Featured Health Business Daily Story, Feb. 12, 2010
‘Willful Neglect’ Is Difficult to Pin Down, but Can Result in Enormous HIPAA Penalties
Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.
Until this year, HIPAA civil monetary penalties (CMPs) represented something of an empty threat to covered entities because the fines were almost never imposed. Yet with the signing of the HITECH Act, which ups enforcement using a tiered penalty system, and the recent government push toward accountability, the possibility of a HIPAA violation has become a much scarier thought.
A privacy breach due to “willful neglect” that was corrected within 30 days and affected 100 individuals, which would have cost an organization $10,000 in prior years, will now cost a minimum of $1 million.
Covered entities (CEs) — and also business associates, who are now subject to civil and criminal penalties as of this month — need to know what actions (or lack thereof) can push them into the “willful neglect” category, which carries the most severe fines. They may be surprised to learn that routine inaction or procrastination by busy organizations could be categorized as enormously costly willful neglect.
The interim final rule regarding enforcement, published in the Oct. 30, 2009, Federal Register, uses the same language as the previous enforcement rule, stating: “Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”
One step below willful neglect on the CMP tier is “reasonable cause,” which is defined as “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.”
Brian Annulis, attorney with Meade & Roach in Chicago, says reasonable cause applies in situations when a covered entity has appropriate policies and procedures in place, but those policies and procedures are not followed — for instance, an employee does not set up password protection on a computer — and a breach ensues. He cites the Aug. 25, 2009, Blue Cross Blue Shield Association (BCBSA) security breach, in which a laptop containing confidential information for as many as 850,000 health care providers was stolen out of an employee’s car. The employee had violated company regulations by downloading an unencrypted version of the information onto a personal laptop. As Annulis sees it, since the CE had formal policies and procedures regarding encryption, a breach such as that one should not constitute willful neglect.
The most obvious demonstration of willful neglect would be when a covered entity has no preventative policies and procedures in place and a breach occurs. Annulis notes that seven years into HIPAA compliance, it’s unlikely that a CE or BA would have no formal protocol.
Greg Young, the privacy officer at Mammoth Hospital in California, however, believes that many small doctors’ offices and clinics still lack policies and procedures because they “don’t feel it’s necessary or don’t want to spend the money. They just want to take care of their patients, not realizing that part of taking care of patients is taking care of their information.” For instance, he recalls walking into a local doctor’s office where the receptionist’s computer screen faced outward toward the waiting room.
Don’t Leave Policies on a Shelf
“The greatest danger” for an organization, according to former director of OCR Richard Campanelli, now an attorney with Baker & Daniels LLP, is having policies and procedures that no one is enforcing and that employees are not educated about. “A policy on a shelf is not going to be very helpful — it won’t be helpful in protecting privacy and security, and it won’t be helpful in responding to an investigation,” he says. Once a violation occurs, the fact that the policy exists signals to OCR that the organization knows what it should be doing and has chosen not to comply.
For example, says Campanelli, if a covered entity is “experiencing problems debugging the access-control software it implemented” but never solves the issue, the covered entity shows that it “knows its basic obligation and knows it has a fundamental problem.” The CE is willfully neglecting its duties by giving up on that problem.
Annulis and Bob Coffield, an attorney with Flaherty, Sensabaugh & Bonasso, PLLC, both say that if an organization experiences a breach due to reasonable cause but does not take care of the security problem and consequently suffers a second breach, the scenario would be classified as willful neglect. At that point, the organization has demonstrated “reckless indifference.”
Document Actions and Nonactions
For example, Annulis says, if a CE found out it “had a glitch in [its] electronic medical record system that allowed for remote access and someone was able to get in and peek around, and following that [the CE] didn’t do anything to fix it,” the next violation moves up the CMP ladder. “It’s like, ‘fool me once, shame on you; fool me twice, shame on me’ — you have to learn from it,” says Annulis.
There are still some gray areas, however, which require case-by-case analysis. For instance, says Annulis, if one employee out of 1,000 loses a personal digital assistant (PDA), a CE could argue that it’s not engaging in willful neglect by not requiring password protection on all PDAs. But if it has “1,000 employees and 10% of employees misplace or lose PDAs on a monthly basis,” Annulis says, that’s a different story. “The facts and circumstances of this particular situation are relevant.”
The same goes for the destruction of PHI. “If it’s one slip of paper [that’s not destroyed], does that happen? Yes,” says Coffield, of Charleston, W.Va. “But if it’s a pattern situation when the policy specifies you can’t do that and it’s been brought to the attention of the privacy officer,” then that is likely to constitute willful neglect.
According to Coffield, when a privacy officer becomes aware of a complaint, he or she should always take “some action, even if it’s documentation of no action and the basis and reason for doing so.” Having evidence of an attempt at compliance is sure to save some heartache if HHS comes knocking.
Young emphasizes the importance of documenting employee education efforts, as well. “It’s not enough to say, for instance, that we had a staff meeting. Who was at that staff meeting? What was discussed? It doesn’t take much time, it’s just a habit you need to get into and do for every single training.” An ex-cop, Young also encourages privacy officers and other management personnel to “get out of the office, get on the floor and walk around and see what people are doing,” which he likens to being on patrol.
If a breach does occur, OCR will look at the individual circumstances, says Campanelli, and take into account an organization’s efforts at implementing safeguards. “Having procedures in place, training people in those procedures, and taking action when you find a problem — that’s the best position you can be in,” Campanelli says.