The health care law world has been buzzing over the weekend about the release by HHS of its Notice of Enforcement Discretion, regarding a reduction and cap of Civil Monetary Penalties (CMP) for violations of both HIPAA’s Privacy Rule and its corollary Security Rule.
The new system sets annual limits for these fines based on the organization’s “level of culpability” associated with the HIPAA violation. That means organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.
Many are not aware that HIPAA has both a “privacy” component and a “security” component, the former pertains to use of Protected Health Information (PHI) and the latter of which speaks to the how such information is to be securely stored both in paper form and digitally.
The Health Information Technology for Economic and Clinical Health Act, (the HITECH Act) outlines minimum and maximum civil money penalties for HIPAA enforcement based on four tiers, which take into account whether the organization in question was aware of the violation and whether it had taken steps to abide by HIPAA’s rules. The tiers escalate in severity, from an organization that is unaware of the violation to one that demonstrated “willful neglect” in not correcting violations.
Violation of the HIPAA requirements mandates “self-reporting,” meaning that a health care provider (which includes in this instance addiction treatment providers) must report themselves to HHS of any such breach. Depending on the “level of culpability” there is a fine that is imposed. If a provider does not self-report, the fines are much more punitive and steep.
Last year marked a record year for HIPAA enforcements, as HHS collected an all-time high of $28.7 million from HIPAA-covered entities and their business associates. That surpassed the previous record of $23.5 million, which HHS doled out in 2016.
To avoid all of the pitfalls and landmines that permeate health care generally, a well-trained and experienced Compliance Officer who works with ownership and staff (and preferably a Compliance Committee) is a strong and wise investment. Such persons are tasked with primary responsibility to oversee and coordinate relevant and timely information pertaining to laws, rules and regulations governing matters such HIPAA; billing & coding; employee & vendor compensation; insurance audits; working with investigators; and patient financial responsibility.
A Certified Compliance Officer (CHC or “Certified in Healthcare Compliance”) is a recognized professional in this space who is trained to develop, implement and regularly update arecognized compliance program, which in many instances is viewed as a mitigating factor when determining whether a regulatory breach has occurred, as opposed to criminal activity.
The Health Care Compliance Association (HCCA) is the pre-eminent membership organization for all persons certified in health care compliance to share “best practices” and to network as to the latest trends and news in health care compliance. This organization worked extensively with the Compliance Certification Board (CCB) to develop criteria to determine competence in the practice of compliance, in this instance, in the health care sector.
According to the CCB:
“The healthcare world can be a high-risk and challenging environment that demands a proactive compliance approach. Being certified in this dynamic, changing profession can help mitigate compliance-related risks. An individual who actively holds the Certified in Healthcare Compliance (CHC)® is someone with knowledge of relevant regulations and expertise in compliance processes sufficient to assist the healthcare industry organizations in understanding and addressing legal obligations, and promote organizational integrity through the operation of effective compliance programs.”
The time is right for the addiction treatment and recovery residence industries to elevate what it means to have a “Compliance Officer” on staff, to be more than simply someone who ensures DCF licensure is up-to-date. Specific training and qualifications should be sought for such important positions within a program, no differently than in medical health care.
In my 9+ years of working extensively within the addiction treatment space, I have often met persons identified as a client’s “Compliance Officer” but came to realize many did not have the full scope of training to be able to anticipate and navigate the daily landmines and pitfalls that operating a health care business brings. Hiring a staff member who is certified in health care compliance should be viewed as an essential hire in addiction treatment to begin to lift this segment out of the shadows and into respectable health care as well as within the larger “recovery community” of service providers.
Hiring a competent certified compliance officer is but a small investment to make in exchange for the peace of mind that all aspects of a treatment provider’s operations, including any recovery residential services, meet the both the letter and the intent of the law.
For more information, visit the HCCA’s website at https://www.hcca-info.org/.