
HIPAA HITECH...Is Your Agency in Compliance?

Author: Judi Newman

Buried in the Health Information Technology section of ARRA was legislation that will forever change how your agency handles information for your employee benefits clients. Following the HIPAA Privacy and Security Rules is not optional. As state attorneys general become more aware of how to pursue noncompliance by business associates, your chance of an audit grows.


Note: The following article provides information on HIPAA and its possible implications for agents. The views expressed are those of the author and do not necessarily reflect the views or interpretations of IIABA. As with any law, in order to ensure proper, legal compliance, we encourage you to consult with appropriate qualified counsel before implementing HIPAA regulations in your operations.

IMPORTANT: IIABA has developed an Executive Summary of the Privacy Rule Implementing HIPAA’s Privacy Requirements, and a Memorandum on Final HIPAA Privacy Regulations which was written by our outside counsel. IIABA members may access them by going to www.independentagent.com and clicking on the "Legal Advocacy" menu item on the left.


"Agent faces fines and penalties that could reach $1.5 million…"

Substantive Changes to the HIPAA Statute & Regulations

The American Recovery and Reinvestment Act of 2009 (ARRA) changed HIPAA. Major changes were made in “How Business Associates Must Comply with HIPAA” and “Clarification in Who Is a Business Associate.” These changes are all part of ARRA Title XIII, Health Information Technology.

Business Associates

Prior to the passage of ARRA and the HITECH Act, covered entities – such as health plans – were required to fully comply with the standards and requirements of HIPAA. However, prior to ARRA, business associates were not directly subject to governmental enforcement action: the only remedy available against a business associate was for a covered entity to terminate the arrangement or sue for breach of contract.

So, who is a Business Associate?

Note: In the original article a decision tree graphic appears here to help determine whether an entity is a business associate; the graphic is not reproduced in this text.

Under Section 13401 of ARRA, business associates are now required to directly comply with most provisions of the HIPAA Security Rule. With respect to compliance with the Privacy Rule, under Section 13404 of ARRA, business associates must comply with the Privacy Rule and also must comply with any changes to the Privacy Rule that were part of ARRA.

The Really Big Change

Under ARRA and HITECH, business associates are now held directly accountable by federal or state authorities for any failure to comply with HIPAA as amended by ARRA or its implementing regulations.

Changes to HIPAA Enforcement

The ARRA includes a number of changes to HIPAA’s enforcement provisions:

  • Direct Accountability for Business Associates. Sections 13401 and 13404 of ARRA provide that business associates can be held accountable by federal and state authorities for failure to comply with any applicable provisions of the Privacy and Security Rules.

  • Application of Criminal Penalties. Section 13409 of ARRA clarifies that HIPAA’s criminal penalties can be enforced against individuals, including (but not limited to) employees of a covered entity.

  • Civil Penalties Where Criminal Penalties Could Attach. Section 13410(a) of ARRA clarifies that the Secretary of the Department of Health and Human Services (HHS) and state attorneys general can pursue a civil HIPAA violation in cases where criminal penalties could attach but the Department of Justice declines to pursue the case. This section requires HHS to impose a civil monetary penalty if a violation is found to constitute willful neglect of the law.

Distribution of Civil Monetary Penalties

Section 13410(c) of ARRA requires that any civil monetary penalties or settlements collected for HIPAA violations be transferred to the HHS Office for Civil Rights to be used for enforcement purposes. (Currently, any civil penalties or settlements go to the general treasury.)

Tiered Increase in Civil Monetary Penalties

The current HIPAA statute sets civil penalties at $100 per violation, with an annual maximum of $25,000 for violations of the same requirement. Section 13410(d) of ARRA sets a new tiered penalty structure, based on the level of the HIPAA violation, which tops out at $50,000 per violation and an annual maximum of $1.5 million. HHS still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm.

Violation                                        Penalty per Violation   Annual Maximum
Tier A - Did not know                            $100                    $25,000
Tier B - Reasonable cause, not willful neglect   $1,000                  $100,000
Tier C - "Willful Neglect," corrected            $10,000                 $250,000
Tier D - "Willful Neglect," uncorrected          $50,000                 $1,500,000

Authorization for State Attorneys General Enforcement

Before ARRA, a handful of states authorized their attorneys general to enforce federal consumer protection laws (including HIPAA). Section 13410(e) of ARRA expressly authorizes all state attorneys general to enforce HIPAA in federal district court, which means that attorneys general in all states can enforce the law even if there is no state authorizing statute. The penalties imposed are limited to the former statutory maximum: $100 per violation and $25,000 annually for repeat violations of the same provision. When penalties are imposed, a portion of the penalty will go to the attorney general’s office.

Summary

Buried in the Health Information Technology section of ARRA was legislation that will forever change how your agency handles information for your employee benefits clients. Following the HIPAA Privacy and Security Rules is not optional. As state attorneys general become more aware of how to pursue noncompliance by business associates, your chance of an audit grows. After all, it will mean dollars for the state’s coffers.

Claiming ignorance of what you are required to do will not be an acceptable defense to avoid fines and penalties. Keep in mind that while you may have general liability and errors and omissions coverage, unless your policy has been amended to extend the coverage to fines and penalties, you are on your own.


By Judith H. Newman, President of Phaze II Consulting, Inc. Judi has worked on site with professional agents and brokers engaged in the sale and service of Employee Benefits to assist in their HIPAA HITECH compliance project. Phaze II Consulting, Inc. also provides consulting services to independent insurance agencies in matters of management issues, operations, planning, valuations and customized projects for individual clients.

Contact Judi Newman at 800-638-0657 or judinewman@aol.com for questions about business associate issues or for other assistance with your HIPAA HITECH compliance plan.

Copyright © 2010 by Phaze II Consulting, Inc. Used with permission.
All rights reserved. No part of this article may be reproduced in any form or
by electronic or mechanical means without permission from the publisher.
