Lawyer: Ignore HIPAA at your own risk

Penalties can cost millions

Employers who ignore or are only partially compliant with healthcare privacy issues could face greater government scrutiny and fines, says Philadelphia attorney Christopher Ezold.

This new focus on compliance applies to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA requires that a “covered entity” maintain the privacy of protected health information (PHI). Covered entities include healthcare providers, health plans and healthcare clearinghouses, and HIPAA’s obligations extend to their business associates.

[See also: Q&A: OCR Director Leon Rodriguez talks audits and enforcements.]

HIPAA does not apply to all employer-provided health insurance, but it does apply to employer-sponsored health plans and, therefore, to employers who sponsor those types of plans.

A partner at Philadelphia-based The Ezold Law Firm, P.C., which focuses on business, employment and healthcare law, Ezold warns that while enforcement of PHI rules has been lax in the past, the Department of Health and Human Services (HHS) has recently imposed penalties of more than $1 million on companies found in violation of HIPAA.

For example, on June 26, 2012, HHS announced that the Alaska Department of Health and Social Services agreed to pay a $1.7 million fine to settle possible violations.

On March 13, 2012, HHS announced Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million to settle potential HIPAA violations.

[See also: Tennessee Blues to pay $1.5M as result of data breach.]

Smaller employers have also found themselves on the receiving end of a HIPAA audit. This is a strong reminder for businesses to revisit their compliance programs, Ezold said.

HHS’s Office for Civil Rights (OCR) has stepped up HIPAA audits of covered entities and has begun levying significant monetary penalties for violations of HIPAA’s privacy rule. In practice, OCR is not interested in small fines; it has levied penalties in the hundreds of thousands and even millions of dollars for what appeared at first glance to be small issues, according to Ezold.

“If OCR comes knocking, you may be able to avoid significant liability by showing that you have engaged in a good faith attempt to meet your obligations,” says Ezold.

He suggests holding an annual internal review to ensure that the privacy requirements are being met. OCR will not consider a once-and-done review to be sufficient; annual reviews provide better protection than merely doing an initial assessment.

[See also: As OCR promises more fines, two CIOs offer tips on risk assessments.]
