The Health Information Technology for Economic and Clinical Health (HITECH) Act changed the ballgame for sanctions related to HIPAA violations.
The Act provides a tiered system for assessing the level of each violation and the penalty it carries. CMS, which enforces the HIPAA Security Rule, and the Office for Civil Rights, which enforces the HIPAA Privacy Rule, can supersede the following limits, but only up to a cap of $50,000 per violation and $1.5 million per calendar year for violations of the same type. The tiers are:
- Tier A is for cases in which offenders didn't realize they violated the Act and would have handled the matter differently if they had
  - Minimum per violation: $100
  - Maximum per calendar year: $25,000
- Tier B is for violations "due to reasonable cause, and not to willful neglect," though HHS still must define "reasonable cause"
  - Minimum per violation: $1,000
  - Maximum per calendar year: $50,000
- Tier C is for infringements that were due to willful neglect but that the organization corrected
  - Minimum per violation: $10,000
  - Maximum per calendar year: $250,000
- Tier D is for violations due to willful neglect that the organization did not correct
  - Minimum per violation: $50,000
  - Maximum per calendar year: $1.5 million
How does the sanction structure look at your facility? HIPAA requires covered entities to have a structured sanction policy in place.
The American Health Information Management Association addressed handling breaches internally in a recent practice brief.
AHIMA proposes two sanctioning models that demonstrate categories and mitigating factors:
- Categories of privacy incidents: The organization creates categories defining the significance and impact of the privacy or security incident to help guide corrective action and remediation steps.
- Multifactor model: The organization takes corrective action and bases remediation on the highest level of category indicated.
Privacy and security experts agree facilities should take a look at their internal sanctions.
"I would look at the wording in your policies and remove any examples of different violations," says Dena Boggan, CPC, CMC, CCP, who is HIPAA Privacy/Security Officer at St. Dominic Jackson Memorial Hospital in Jackson, MS. "We're focusing on the tiers and if things were unintentional or intentional. (HHS) did a pretty good job at explaining what the tiers were."
Some of the other highlights from the revamped internal sanctions policy at St. Dominic, a 500-bed, 3,500-employee system, are:
Tier setup. Much like HITECH, St. Dominic rewrote its sanctions to reflect a tier system. It established levels of breach, such as intentional, unintentional, malicious intent, or personal gain.
Internal process. St. Dominic documents in its policy the steps it takes when it knows an employee accessed information inappropriately. "The worst thing to do is to not let them know how you're handling the process," Boggan says.
Use of "generally." Lawyers at St. Dominic suggested using "generally" when documenting what a sanction may be. "We wanted to give ourselves leeway," Boggan says. So instead of limiting themselves to a concrete fine, the word "generally" opens the door. For example, the offender is "generally" subject to disciplinary actions.
Sign them up. St. Dominic gets its employees to sign a nondisclosure form stating they will not inappropriately access PHI, and if they do there may be disciplinary actions.