Business Attorney Christopher Ezold Warns That Ignorance of Health Privacy Issues Could Cause Major Problems in 2013
Employers who ignore or are partially compliant with health care privacy issues could face greater government scrutiny and fines, says top Philadelphia attorney Christopher Ezold (www.ezoldlaw.com).
This new focus on compliance applies to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA requires that a "covered entity" maintain the privacy of personal health information (PHI).
Covered entities can include health care providers, health plans and health clearing houses and their business associates. HIPAA does not apply to all employer-provided health insurance, but it does apply to employer-sponsored health plans and, therefore, to employers who sponsor those types of plans. A partner at Philadelphia-based The Ezold Law Firm, P.C., Christopher Ezold warns that while enforcement of PHI rules have been lax in the past, the U.S. Department of Health and Human Services (HHS) has recently imposed penalties of more than $1 million against companies found in violation of HIPAA.
For example, the Alaska Department of Health and Social Services agreed to pay a $1.7 million fine to settle possible violations. Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million to settle potential HIPAA violations. Smaller employers have also found themselves on the receiving end of a HIPAA audit. This is a strong reminder for businesses to revisit their compliance programs.
The HHS's Federal Office for Civil Rights (OCR) has stepped up HIPAA audits of "covered entities" that are subject to HIPAA. OCR has now begun levying significant monetary penalties for violations of HIPAA's privacy rule. In practice, OCR is not interested in small fines; it has levied penalties in the hundreds of thousands and even millions of dollars for what appeared at first glance to be small issues, according to Ezold. The lesson here is that you should assume you are not a "covered entity" - you must ensure that you are not covered or, if you are covered, that you have met your obligations.
"If OCR comes knocking, you may be able to avoid significant liability by showing that you have engaged in a good faith attempt to meet your obligations," says Ezold.
To protect yourself, hold an annual internal review to ensure that the privacy requirements are being met. OCR will not consider a once-and-done review to be sufficient; annual reviews provide better protection than merely doing an initial assessment. Ezold recommends:
• Designate a HIPAA compliance officer.
• Create privacy and security policies that comply with HIPAA and HITECH.
• Determine which employees have access to PHI.
• Limit access to PHI both operationally and in policy to those employees who "need to know."
• Review physical and encryption security for PHI.
• Schedule annual reviews of policies, operations and regulations.
• Create annual risk analyses and security plans.
• Have policies in place regarding breaches of PHI security.
• Schedule annual computer network security reviews.
• Safeguard all physical/documentary PHI in a locked location.
• Create policies for reviewing and shredding old documents.
• Ensure that no one keeps PHI on any mobile digital device.
"Given that most businesses review their policies at the end of the year, this is an ideal time to have your counsel or compliance officer examine your own policies to ensure that you would not become an unfortunate victim of an OCR audit," Ezold says. "A small investment in time now could prevent extremely painful repercussions down the road if you are not in compliance."
Christopher Ezold is a partner at The Ezold Law Firm, P.C., a Philadelphia-based boutique law firm focusing on business, employment and health care law. Mr. Ezold has a L.L.M. in Taxation from the Villanova University School of Law, including a Certificate in Employee Benefits, serves as General Counsel to the Main Line Chamber of Commerce and is the past chair of the Board of Directors of the Magellan Leadership Group. Mr. Ezold is licensed to practice law in Pennsylvania, Delaware and New Jersey.