Key Laws in Healthcare Compliance Flashcards

1
Q

What Is the Anti-Kickback Statute?

A

The Anti-Kickback Statute (AKS) is a federal criminal statute prohibiting transactions intended to induce or reward referrals for items or services reimbursed by federal healthcare programs.

2
Q

What are the purposes of the Anti-Kickback Statute?

A

To prevent inappropriate medical referrals by providers who may be unduly influenced by financial incentives.

To prevent overutilization and increased federal healthcare program costs.

To prevent unfair competition.

To ensure the proper reporting of costs to the government.

3
Q

What are safe harbors in relation to the Anti-Kickback Statute?

A

Forms of payment and business practices that may appear to violate the Anti-Kickback Statute but are protected if the party in question meets the various tests required to qualify.

4
Q

What are examples of safe harbors under the Anti-Kickback Statute?

A

Space rental

Equipment rental

Electronic health records items and services

Electronic prescribing items and services

Discounts

Health centers

Payments made to bona fide employees

Personal services and management contracts

Warranties

Investment interests

Referral services

Practitioner recruitment

Ambulatory surgical centers

5
Q

What is the history of the Anti-Kickback Statute?

A

The Anti-Kickback Statute was originally enacted as part of the Social Security Amendments of 1972. Before 1972, only one provision prohibited false claims and misrepresentation to the government, and the statute’s language made it difficult to prosecute Medicare and Medicaid fraud. Despite the update to the AKS, Medicare and Medicaid abuse continued to rise, resulting in new amendments being added to further discourage fraudulent activity.

The original statute made the receipt of kickbacks, bribes, or rebates in connection with items or services covered by Medicare and Medicaid programs a misdemeanor punishable by a fine, imprisonment, or both. In 1977, the Medicare-Medicaid Anti-Fraud and Abuse Amendments increased the penalty for violating the AKS from a misdemeanor to a felony to discourage Medicare and Medicaid fraud. In 1980, the statute was updated to require proof that the defendant acted “knowingly and willfully.”

The Medicare and Medicaid Patient and Program Protection Act (MMPPPA) was passed in 1987 and made two important changes to the AKS.[7] First, the OIG was granted authority to exclude violators of the AKS from participating in federal health care programs. Second, the legislation directed HHS to promulgate regulations that created additional exceptions to the AKS, which would become known as “safe harbors.” The first series of “safe harbor” regulations was implemented in 1991. In 1996, Congress further amended the AKS through the Health Insurance Portability and Accountability Act (HIPAA), primarily by expanding the law to cover all federal health care programs rather than just Medicare and state health care programs, adding a new exception relating to certain risk-sharing organizations, and enhancing communication between the OIG and the public about the applicability of the AKS to certain transactions. One year later, Congress added a civil monetary penalty. Finally, the Patient Protection and Affordable Care Act of 2010 amended the intent requirement to clarify that the government no longer had to prove that the defendant intended to violate the law.

6
Q

What are the Anti-Kickback Statute Compliance Risks?

A

Making False Statements or Representations: The AKS overlaps somewhat with the False Claims Act. Both statutes prohibit knowing and willful false statements for the procurement of federal funds; however, the AKS explicitly prohibits false claims made with regard to benefits or payments under a federal health program. Additionally, the AKS includes liability for healthcare organizations that misappropriate federal health program funds, present a claim for services furnished by a non-physician, or assist a patient with disposing of assets in order to become eligible for certain hospice and long-term care services.

Illegal Remunerations: The AKS expressly prohibits anyone from knowingly and willfully soliciting patients, goods, facilities, and services covered under a federal healthcare program for compensation. Further, everyone, including healthcare organizations, is prohibited from offering or paying compensation for referrals of patients, goods, facilities, and services covered under a federal healthcare program. Lastly, attempting to buy, sell, or distribute patient beneficiary identification numbers or providers’ health identifier numbers given under Medicare, Medicaid, or SCHIP is strictly prohibited.

False Statements or Representations with Respect to Condition or Operation of Institutions: In keeping with the AKS’s prohibition of false claims, section 1320a-7b(c) of the statute prohibits false claims relating to the operation of Medicare-certified healthcare facilities.

Illegal Patient Admittance and Retention Practices: Healthcare providers are prohibited from knowingly and willfully overcharging Medicaid patients under a state Medicaid plan or requiring a Medicaid patient to pay as a precondition to being admitted, or continuing to stay, at a hospital when the services are at least partially covered by a state Medicaid plan.

Violation of Assignment Terms: Healthcare providers agreeing to accept assignment of Medicare’s reasonable charges must not intentionally and repeatedly violate the terms of the assignment.

7
Q

What are the corrective actions for violating the Anti-Kickback Statute?

A

Developing and implementing policies and practices to ensure compliance with the AKS.

Making periodic internal compliance reports.

Daily monitoring of compliance activities.

Requiring employee training on federal healthcare program regulations.

Conspicuous posting of the OIG hotline telephone number for patients to report fraud.

Requiring eligibility screening of current and prospective employees ineligible to furnish services under a federal healthcare program.

8
Q

What Is the Civil Monetary Penalties Law?

A

The Civil Monetary Penalties Law (CMPL) authorizes the HHS to impose civil money penalties against any person or entity, including a laboratory, that presents fraudulent claims to a federal or state agency.

9
Q

What conduct does the Civil Monetary Penalties Law prohibit?

A

Offering something of value to a Medicare or other state or federal healthcare program beneficiary that the person knows or should know is likely to influence the beneficiary to obtain items or services billed to a state or federal healthcare program.

Employing or contracting with an individual or entity that the provider knows or should know is excluded from participation in a federal healthcare program.

Billing for services requested by an unlicensed physician or an excluded provider.

Knowing of an overpayment and failing to return and report it in a timely fashion.

Billing for medically unnecessary services.

10
Q

When was the Civil Monetary Penalties Law enacted and why?

A

The CMPL was enacted in 1981 in response to widespread fraud and abuse involving the Medicare and Medicaid programs. It was designed to punish not only healthcare providers who knowingly committed fraud and abuse through their healthcare claims, but also providers who were unaware of the fraud and abuse they were committing. This law encourages providers to verify the accuracy of the Medicare, Medicaid, and state health claim forms submitted by in-house staff and billing services.

11
Q

What are the related laws of the Civil Monetary Penalties Law?

A

Federal Anti-Kickback Statute

Physician Self-Referral Law (Stark)

Exclusion Statute

False Claims Act

12
Q

What are the Civil Monetary Penalties Law Compliance Risks?

A

Improperly Filed Claims: Under this provision of the CMPL, a healthcare provider, owner, or operator can be held liable based on their own negligence or the negligence of employees. There is no requirement that intent to defraud be proven. Thus, if a healthcare provider improperly files a claim for a variety of reasons, they can be liable under this statute. Furthermore, sanctions imposed generally exceed the damages actually sustained by filing the improper claim.

Payments to Induce Reduction or Limitation of Services: The CMPL generally prohibits hospitals from paying physicians to reduce or limit services to Medicare or Medicaid beneficiaries. The law prohibits “gainsharing” arrangements whereby hospitals share cost savings with referring physicians unless the arrangement has been approved by the federal government in an advisory opinion or the arrangement is structured to satisfy the new exceptions applicable to accountable care organizations.

Violating Exclusion: Healthcare providers or owners can be held liable under the CMPL for not only practicing medicine while being excluded from federal programs but also for dealing with an excluded individual.

Knowing of Falsity, Omissions, Misrepresentations, and Overpayments and Not Acting: Healthcare providers or owners who partake in a variety of types of fraud can be held liable under the CMPL. Providers who knowingly misrepresent or omit key information will be held liable to civil penalties. Furthermore, intentionally retaining an overpayment can lead to penalties under the CMPL.

13
Q

What Is the Emergency Medical Treatment and Labor Act?

A

The Emergency Medical Treatment and Labor Act (EMTALA) is a federal law that was enacted to prevent discrimination against patients in hospital emergency departments and to ban “patient dumping” on public hospitals. The law ensures public access to emergency medical services regardless of ability to pay.

14
Q

What are the three main legal obligations created by EMTALA?

A

1. Any person who comes into the emergency department must be able to receive a medical screening examination to determine whether an emergency medical condition exists, regardless of their financial or insurance status. The exam and treatment may not be delayed in order to ask about methods of payment or insurance.

2. If an emergency medical condition exists, treatment must be provided until the condition is resolved or the patient is stabilized. If the hospital is unable to treat the emergency medical condition due to capacity or ability, an appropriate transfer to another hospital must be done in accordance with EMTALA provisions.

3. Hospitals with specialized capabilities must accept transfers from hospitals that lack the capacity to treat unstable emergency medical conditions.

15
Q

When was EMTALA enacted and what is its purpose?

A

EMTALA was passed as part of the Consolidated Omnibus Budget Reconciliation Act (COBRA) of 1985.[7] Referred to as the “anti-dumping” law, it was designed to prevent hospitals from transferring uninsured or Medicaid patients without providing at least a medical screening examination to ensure they were stable for transfer.

16
Q

What are the compliance risks of EMTALA?

A

Failure to Medically Screen: Medical compliance professionals need to ensure their emergency medical staff are aware of the requirement to screen individuals with emergency medical conditions. EMTALA defines an emergency medical condition as one that “[manifests] itself by acute symptoms of sufficient severity (including severe pain) such that the absence of immediate medical attention could reasonably be expected to result in…placing the health of the individual…in serious jeopardy.”

Failure to Secure Consent for Refusal of Treatment or Medically Appropriate Transfer: Compliance professionals may already be aware of the need to secure patient consent, and that awareness necessarily extends to a patient refusing to consent to the treatment or transfer requirements of EMTALA.

Failure to Get Consent or a Licensed Physician to Sign Off on a Medically Appropriate Transfer: When a physician determines that the benefits of a transfer outweigh the risk to the individual, it is imperative that the physician certifies the transfer to avoid a violation.

Transfer to an Inappropriate Medical Facility: Although a transfer away from the admitting emergency department to a medically appropriate facility may be justified, a transfer is not proper without consideration of the receiving medical facility. When a transfer is proper, the receiving medical facility must be able to receive the patient, must have agreed to receive the patient, and must have received the appropriate paperwork to treat the patient, and the transfer must be conducted with qualified personnel and equipment.

17
Q

What are corrective actions of EMTALA?

A

Required training of hospital staff to better comply with EMTALA’s provisions,

Conspicuous posting of the availability of financial assistance in the hospital and on the hospital’s website,

Provision of free financial counseling to all patients,

Prohibition from collecting fees of patients applying for financial assistance, and

Required reasonable payment schedules to uninsured or underinsured patients.

18
Q

What is the False Claims Act?

A

The False Claims Act (FCA), also known as the “Lincoln Law,” is a federal law that imposes liability on persons and companies who defraud governmental programs. It is one of the government’s primary tools for combating fraud. The FCA creates liability for any person who knowingly submits a false claim or makes a false statement to the government. The FCA also includes a qui tam provision, which allows private persons to file suit for violations of the FCA on behalf of the government. The FCA provides for up to treble damages and also provides awards of 15%–30% of the recovery for those bringing cases.

19
Q

What is the history of the False Claims Act?

A

The FCA was enacted in 1863 by Congress in response to concerns that suppliers of goods during the Civil War were defrauding the Union Army.[9] President Abraham Lincoln advocated for the passage of the FCA when war suppliers were shipping boxes of sawdust instead of guns and selling the same cavalry horses several times to the Union Army, amongst other fraudulent activities.[10] The law contained qui tam provisions that allowed private citizens to sue on the government’s behalf. “Those who filed lawsuits…were entitled to receive 50 percent of the amount the government recovered as a result of their case.”

In 1943, Congress changed the qui tam provisions, drastically reducing the reward amount for those bringing a claim on the government’s behalf. This created less of an incentive for citizens to report fraud. A new provision also prevented whistleblowers from filing a lawsuit based on information already possessed by the government or a government employee, even if the whistleblower provided the information and the government chose not to investigate.

In the 1980s, the law was revised again after reports of widespread fraud against the government during the Cold War. There were many reports of outrageous billing practices by defense contractors against the military, and government enforcement agencies lacked resources to investigate. Congress amended the qui tam provisions to provide that whistleblowers who brought successful cases “were entitled to [15%–30%] of the government’s recovery and attorneys’ fees paid by the defendant.”[11] They also removed the “government possession of information” bar against suits.

The FCA was amended again in 2009 and 2010 to clarify terms and expand its scope from the original law.

20
Q

What are the compliance risks of the False Claims Act?

A

Making False Claims: 31 U.S.C. § 3729(a)(1) bars several types of false claims. 31 U.S.C. § 3729(a)(1)(A) and (B) prohibit making or presenting a false claim for payment or approval. 31 U.S.C. § 3729(a)(1)(D) addresses the bait-and-switch situation described in the “History” section of this article, where suppliers would defraud the government by shipping sawdust instead of guns. 31 U.S.C. § 3729(a)(1)(G) is commonly referred to as the “reverse false claims section.”[16] Instead of prohibiting claims to receive payment or approval, 31 U.S.C. § 3729(a)(1)(G) prohibits a false record or statement made in order to avoid a payment obligation to the government. Further, 31 U.S.C. § 3729(a)(2) provides for mitigation of the amount of damages a cooperating violating party would pay to the government. Lastly, violations of 31 U.S.C. § 3729 may also trigger violations of the Anti-Kickback Statute and the Stark Law.

Civil Actions for False Claims: False Claims Act lawsuits are often brought by private individuals who are former or current employees of the alleged violator. The False Claims Act incentivizes individuals, known as qui tam plaintiffs or relators, to bring suit by awarding them a sizeable share of the proceeds from a successful suit or settlement. When an action is brought by a private individual, the complaint is sealed for 60 days while the government investigates and decides whether to take over the action. If the government declines, the private individual may still prosecute the action; however, the government may later choose to intervene. 31 U.S.C. § 3730(h) protects employee whistleblowers from employer retaliation.

21
Q

What are the corrective actions of the False Claims Act?

A

Appointment of a compliance officer.

Development of a written training plan to ensure compliance with federal healthcare programs.

Required hiring of an independent review organization to review claims for reimbursement by Medicare and Medicaid.

Establishment of an internal disclosure program for employees to report possible compliance violations to the compliance officer without risk of retaliation.

22
Q

What Is the Foreign Corrupt Practices Act?

A

The Foreign Corrupt Practices Act (FCPA) prohibits the payment of bribes to foreign officials to assist in obtaining or retaining business.[6] It requires publicly held corporations to keep accurate books and records and establish accounting controls to prevent activity that formerly disguised corporate bribes. The anti-bribery provision prohibits the willful use of mail or any other form of interstate commerce to deliver “any offer, payment, promise to pay, or authorization of the payment of money or anything of value to any person, while knowing that all or a portion of such money or thing of value will be offered, given or promised, directly or indirectly, to a foreign official to influence the foreign official in his or her official capacity, induce the foreign official to do or omit to do an act in violation of his or her lawful duty, or to secure any improper advantage in order to assist in obtaining or retaining business for or with, or directing business to, any person.”

The FCPA also requires all companies whose securities are listed in the United States to meet its accounting provisions. The accounting provisions require corporations to maintain books and records that accurately and fairly reflect the corporation’s transactions and to create and maintain an adequate system of internal accounting controls.

23
Q

What is the history of the Foreign Corrupt Practices Act?

A

The FCPA was enacted in 1977 as an amendment to the Securities Exchange Act of 1934. The FCPA legislation resulted from an SEC investigation into undisclosed payments to domestic and foreign officials triggered by the Watergate scandal, as well as the negative effects foreign bribery had on the United States during the Cold War. Investigations following the Watergate scandal revealed that corporations had made illegal political contributions to foreign officials that were concealed in secret slush funds. This raised concerns that companies were inaccurately reporting their financials in their SEC filings.

Congressional hearings leading up to the passage of the FCPA focused on wanting to renew moral leadership and emphasized the United States’ obligation to set integrity standards in domestic and foreign business relations.

In 1988, Congress amended the FCPA to add two affirmative defenses: the local law defense and the reasonable and bona fide promotional expense defense. They also requested that the president negotiate an international treaty with members of the Organization for Economic Co-Operation and Development (OECD) to prohibit bribery in international business transactions by many major trading partners of the United States. In 1998, the law was amended by the International Anti-Bribery and Fair Competition Act to expand the FCPA’s scope and conform to the requirements of the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.

24
Q

What are the Foreign Corrupt Practices Act Compliance Risks?

A

Anti-Bribery Provisions: The FCPA’s anti-bribery provisions encompass both direct and indirect corrupt payments. Healthcare organizations’ financial relationships with third-party agents, consultants, distributors, and joint-venture partners present risk under the FCPA. First, a third party may channel payments to a foreign official or US healthcare professional in an effort to drive sales. Second, recommendations for prescribing services or products covered by federal healthcare programs may be suspect. Finally, healthcare professionals who participate in research and development initiatives abroad may be linked to state-owned or -controlled entities, which can create liability under FCPA.

Accounting Requirements: Bribes, both foreign and domestic, are often mischaracterized in companies’ books and records. The “in reasonable detail” qualification was adopted by Congress “in light of the concern that such a standard, if unqualified, might connote a degree of exactitude and precision which is unrealistic….In instances where all the elements of a violation of the anti-bribery provisions are not met—where, for example, there was no use of interstate commerce—companies nonetheless may be liable if the improper payments are inaccurately recorded.” Bribes have been mischaracterized as consulting fees, sales and marketing expenses, scientific incentives, travel and entertainment expenses, rebates or discounts, miscellaneous expenses, etc.

Internal Controls: Internal controls over financial reporting are used by companies to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements. Internal controls include a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); and monitoring.

25
Q

What are the corrective actions of the Foreign Corrupt Practices Act?

A

Appoint an independent corporate monitor who assesses and monitors a company’s adherence to the compliance requirements of an agreement that is designed to reduce the risk of recurrence of the company’s misconduct.

Update internal controls and compliance programs and focus future training on such issues, as appropriate.

Continuously review and improve compliance programs to meet DOJ and SEC evaluation requirements.

26
Q

What is the Health Information Technology for Economic and Clinical Health (HITECH) Act?

A

The Health Information Technology for Economic and Clinical Health (HITECH) Act was created to motivate the implementation of electronic health records (EHRs) and supporting technology in the United States. The act implemented changes such as:

Increasing Health Insurance Portability and Accountability Act (HIPAA) enforcement and penalties;

Requiring notification to patients of any unsecured data breaches related to protected health information (PHI), and notifying the U.S. Department of Health & Human Services (HHS) if the breach affected more than 500 patients;

Giving patients and designated third parties access to their PHI in an electronic format; and

Extending HIPAA requirements to apply to business associates.

27
Q

What is the history of the HITECH Act?

A

The HITECH Act was signed into law by President Barack Obama on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA), an economic stimulus bill.[6] It was passed to promote the expansion of health information technology (IT) and the adoption of EHRs by healthcare organizations by providing incentives for organizations to migrate from paper to electronic records. Prior to the HITECH Act’s adoption, only 10% of hospitals had adopted EHRs. Since the act’s passage, the EHR adoption rate dramatically increased, and, as of 2017, 86% of office-based physicians have moved to EHRs. Accordingly, the HITECH Act has caused a significant growth in healthcare technology fields, such as research informatics, IT, electronic medical records, and other related disciplines.

The HITECH Act is split into four subtitles, with each focusing on either promotion and funding of health IT or strengthening privacy, security, and enforcement of existing HIPAA rules. The act strengthened HIPAA’s Privacy and Security rules by increasing enforcement penalties and expanding HIPAA compliance to business associates of covered entities. Further, the act imposed a data breach notification requirement and increased the protection of electronic protected health information (ePHI). The HITECH Act also gave the HHS Office of the National Coordinator for Health Information Technology (ONC) the authority to manage and set standards for promoting and expanding the adoption of health information technology.

28
Q

What are the Compliance Risk Areas for HITECH?

A

Individuals’ Right to Access PHI in Electronic Format: Considering the HITECH Act’s promotion of ePHI, the act also imposed a requirement that such information may be transmitted in electronic format to an individual upon request. This includes a request made by an individual to transmit ePHI to another entity. Considering the complexity in providing ePHI while maintaining security and privacy standards, healthcare organizations are permitted to charge a fee commensurate with the cost of transmitting the ePHI.

Application of HIPAA Security and Privacy Rules on Business Associates: Various nonhealthcare provider or insurance provider organizations that have access to PHI were not subject to HIPAA’s Privacy and Security rules prior to the HITECH Act’s passage. The HITECH Act stretched HIPAA’s umbrella over business associates, which include entities such as claims processors, accountants, law firms, consultants, or any other entity that routinely handles PHI to service a healthcare provider or another business associate.

Required Notification of Breach: Breach notification is an important aspect of HIPAA imposed by the HITECH Act, prompting covered entities and business associates to self-report breaches of PHI. The Breach Notification Rule, which is codified under HIPAA at 45 C.F.R. §§ 164.404, 164.406, and 164.408, requires that covered entities and business associates report breaches to affected individuals. If the breach affects more than 500 individuals, then the covered entity or business associate must also notify the Secretary of the U.S. Department of Health & Human Services. If the breach affects more than 500 individuals in a particular state or jurisdiction, then the covered entity or business associate must also notify local media outlets in that location of the breach.

Tougher Enforcement Penalties Under HIPAA: Before the HITECH Act, HIPAA penalties were relatively mild, with each violation limited to $100 and totaling no more than $25,000 per calendar year. The HITECH Act imposed a more complex penalty scheme with much tougher potential penalties. Penalties for violations occurring after the HITECH Act’s passage may range from $100 to $10,000 per violation, with a total aggregate limit of $1.5 million per calendar year. Further, the penalties are subject to yearly adjustments for inflation. Current penalty amounts are found at 45 C.F.R. § 102.3.

29
Q

What are the corrective actions of HITECH?

A

Required risk analysis submission to HHS.

Required implementation of a risk management plan.

Revision of policies and procedures to ensure compliance with HIPAA rules.

Instituting procedures ensuring proper contracting between covered entities and business associates.

Required training on revised policies and procedures ensuring HIPAA compliance.

30
Q

What Is the Health Insurance Portability and Accountability Act of 1996?

A

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. It consists of a number of rules that lay out different requirements for HIPAA compliance.

31
Q

What are the different rules of HIPAA?

A

The Privacy Rule dictates how, when, and under what circumstances personal health information (PHI) can be used and disclosed.

The Security Rule sets the minimum standards to safeguard electronic PHI (ePHI).

The Breach Notification Rule requires covered entities to provide notification to affected individuals, the Department of Health & Human Services (HHS) Secretary, and the media (under specific circumstances) if there is a breach of unsecured PHI; and business associates must notify covered entities if a breach occurs at or by the associates.

The Omnibus Rule made clarifications to the HIPAA Privacy and Security rules and improved the ability of the Office for Civil Rights (OCR) to enforce HIPAA, while also implementing the mandates of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The Enforcement Rule established how OCR can determine liability and impose civil monetary penalties for HIPAA violations.

32
Q

Why was HIPAA enacted?

A

Improve portability and continuity of health insurance coverage

Combat waste, fraud, and abuse in health insurance and healthcare delivery

Promote the use of medical savings accounts

Improve access to long-term care services and coverage

Simplify the administration of health insurance

33
Q

What are the five titles of HIPAA?

A

Title I protects health insurance coverage for workers and their families when they change or lose their jobs.

Title II, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. This title is also known as the Privacy rule.

Title III sets guidelines for pretax medical spending accounts.

Titles IV and V set guidelines for group health plans and company-owned insurance policies.

34
Q

Violations of HIPAA generally result from what?

A

Lack of adequate risk analyses

Lack of comprehensive employee training

Inadequate business associate agreements

Inappropriate disclosures of PHI

Ignorance of the minimum necessary rule

Failure to report breaches within the prescribed time frame

35
Q

What is the history of HIPAA?

A

HIPAA was enacted by the 104th Congress and signed into law by President Bill Clinton in 1996. When the act was originally passed, it only required the Secretary of HHS to propose standards that would protect individually identifiable health information. The initial proposed “Code Set” standards were not published until 1999, with the first proposals for the Privacy Rule being established in 2000.

Since its original passage, HIPAA legislation has evolved significantly. The language of the act has been modified to address changes in technology, and the scope has shifted to include third-party service providers (business associates) that perform a function on behalf of a HIPAA-covered entity that involves the use or disclosure of PHI. Each of the major rules was passed during the early 2000s, and together they build out the various requirements of HIPAA compliance.

36
Q

What are the compliance risks of HIPAA?

A

Lack of Adequate Risk Analysis, Policies and Procedures, and Employee Training: Central to HIPAA compliance is the preemption of inappropriate access to PHI. HIPAA requires that healthcare organizations conduct a risk analysis, implement policies to curb risk, and implement disciplinary measures against employees who fail to adhere to those policies. Training is also an essential part of HIPAA’s breach preemption rules. Healthcare organizations must implement policies that make employees aware of the need to maintain security and what to do in the event a security incident occurs. Additionally, healthcare organizations must be prepared in the event that data centers containing PHI are compromised by properly backing up and protecting data. Lastly, keeping PHI secure is an ongoing process for healthcare organizations, and they must conduct routine evaluations to comply with HIPAA and changes in the organizational and security environment.

Inadequate Business Associate Agreements: HIPAA generally applies to two types of entities: (1) covered entities and (2) business associates.[17] Covered entities include healthcare providers, healthcare clearinghouses, and health plans. Business associates include organizations or persons, and their subcontractors, that transmit PHI to or from covered entities. Because PHI often needs to be transmitted, covered entities contract with business associates to provide these services, and both entities are bound by HIPAA’s various rules. In order for these contracts to comply with HIPAA, they must include “satisfactory assurances” that the business associate will protect the PHI. These assurances extend to subcontractors of the business associates, and they include a requirement to report “security incidents” to the covered entity if they arise.

Unauthorized Disclosure: The default rule under HIPAA is that healthcare providers may not use or disclose a patient’s PHI without authorization. This rule also governs what makes an effective authorization, which includes a description of the information, names of those authorized to transmit and those authorized to receive the information, a purpose for the authorization, a date or event of expiration, and the individual’s signature. Authorizations must also include certain adequate notices to the authorizing individual, and a signed copy must be supplied to the individual.

Minimum Necessary Disclosure Rule: An important subpart of section 164.502 is subsection (b), which is known as the Minimum Necessary Rule. When authorized, a healthcare provider or its business associate may disclose PHI, but only to the extent necessary. The rule does have exceptions for disclosures or requests by a healthcare provider for treatment, disclosures to patients of their own PHI, certain authorized disclosures, compliance investigations, and disclosures required by law (e.g., court orders or subpoenas) or for compliance.

PHI Security Requirements: Covered entities and business associates are required to implement security measures to protect PHI. These measures must ensure employees are adequately trained in PHI security and must protect against reasonably anticipated threats, unauthorized uses, and unauthorized disclosures. Although HIPAA does not prescribe specific measures and implementation of PHI security, covered entities and business associates must consider their size and security capabilities, infrastructure, cost, and potential risks of their chosen security method.

Required Notification of Breach: In the event of a breach, covered entities are required to notify individuals within 60 days of discovering the breach. A breach is considered to be known when any employee or agent of the covered entity discovers the breach or should have discovered the breach had the entity conducted “reasonable diligence.” Once discovered, the covered entity must contact the individual via first-class mail and disclose what happened, what information was compromised, and self-protecting steps the individual can take. The rule also requires covered entities to disclose to the affected individual what the entity is doing to investigate the breach, mitigate harm, and protect against further breaches. For breaches affecting more than 500 people, the covered entity must contact prominent media outlets where the affected individuals are located.

Civil Money Penalties: Civil penalties for HIPAA violations depend on both when the violations occurred and the nature of the violation. Violations prior to February 18, 2009, are limited to civil penalties of no more than $100 per violation and no more than $25,000 for the calendar year. Violations on or after February 18, 2009, may range from no less than $100 to no less than $10,000 per violation depending on the nature of the violation. However, the calendar year limit is uniformly set at $1,500,000. The amounts are subject to yearly adjustments in accordance with inflation, and adjusted civil penalty amounts may be found at 45 C.F.R. § 102.3.

Criminal Penalties: Criminal liability under HIPAA is appropriate for individuals without authorization who knowingly use, cause to be used, obtain, or disclose individually identifiable health information maintained by a covered entity. Criminal penalties depend on the nature of the offense and the intent of the violator. Maximum limits for the most egregious violations range up to a $250,000 fine and 10 years in prison.

37
Q

What are the corrective actions of HIPAA?

A

Required risk analysis submission to HHS.

Required implementation of a risk management plan.

Revision of policies and procedures to ensure compliance with HIPAA rules.

Instituting procedures ensuring proper contracting between covered entity and business associate.

Required training on revised policies and procedures ensuring HIPAA compliance.

38
Q

What Is the Physician Payments Sunshine Act?

A

The Physician Payments Sunshine Act (PPSA), which is section 6002 of the Affordable Care Act (ACA) of 2010, requires manufacturers of drugs, medical devices, and biologics to report to the Centers for Medicare & Medicaid Services (CMS) any payments or other transfers of value made to physicians or teaching hospitals. The PPSA also requires certain manufacturers and group purchasing organizations (GPOs) to disclose physician ownership or investment interests held in those companies. This call for transparency within the physician-industry relationship is predicated on the idea that the requirement of industry to track, report, and publicly release financial data will encourage stronger ethical collaborations that will ultimately help achieve better patient care while lowering health insurance costs for covered recipients.

39
Q

What is the history of the PPSA?

A

The PPSA was introduced in the U.S. Congress on September 6, 2007, by Senators Chuck Grassley and Herb Kohl. The goal of the bill was to “shed light” on the nature and extent of financial relationships between physicians and teaching hospitals and applicable manufacturers and GPOs with whom they interact. The expectations were that the bill would reveal the potential overall effect that these relationships have on patient care and rising healthcare costs. The PPSA failed as an independent bill but was signed into law as section 6002 of the ACA in 2010. The PPSA’s final rule was proposed in December 2011, and, after a public comment period, went into effect on August 1, 2013.

40
Q

What are the compliance risks of the PPSA?

A

General Payments or Transfers of Value Such As Meals, Travel Reimbursement, and Consulting Fees: Under the PPSA, manufacturers of drugs, devices, biologics, and medical supplies covered by Medicare, Medicaid, or the Children’s Health Insurance Program are required to report to CMS any payment. Furthermore, any payment made for participation in preclinical research, clinical trials, or other product development activities must be reported. To qualify as research under the final rule, it must be subject to a written agreement or a research protocol.

Ownership and Investment Interests in Manufacturers Held by Physicians as Well as Their Immediate Family Members: The PPSA requires drug, biological, and medical manufacturers (Applicable Manufacturers) and GPOs to annually disclose direct and indirect ownership and investment interests held by physicians and their immediate family members. Ownership or investment interest includes, but is not limited to, stock, partnership shares, limited liability company memberships, and loans, bonds, or other financial instruments.

41
Q

What Is the Physician Self-Referral Law (Stark Law)?

A

The Physician Self-Referral Law/Stark Law (referred to as Stark Law in this article) prohibits a physician from making referrals for certain designated health services payable by Medicare to an entity with which they (or an immediate family member) have a financial relationship, unless an exception applies. It also prohibits the entity from presenting (or causing to be presented) claims to Medicare for those referred services.

42
Q

What are the exceptions and grants to the Physician Self-Referral Law (Stark Law)?

A

Physician services: Permits physicians to refer to other physicians who are members of the same group practice or under the supervision of a physician in the same group practice.

In-office ancillary services: Permits a group medical practice to make referrals for in-office ancillary services, such as laboratory or radiology services.

Services furnished by an organization to enrollees: Physicians can refer patients to organizations that provide prepaid health services to enrollees, including approved health maintenance organizations (HMOs) and competitive medical plans (CMPs), plans approved by the Centers for Medicare & Medicaid Services (CMS), and other plans identified by the Stark Law.

Academic medical centers: Physicians can refer patients to academic medical centers the physician has a financial relationship with, if the physician:

Is a “bona fide” employee of the medical center,

Is licensed in the state where the medical center is located,

Is a faculty member of the facility,

Provides paid clinical teaching services at the center, and

Refers the patient to an academic medical center that is approved under the Stark Law.

Implants furnished by an ambulatory surgery center (ASC): Physicians can refer patients to have certain implant procedures done at an ASC by a physician who belongs to the same medical group.

Eyeglasses and contact lenses after the patient has cataract surgery: Applies when Medicare approved the eyeglasses or contact lenses.

Erythropoietin (EPO) and other prescription drugs for dialysis patients who need outpatient treatment: Applies to referrals for specified (preapproved) drugs that are given in an end-stage renal disease (ESRD) facility.

Preventive services: Vaccines, immunizations, and screening tests covered by Medicare are generally allowed if they are given prudently.

Intra-family rural referrals: Some referrals in rural areas are permitted if the services are for an immediate family member and there are no nearby facilities or people that can provide the same service.

Fair market compensation: Applies when a compensation arrangement is in writing, specifies a timeframe and the compensation to be provided, involves a commercially reasonable transaction, and meets the safe harbors under the Anti-Kickback Statute.

Indirect compensation: Permits indirect compensation arrangements between a physician and an entity if the compensation received by the referring physician is of fair market value, does not take into account the value or volume of referrals, and is set out in writing and signed by the parties.

Nonmonetary exemptions: Applies to the payment of nonmonetary compensation to a physician of up to $300 per year if the physician did not solicit the compensation and it does not take into account the volume or value of referrals.

Rental of office space and/or equipment: Physicians can rent out office space and equipment if the lease is in writing, the term is at least for one year, the lease is commercially reasonable, and other conditions are met.

Bona fide employee relationship: An employer can pay a physician or family member if the physician/family member is a true bona fide employee with the employer, the compensation is fair, it’s clear what services the physician/family member is providing, and other factors are met.

Physician incentive plan: Incentive plans are permitted if they do not limit necessary medical services to eligible patients.

Physician recruitment: Hospitals can pay physicians to persuade them to work for the hospital if the agreement is in writing and does not require the physician to refer patients to the hospital, the amount of the payment is not related to the value or volume of referrals, and the physician can obtain staff privileges at other hospitals.

Charity: A physician may donate to an approved Internal Revenue Service tax-exempt charity as long as the donation is not based on the value or volume of referrals.

Medical staff incidental benefits: Hospitals can provide noncash benefits to medical staff as long as the value of the benefit is less than $25, is provided at the hospital to all members of the medical staff, is comparable to benefits given by other hospitals, and all other conditions are met.

43
Q

What is the history of Stark Law?

A

The Stark Law—named after its sponsor Congressman Pete Stark—was enacted by Congress in 1989 as the Ethics in Patient Referrals Act. The original intent of the law was to prohibit physicians from referring Medicare patients to clinical labs that a physician had a financial or ownership interest in. In 1993 and 1994, Congress expanded the prohibition to include aspects of physician self-referral to the Medicaid program. In 1997, Congress added a provision that permitted the HHS secretary to issue written advisory opinions as to whether a referral other than clinical laboratory services is prohibited by the act. In late 2020, HHS published two new rules in order to reduce regulatory burdens without increasing the risk of abuse of the federal healthcare system and to promote coordinated and value-based care for patients. “Coordinated care” refers to patient care spanning across care settings in both the federal healthcare programs and the commercial sector.

44
Q

What are the compliance risks of Stark Law?

A

General Prohibition on Physician Self-Referrals: The Stark Law provides a general prohibition against physicians referring Medicare or Medicaid patients to an entity to provide designated health services if the physician or the physician’s immediate family members have a financial stake in the referred entity. Designated health services include the following:
Clinical laboratory services;
Physical therapy;
Occupational therapy;
Radiology services;
Radiation therapy services and supplies;
Durable medical equipment and supplies;
Parenteral and enteral nutrients, equipment, and supplies;
Prosthetics, orthotics, and prosthetic devices and supplies;
Home health services;
Outpatient prescription drugs;
Inpatient and outpatient hospital services; and
Outpatient speech-language pathology services.
42 U.S.C. § 1395nn(a)(2) describes a “financial relationship” as either ownership or an investment interest, or a compensation arrangement between the physician and the entity. However, the law does provide for exceptions discussed in later sections of the law.

Reporting Requirements: The Stark Law requires facilities providing designated healthcare services to disclose to the HHS secretary their ownership and investment information, as well as any compensation agreements they have with other entities or physicians.

Sanctions and Penalties for Noncompliance: Stark Law violations may result in certain prohibitions, sanctions, and civil penalties. Violating physicians may be prohibited from being reimbursed by Medicare or Medicaid, or from billing patients or other providers for services. A physician may also be banned from participating in Medicare and Medicaid entirely. Civil penalties include up to $15,000 per isolated violation, and up to $100,000 for violations considered as “circumvention schemes,” which are often illegal referral arrangements resulting in multiple individual violations. Lastly, entities that fail to report their ownership, investment, and compensation arrangements under 42 U.S.C. § 1395nn(f) are subject to fines up to $10,000.

General Exceptions to Compensation Arrangement Prohibitions: Many of the exceptions to the Stark Law’s strict general prohibition against self-referrals concern the business realities of medical practice. Some of the exceptions concern physicians working in a group practice. A “group practice” is defined by the Stark Law as a corporate entity of physicians working in the same space, sharing equipment and staff, providing the same full range of services, collectively billing and maintaining the business, and in which the physicians are not compensated based on referrals. Physicians are free to refer physician services (e.g., surgeries and consultations) to other physicians in the same group practice, or ancillary services to physicians or supervised personnel within the group practice, where the treating physician normally furnishes their services or where the treated patient receives their services, and billed using an approved Medicare or Medicaid billing number. Other exceptions include the ability for physicians to rent offices and equipment, pay employees, be recruited by hospitals, and provide personal services. Typically, all exceptions concern the unlikelihood that such an arrangement would result in conduct that would take advantage of the federal healthcare system and patients. Importantly, the HHS secretary is authorized to pass regulatory exceptions to the Stark Law, which are found at 42 C.F.R. § 411.357. Section 411.357 includes additional exceptions, such as physician donations to charity, and also expands on the existing statutory exceptions.

General Exceptions to Both Ownership and Investment Prohibitions: The Stark Law allows physicians to maintain certain investment and ownership interests that do not constitute a financial relationship under 42 U.S.C. § 1395nn(a). Physicians are permitted to invest in entities through publicly available securities available on the New York Stock Exchange and certain mutual funds. Further, physicians can have an ownership or investment interest in a rural healthcare provider or a hospital in Puerto Rico. Physicians may also have an ownership interest in certain hospitals qualifying under 42 U.S.C. § 1395nn

45
Q

What are the consequences of violating the Anti-Kickback Statute?

A

Violations of false statements or representations, illegal remunerations, or illegal patient admittance and retention practices under the AKS result in a fine of up to $100,000 per violation and imprisonment of up to 10 years. Violations of the prohibition of the solicitation or distribution of beneficiary identification or unique health identifier numbers may result in a fine of up to $500,000 per violation and imprisonment of up to 10 years. Violations of false claims under the AKS may result in a fine of up to $100,000 per violation and imprisonment of up to 10 years. Violations of assignment of terms may result in a fine of up to $4,000 per violation and imprisonment of up to 6 months.

Administrative Proceedings
Penalties
Criminal penalties per violation are up to $100,000 for a felony conviction and up to $20,000 for a misdemeanor conviction for making false statements or representations.

Criminal penalties per violation are up to $100,000 for illegal remuneration and up to $1,000,000 for buying, selling, or distributing beneficiary IDs or unique health identifiers.

Criminal penalties per violation are up to $100,000 for making false statements or representations with respect to condition or operation of a healthcare institution.

Criminal penalties per violation are up to $100,000 for illegal patient admittance and retention practices.

Criminal penalties per violation are up to $4,000 for violating assignment terms.

Civil money penalties per violation of up to $20,000 and not more than three times the amount of remuneration offered, paid, solicited, or received.[15]

Exclusion from participating in federal healthcare programs.

Typical monetary penalties range from several hundred thousand to several million dollars. Extraordinary cases may range up to several hundred million to billions of dollars.

Civil Litigation
Damages
Violations of the AKS involving illegal remuneration for items or services constitute a violation of the False Claims Act, which provides three times the damages the government sustains as a result of a false claims violation.

Criminal Proceedings
Sentencing
Up to 10 years for a felony conviction of false statements or representations.
Up to 10 years for illegal remuneration or for buying, selling, or distributing beneficiary IDs or unique health identifiers.
Up to 10 years for making false statements or representations with respect to condition or operation of a healthcare institution.
Up to 10 years for illegal patient admittance and retention practices.
Up to 6 months for violating assignment terms.

46
Q

What are the consequences of violating the Civil Monetary Penalties Law?

A

Administrative Proceedings

Penalties
In determining the amount or scope of any penalty, assessment, or exclusion imposed pursuant to subsection (a) or (b), the Secretary shall take into account— the nature of claims and the circumstances under which they were presented, the degree of culpability, history of prior offenses, and financial condition of the person presenting the claims, and such other matters as justice may require.

Corrective Actions
Exclusion from participating in federal healthcare programs.

Civil Litigation
Damages
Penalties range from $10,000 to $100,000 per violation.

Civil monetary penalties also may include an assessment of up to three times the amount claimed for each item or service, or up to three times the amount of remuneration offered, paid, solicited, or received.

The maximum penalties under the CMPL for various improperly filed claims have increased to $20,000 (from $10,000), $30,000 (from $15,000), and $100,000 (from $50,000). Maximum penalties under the CMPL for various payments to induce reduction or limitation of services have increased to $5,000 (from $2,000) and $10,000 (from $5,000).[23]

In addition to any other penalties that may be prescribed by law, to a civil money penalty of not more than:

$20,000 for each item or service,

“The term ‘item or service’ includes (A) any particular item, device, medical supply, or service claimed to have been provided to a patient and listed in an itemized claim for payment, and (B) in the case of a claim based on costs, any entry in the cost report, books of account or other documents supporting such claim.”

$30,000 for each individual with respect to whom false or misleading information was given that could reasonably be expected to influence the decision when to discharge such person or another individual from the hospital (in cases under paragraph 3 of the CMPL),

$20,000 for each day the prohibited relationship with an excluded healthcare provider occurs (in cases under paragraph 4 of the CMPL),

$100,000 for each such act (in cases under paragraph 7 of the CMPL),

$100,000 for each false record or statement relating to ordering or prescribing during a period in which the person was excluded from a federal health care program (in cases under paragraph 8 of the CMPL),

$15,000 for each day of the failure to grant timely access, upon reasonable request to the inspector general of the Department of Health & Human Services (in cases under paragraph 9 of the CMPL), and

$100,000 for each false statement or misrepresentation of a material fact to participate or enroll as a provider of services or a supplier under a federal health care program (in cases under paragraph 9 of the CMPL).[25]

The OIG may impose a penalty of up to $50,000 and assessments of up to three times the amount of funds at issue: (1) for each instance of knowingly making a false statement in a document required to be submitted in order to receive funds under an HHS contract, grant, or other agreement; (2) for knowingly making or using a false record or statement that is material to a false or fraudulent claim; and (3) for knowingly making or using a false record or statement material to an obligation to pay or transmit funds or property owed to HHS.[26]

Criminal Proceedings
Sentencing: Not applicable.

47
Q

What are the consequences of violating EMTALA?

A

Compliance with EMTALA is especially important to compliance professionals because of the severe civil penalties and civil actions arising from compliance violations. Civil money penalties can reach up to $50,000 per violation for large hospitals and $25,000 per violation for hospitals with fewer than 100 beds. Concurrently, civil enforcement in the form of private personal injury claims, and claims for the economic loss of other medical facilities caused by a compliance violation, is available.

Administrative Proceedings
Penalties
Termination of the healthcare provider’s Medicare agreement,

Money penalties of up to $50,000 per violation, and

Settlement with the Office of Inspector General or Department of Justice ranging from $100,000 to well over $1 million.

Civil Litigation
Damages
Under EMTALA, hospitals are subject to damages arising from personal injury under applicable state law. Apart from patients asserting personal injury, a receiving facility that suffered economic loss from an EMTALA violation may recover damages from the violating hospital or physician.

48
Q

What are the consequences of violating False Claims Act?

A

Violations of the False Claims Act expose healthcare organizations to civil penalties up to the statutory limit, subject to adjustment for inflation, per violation. Violators are also liable for three times the damages the government sustains as a result of the false claim or reverse false claim.

Administrative Proceedings
Penalties
Violations before August 1999 are subject to civil penalties from $5,000 to $10,000.

Violations from September 29, 1999, to November 2, 2015, are subject to civil penalties from $5,500 to $11,000.

Civil penalties for violations after August 2016 are calculated when the court awards the penalties. As of June 19, 2020, the penalty range is from $11,665 to $23,331 and is updated annually or biennially.

Civil Litigation
Damages
Violators of the False Claims Act are liable for three times the damages the government sustains because of the violation. Violators who cooperate under 31 U.S.C. § 3729(a)(2) may have damages reduced to two times the damages sustained by the government.

49
Q

What are the consequences of violating the Foreign Corrupt Practices Act?

A

Administrative Proceedings
Penalties
For each violation of the law’s anti-bribery provisions:

Up to $2 million fine for corporations and other business entities

Up to $250,000 fine and imprisonment up to five years for individuals

For each violation of the law’s accounting provisions:

Up to $25 million fine for corporations and other business entities

Up to $5 million fine and imprisonment up to 20 years for individuals

Civil Litigation
Damages
For violations of the anti-bribery provisions, corporations and other business entities are subject to a civil penalty up to $21,410 per violation.

For violations of the anti-bribery provisions, individuals (including officers, directors, stockholders, and agents of companies) are subject to a civil penalty up to $21,410 per violation.

For violating the FCPA’s accounting provision, the SEC may impose “a civil penalty not to exceed the greater of (a) the gross amount of the pecuniary gain to the defendant as a result of the violations or (b) a specified dollar limitation.” The specified dollar limitations are determined by the egregiousness of the violation and can range from $9,639 to $192,768 for an individual and from $96,384 to $963,837 for a company.

Both the DOJ and SEC have civil enforcement authority under the FCPA.

Criminal Proceedings
Sentencing
Up to five years for violations of anti-bribery provisions.

Up to 20 years for violations of accounting provisions.

Only the DOJ has the authority to pursue criminal actions.

The DOJ may agree to resolve criminal FCPA matters against companies either through a declination or, in appropriate cases, a negotiated resolution resulting in a plea agreement, deferred prosecution agreement, or non-prosecution agreement:

Generally, in a plea agreement, the defendant “admits to the facts supporting the charges, admits guilt, and is convicted of the charged crimes when the plea agreement is presented to and accepted by a court.”

Under a deferred prosecution agreement (DPA), the “DOJ files a charging document with the court, but it simultaneously requests that the prosecution be deferred . . . allowing the company to demonstrate its good conduct. DPAs generally require a defendant to agree to pay a monetary penalty, waive the statute of limitation, cooperate with the government, admit the relevant facts, and enter into certain compliance and remediation commitments, potentially including a corporate compliance monitor.”

Under a non-prosecution agreement (NPA), the “DOJ maintains the right to file charges but refrains from doing so to allow the company to demonstrate its good conduct during the term of the NPA. Unlike a DPA, an NPA is not filed with a court but is instead maintained by the parties.”

50
Q

What are the consequences of violating HITECH?

A

The HITECH Act significantly increases the civil money penalty amount per violation and the cumulative amount per calendar year under HIPAA. Noncompliance and violations of HIPAA expose healthcare organizations to not only civil money penalties and civil litigation, but also corrective actions imposed by corrective action plans should a healthcare organization choose to settle potential violations with the Office for Civil Rights (OCR).

Administrative Proceedings
Penalties
Violations that occurred before February 18, 2019, are subject to civil penalties no more than $100 per violation and no more than $25,000 per calendar year.

Violations occurring on or after February 18, 2019, are subject to civil penalty limits dependent on the nature of the violation.

If the entity was unaware of the violation and would not have known of it by exercising reasonable due diligence: $100–$50,000 per violation or up to $1.5 million per year for identical violations.

Violations due to reasonable cause and not willful neglect: $1,000–$50,000 per violation or up to $1,500,000 per year for identical violations.

Violations due to willful neglect but corrected within 30 days: $10,000–$50,000 per violation or up to $1.5 million per year for identical violations.

Violations due to willful neglect and not corrected within 30 days: No less than $50,000 per violation or up to $1.5 million per year for identical violations.

Civil penalties are adjusted for inflation on a yearly basis, and updated amounts are published at 45 C.F.R. § 102.3.

Civil Litigation
Damages
A person who was financially harmed by a HIPAA violation may sue a covered entity or business associate for damages under state law.

51
Q

What are the consequences of violating HIPAA?

A

Noncompliance and violations of HIPAA expose healthcare organizations to civil money penalties within a defined statutory range, subject to adjustment for inflation, and dependent on the nature of the violation.

Administrative Proceedings
Penalties
Violations before February 18, 2019, are subject to civil penalties of no more than $100 per violation and no more than $25,000 per calendar year.

Violations occurring on or after February 18, 2019, are subject to civil penalty limits dependent on the nature of the violation.

If the entity was unaware of the violation and would not have known of it by exercising reasonable due diligence: $100–$50,000 per violation or up to $1.5 million per year for identical violations.

Violations due to reasonable cause and not willful neglect: $1,000–$50,000 per violation or up to $1.5 million per year for identical violations.

Violations due to willful neglect but corrected within 30 days: $10,000–$50,000 per violation, or up to $1.5 million per year for identical violations.

Violations due to willful neglect and not corrected within 30 days: No less than $50,000 per violation or up to $1.5 million per year for identical violations.

Civil penalties are adjusted for inflation on a yearly basis, and updated amounts are published at 45 C.F.R. § 102.3.

Civil Litigation
Damages
A person who was financially harmed by a HIPAA violation may sue a covered entity or business associate for damages under state law.[26]

Criminal Proceedings
Sentencing
Knowing violation: Up to $50,000 fine and/or up to one-year imprisonment.

Knowing violation committed under false pretenses: Up to $100,000 fine and/or up to five-year imprisonment.

Knowing violation committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm: Up to $250,000 fine and/or up to 10-year imprisonment.

52
Q

What are the consequences of violating the Physician Payment Sunshine Act (PPSA)?

A

Administrative Proceedings
Penalties: Not applicable.

Corrective Actions: Not applicable.

Civil Litigation
Damages
Any applicable manufacturer or applicable group purchasing organization that fails to submit information required under subsection (a) in a timely manner in accordance with rules or regulations promulgated to carry out such subsection, shall be subject to a civil money penalty of not less than $1,000, but not more than $10,000, for each payment or other transfer of value or ownership or investment interest not reported as required under such subsection.

Any applicable manufacturer or applicable group purchasing organization that knowingly fails to submit information required under subsection (a) in a timely manner in accordance with rules or regulations promulgated to carry out such subsection, shall be subject to a civil money penalty of not less than $10,000, but not more than $100,000, for each payment or other transfer of value or ownership or investment interest not reported as required under such subsection.

Criminal Proceedings
Not applicable.

53
Q

What are the consequences of violating the Stark Law?

A

Subsection (g) of the Stark Law provides for sanctions and civil penalties in the event a violation occurs. Because Stark Law violations often overlap with AKS violations, the latter law may expose healthcare organization officials to criminal liability.

Administrative Proceedings
Penalties
Payment for a designated health service covered by Medicare or Medicaid may be denied.

Collections of amounts billed in violation of the Stark Law must be refunded to the patient or other party.

Any person who presents or causes to be presented a bill or claim for a designated health service that the person knew or should have known was an illegal referral or should have been refunded shall be subject to a civil money penalty not exceeding $15,000 for each service.

Any physician or other entity who enters into an arrangement or scheme that the physician or entity knew or should have known was for securing illegal referrals shall be subject to a civil money penalty not exceeding $100,000 per arrangement or scheme.

Any person who is required to report its ownership, investment, or compensation arrangements under 42 U.S.C. § 1395nn(f) and fails to do so is subject to a civil money penalty not exceeding $10,000 for each day for which reporting is required to have been made.

Civil Litigation
Damages
Three times damages for violations involving illegal remuneration under the False Claims Act.