HITECH Business Associate Rule Tool Section 6: Penalties for Business Associate Noncompliance – UPDATED 02/05

OCR may impose civil monetary penalties on both CEs and BAs for violations of any of the requirements of the Privacy or Security Rules.

Where more than one CE or BA is responsible for a violation, each may be subject to CMPs. Organizations are liable for their employees’ and other agents’ acts “in accordance with the federal common law of agency.” This liability probably extends to BAs which are acting as agents.

For CMP purposes a “violation” is determined based on an “obligation to act or not act” under a regulatory provision, or in other words regulatory “requirements or prohibitions.” Where a given requirement or prohibition is repeated in both a general and a specific form in different provisions in the same subpart, only one violation is counted. Continuing violations, such as failure to have a BAC when required, are counted as a separate violation for each day they continue.

There are four penalty tiers, as follows:

  • The lowest tier provides for a minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about. “Reasonable diligence” is defined as “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.”
  • The second tier provides for a minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect”. “Reasonable cause” is defined as a situation where there are “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.”
  • The third tier provides for a minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect”. “Willful neglect” is defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition.
  • The fourth tier provides for a minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” that are not remedied within thirty days of the date that the CE or BA knew or should have known of the violation.
  • All tiers are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year.

These provisions are summarized in the following table.

Table 1 – Categories of Violations and Respective Penalty Amounts Available

| Violation Category | Each violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| (A) Did Not Know | $100 – $50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000 – $50,000 | $1,500,000 |
| (C) Willful Neglect – Corrected | $10,000 – $50,000 | $1,500,000 |
| (D) Willful Neglect – Not Corrected | $50,000 | $1,500,000 |

Factors affecting the possible penalty amount for each violation include the following:

  • “The nature of the violation, in light of the purpose of the rule violated.”
  • “The circumstances, including the consequences, of the violation, including but not limited to: (1) The time period during which the violation(s) occurred; (2) Whether the violation caused physical harm; (3) Whether the violation hindered or facilitated an individual’s ability to obtain health care; and (4) Whether the violation resulted in financial harm.”
  • “The degree of culpability of the covered entity, including but not limited to: (1) Whether the violation was intentional; and (2) Whether the violation was beyond the direct control of the covered entity.”
  • “Any history of prior compliance with the administrative simplification provisions, including violations, by the covered entity, including but not limited to: (1) Whether the current violation is the same or similar to prior violation(s); (2) Whether and to what extent the covered entity has attempted to correct previous violations; (3) How the covered entity has responded to technical assistance from the Secretary provided in the context of a compliance effort; and (4) How the covered entity has responded to prior complaints.”
  • “The financial condition of the covered entity, including but not limited to: (1) Whether the covered entity had financial difficulties that affected its ability to comply; (2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity to continue to provide, or to pay for, health care; and (3) The size of the covered entity.”
  • “Such other matters as justice may require.”

Civil penalties may not be imposed for an act which may be punishable under the HIPAA criminal penalty provisions; the CE or BA has the burden of raising and proving this as an affirmative defense. A CE or BA may also affirmatively defend itself by proving that a violation was “not due to willful neglect” and was corrected within 30 days of the first date on which the CE or BA “knew, or by exercising reasonable diligence would have known, that the violation occurred,” or within such longer period as DHHS in its discretion may allow.

The following examples demonstrate how violations may be determined.

Example 1:  Unauthorized access to PHI

  • BA allows unauthorized employee to access PHI on 20 individuals in a single computer file
  • Unauthorized access to PHI of 20 individuals = 20 violations
  • If BA could not have known about this violation in the exercise of due diligence (which seems unlikely): $100/violation = $2,000 penalty
  • If BA permitted this due to reasonable cause (it is not clear this would be possible): $1,000/violation = $20,000 penalty
  • If BA permitted this due to willful neglect (was recklessly indifferent to employee access activities): $500,000/violation = $1.5 million penalty ($10 million, capped)

Example 1 variation:  Assume unauthorized access is discovered during log review as part of OCR investigation of unrelated complaint two years after event

  • BA failed to notify CE for two years
    • One or 20 separate continuing violations? 730 violations (2 x 365) or 14,600 violations (2 x 365 x 20)
  • BA failed to notify OCR within 60 days of end of calendar year of breach
    • One continuing violation for ten months: 300 violations
  • “Could not have known”: Probably not acceptable
  • “Reasonable cause”: Probably not acceptable
  • Willful neglect, not corrected: $500,000/violation
    • 730 x $500,000 = $3.65 billion, capped at $1.5 million
    • 300 x $500,000 = $1.5 billion, capped at $1.5 million
    • $3 million penalty

Example 2:  Defective business associate contract

  • BA enters into five BACs with lower-tier BAs authorizing PHI uses not permitted by upstream BAC, including safeguards provision not adapted for HITECH requirements
  • 5 violations each of 2 separate provisions = 10 violations
  • If CE could not have known about this violation in the exercise of due diligence (which seems very unlikely): $100/violation = $1,000 penalty
  • If CE permitted this due to reasonable cause (which probably is not possible): $1,000/violation = $10,000 penalty
  • Probably would be held BA permitted this due to willful neglect: $500,000/violation = $1.5 million penalty
    • 10 x $500,000 = $5 million, capped at $1.5 million
  • Plus, probably at least one violation per transaction or event involving use or disclosure of PHI by lower-tier BA not authorized by violator’s upstream BAC

Example 3:  Negligent disposal of media

  • BA re-sells 100 used computers without scrubbing hard drives containing PHI on 1,000 individuals.
  • Potential violations:
    • Security Rule media re-use specification (100 violations)
      • Didn’t know: $10,000
      • Reasonable cause: $100,000
      • Willful neglect: $1.5 million ($50 million, capped)
    • Security Rule information access management standard (100 or 1,000 violations? – assume 1,000)
      • Didn’t know: $10,000 ($100,000, capped)
      • Reasonable cause: $100,000 ($1 million, capped)
      • Willful neglect: $1.5 million ($50 million, capped)
    • Probable violation of BAC PHI use and disclosure prohibition (1,000 violations)
      • Didn’t know: $25,000 ($100,000, capped)
      • Reasonable cause: $100,000 ($1 million, capped)
      • Willful neglect: $1.5 million ($500 million, capped)
    • Probably also presumed security breach if PHI was not properly encrypted
      • Didn’t know: $25,000 ($100,000, capped)
      • Reasonable cause: $100,000 ($1 million, capped)
      • Willful neglect: $1.5 million ($500 million, capped)
    • Total
      • Didn’t know: $70,000
      • Reasonable cause: $400,000
      • Willful neglect: $6 million

CMP Case Examples

The following are examples of OCR CMP actions:

Providence Health & Services.  The first regulatory action to obtain a financial resolution for HIPAA violations occurred after the theft of computer hard drives storing unencrypted information about over two hundred thousand individuals. The health care provider gave public notice and notified DHHS and took mitigating and corrective actions. OCR and Providence entered into an agreement under which Providence undertook a corrective action plan and paid a $100,000 financial settlement (not a CMP).

Cignet Health.  41 patients of this four-clinic health care provider filed complaints with OCR that Cignet would not grant them access to their records. Cignet ignored OCR’s investigative requests. OCR obtained a court order for production of the records, to which Cignet responded by producing records on some 4,500 patients rather than the relevant 41. OCR imposed CMPs of $4.3 million, largely based on continuing violations for failing to provide individuals with record access and failing to cooperate with OCR.

CVS and Rite Aid.  OCR and the Federal Trade Commission (“FTC”) pursued joint (but separate) actions against these pharmacy chains for disposing of health care information in unsecured dumpsters. CVS settled for $2.25 million and Rite Aid for $1 million. It is not clear how the settlement amounts were determined.

Blue Cross Blue Shield of Tennessee.   This health insurer experienced the theft of 57 hard drives containing unencrypted information on over one million individuals. It agreed to a corrective action plan and a settlement payment of $1.5 million.

Phoenix Cardiac.  This small physician practice permitted its physicians to use unencrypted, standard commercial email and cloud-based online calendaring for communications and scheduling which included unencrypted PHI. OCR imposed a fine of $100,000 and a corrective action plan.

A CMP Hypothetical

An understanding of the potential severity of CMPs might be helped by review of a hypothetical.

Assume the Oops! Clinic has decided to improve patient outreach (and perhaps patient care) by implementing an online portal through which patients can schedule appointments, provide information about their health status (e.g. glucometer readings for individuals with diabetes, blood pressure readings) and arrange to pay for care. From a patient care and administrative perspective this is probably a good thing.

The Oops! security official is also the clinic’s CIO, it’s been a few years since he’s reviewed HIPAA’s security requirements, and he’s under pressure to get the portal up and running. He therefore arranges to outsource the system to a third party, Inept BA LLC. Since it’s a technical contract and the CFO gripes about unnecessary legal expenses, the CIO figures he can handle it within his authority and Oops! enters into a standard services agreement with Inept BA. This standard agreement does not include the required elements for a BAC.

Inept BA and the CIO implement the portal and set it up so that patients can register online using their name and address as shown in the Oops! records. 500 patients choose to do so. For convenience, the system is set up so any of the 75 members of the Oops! staff can access information in any patient’s portal account. System logging is enabled but never reviewed, as nobody really has the time. Secure Sockets Layer (SSL) encryption is implemented for online transmissions, but stored data encryption is inconvenient and costs money and so is not implemented.

The system goes live on June 14, 2013. All appears to be going well. Then, in May 2016 the Oops! administrative systems are hacked, and the vulnerability is traced to the portal system. Because the hack affected patient financial data and other PHI, the CIO notifies the Oops! law firm, which advises him to notify OCR. He does so, and on June 14, 2012 OCR knocks on the door. The ensuing OCR investigation finds the following violations:

| Requirement/Prohibition Violated | Number of Violations |
|---|---|
| No risk analysis | Continuing for three years = 1,095 violations |
| No Business Associate Contract | Continuing for three years = 1,095 violations |
| No minimum necessary policies for staff use of portal information | Continuing for three years = 1,095 violations |
| No staff training on secure portal use | Continuing for three years = 1,095 violations |
| No authorization procedures for staff access | Per staff member = 75 violations |
| No workforce clearance procedures for staff access | Per staff member = 75 violations |
| No access control processes for staff access | Per staff member = 75 violations |
| No system log review | Continuing for three years? = 1,095 violations |
| No encryption of portal data in storage | Continuing for three years = 1,095 violations |
| Review of logs indicates ~9,000 events of staff access to portal information | ~9,000 minimum necessary violations; ~9,000 Privacy Rule “little security rule” violations |
| Patient registration does not provide for reliable authentication of patient users | Per patient = 500 violations |
| Review of logs indicates ~2,500 events of patient user access to portal | ~2,500 authentication violations; ~2,500 Privacy Rule “little security rule” violations |

The estimated total number of violations therefore exceeds 31,295, of 14 different requirements or prohibitions. Aggravating factors include the fact that some of the violations certainly created the vulnerability which led to the security breach, potentially causing patients financial harm, and that inadequate staff and patient access controls could have caused inaccurate data to be used for patient care.

In the ensuing proceedings, OCR took the position that the violations were attributable to willful neglect (third or fourth tier CMPs) by both Oops! and Inept BA. Oops! and Inept BA each blamed the other, and both tried to prove the violations were really due to reasonable cause (second tier).

At best, Oops! could wind up facing CMPs on the order of $7 million, while at worst CMPs could be at least $21 million. Inept BA will get off a little more lightly, as it was not responsible for Oops! security administrative and “little security rule” violations, but still faces millions in possible CMPs.

© 2013 John R. Christiansen