HIPAA. The Physician Self-Referral Law (aka Stark law). The Anti-Kickback Statute. Price transparency. These and many other regulations keep healthcare compliance teams on track toward compliance, safety, and continuing quality improvement.
According to the American Hospital Association’s Regulatory Overload Report, healthcare organizations spend $39 billion per year on activities to comply with 629 federal regulatory requirements. With the recent addition of the Hospital Price Transparency Rule, the No Surprises Act, and CMS’ Interoperability Rules, that number has grown.
The financial consequences of healthcare regulatory non-compliance can be devastating. A major compliance violation that results in exclusion from government healthcare programs can even put a healthcare organization out of business. At minimum, the penalties range from hefty fines and legal fees to reputational damage and the resulting loss of business.
Increasingly, healthcare organizations with effective compliance programs use comprehensive risk assessments to comply with regulations to avoid financial and other consequences of noncompliance.
What is healthcare noncompliance?
Noncompliance is used in two contexts in healthcare:
- To refer to patients’ failure to follow their medical treatment plans (e.g., failing to take medication as prescribed)
- Regulatory noncompliance, whereby healthcare providers or other staff, vendors, and/or organizations fail to adhere to federal, state, and other healthcare regulations and accreditation body standards. Broadly speaking, these regulations and standards are designed to protect patients and prevent fraud and abuse.
Is noncompliance in healthcare the same as HIPAA?
Many in healthcare immediately think solely of the Health Insurance Portability and Accountability Act (HIPAA) when they hear the term “noncompliance.” HIPAA violations are serious events that carry severe financial consequences, but healthcare noncompliance encompasses countless other external regulations. For example, there are laws and regulations at the federal (e.g., Occupational Safety and Health Administration, or OSHA, standards) and state levels. There are accreditation standards (e.g., The Joint Commission). And of course healthcare organizations follow their own internal policies and procedures (e.g., the bylaws).
Here are some of the financial consequences of noncompliance with several major healthcare regulations.
HIPAA is a federal law that protects sensitive patient health information from being disclosed without the patient’s consent or knowledge. A major goal of the HIPAA Privacy Rule is to protect individuals’ health information while allowing the flow of health information needed to provide and promote high-quality healthcare and protect the public’s health and well-being.
HIPAA-covered entities—providers, health plans, and clearinghouses—and their business associates must follow the HIPAA Privacy, Security, and Breach Notification Rules. With a few exceptions, covered entities are permitted to use/disclose patients’ protected health information (PHI) without their consent only for treatment, payment, and healthcare operations.
What is a HIPAA violation?
A HIPAA violation occurs when a HIPAA-covered entity or its business associate fails to comply with one or more provisions of the HIPAA Privacy, Security, or Breach Notification Rules. Violations may be deliberate or unintentional. Disclosing too much PHI (violating the minimum necessary information standard) is an unintentional HIPAA violation. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although the penalties are lower than those for willful violations of HIPAA Rules.
Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures. An example of a deliberate violation is when healthcare organizations unnecessarily delay sending breach notification letters to patients (exceeding the maximum of 60 days following the discovery of a breach to issue notifications).
Since April 2003 (the institution of the Privacy Rule), the Department of Health and Human Services’ Office for Civil Rights (OCR) has received more than 290,000 HIPAA complaints and initiated roughly 1,100 compliance reviews. These are the most frequent HIPAA complaints related to PHI:
- Impermissible uses and disclosures
- Lack of safeguards for information
- Lack of patient access to their data
- Lack of administrative safeguards for electronic PHI (ePHI)
- Use or disclosure of more than the minimum necessary data
The 2020 CARES Act aligns with HIPAA
The Coronavirus Aid, Relief, and Economic Security Act (CARES) Act is a $2.2 trillion stimulus bill signed into law in March 2020 to provide relief for eligible healthcare providers, lessening some of the pandemic’s harmful effects. It has also helped providers to continue caring for the patients in their communities and across state lines via telemedicine.
According to the HIPAA Journal, those with substance abuse disorder (SUD) must also access treatment during the pandemic, which required changes to 42 CFR Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations. The HIPAA Journal states, “The CARES Act improves 42 CFR Part 2 regulations by expanding the ability of healthcare providers to share the records of individuals with SUD but also tightens the requirements in the event of a breach of confidentiality. In short, the changes made by the CARES Act have aligned 42 CFR Part 2 regulations more closely with HIPAA.”
2021 HIPAA Safe Harbor Law and financial penalties
In January 2021, the HIPAA Safe Harbor Bill (HR 7898)—intended to encourage healthcare organizations to improve their cybersecurity defenses—was signed into law and amended the HITECH Act.
Under the HIPAA Safe Harbor Bill, if a data breach occurs at a HIPAA-regulated entity, the HHS will take into account the cybersecurity best practices that the entity adopted in the 12 months preceding the data breach when considering HIPAA enforcement actions and calculating any financial penalties related to security breaches. The bill also requires the HHS to decrease the length and extent of any audits in response to those breaches if industry security best practices have been implemented.
Costly consequences of HIPAA noncompliance
The financial consequences of HIPAA non-compliance are steep—up to $50,000 in civil monetary penalties per violation, however minor. As of January 2022, OCR settled or imposed a civil monetary penalty in 106 cases resulting in a total of $131,392,632.
Fines for missing business associate agreements
A business associate is an individual or vendor—such as a billing company or IT contractor—that creates, receives, maintains, or transmits PHI on a healthcare organization’s behalf. Before information sharing begins, HIPAA requires covered entities to enter into contracts with their business associates, typically via business associate agreements (BAAs), to ensure that PHI is protected. Business associates may use or disclose PHI only as permitted or required by their BAA or as required by law.
The OCR can impose hefty fines and corrective action plans (CAPs) on organizations for failing to have a BAA in place with business associates. For example North Memorial Healthcare paid $1.55 million to settle a HIPAA violation case involving a lack of a BAA and comprehensive risk analysis. The healthcare organization failed to obtain a signed BAA before giving Accretive Health, Inc., access to PHI for payment operations. A laptop stolen from an Accretive Health employee contained unencrypted ePHI, resulting in a data breach that affected 290,000 patients.
Security breaches and breach notifications
The OCR’s breach portal shows 686 healthcare data breaches of 500 or more records in 2021—a record high.
According to IBM Security’s 2021 Cost of a Data Breach Report, healthcare data breaches cost an average of $9.23 million per incident, including lost revenue, settlement, forensics, lawsuits and breach notification. And then there’s a hidden cost to data breaches: Victims of a data breach may change healthcare providers. According to one survey, 66% of patients said they would leave their healthcare provider if their personally identifiable information or payment information was compromised in a data breach that occurred as a result of the failure to implement appropriate security measures.
A data breach or security incident that results from any HIPAA violation could result in separate fines issued for different aspects of the breach under multiple security and privacy standards. In 2021, for example, Excellus Health Plan paid a $5.1 million penalty to settle a HIPAA violation case involving a 2015 data breach that affected 9.3 million patients. OCR’s investigation revealed multiple HIPAA violations, including the failure to conduct an accurate and thorough organization-wide risk analysis, the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a lack of technical policies and procedures to limit data access to authorized persons and software programs. Excellus agreed to implement a CAP to address all areas of compliance.
Government and internal audits and violation fines
The OCR investigates patient complaints and reviews covered entities’ HIPAA compliance through auditing. An OCR audit is costly in terms of the resources it siphons—staff time and expenses required to provide documentation—but the worst financial consequences occur if the healthcare organization or health plan is found in violation of HIPAA.
Fines can range from $100 to $50,000 per violation, with a maximum fine of $1.5 million per violation category. These numbers are multiplied by the number of years an organization allowed the violation to persist. The Federal Trade Commission also can issue fines of up to $16,000 per violation.
To reduce the risk of HIPAA violations and fines, healthcare organizations and health plans should conduct internal HIPAA audits according to the OCR’s audit protocol. The extensive audit protocol is time and labor intensive, leading some compliance teams to bring in third-party auditors. External audits can cost $40,000 or more.
Settlements and corrective action plans (CAPs)
The Department of Health and Human Services (HHS) imposes financial penalties and CAPs for HIPAA compliance violations. OCR has investigated and resolved over 29,428 HIPAA cases by requiring changes in privacy practices and corrective actions.
One settlement case involved the theft of a laptop containing PHI from a CardioNet employee. The OCR investigation found insufficient risk analysis and risk management processes in place, and that the company's policies and procedures hadn't been implemented. Consequently, the company settled by paying $2.5 million and implementing a CAP.
Class-action and civil lawsuits
Victims of data breaches may pursue class-action lawsuits against a healthcare provider on the grounds of negligence. Individual victims may also pursue monetary compensation through civil lawsuits.
CaptureRX recently proposed a $4.75 million settlement to resolve several class-action lawsuits related to a data breach affecting 1.65 million patients. Attorneys for the plaintiffs will receive about a third of the settlement, while plaintiffs will receive about $2,000 each. The remainder of the fund will cover claims from class members.
Having an effective compliance plan with regular risk assessments can improve a healthcare organization’s outcome in lawsuits. The legal system treats proactive compliance more favorably than reactive compliance, with willful-neglect cases resulting in greater financial penalties and possibly even jail time for compliance officers and others within an organization.
Federal fraud and abuse laws: Stark law and the Anti-Kickback Statute
Anti-Kickback Statute (AKS) penalties
The Anti-Kickback Statute is a criminal law that prohibits the knowing and willful payment of remuneration to induce or reward patient referrals or the generation of business involving any item or service payable by the federal healthcare programs (e.g., drugs, supplies, or healthcare services for Medicare or Medicaid patients). Remuneration includes anything of value, such as cash, free rent, expensive hotel stays and meals, and excessive compensation for medical directorships or consultancies. The Anti-Kickback Statute covers the payers of kickbacks (e.g., the companies that offer or make payments) as well as the organizations or individuals (often physicians) who receive them.
Violating the AKS results in criminal and civil/administrative penalties, including civil monetary payment law fines. Criminal penalties include fines of up to $25,000 and up to five years in prison per violation. Violations are also subject to steep civil monetary penalties: up to $50,000 per violation plus three times the amount of the remuneration. AKS offenders are also excluded from participating in federal healthcare programs (e.g., Medicare, Medicaid).
The Physician Self-Referral Law (aka the Stark law) penalties
Commonly referred to as the Stark law, the Physician Self-Referral Law prohibits physicians from referring patients to receive "designated health services" payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship, unless an exception applies. Stark law also prohibits the designated health services entity (e.g., clinical laboratory, physical therapy, radiology, and other imaging services) from submitting claims to Medicare for those services resulting from a prohibited referral.
Civil penalties for violating the Stark law can be steep: up to $15,000 for each referred service (for intentional violations). Providers must also refund any Medicare or Medicaid reimbursement for illegally referred services. Stark law offenders are also excluded from participating in federal healthcare programs.
Exclusion from federal healthcare programs has severe financial consequences
Healthcare providers who are convicted of Medicare or Medicaid fraud (including Anti-Kickback Statute and Stark law violations) are excluded from participation in federal healthcare programs. Revenue from federal programs can account for up to half of a hospital’s income, so exclusion from these programs can put hospitals out of business.
The No Surprises Act
The No Surprises Act protects insured patients from receiving surprise medical bills when they receive most emergency services, non-emergency services from out-of-network providers at in-network facilities, and services from out-of-network air ambulance service providers.
In the past, if patients had health insurance and received care from an out-of-network provider or an out-of-network facility, even unknowingly, their health plan may not have covered the entire out-of-network cost. Patients would often be charged more than if they had received care from an in-network provider or facility. In addition to any out-of-network cost sharing patients might have owed, the out-of-network provider or facility could bill for the difference between the billed charge and the amount the health plan paid, unless banned by state law. This is called “balance billing.” An unexpected balance bill from an out-of-network provider is called a surprise medical bill.
The No Surprises Act applies to consumers who have group, Health Insurance Marketplace, or individual health insurance plans. Medicare and Medicaid patients were already protected against surprise billing. In summary, the No Surprises Act:
- Bans surprise bills for most emergency services, even if patients receive the services out-of-network and without prior authorization
- Bans out-of-network cost-sharing (e.g., coinsurance or copayments) for most emergency and some non-emergency services. Patients can’t be charged more than in-network cost sharing for these services
- Bans out-of-network charges and balance bills for certain additional services (e.g., anesthesiology or radiology) furnished by out-of-network providers as part of a patient’s visit to an in-network facility
- Requires that healthcare providers and facilities give patients an easy-to-understand notice explaining the applicable billing protections, who to contact if they have concerns that a provider or facility has violated the protections, and that patient consent is required to waive billing protections (i.e., patients must receive notice of and consent to being balance billed by an out-of-network provider)
Penalties for surprise billing
Providers, facilities, and health plans that bill patients in violation of the No Surprises Act are subject to civil monetary penalties of up to $10,000. However, such penalties don't apply if the facility or provider does not knowingly violate the law, should not have reasonably known that it violated the law, withdraws the bill within 30 days, and reimburses any payments received plus interest.
Health plans can prevent surprise billing by maintaining a current, accurate provider directory that indicates which providers are in-network.
Compliance software helps prevent non-compliance
To prevent the harmful financial consequences of non-compliance, healthcare organizations must conduct due diligence to ensure their compliance program includes seven fundamental elements:
- Implementation of written policies, procedures, and standards of conduct
- Designation of a compliance officer and compliance committee
- Regular conduct of effective training and education
- Maintenance of effective lines of communication among involved parties
- Regular conduct of internal monitoring and auditing
- Enforcement of standards through well-publicized disciplinary guidelines
- Ability to respond promptly to detected offenses and undertake corrective action
Internal monitoring starts with a comprehensive risk assessment. Risk assessments identify potential compliance problems so you can take steps to reduce their negative impact on your organization, staff, and patients. The Office of Inspector General recommends identifying your fraud and abuse risk areas (e.g., conflicts of interest, financial relationships with providers and vendors).
Compliance software automates and unifies compliance activities, making it easy to:
- Conduct risk assessments
- Monitor and mediate risks
- Report, track, and manage compliance incidents and investigations
- Conduct surveys and audits
symplr Compliance enables healthcare organizations to proactively assess, communicate, and mitigate operational and financial risks across your healthcare organization amid changing regulatory requirements and protocols.