As most healthcare providers know, HIPAA requires that covered entities or business associates conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“ePHI”) held by the covered entity or business associate. Providers who receive Meaningful Use incentive payments from the Centers for Medicare and Medicaid Services (“CMS”) for implementing electronic health record (“EHR”) systems into their practices or operations are also likely aware of the fact that one of the many requirements for these incentive payments is to conduct a HIPAA security risk analysis annually. Now, perhaps more than ever before, both CMS and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) is demonstrating the importance of ensuring that these risk analyses are performed, or providers can face dire consequences. Below are the top reasons to conduct a thorough HIPAA security risk analysis.
1. Avoid HIPAA Fines and Penalties: HIPAA fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation. In the last year alone, we’ve seen several healthcare providers get fined millions of dollars for failing to properly conduct a HIPAA risk analysis. Advocate Health Care paid $5.5 million to OCR in connection with failing to perform a risk analysis. Oregon Health & Science University paid $2.7 million in penalties for failing to perform a risk analysis covering all ePHI within its enterprise. University of Mississippi Medical Center paid $2.75 million for failing to address known security risks. All three of these providers were also subject to Corrective Action Plans, which involve intensive government oversight of their information protection operations for several years.
2. Achieve EMR Meaningful Use and Receive Incentive Payments: As discussed in an earlier blog post, the Office of Inspector General has recommended that CMS address and recover the estimated $729 million in faulty payments by determining which providers did not actually meet the “Meaningful Use” criteria. CMS has already begun targeted risk-based audits in an effort to identify the inappropriate incentive payments. Clearly, new focus is being placed on the EHR incentive program and each provider is at risk for review or audit of their EHR use to ensure only proper payments were made. If you have not performed a HIPAA security risk analysis annually, as required by the Meaningful Use program, you may have received improper Meaningful Use payments from CMS.
Providers who have received an incentive payment or plan to make self-attestations about their use of an EHR should carefully review their eligibility for the incentive payment and maintain adequate support for their certifications of meaningful use. Federal regulations require documentation be kept for six years that supports the demonstration of meaningful use of EHRs required for the incentive payments.
3. Avoid Potential False Claims Act Liability for Improper Meaningful Use Payments: As demonstrated by the U.S. Department of Justice’s (the “DOJ”) recent settlement with the electronic health record vendor eClinicalWorks for $155 million (discussed in more detail here), False Claims Act liability can attach to providers certifying to Meaningful Use requirements without performing the mandated annual HIPAA security risk analysis. If the annual risk analysis has not been performed, the provider is not entitled to the EHR incentive payments for meaningful use. In the event a provider discovers an improper incentive payment, there are voluntary refund avenues available to diffuse the enforcement risk associated with these overpayments from CMS.
4. Protect Your Patients’ Health Information and Your Reputation: Your reputation as a healthcare provider is built on trust. This trust inherently assumes your patients’ sensitive health (and financial) information is adequately protected, and that risks and vulnerabilities that threaten that protection are meaningfully addressed. Should you have a significant breach or security incident, your patients will know about it. In part because you are legally obligated to inform them, but it could also become headline news. Performing thorough HIPAA security risk analyses ensures that you are doing everything you can to protect your patients’ ePHI, which protects your reputation as their trusted healthcare provider.
5. Avoid Investigative and/or Litigation Costs Associated with Non-Compliance: With any enforcement action comes heightened costs, including but not limited to fines, penalties, treble damages, and potential imprisonment. For example, under the False Claims Act, a provider could be liable for penalties up to $21,563 per claim wrongfully submitted, in addition to treble the amount received/billed to the government. As earlier noted, under HIPAA, fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.Under certain circumstances, individuals involved in submitting the claims could personally be held liable (criminally or civilly) as well. Voluntarily refunding improper EHR incentive payments is a much cheaper avenue to take. Similarly, incurring the expense of a qualified risk analysis vendor will always be cheaper and less troublesome than an OCR fine or an investigation into your HIPAA compliance.
If you need to evaluate a potential EHR incentive payment for Meaningful Use refund to CMS, or if you need assistance in conducting a HIPAA security risk analysis, please contact Julie Sullivan at 303.749.7255 or your usual Husch Blackwell attorney. For more information on HIPAA risk analyses in general, check out Julie Sullivan’s presentation here.
 45 CFR 164.308(a)(1)(ii)(A).