The Department of Health & Human Services’ Office for Civil Rights (OCR) believes employees’ confidential information is being mishandled and HIPAA security rules are being ignored. The result: OCR is conducting audits like crazy.
That was the stark warning given by Employment Attorney Jason Sheffield at the 29th Annual Benefits Forum & Expo in Nashville.
Part of the problem is the out-of-sight, out-of-mind mentality that’s pervasive among many employers. A number of firms incorrectly assume that if a plan is outsourced, the HIPAA compliance issues are out of their hands.
Of course that’s a faulty assumption in many cases, and employers can wind up owing a lot of money for having that mentality.
Single vs. Subsequent identical violations
Sheffield used the OCR’s new tiered enforcement schedule to show employers just how costly HIPAA violations could be.
Here are the major categories of HIPAA violations, as well as the costs for each initial violation:
- (A) Did Not Know — $100-$50,000
- (B) Reasonable Cause — $1,000-$50,000
- (C) Willful Neglect (Corrected) — $10,000-$50,000
- (D) Willful Neglect (Uncorrected) — Up to $50,000
While these violations are costly on their own, it’s the subsequent identical violations per calendar year employers really have to watch out for. Reason: Subsequent identical violations carry $1.5 million fines in each of the four violation categories. There’s no range in the penalty; employers that get dinged here will get hit with a flat $1.5M penalty.
And that’s where the feds are hoping to make their money.
As Sheffield warned, if the auditors come once and find something, they’ll come back expecting to find the same problem again.
Haven’t updated for 2013 changes
That’s why HIPAA compliance — and having a designated HIPAA compliance officer — should be a top priority for employers, particularly self-funded plans. Many self-funded plans haven’t updated all their plan materials to comply with the updated 2013 privacy regs. And with the feds on the audit trail, it’s only a matter of time before that will catch up with them.
So what should employers do? One strong safeguard is conducting security risk assessments for all group health plans. Another underused tactic: In the request-for-proposal process, asking all brokers, insurers, vendors, etc., for a copy of their HIPAA policies and procedures.