Stay on Top of Changing Regulations: HIPAA Privacy Enforcement Taking on Greater Emphasis

The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in February 2009, extended civil and criminal penalties for violations of HIPAA beyond covered entities—healthcare providers, payers and healthcare clearinghouses—to business associates* and others. Under HITECH, business associates or even individual employees of the covered entity may be subject to criminal fines and imprisonment for HIPAA privacy violations as follows:

| Tier | Criminal Violation | Minimum Penalty |
| --- | --- | --- |
| Tier 1 | Knowingly** obtaining or disclosing individually identifiable health information | Fine of up to $50,000, up to 1 year imprisonment, or both |
| Tier 2 | Offenses committed under false pretenses | Fine of up to $100,000, up to 5 years imprisonment, or both |
| Tier 3 | Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm | Fine of up to $250,000, up to 10 years imprisonment, or both |

*A business associate is a person or entity that performs functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A covered entity is a health care provider, payer or health care clearinghouse.

**The Department of Justice (DOJ) interprets “knowingly” as requiring only knowledge of the actions performed; specific knowledge that the action violates HIPAA is not required.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published final rules for privacy, security, breach notification and enforcement on January 25, 2013. Compliance will be required for privacy and security changes 180 days following publication in the Federal Register. Reporting and enforcement mechanisms are being put in place to gather data and begin to monitor compliance.

Breaches of protected health information must be reported. According to a report by the HHS Office for Civil Rights, breaches affected more than 5.4 million people in 2010. Breaches involving 500 or more individuals made up less than 1% of reports yet impacted 99% of people whose information was compromised. The largest breaches occurred as a result of theft.

HHS has awarded a contract to KPMG to establish an audit protocol and begin auditing business associates' and covered entities' compliance with the HIPAA privacy standards as amended by HITECH. The audits will include site visits, interviews with leadership, evaluation of the consistency of process to policy, and observation of compliance.

McKesson Provides Tools to Help Address the Migration to ICD-10

With the new compliance date from the Centers for Medicare & Medicaid (CMS), there's urgency to keep moving forward with preparations for migrating to the ICD-10 code sets by the transition on October 1, 2014. ICD-10 migration will have extensive impact on both the clinical and financial departments of your organization. McKesson offers resources to help in your compliance efforts:

While the size of the HIPAA rule for ICD-10 pales in comparison to the Stage 2 Meaningful Use final rules, the organizational impact of the transition is equally significant. McKesson encourages providers to remain focused on the ICD-10 migration, since coding drives reimbursement. If you find you need help with your migration activities, McKesson offers ICD-10 services to help you assess your ICD-10 readiness, develop your roadmap, and manage risk and implementation.