Subtitle A--Fraud and Abuse Control Program
Sec. 201. Fraud and abuse control program.
Sec. 202. Medicare integrity program.
Sec. 203. Beneficiary incentive programs.
Sec. 204. Application of certain health antifraud and abuse sanctions to fraud and abuse against Federal health care programs.
Sec. 205. Guidance regarding application of health care fraud and abuse sanctions.

Subtitle B--Revisions to Current Sanctions for Fraud and Abuse
Sec. 211. Mandatory exclusion from participation in Medicare and State health care programs.
Sec. 212. Establishment of minimum period of exclusion for certain individuals and entities subject to permissive exclusion from Medicare and State health care programs.
Sec. 213. Permissive exclusion of individuals with ownership or control interest in sanctioned entities.
Sec. 214. Sanctions against practitioners and persons for failure to comply with statutory obligations.
Sec. 215. Intermediate sanctions for Medicare health maintenance organizations.
Sec. 216. Additional exception to anti-kickback penalties for risk-sharing arrangements.
Sec. 217. Criminal penalty for fraudulent disposition of assets in order to obtain Medicaid benefits.
Sec. 218. Effective date.

Subtitle C--Data Collection
Sec. 221. Establishment of the health care fraud and abuse data collection program.

Subtitle D--Civil Monetary Penalties
Sec. 231. Social Security Act civil monetary penalties.
Sec. 232. Penalty for false certification for home health services.

Subtitle E--Revisions to Criminal Law
Sec. 241. Definitions relating to Federal health care offense.
Sec. 242. Health care fraud.
Sec. 243. Theft or embezzlement.
Sec. 244. False statements.
Sec. 245. Obstruction of criminal investigations of health care offenses.
Sec. 246. Laundering of monetary instruments.
Sec. 247. Injunctive relief relating to health care offenses.
Sec. 248. Authorized investigative demand procedures.
Sec. 249. Forfeitures for Federal health care offenses.
Sec. 250. Relation to ERISA authority.
One-time violations stay under $50k, but repeat violations within the same year can carry a fine of $1.5 million across all HIPAA violation categories, up substantially from the previous $250k minimum. The new penalty structure for healthcare data breaches aligns with recent data from the Ponemon Institute, which found that recurring healthcare data breaches are increasing among respondents: 45 percent (up from 29 percent in 2010) reported more than five incidents in the last two years. The average economic impact of a healthcare data breach has also increased by $400k since 2010, to a total of $2.4 million. In addition to federal fines, investigation and legal costs, business downtime and decreased credibility all contribute to the economic loss suffered by businesses that undergo such healthcare data breaches. The increase in HIPAA violation fines is a direct response to the epidemic of repeat healthcare data breaches and the rising costs to the healthcare industry.

What is essential to understand is that HIPAA's standards and monetary penalties now apply to a wide range of healthcare vendors and their subcontractors. Even if you didn't know you were violating HIPAA, you can still be penalized and charged accordingly. This means that if you support the healthcare industry or handle patient data in any way, you should be familiar with the requirements of HIPAA to avoid significant government fines.

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow the penalties to be increased to a $100,000 fine and up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.
Due Diligence
An organization is in violation, but it has taken every possible step it could have foreseen to prevent that.

Reasonable Cause
The steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but something wasn't addressed yet. The violation is due to reasonable cause and not willful neglect.

Willful Neglect
Two types are distinguished. The first is when a company clearly ignores the HIPAA law but corrects its mistake within the given amount of time. The second is when a company ignores the HIPAA law and does not correct its mistake.
Where do you fall? HIPAA Civil Penalties Review
By Dr. Jose I. Delgado
Health Insurance Portability & Accountability Act (HIPAA)
• Signed into law in 1996
• Protects patient information
• Defines requirements of electronic records
• Establishes mandatory fines for violations
Title II – Preventing Health Care Fraud
• Fraud and Abuse Program
• Civil Monetary Penalties
• Revisions to Criminal Law
Monetary Penalties
• Civil penalties
  – $100 for each violation of the law, to a limit of $1,500,000 per year for violations of the same requirement.
• Criminal sanctions
  – $50,000 to $250,000 and one to ten years imprisonment.
Data Breaches Penalty Structure – Civil Penalties

Violation Type                 Each                 Repeat/year
Did Not Know                   $100 – $50,000       $1,500,000
Reasonable Cause               $1,000 – $50,000     $1,500,000
Willful Neglect Corrected      $10,000 – $50,000    $1,500,000
Willful Neglect Not Corrected  $50,000              $1,500,000
Didn't know / Due Diligence
• An organization is in violation, but it has taken every possible step it could have foreseen to prevent that.
  – Minimum fine: $100 per incident
  – Maximum fine: $50,000 per violation
Reasonable Cause
• The steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but something wasn't addressed yet. The violation is due to reasonable cause and not willful neglect.
  – Minimum fine: $1,000 per incident
  – Maximum fine: $50,000 per violation
Willful Neglect (Corrects mistake)
• The organization clearly ignores the HIPAA law but corrects its mistake within the given amount of time.
  – Minimum fine: $10,000 per incident
  – Maximum fine: $50,000 per violation
Willful Neglect (Doesn't correct mistake)
• The organization ignores the HIPAA law and does not correct its mistake.
  – Minimum fine: $50,000 per incident
  – Maximum fine: $50,000 per incident
Brief Self Analysis (answer Yes or No to each requirement)
1. Conducted Privacy Gap Analysis
2. Conducted Security Gap Analysis
3. Corrected deficiencies identified in Gap Analysis
4. Conducted Risk Assessment
5. Corrected deficiencies identified in Risk Analysis
6. Trained employees
7. Have Policies and Procedures and they have been updated
8. Have Business Associate Agreements and the same have been updated in accordance with the Omnibus Rule
9. Has a designated Privacy Officer and proof of actions for this position
10. Has a designated Security Officer and proof of actions for this position
Self-Analysis Results
• Any No answer may result in fines
• Self Analysis covers less than 1% of requirements
• Ignorance of the law is no excuse!!!
Criminal Penalties
• Separate from civil penalties
• May be in addition to the civil penalties
• Responsibility of the Department of Justice
• Misuse of health information can be fined up to $250,000 and up to 10 years of imprisonment
Recommendations
• If you are going to play, learn the rules
• In case of doubt, look for assistance
• I know where I fall; do you?

www.TainoConsultants.com
Taino Consultants Inc.
Dr. Jose I. Delgado