Employers who sponsor health plans must prepare for compliance with revised rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). On January 25, 2013, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) published the final rule, also referred to as the “Omnibus Rule,” amending various provisions of the HIPAA privacy and security rules. Generally, the changes made under the Omnibus Rule implement statutory changes under the previously enacted Health Information Technology for Economic and Clinical Health Act (HITECH), as well as the Genetic Information Nondiscrimination Act of 2008 (GINA).
Specifically, the Omnibus Rule incorporates the penalty tier structure promulgated under HITECH, as reflected in the table below:
| Violation Category | Per Violation Penalty | Annual Cap (per identical provision, per calendar year) |
|---|---|---|
| Did Not Know | $100 - $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 - $50,000 | $1,500,000 |
| Willful Neglect - Timely Corrected | $10,000 - $50,000 | $1,500,000 |
| Willful Neglect - Not Timely Corrected | $50,000 | $1,500,000 |
This penalty structure applies to violations occurring on or after February 18, 2009, but additional changes to HHS’ enforcement authority have been incorporated under the Omnibus Rule and become effective March 26, 2013.
In determining the amount of the penalty, HHS will consider the surrounding facts and circumstances (e.g., the nature and extent of the violation, how often it occurred, and the resulting harm). No penalty may be imposed, however, for a violation that occurred for reasons other than willful neglect if the violation is corrected within 30 days of the date on which the plan (or its agent) knew, or by exercising reasonable diligence should have known, of the violation. For a violation that occurs due to willful neglect, HHS must impose a penalty; however, the lower willful-neglect tier applies if the violation is corrected within the applicable 30-day period. It is entirely plausible that health plans that fail to adopt and implement HIPAA policies and procedures in accordance with the Omnibus Rule will be subject to the highest tier of penalties in the event of an unauthorized use or disclosure of health information. Although these penalties are imposed against the health plan, they will generally be paid by the employer (or its liability insurer).
It is therefore imperative for health plans to implement HIPAA policies and procedures and require quick communication of violations to the privacy or security officer. In the event (or, more likely, when) a violation occurs, the health plan should act quickly to correct the violation and adequately document the correction process, including a description of the violation, the date on which the violation occurred, the date on which the plan (or agent) obtained knowledge of the violation and the steps that are being taken by the plan to avoid a similar violation in the future.
For more information on the effect of the Omnibus Rule on group health plans and other covered entities, join our complimentary webinar on April 4, 2013.