Medicare Compliance & Reimbursement

HIPAA:

Compliance Changes Do Not Equal Relaxed Standards

HHS still expects providers to pay for non-compliant behavior.

Providers that base their security rule compliance on the Office for Civil Rights' enforcement history could get slapped with civil money penalties (CMPs), according to the Department of Health and Human Services.

That message came across loud and clear last month when HHS published the proposed enforcement rule in the Federal Register. The proposal will allow the Centers for Medicare and Medicaid Services to enforce the security rule in the same fashion as the Office for Civil Rights chose to do with the privacy rule - through provider education and voluntary compliance.

But providers shouldn't think that means they can loosen security rule policies, warns Patricia Markus, an attorney with Smith Moore in Raleigh, NC. The proposed rule allows CMS to apply CMPs of up to a $100 penalty per violation and up to $25,000 for identical violations within a calendar year.

Providers can receive separate CMPs for violating the security and privacy rules in the same occurrence, and providers can receive multiple penalties for multiple violations of the same requirement.

Hidden trap: The proposed rule also states that providers could be held liable for CMPs imposed on an affiliated covered entity.

Watch Tricky 'Person' Definition

The proposed enforcement rule clarifies a few sticking points, notes John Parmigiani, VP of consulting services for Quick Compliance in Avon, CT. Notably, the rule states that the term "person" in the security rule refers to the organization as a whole, not individuals employed by the organization.

This is especially significant in cases where employees act against a provider's policies and procedures to knowingly inflict harm on patients, such as in the case of identity theft or selling financial data.

Smart strategy: Providers should make sure their risk planning lays out several tracking methods to ensure that staffers and business associates are on the up-and-up when it comes to protecting the privacy and security of patients' information. Remember: Even if a problem occurs with a business associate, providers can be held liable if they failed to ensure the associate's compliance, according to the proposed enforcement rule.

To read the proposed enforcement rule in the Federal Register, go to www.gpoaccess.gov/fr and search for "HIPAA." Then click on "HIPAA Administrative Simplification; Enforcement."
