Home Health & Hospice Week
Now The Fine Will Fit The HIPAA Crime — Or At Least Violation
Don’t forget to add inflation updates to the final fine amount. Experiencing a HIPAA breach may be more likely than ever before, but at least the cost of one is becoming less punishing — unless it involves willful neglect that’s not corrected. That’s because the feds are drastically reducing penalty caps for HIPAA violations, active immediately. Background: The Department of Health and Human Services published the “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties” in the Federal Register on April 30. Acting on HITECH Act provisions, HHS determined that current CMP caps for HIPAA violations do not differentiate accordingly with the levels of culpability under the four Tiers, indicates an HHS release. Under the current HIPAA Enforcement Rule, HHS “applies an annual upper limit of $1.5 million for each of the four culpability tiers,” reminds the notice However, that kind of one-fine-fits-all methodology doesn’t seem fair and contributes to the feds’ reasoning. “HHS modified this approach and will now apply a different annual cap to each Tier, thus making the Tiers more meaningful and softening the financial impact of HIPAA violations that fall into the lower Tiers,” explain attorneys H. Carol Saul and Madison Pool with Arnall Golden Gregory, in online analysis of the notice. Tier 1 (No Knowledge) violations now will carry a CMP level up to $25,000, Tier 2 (Reasonable Cause) $100,000, and Tier 3 (Willful Neglect: Corrected) $250,000. Tier 4 (Willful Neglect: Not Corrected) will remain at $1.5 million. According to HHS, CMP caps needed to be updated to align with culpability levels outlined in the HITECH Act. In simple terms, it didn’t seem fair that a covered entity (CE) who unknowingly committed a HIPAA violation (Tier 1) should have the same annual limit and financial accountability as a CE who willfully neglected to correct actions that led to a HIPAA violation (Tier 4). “While most of the annual maximums have been reduced, the concept of tying the penalty to the level of culpability has been in the law all along, and the former $1.5 million annual limit for any type violation didn’t reflect that,” says Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems in Charlotte, Vermont. “But keep in mind that the maximums are for any one violation type, and in an incident, there are usually several rules at play, so the maximums can easily be multiplied.” New Limits = More Scrutiny? The reduced limits are sure to come as a relief to providers worried about the financial aftershocks of a breach, but experts warn that providers aren’t off the HIPAA compliance hook. In fact, the changes signal to many that the HHS Office for Civil Rights is placing more importance on following through on risk management than ever before. And CEs racking up violations must prepare themselves for heightened scrutiny of their compliance planning. “If an organization does not do a sufficient job of addressing the rules, an incomplete compliance effort, such as ignoring repeated recommendations to reduce risks, can easily be seen as a more culpable situation,” Sheldon-Dean warns. This puts “the entity into a higher penalty bracket, and the new distinction between penalty levels may provide a greater opportunity for HHS to reasonably use the ‘willful neglect’ levels of penalty.” That’s why it may be more fiscally savvy to put your money into risk assessment and analysis upfront instead of after the fact. Tip: “The costs of non-compliance are usually far greater than the costs of compliance with HIPAA — the rules are, for the most part, common-sense based,” says Sheldon-Dean. And, he reminds providers not to forget about inflation when calculating annual limits. “Also, keep in mind that all of the penalty levels have had their numbers adjusted by a roughly 14 percent cost-of-living adjustment, so that the $1.5 million maximum for a Tier 4 penalty is now $1,711,533,” Sheldon-Dean cautions. Bottom line: For the past 13 years, IBM and the Ponemon Institute have published an annual “Cost of a Data Breach Study,” and as the risks have increased, so have the costs. Last year’s results concluded that “the global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million,” notes the study. “The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year to $148.” The 2019 report is expected sometime this summer. Watch for: In the rule, HHS also noted “that it would engage in future rulemaking ‘to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act,’” note attorneys George Breen and Patricia Wagner with Epstein Becker & Green in online analysis. “With these changes, organizations with robust privacy and security compliance programs (with strong reporting mechanisms) may see an advantage of being in the lower penalty tiers in the event a violation occurs,” Breen and Wagner point out. Note: Review the “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties” at www.govinfo.gov/content/pkg/FR-2019-04-30/pdf/2019-08530.pdf.
Home Health & Hospice Week
- Patient-Driven Groupings Model:
Majority Of HHAs Expect To Decrease Therapy Under PDGM, Survey Says
Providers also plan to drop therapists — both contract and directly employed. The elimination of [...] - Therapy:
Consider These Strategies When Devising Your PDGM Plan
Cutting therapy brings serious compliance risks, industry leader warns. Home health agencies can’t afford to [...] - HIPAA:
Now The Fine Will Fit The HIPAA Crime — Or At Least Violation
Don’t forget to add inflation updates to the final fine amount. Experiencing a HIPAA breach [...] - Human Resources:
Create Or Bolster Your Employee Handbook Now
A well-written handbook can ensure consistency. Now’s the time to make sure you have a [...] - Industry Note:
New PEPPER Reports Expected Next Month
Sign up for training on how to use the free benchmarking info. Next month you’ll [...] - Industry Note:
Check Your RAP Numbers
PEPPER reports aren’t the only Medicare sources for seeing how you stack up to your [...] - Industry Note:
Prepare For Switch To HETS
The first step of the elimination of ELGA, ELGH, HIQA, and HIQH inquiries is here. [...] - Industry Note:
CMS Continues Its Medicaid Fraud-Fighting Campaign
A year into its Medicaid Program Integrity Strategy, the Trump administration is ready to claim [...] - Industry Note:
HHS Awaits Permanent Inspector General
The Department of Health & Human Services has yet to fill its Inspector General position [...] - Industry Note:
Watch For Safe Harbor Rule This Month
In addition to fireworks and the highly anticipated 2020 home health payment proposed rule, July [...] - Industry Note:
Heed NPWT Change
If you bill for Negative Pressure Wound Therapy (NPWT) Using a Disposable Device, don’t overlook [...] - Industry Note:
Tap Free Video Training
If watching videos is your preferred mode of education, HHH Medicare Administrative Contractor CGS has [...] - Industry Note:
Note Appeals Changes
On July 8, multiple changes to Medicare appeals rules will take effect. Those revisions range [...] - Industry Note:
State To Give Home Care Workers Back Pay
At press time, more than 49,000 Illinois home care workers were scheduled to get back [...] - Industry Note:
Former Hospice Owner Sentenced In Arkansas
A former hospice owner has been sentenced in state court to five years in prison [...] - Industry Note:
Fight Readmissions With Nutrition
If you’re trying to whittle down your hospital readmission rates, you may want to look [...]
