Over the last few years, a number of health care providers and other “covered entities” (both large and small) have been audited and penalized by the government for improper breaches of protected health information. Enforcement actions taken have varied, ranging from mere warnings to criminal prosecution.

II.   HITECH Raises the Bar for Providers

The “Health Information Technology for Economic and Clinical Health Act” (HITECH) contains a number of significant privacy provisions impacting health care providers.  Two of these provisions include:  (1) The initiation of privacy audits by contractors working for the  Department of Health and Human Services (HHS), Office of Civil Rights (OCR); and (2) The sharing of Civil Monetary Penalties assessed in response to an improper breach with the affected patients.

• Privacy Audits

As OCR has announced, the agency has initiated an audit program intended to help ensure that health care providers are complying with the various medical records privacy provisions laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  To do so, OCR has contracted with several nationally-recognized audit firms for the purpose of auditing health care provider compliance with HIPAA’s privacy provisions.

When will audits begin? According to OCR, the initial audits of provider compliance with HIPAA / HITECH requirements began in November 2011. Once these initial audits are completed, OCR intends to focus the remaining audits on the issues and concerns identified in the contractors’ first preliminary audits. At this time, all audits are anticipated to be completed by December 2012.

If prior “pilot” programs are any indication of how these audits will be handled, we anticipate that OCR will ultimately adopt an ongoing audit HIPAA / HITECH process, tasked with assessing the compliance of health care providers, covered entities and business associates. It is essential that you critically review your current practices – after you have been audited, it will likely be too late to avoid the imposition of penalties.

How will HIPAA / HITECH audits be conducted? According to OCR, organizations selected for audit will be notified by the agency of their selection. At that time, they will be asked to provide “documentation of their privacy and security compliance efforts.” During this pilot period, each of the covered entities audited will receive a site visit. During the site visit, contractor representatives will be required to interview key personnel. The contractors will also review the covered entity’s practices and determine whether their operations fully comply with HIPAA’s / HITECH’s privacy requirements. After completing the site visit, a draft report will be prepared which outlines how the audit was handled, the conclusions that were reached by the contractor and the remedial actions that were taken by the covered entity. The draft report will be shared with the covered entity prior to finalization and the covered entity will have a chance to respond to the contractor’s findings.

• Sharing of Civil Monetary Penalties

In addition to the HIPAA audit protocol discussed above, HITECH includes a seemingly-innocuous section which commands the Secretary HHS to establish a methodology to distribute a percentage of Civil Monetary Penalties to individuals harmed by an improper breach of protected health information or another HIPAA violation. For instance, if a patient’s medical records or other protected health information is inappropriately accessed or divulged to unauthorized persons and the OCR ultimately investigates the violation and assesses Civil Monetary Penalties against a provider or other covered entity in connection with the breach, the harmed patient may be eligible to receive a portion of the penalties collected by the government.

On its surface, such a clause seems reasonable – after all, why not compensate those who have been hurt by a wrongful disclosure or breach? However, this law (and its soon-to-be-created implementing regulations) will likely have extensive repercussions in reporting and enforcement of HIPAA violations. Giving patients a financial incentive to report wrongful disclosures and breaches of their protected health information will likely lead to increased reporting of incidents since harmed patients may now be eligible to share in any penalties collected.  Similar laws which allow private individuals to receive a portion of penalties and other funds recovered, such as the False Claims Act (FCA), have been extremely successful in detecting and deterring fraudulent activity. While HITECH does not create a “private right of action” for HIPAA violations and is substantially different from the FCA, it is important to note that their basic principles are the same. By giving private citizens, with perhaps greater and more immediate knowledge of an issue than the government, a real reason to report a problem, these problems can be more quickly and effectively remedied.

In 1986, when the FCA was overhauled with new provisions that gave private citizens more power and a greater likelihood of collecting money, the FCA’s usage skyrocketed. In what could be a very similar situation, affected individuals with the chance to receive a portion of fines and penalties will be far more likely to aggressively report and pursue these violations. For covered entities (comprising virtually all providers, billers and business associates), this means that implementing effective HIPAA privacy policies should be at the top of your compliance “to-do” list.

III.   How Health Care Providers Should Respond

Among their first steps, health care providers and other covered entities should:

• Ensure that patient protected health information is fully secured and protected.
• Take steps to prevent improper access by authorized parties.
• Ensure that anyone who accessing protected health information is properly logged so that patients can readily obtain an accounting or listing of anyone who has reviewed all or part of their records. This log should also document the purpose for assessing the record.
• Take steps to prevent the access of protected health information by authorized personnel for unauthorized reasons.
• Take steps to better ensure that no protected health information is inappropriately disclosed to third parties.

While the points outlined are essential, they are far from all-inclusive.  It is imperative that you identify qualified counsel to assist you in meeting your HIPAA / HITECH obligations.

Further, when handling protected health information, health care providers must remain mindful of the “minimum necessary” rule.  Health care providers, other covered entities and business associates who handling protected health information must only disclose the minimum information necessary for a requesting entity to properly do its job.

Ultimately, all health care providers, covered entities and business associates should take reasonable steps to help ensure that applicable HIPAA / HITECH provisions are fully met.

• Extended the whistleblower protection provisions to cover both “contractors” and “agents” in addition to employees who allege that they were subjected to retaliation when they tried to put an end to False Claims Act violations by their employer.  Prior to the recent amendments, the whistleblower provisions only typically applied to actual employees of health care providers.  Now, both “contractors” and “agents” may avail themselves of the Act’s whistleblower protections.
• Revised the definition of “obligation” to expressly include knowingly retaining mere overpayments despite the fact that a CMHC may have accidentally been overpaid.  Providers may now be liable under the False Claims Act, regardless of whether the overpayment was caused as a result of a mistake.  Providers may now find themselves subject to liability under the False Claims Act, including its penalty and damages provisions even though the overpayment accidentally occurred.
• Expanded the scope of Civil Investigative Demands (CIDs) to now make it easier for DOJ to use these investigative tools.  Additionally, the changes enhanced the ability of DOJ to issue CIDs.  From a practical standpoint, this will make it much easier for DOJ prosecutors to initiate investigations into potential False Claims Act violations.

Should you have any questions regarding these issues, don’t hesitate to contact us.  For a complementary consultation, you may call Robert W. Liles or one of our other attorneys at 1 (800) 475-1906.

Iowa Senator Chuck Grassley last week introduced a wide-ranging bill to prevent fraud,

Senator Grassley outlined his plan to:

• Deter fraud with enhanced screening to improve the governments ability to keep fraudulent providers from participating in these programs from the start;
• Limit tax dollars lost to fraud by giving the government more time to evaluate the legitimacy of Medicare providers before payment is required when fraud, waste and abuse is suspected that is allowed under the existing pay-and-chase model;
• Strengthen the governments ability to detect fraud with better disclosure requirements;
• Enhance coordination among federal agencies responsible for fighting fraud, including sharing data sources; and,
• Improve enforcement capabilities by expanding the range of activity subject to penalties and toughening existing penalties.

“This bill brings together common sense, bipartisan initiatives to fight fraud, waste and abuse in taxpayer-sponsored health care programs, which all face serious budgetary challenges”, Senator Grassley said.

Notably, this proposed legislation includes portions of bipartisan legislation Grassley introduced months ago to fortify the Federal False Claims Act (FCA). These measures are a response to Federal court decisions that have significantly limited the scope and applicability of the FCA. Senator Grassley, who was the original principal author of many whistleblower laws passed in 1986, argues that this would restore Congress’ original intent.  In the past few decades, over $22 billion have been returned to the U.S. Treasury from FCA-related litigation and settlements. The FCA is the primary civil enforcement tool used by the U.S. Department of Justice in addressing civil health care fraud violations and concerns.

Should you have any questions regarding these issues, don’t hesitate to contact us.  For a complementary consultation, you may call Robert W. Liles or one of our other attorneys at 1 (800) 475-1906.