HIPAA's Dark Side

by Dennis M. Warren, JD

Providers not yet compliant with the Privacy Rule could face criminal sanctions.


The provisions of the 1996 Health Insurance Portability and Accountability Act (HIPAA) represent one of the most pervasive government-imposed sets of changes to the American health care delivery system since the creation of federally funded health care in 1966. The Act creates significant changes in the level of access and portability of health care insurance; mandates “administrative simplification” in health care claims processing through the standardization of electronic data exchange; and establishes a sweeping set of national standards for protecting the privacy of patient identifiable information in its “Privacy Rule.”

The Privacy Rule is the short title for the Standards for Privacy of Individually Identifiable Health Information, which took effect on April 14, 2001, and was the subject of “final modifications” announced by the Department of Health and Human Services (HHS) on August 14, 2002. Providers have until April 14, 2003, to be in full compliance.

But there is much more to HIPAA. One aspect of HIPAA that has received little attention is its dramatic impact on government enforcement actions against providers and the potential for its civil and criminal penalty provisions to replace government prosecutions under the Federal False Claims Act as the most dreaded form of federal compliance intervention. If you are not yet in compliance with HIPAA, you need to be aware of the risks you will face for violations of the Act, particularly its Privacy Rule.

HIPAA Enforcement Risks
One of HIPAA’s first and most significant impacts was to greatly expand the federal government’s power to investigate, prosecute, sanction, and penalize providers. This result flowed naturally from five of its provisions.

First, HIPAA created a whole new class of criminal federal health care offenses. This included recasting the violation of, or the conspiracy to violate, nine preexisting laws as new health care offenses. It created four new offenses relating to the delivery of, or billing for, health care services: health care fraud, false statements, embezzlement, and obstruction. These developments apply to claims submitted to both government and non-government financed health care programs.

Second, the Act allows the government to exclude a provider from participation in all federal health care programs, including Medicaid and Champus/Tricare, based on an indictment, not a conviction, for an alleged violation or an Office of Inspector General (OIG) determination that a provider engaged in misconduct.

Third, it provided for two new sources of funding for federal antifraud efforts. This has led directly to the expansion of preexisting oversight, auditing, and prosecutorial actions against providers and the hiring of hundreds of new federal investigators and prosecutors. For example, between October 1, 2001, and March 31, 2002, the OIG reported 250 criminal convictions, 106 civil actions, 1,366 provider exclusions, and $781 million in overpayment recovery.

Fourth, it created a centralized federal data bank of information on providers for use by regulators, investigators, and prosecutors called the Health Care Integrity and Protection Data Bank.

Finally, the Act introduced a series of new regulatory, civil, and criminal sanctions for the violation of its own provisions. It is this last feature that has the potential for becoming the most important enforcement development in health care in recent history.

Criminal Sanctions
HIPAA’s provisions impose serious criminal penalties on providers for noncompliance. It transforms certain types of conduct currently seen as administrative or civil violations into criminal acts. Once transformed into criminal offenses, these acts become the subject of severe monetary penalties and imprisonment, as well as mandatory exclusion from participation in all federally funded health care programs.

This combination of sanctions is a powerful tool for government regulators and prosecutors. It represents a virtual death sentence for any provider participating in government-financed health care programs. By comparison, the Federal False Claims Act contains no imprisonment provisions and does not invoke mandatory exclusion. However, both Acts share the common element of providing regulators and prosecutors with a wide range of discretion to seek large penalties against health care providers based on broad statutory language that is frequently subject to unclear and unreliable interpretation.

Privacy Rule NonCompliance
Among HIPAA’s criminal sanctions, the provisions relating to the “wrongful disclosure” of individually identifiable health information are most striking. If you “knowingly” violate HIPAA’s privacy provisions you are in danger of criminal liability. “Knowingly” does not necessarily mean that you disclosed information intentionally in violation of HIPAA. It merely means you disclosed information that the government later determined was a violation of the Privacy Rule.

A criminal violation occurs if you “knowingly” release individually identifiable health information without complying with, or in violation of, HIPAA’s provisions. This includes using or facilitating the use of a “unique health identifier,” obtaining individually identifiable health information, or disclosing individually identifiable health information to another person.

Intentions Count
HIPAA creates three categories of criminal sanctions, each with increasingly severe penalties, based on the alleged state of mind of the person accused. (See the table “HIPAA Privacy Rule NonCompliance Criminal Sanctions.”)

The sanctions for noncompliance range from $50,000, and up to 1 year imprisonment, for each “knowing” violation, to $250,000, and up to 10 years imprisonment, for each act of noncompliance that is alleged to have occurred because the accused individual acted for commercial advantage, personal gain, or with “malicious harm.”

Criminal actions under HIPAA, similar to those brought under the Federal False Claims Act, will be handled by professional prosecutors in the various offices of the United States Attorney, not by HHS’ Office of Civil Rights. The category in which any act of non-compliance will be placed is within the discretion of a government prosecutor.

HIPAA Privacy Rule NonCompliance Criminal Sanctions

HIPAA imposes the following criminal sanctions for each act of non-compliance with the Standards for Privacy of Individually Identifiable Health Information, “The Privacy Rule.”

Violation Type                                          | Monetary Penalty | Imprisonment
Knowing                                                 | $50,000          | Up to 1 year
False Pretenses                                         | $100,000         | Up to 5 years
Commercial advantage, personal gain, or malicious harm  | $250,000         | Up to 10 years

Examining The Risks
HIPAA’s “state of mind” standard for classifying alleged acts of noncompliance raises disturbing implications for providers when combined with a number of related provisions in the Act.

The “knowing” standard for violations is not defined and does not require criminal or wrongful intent. The Federal False Claims Act uses identical language and permits civil actions against providers when the government alleges that the providers were grossly negligent, reckless, or deliberately ignorant regarding the consequences of their actions.

This ability of the government to bring criminal cases on such broad allegations ensures that enforcement and much of the meaning of HIPAA’s Privacy Rule will develop on a case-by-case basis. The focus of what constitutes noncompliance will become a question of degree and one of interpretation.

What is clear, however, is that an affirmative obligation is placed on the provider to properly interpret the provisions of the Privacy Rule as it applies to the unique circumstances and conditions of its business. HIPAA’s “Minimum Necessary Rule” holds that a provider must make reasonable efforts to limit the use and disclosure of protected information to the minimum necessary to accomplish the intended purpose of the use or disclosure. What is “reasonable” and what is “minimally necessary” becomes part of the equation in determining whether a person has “knowingly” used or disclosed protected information in violation of the Act.

The answer to this equation will depend on the particular facts of a transaction and will invariably be a flashpoint for disagreement between prosecutors and providers. What happens, for example, if a provider releases protected information, believing the release to be acceptable, only to face an allegation later that the release violated the Privacy Rule? Will the provider’s belief that the release was acceptable demonstrate his or her lack of intent to violate HIPAA and prevent legal action? The answer will depend on whether the provider made reasonable efforts to limit the use and distribution of the information to the minimum necessary to accomplish the intended purpose of the use or disclosure. If these elements of HIPAA were not met by the provider, a “knowing” violation probably occurred.

Furthermore, because the sanctions in each category are for each alleged violation, if a provider is alleged to have engaged in four releases of protected information that are subsequently found to be “knowing,” the potential sanctions would be $200,000 and up to 4 years imprisonment. If the provider is alleged to have released the protected information on four occasions for “commercial advantage,” the potential sanctions would be $1,000,000 and up to 40 years imprisonment.

Finally, any person or entity that learns of actions by a provider that appear to violate the Privacy Rule may file a complaint with HHS’ Office of Civil Rights. Even if the person filing the report is not the subject of the protected information, the Office of Civil Rights is obligated to review the matter and initiate an investigation if warranted.

If the Office of Civil Rights determines that a HIPAA violation occurred, it may negotiate a corrective action plan with the provider, seek civil monetary penalties, or recommend criminal prosecution, depending on the facts of the case.

A civil monetary penalty of $100 for each act of noncompliance may be imposed, in lieu of criminal prosecution, for less serious cases. If multiple acts of noncompliance involve an “identical requirement or prohibition,” a maximum penalty of $25,000 may be imposed in any calendar year for such acts.

The liability risks for non-compliance with HIPAA, and particularly its Privacy Rule, should act as a powerful incentive for providers to devote the necessary time and resources to fully understand and fully implement the Act prior to the April 14, 2003, compliance deadline. Maintaining ongoing education and compliance efforts thereafter will be central to avoiding sanctions. Compliance with HIPAA is mandatory. The failure to acknowledge this reality and take the necessary steps now to be in full compliance will almost assuredly result in liability exposure in the future.


Dennis M. Warren, JD, is a consultant, educator, and legal counsel for medical supply manufacturers, suppliers, and associations. Contact his office in Sacramento, Calif, at (916) 447-9999.


Copyright © 2009 Ascend Media LLC | HME TODAY | All Rights Reserved.