tim Tornga, a partner with Mika Meyers Beckett & Jones PLC, advises employers to be aware of their obligations in creating a security policy, educating the workforce and periodically revisiting the policy, and tightening up procedures.

“Technology changes may require different responses to keep that information secure,” Tornga said. “The whole goal is to keep protected health information secure so that it doesn’t get disclosed beyond the patient or other authorized parties. Information can’t be made available to anyone other than the individual without the permission of the individual.”

Tornga and his colleagues recently dealt with an office where an employee took photocopies of some checks and then took money from some of those accounts. HIPAA became a factor in that case because names and account information fall under protected health information. Tornga said HIPAA’s security provisions include a three-step response: individuals known to be affected have to be notified, and if those affected reach the threshold of around 500 people, the media has to be notified. Regardless of the number, a report needs to be filed with HHS. Tornga’s client needed to know what their immediate response was, and secondly they needed to reexamine their privacy policies and security procedures.

Tornga’s practice with HIPAA mostly centers on healthcare plans and the employers who sponsor the healthcare plans.

“They need to have a privacy policy in place and that has a couple of other components to it,” Tornga said. “Then they have to evaluate and implement the appropriate security measures to prevent the misuse of protected health information.”

Tornga said HIPAA enforcement now allows individuals who see a breach in their own healthcare information to bring direct action against the plan provider as well as to complain to the federal agency.

Mark Crawford, VP of business development for Battle Creek Health System, said HIPAA compliance is about much more than policies and procedures and begins with an organizational commitment to being patient-centered.

“We exist to serve the best interest of our patients — and valuing their dignity, privacy and confidentiality are not simply legal priorities, but are strategic and missional priorities as well,” Crawford told MiBiz.

BCHS has an extensive compliance program with multiple policies and procedures to manage the range of HIPAA issues.

“It is important to understand HIPAA compliance as impacting everything from technology to vendor relationships to research to grievance processes to the range of caregivers who can or cannot access information,” Crawford said.

At BCHS, every new employee learns about HIPAA as part of a mandatory orientation program. Employees also take part in annual education and testing to assure they understand HIPAA rules and the impact they have on patient care, Crawford said. Protecting patient information is the right thing to do, and a legal requirement.

“We back up the training and policies with an extensive corporate compliance program to test and improve our systems,” Crawford said.
