A news report caught my eye, “HIPAA Enforcement Swings from Voluntary Compliance to Punishment for Violation of Privacy and Security Laws as States Join Federal Enforcement Under Federal Mandate.”
Well, first of all HIPAA is *NOT* voluntary! The folks in the Office for Civil Rights (OCR) and Centers for Medicare and Medicaid Services (CMS) enforcement offices will tell you that. However, the lack of any fines or penalties to date certainly makes this seem like a law for which compliance is voluntary.
“States are ordered to actively investigate and prosecute both providers as well as business associates effective January 1, 2007. States are required to create a False Claims Division and keep the overwhelming majority of fines recovered.”
There are some thought-provoking topics covered in this report. Namely the relationship between the new guidelines for the False Claims Act (that go into effect January 1, 2007) and HIPAA compliance issues for CEs participating in Medicaid programs.
A significant motivator for compliance is that beginning in 2007, “whistleblowers” for violators of the new guidelines will be awarded 15% – 25% of any associated fines, depending upon the situation. This could definitely motivate employees, former employees, and patients/customers to report what they believe are HIPAA violations when they may not have to date.
This could bring the Department of Justice (DOJ) into the HIPAA compliance and enforcement mix.
State Attorney General’s False Claims Act Divisions may also now be involved with HIPAA enforcement, likely along with other state agencies.
The report singles out “lack of email security, audit trails and administrative controls expose information and leave the provider and their business associates to liability. The investigation might be overt or covert and may be started by complaints of patient service, quality, poor documentation, claim of medically unnecessary testing, over use of diagnostic testing, preformed procedures not supported by appropriate documentation and the like. State enforcers will be rewarded with a share of the double and triple damages awards.”
In reality noncompliance of any of the HIPAA Privacy Rule and/or Security Rule requirements exposes all covered entities (CEs), not just providers, to liabilities, as it always has. However, with significantly more enforcement groups able to pursue noncompliance and apply fines and penalties, as the report claims, CEs and business associates (BAs) needs to be more diligent than in the past with their compliance efforts.
It is worth checking the new False Claims Act guidelines to see what it in fact states. Remember, as you read this you will likely need to reference back to the actual False Claims Acts regulation itself.
Hmmm…a rather dry and hard to interpret piece of reading, isn’t it? It is not overtly tied to HIPAA at all; the key aspect relating it to CEs is the Medicaid particiption issue. I can see how most CEs would not realize the impact of this new requirement.
I would not necessarily interpret the new guidelines in the same way as the report.
The new requirements appear to have the most direct impact on states by requiring them to pass new laws and to establish the new False Claims Act Division, which includes the requirement to establish rewards for “qui tam relators” (the whistleblowers). It will also shine the compliance spotlight more brightly upon CEs and BAs that participate in and receive monies for the Medicaid program.
Having a good controls program, by implementing HIPAA Privacy Rule and Security Rule requirements, would help to prevent the fraud discussed within the guidelines, as well as demonstrate due diligence.
The National Conference of State Legislatures provides guidance to states for implementing the new requirements.
After spending some time searching for some posted legal advice to CEs regarding the impact of the new requirements, I could really find nothing good to pass along. I’m frustrated; I want to know more about this!
I have found, though, there have been some significantly large penalties the DOJ has applied under the False Claims Act; so this could create quite a huge change in HIPAA compliance with the DOJ getting involved with penalty decisions…going from a smack on the hand to potential beheading. Here are a few of the recent penalties:
*
“Age Refining to Pay United States $9 Million to Resolve False Claims Act Allegations WASHINGTON — Age Refining Inc., the company’s former affiliate, Age Transportation, and Albert Gonzalez, the founder and chairman emeritus of Age Refining have agreed to pay the United States $9 million and reform its business practices as part of a settlement to resolve allegations of false certification in connection with government contracts.”
“Tenet Healthcare Corporation to Pay U.S. more than $900 Million to Resolve False Claims Act Allegations WASHINGTON ‚Äì Tenet Healthcare Corporation, operator of the nation’s second largest hospital chain, has agreed to pay the United States more than $900 million for alleged unlawful billing practices, Assistant Attorney General Peter D. Keisler of the Civil Division and U.S. Attorney Debra Wong Yang of the Central District of California in Los Angeles announced today.”
“Corporate Express Pays United States $5.02 Million to Resolve False Claims Act Allegations WASHINGTON, D.C. ‚Äî Corporate Express Office Products has paid the United States $5.02 million to settle allegations that it submitted false claims when it sold office supply products manufactured in countries not permitted by the Trade Agreements Act to United States government agencies, the Justice Department announced today.”
It is worth noting the new False Claims Act guidelines will not only impact HIPAA, but other laws and regulations as well that are involved with Medicaid programs.
As with all legal issues, be sure to discuss this with your organization’s legal counsel to determine how it will impact your organization and help you to plan for any necessary changes or activities to prepare for the potential impacts.
Tags: awareness and training, False Claims Act, HIPAA, Information Security, IT compliance, policies and procedures, privacy