HIPAA Violations for Noncompliance, Not Just Breaches

September 4, 2014

Even if your practice does not suffer a HIPAA breach of confidential patient data, being noncompliant can land you in hot water as well.

In light of the recent revelation of the breach of patient information at nearly 209 hospitals nationwide by Community Health Services, the need to comply with HIPAA has been brought to the forefront. By now it is common knowledge that breaches must be reported on both a state and national level. Yet I have been involved in a myriad of conversations that raise the question of whether noncompliance alone triggers a violation. The answer is simple: it does.

The basis for my answer stems from the Federal Register, initially on February 16, 2006, then again on January 25, 2013 (71 Fed. Reg. 8424 (Feb. 16, 2006), as amended at 78 Fed. Reg. 5690 (Jan. 25, 2013)). Section 160.306(a) of the CFR expressly states the following:

Right to file a complaint. A person who believes a covered entity or business associate [or subcontractor] is not complying with the administrative simplification provisions may file a complaint with the Secretary. (Emphasis added.)

Notice that the provision says "complying with administrative simplification provisions." It does not go on to say that an issue of compliance can be reported only in the event of a breach. This brings us to an all-important compliance area of HIPAA: policies, procedures, and practices. These items are assessed by HHS against the standard of "willful neglect" to determine whether or not a violation exists. Hence, it does not behoove a practice to have "ostrich syndrome" and ignore gaps in compliance. Once identified, they need to be addressed, because "[t]he Secretary may conduct a compliance review to determine whether a covered entity or business associate [or subcontractor] is complying with the applicable provisions in any other circumstance" (78 Fed. Reg. 5690 (Jan. 25, 2013)). In turn, this can trigger a request by HHS for records.

According to Section 160.402(a), if an administrative simplification provision has been violated, even as a purely technical violation, the Secretary "will impose a monetary penalty." And if more than one entity is involved, they all will be held responsible.

To sum it all up:

• Do not turn a "blind eye" to compliance with HIPAA administrative simplification rules;

• A breach is not necessary in order to trigger an investigation;

• Compliance items form the basis for a HIPAA violation; and

• Make sure policies, procedures, and practices are documented.