The HITECH Act extended HIPAA enforcement authority to State Attorneys General. As part of a cooperative enforcement effort, last year the HHS Office for Civil Rights (OCR) provided all-expenses-paid training to the staff of the AGs. Yesterday, OCR posted the contents of last year’s State Attorney General HIPAA training for all of us to see.

One of the finer points that this author picked up from the training materials is that OCR retains the sledgehammer with massive penalties while giving AGs a lesser schedule of fines. HITECH revamped OCR’s Civil Monetary Penalties, creating a 4-tier penalty system that ranges from $100 to $50,000 per violation. The highest tier applies to willful neglect where the violation is not corrected within 30 days. OCR is limited to collecting $1.5 million per year for multiple violations of the same regulation.

On the other hand, State AGs are limited to collecting $100 per violation with a maximum of $25,000 per year for multiple violations of the same regulation. In addition, the State AG may be reimbursed for reasonable attorney fees.

The training materials cited a hypothetical case study of a pharmacy that disclosed the PHI of 1,500 customers to a business associate, which the pharmacy paid to make a treatment communication on its behalf. The pharmacy did not limit the PHI it disclosed to the minimum necessary, and did not include the required information about this practice in its notice of privacy practices that the pharmacy distributed to all 1,500 customers.

The materials find that the pharmacy violated the “minimum necessary” regulation 1,500 times, and the “Notice of Privacy Practices” regulation 1,500 times. Further, willful neglect was involved and the matter was not corrected within 30 days.

If OCR brings the enforcement action, the minimum necessary violation results in fines of $50,000 x 1,500 = $75 million. In addition, the Notice of Privacy Practices violation results in fines of $50,000 x 1,500 = $75 million. Combined, the total would be a whopping $150 million. However, HIPAA caps the amount that can be collected for multiple violations of the same regulation at $1.5 million in a single year. So, the maximum penalties are limited to $1.5 million plus $1.5 million, or $3.0 million.

I imagine that the State AGs felt like second-class citizens to learn that if they brought action against this pharmacy, they are limited to penalties of $100 per violation. Working the math, they are entitled to minimum necessary fines of $100 x 1,500 = $150,000. Next, the Notice of Privacy Practices violation is another $100 x 1,500 = $150,000. Both are limited to a State AG maximum of $25,000 for multiple violations of a single regulation in a year. So, their maximum penalties are limited to $25,000 + $25,000 = $50,000. In addition, they may be reimbursed for their attorney fees.

Interested readers may visit OCR’s State AG Training Information page for access to a full day of video presentations, copies of the slides, and computer-based-training materials.