HIPAA Compliance Now Even More Critical for Managed Care Organizations

This whitepaper provides outstanding information regarding how Managed Care Organizations can achieve compliance with the HIPAA Omnibus Rule.

The stakes are being raised. As of September 23, 2013, the Office for Civil Rights (OCR) began enforcement of the HIPAA Omnibus Final Rule. As the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) Director Leon Rodriguez recently stated, the final Omnibus rule not only greatly enhances patient rights and protections but also “strengthens the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Rodriguez has consistently stated that his office will aggressively pursue penalties for organizations that show “an ongoing failure to comply with HIPAA Privacy and Security Rules.” Such organizations will likely be subject to “willful neglect” penalties, which carry a minimum of $50,000 per member/per day for each violation cited. Basically, willful neglect means the “conscious, intentional failure or reckless indifference” to the obligation to comply with the regulations. While a violation of a given requirement once carried a maximum fine of $25,000, it now carries a maximum of $1.5 million. Some attorneys have projected, for example, that an organization found in violation of the 22 standards related to the Security Rule could be fined as much as $33 million.

Managed Care Organizations, including safety net health plans, are not exempt from this greatly increased focus on compliance. Safeguarding Protected Health Information (PHI) is a foundational requirement for all healthcare organizations, especially those directly responsible for delivering quality care, providing access to the right care, and doing so in a timely manner. Safeguarding PHI is a matter of patient and member safety.

In addition to increased enforcement and significantly higher penalties, the HITECH Act mandates that the DHHS conduct periodic audits of both Covered Entities and Business Associates for compliance with HIPAA. The HITECH Act also granted state attorneys general (SAG) jurisdiction to file civil suits on behalf of their citizens for HIPAA violations. A breach of protected health information is NOT required to trigger enforcement action; however, member or patient complaints, self-reported breaches and mandatory audits have been known to trigger lengthy and expensive investigations by the OCR, resulting in negotiated resolutions, settlement agreements, corrective action plans, formal monitoring programs and/or negotiated penalties. Effective September 23, OCR is no longer required to seek an “informal resolution” to violations; in fact, OCR is required to investigate cases, especially those involving “willful neglect.” With or without a breach, a Covered Entity (or a Business Associate) can be held accountable for failing to have properly complied with the regulatory requirements.

Download the full whitepaper to learn more.