April 30

New IRS Regulations Force Charitable Hospitals To Publicize Financial Assistance Policies and Limit Collection Activities

New Internal Revenue Service (IRS) regulations (Final Regulations) force charitable hospitals[1] to publicize information about their financial assistance policies and limit their collection activities. Section 9007 of the Patient Protection and Affordable Care Act (PPACA)[2] added four new requirements for a charitable hospital to maintain its federal income tax exemption under Section 501(c)(3) of the Internal Revenue Code:

1. Community health needs assessment;
2. Financial assistance policy;
3. Limitations on charges; and
4. No extraordinary collection actions before assessing eligibility for assistance.

The Final Regulations implementing these four new requirements of PPACA were published on December 31, 2014, and apply to taxable years beginning after December 29, 2015.[3] Section 9007 of PPACA and the Final Regulations respond to complaints that charitable hospitals provided no greater charitable care than for-profit hospitals and used over-aggressive collection tactics against uninsured patients.[4]

Community Health Needs Assessment
Section 9007 of PPACA and the Final Regulations require a charitable hospital to conduct a community health needs assessment (CHNA) at least once every three years.[5] The statutory requirement for CHNAs applies to taxable years beginning after March 23, 2012. In addition, a charitable hospital must report on Schedule H of IRS Form 990 information on the activities and policies of, and community benefit provided by, its hospital facilities and other non-hospital healthcare facilities that it operated during the tax year.[6] Hospitals go to great lengths to prepare the CHNA and provide the community benefit data required in Schedule H of Form 990 to justify their tax exemptions.

The remaining three requirements in the IRS regulations focus on affordable care at an individual level.

Financial Assistance Policy
A charitable hospital must establish and widely publicize its financial assistance policy, which must apply to all emergency care and other medically necessary care provided by the hospital facility.[7] The “widely publicize” requirement includes dissemination on a Web site, available paper copies, notices to the community most likely to require financial assistance and notices to patients who receive care at the hospital. The hospital must translate the financial assistance policy into each non-English language spoken by each language group of the lesser of 1,000 individuals or five percent of the community served by the hospital.

The financial assistance policy must include (a) the eligibility criteria and whether such assistance includes free or discounted care, (b) the basis for calculating charges, (c) the method of applying for financial assistance, and (d) the actions that may be taken in the event of non-payment. The Final Regulations expressly state that a hospital facility may grant financial assistance notwithstanding an applicant’s failure to provide information required in the financial assistance policy.[8]

The hospital must also establish (but is not required to widely publicize) its emergency medical care policy to comply with the regulations implementing the Emergency Medical Treatment and Labor Act (EMTALA).[9] The Final Regulations on emergency medical care policy apply only to debt collection activities in the emergency department that could discourage individuals from seeking emergency care, or interfere with the provision of emergency care, such as demanding emergency department patients pay before receiving treatment for emergency medical conditions.[10] The Final Regulations on financial assistance policies extend beyond emergency care under EMTALA to include “other medically necessary care provided by the hospital facility.”[11] The Final Regulations require both the financial assistance policy and the emergency medical care policy to be adopted by an authorized body of the hospital facility (that is, the board of directors, board of trustees or equivalent body).[12]

Limitations on Charges
A charitable hospital must limit the amount of charges for care provided to any individual who is eligible for assistance under its financial assistance policy to not more than the amounts generally billed to individuals who have insurance covering such care.[13] In other words, charitable hospitals can no longer charge uninsured patients more than insured patients. The term “amounts generally billed” (AGB) means the amounts determined under one of two methods: (1) a look-back method using 12-month data on charges allowed by health insurers, or (2) a prospective method using the billing and coding process as if the individual were a Medicare or Medicaid fee-for-service beneficiary.

No Extraordinary Collection Actions
A charitable hospital may not engage in extraordinary collection actions against an individual to obtain payment for care before the hospital has made reasonable efforts to determine whether the individual is eligible for assistance under the hospital’s financial assistance policy.[14] The term “extraordinary collection actions” includes: (i) selling the individual’s debt to another party; (ii) reporting adverse information to consumer credit reporting agencies or credit bureaus; (iii) deferring or denying, or requiring a payment before providing, medically necessary care because of any individual’s nonpayment of one or more bills for previously provided care covered under the hospital’s financial assistance policy; (iv) actions that require a legal or judicial process including liens, foreclosure of real property, attaching bank accounts or other personal property, commencing civil actions against an individual, causing an individual’s arrest or writ of body attachment and garnishing an individual’s wages.[15]

The Final Regulations provide detailed guidance for defining “reasonable efforts” to determine if the individual is eligible for financial assistance. In general, a charitable hospital may take no extraordinary collection actions against an individual whose eligibility for financial assistance has not been determined before 120 days after the first post-discharge bill.[16] An individual may submit a financial assistance policy application that the charitable hospital must accept and process up to 240 days after the first post-discharge bill, or longer if the charitable hospital allows a longer period.[17]

Transition Rules
The statutory requirements of Section 9007 of PPACA (except for the CHNA) apply to taxable years beginning after March 23, 2010; as noted above, the statutory requirement for CHNAs applies to taxable years beginning after March 23, 2012. The Final Regulations apply to taxable years beginning after December 29, 2015, to give all hospital facilities roughly a year to come into compliance with the Final Regulations.[18] For taxable years beginning on or before December 29, 2015, hospital facilities may rely on a reasonable, good faith interpretation of the statute, the proposed regulations[19] or the Final Regulations.

Medicaid Expansion and the Coverage Gap
PPACA expanded Medicaid eligibility in all states to nearly all low-income individuals with incomes at or below 138 percent of federal poverty guidelines. PPACA provides federal funding for 100 percent of the Medicaid expansion for the first three years and declining to a 90 percent federal share by the year 2020. The United States Supreme Court ruled on June 28, 2012 that the statutory provision giving the Secretary of the Department of Health and Human Services (HHS) the authority to penalize states that chose not to participate in PPACA’s expansion of the Medicaid program exceeded Congress’s power under the Spending Clause.[20] This ruling made Medicaid expansion optional for the states.

As of March 6, 2015, 22 states have not expanded their Medicaid programs as contemplated by PPACA.[21] Medicaid eligibility in states not expanding is limited for parents to 50 percent of federal poverty guidelines, and childless adults are ineligible. The result is a coverage gap in states not expanding Medicaid, which affects individuals who are not eligible for Medicaid (parents earning more than 50 percent of federal poverty guidelines plus childless adults) and who do not earn more than 100 percent of federal poverty guidelines to qualify for government financial aid to buy subsidized private health insurance on the PPACA exchange. Nearly four million individuals fall into the coverage gap, with more than half of those individuals concentrated in four states: Florida, Georgia, North Carolina and Texas.[22] Even with the additional insurance coverage provided by PPACA, uninsured and under-insured individuals still need the financial assistance provided by charitable hospitals, particularly those individuals in the Medicaid coverage gap.

Free and Discounted Hospital Care
While the Final Regulations require a plain language summary of the hospital’s financial assistance policy which is clear, concise, and easy to understand, many of the financial assistance policies published to date need further interpretation and explanation. For example, Emory Healthcare in Atlanta, Georgia, offers a generous Financial Assistance Policy for all uninsured and under-insured patients.[23] Patients with family income at or below 200 percent of the federal poverty level will qualify for a 100 percent charity adjustment (i.e., free care). Patients with family income at 201 percent to 400 percent of the federal poverty level will qualify for a 50 percent charity adjustment (discount).

But what is the federal poverty level? HHS updates the federal poverty guidelines annually to account for last calendar year’s increase in prices as measured by the Consumer Price Index. HHS publishes main poverty guidelines for the 48 contiguous states and the District of Columbia, and separate poverty guidelines for Alaska and Hawaii. The guidelines vary depending on the number of persons in the family/household. For the year 2015, the main guideline for a family/household of four persons is annual income of $24,250.[24] Under Emory Healthcare’s Financial Assistance Policy, a family of four persons will receive free emergency and other medically necessary care in the hospital if annual income does not exceed 200 percent of the federal poverty guideline, which means 200 percent x $24,250 or $48,500. In other words, Emory Healthcare offers free hospital care for families of four making up to $48,500 per year.

Many other tax-exempt hospitals offer free hospital care to individuals with family/household incomes up to 200 percent of the federal poverty guidelines, including Baycare Health System based in Tampa, Florida,[25] Texas Health Resources based in Dallas, Texas,[26] and Carolinas Healthcare System based in Charlotte, North Carolina.[27] The public accounting firm Ernst & Young analyzed information about free care on Schedule H of IRS Form 990 for more than 900 hospitals around the nation and found 100 percent of tax-exempt hospitals provided free care for those below 100 percent of the federal poverty guidelines, while 91 percent of tax-exempt hospitals provided free or discounted care for those below 200 percent of the federal poverty guidelines.[28]

Hospitals in states which did expand Medicaid are benefiting from larger reductions in uncompensated care than hospitals in states which did not expand Medicaid.[29] The reductions in uncompensated care may allow charitable hospitals to expand their community benefits to individuals earning higher, even middle class, incomes.[30] For example, Kaiser Permanente is offering free hospital care in California (which has expanded Medicaid) for individuals with incomes up to 350 percent of the federal poverty guidelines, which converts to annual income of $84,875 for a family of four in 2015.[31]

By 2016, each charitable hospital must widely publicize its financial assistance policy, including the eligibility criteria for free or discounted care. The financial assistance policy must apply to all emergency care and other medically necessary care provided by the hospital facility. A charitable hospital must limit the amount of charges to amounts generally billed to other insured individuals. A charitable hospital may not engage in extraordinary collection actions before it determines whether the individual is eligible for financial assistance. Uninsured individuals in the Medicaid coverage gap need the financial assistance provided by charitable hospitals. Hospitals in states which did expand Medicaid may offer more generous financial assistance as uncompensated care declines. Hospitals should begin reviewing and updating their policies and procedures so that they are in compliance with these changes by their effective date.


Scott C. Withrow is a founding partner of Withrow, McQuade & Olsen, LLP, Atlanta, Georgia. He has practiced corporate and healthcare law for 31 years. He earned his undergraduate degree in accounting from the University of Virginia’s McIntire School of Commerce in 1979 and his law degree from Vanderbilt University in 1984. He may be reached at swithrow@wmolaw.com.


[1] Hospitals which are exempt from federal income tax under Section 501(c)(3) of the Internal Revenue Code are commonly referred to as “charitable hospitals.”
[2] Pub. Law No. 111-148.
[3] T.D. 9708; 79 Fed. Reg. 78954 (Dec. 31, 2014).
[4] United States Gov’t Accountability Off’c, Nonprofit, For-Profit, and Government Hospitals: Uncompensated Care and Other Community Benefits, Statement of David M. Walker, May 26, 2005, available at http://www.gao.gov/new.items/d05743t.pdf (last viewed Mar. 24, 2015).
[5] 26 C.F.R. § 1.501(r)-3.
[6] http://www.irs.gov/pub/irs-pdf/i990sh.pdf (last viewed Feb. 16, 2015).
[7] 26 C.F.R. § 1.501(r)-4.
[8] 26 C.F.R. § 1.501(r)-4(b)(3)(i).
[9] 26 C.F.R. § 1.501(r)-4(c); 42 C.F.R. § 489.24.
[10] 26 C.F.R. § 1.501(r)-4(c)(2).
[11] 26 C.F.R. § 1.501(r)-4(b)(1)(i).
[12] 26 C.F.R. § 1.501(r)-4(d)(1).
[13] 26 C.F.R. § 1.501(r)-5.
[14] 26 C.F.R. § 1.501(r)-6.
[15] 26 C.F.R. § 1.501(r)-6(b)(1).
[16] 26 C.F.R. § 1.501(r)-6(c)(3)(i).
[17] 26 C.F.R. § 1.501(r)-6(c)(4)(iii)(A).
[18] 26 C.F.R. § 1.501(r)-7.
[19] 77 Fed. Reg. 38148 (June 26, 2012); 78 Fed. Reg. 20533 (Apr. 5, 2013).
[20] Nat’l Fed’n of Indep. Bus. v. Sebelius, 132 S. Ct. 2566, 183 L. Ed. 2d 450 (2012).
[21] Kaiser Family Foundation, “The Coverage Gap: Uninsured Poor Adults in States that Do Not Expand Medicaid – An Update,” November 2014, http://kff.org/health-reform/issue-brief/the-coverage-gap-uninsured-poor-adults-in-states-that-do-not-expand-medicaid-an-update, revised March 6, 2015 at http://kff.org/interactive/uninsured-gap/ (last viewed Mar. 24, 2015).
[22] Id., at p. 2.
[23] http://www.emoryhealthcare.org/patient-guide/billing/charity-care-policy.html (last viewed Feb. 18, 2015).
[24] 80 Fed. Reg. 3236, 3237 (Jan. 22, 2015); see also http://aspe.hhs.gov/poverty/15poverty.cfm (last viewed Feb. 18, 2015).
[25] http://www.baycare.org/workfiles/baycarewebfiles/1401916-final.pdf (last viewed Feb. 18, 2015).
[26] https://www.texashealth.org/Documents/System/Business_Office/Charity_Care_Program_05-24-2013_English.pdf (last viewed Feb. 18, 2015).
[27] http://www.carolinashealthcare.org/chs-financial-assistance (last viewed Feb. 18, 2015).
[28] Ernst & Young, Schedule H Benchmark Report for the American Hospital Association, Tax Years 2009 & 2010, http://www.aha.org/content/12/09-sche-h-benchmark.pdf (last viewed Feb. 18, 2015).
[29] http://aspe.hhs.gov/health/reports/2014/UncompensatedCare/ib_UncompensatedCare.pdf (last viewed Feb. 18, 2015).
[30] See Center for Health Care Strategies, Inc., “The Future of U.S. Charity Care Programs: Implications of Health Reform,” August 2010, http://www.academyhealth.org/files/publications/FutureofCharityCarePrograms.pdf (last viewed Feb. 18, 2015).
[31] http://share.kaiserpermanente.org/article/subsidized-care-and-coverage-medical-financial-assistance-program (last viewed Feb. 18, 2015); http://share.kaiserpermanente.org/wp-content/uploads/2013/10/NCAL-Medical-Financial-Assistance-Policy-Final-9_1_14.pdf (last viewed Feb. 18, 2015); http://share.kaiserpermanente.org/wp-content/uploads/2013/12/scal_MFA-Policy-10-31-14.pdf (last viewed Feb. 18, 2015).
April 29

Finally, State Securities Filings Electronically: NASAA’s Electronic Filing Depository

The United States Securities and Exchange Commission (SEC) installed its electronic disclosure system, EDGAR, beginning with a pilot program in 1984, and culminating in a full phase-in by 1996. EDGAR accepts, stores, and disseminates federal securities filings in the form of discrete electronic files based on paper disclosure documents. State securities regulators have lagged behind the SEC for decades, relying on paper filings with no integrated method of electronically filing in multiple states simultaneously with a federal filing in EDGAR.

NASAA’s Electronic Filing Depository

On December 15, 2014, the North American Securities Administrators Association (NASAA) announced the launch of the online Electronic Filing Depository (EFD) to enhance the efficiency of the regulatory filing process for certain exempt securities offerings. EFD is an online system that allows an issuer to submit a Form D for a Regulation D, Rule 506 exempt offering to state securities regulators and pay related fees. The EFD website also enables the public to search and view, free of charge, Form D filings made with state securities regulators through EFD. EFD is available at: https://www.efdnasaa.org.

Rule 506 of Regulation D is a “safe harbor” for the private offering exemption of Section 4(a)(2) of the Securities Act, and also provides an exemption for public offerings to verified accredited investors. Issuers relying on the Rule 506 exemption do not have to register their offerings of securities with the SEC or state securities regulators, but they must file what is known as a “Form D” with the SEC and state securities regulators. Form D contains limited information about the securities being offered and the issuer offering those securities.

The EFD system is available 24 hours a day, seven days a week, unless the website is undergoing maintenance. In addition to the filing fees required by the states, there is a one-time $150 system use fee for each offering making its filings through EFD. This one-time system fee covers initial, amendment and renewal filings made through EFD. The EFD system is initially limited to Form D filings for Regulation D, Rule 506 offerings, but NASAA expects the filing system will be expanded to include additional state securities registration and notice filing materials.

Not All States Yet

The EFD system is presently available for 41 out of a total of 53 states and territories (including the District of Columbia, Puerto Rico, and the U.S. Virgin Islands). The 12 states not yet available are: Arizona, California, Connecticut, Delaware, Florida, Louisiana, Massachusetts, Michigan, Minnesota, New York, North Carolina, and Oregon. The author recently used the EFD system for a multi-state offering involving Georgia, Illinois, South Carolina, Tennessee, and Texas.

File Form D with SEC First

The issuer must first file a Form ID electronically with the SEC in order to obtain an EDGAR Central Index Key (CIK) – see https://www.filermanagement.edgarfiling.sec.gov. There is a trick in the Form ID process. Even though the Form ID is submitted electronically, the issuer must manually sign a PDF of the Form ID, and have the signature notarized (the notary requirement does not appear in the instructions), and include the manually signed and notarized Form ID as an attachment to the electronic transmission.

The SEC will transmit the CIK via e-mail within a couple of business days after the Form ID is properly filed. Once the issuer receives the CIK, the issuer then can immediately generate access codes through the EDGAR website that are necessary to file the Form D with the SEC. The issuer then uses the access codes to log into the EDGAR Filing website – https://www.onlineforms.edgarfiling.sec.gov. The issuer will complete Form D, and should make a PDF version of the Form D just before transmitting to the SEC. After the Form D is transmitted to the SEC, the SEC will acknowledge the filing by an e-mail which includes a link to the EFD system:

STATE FILINGS: If you want to submit this filing to one or more U.S. states or territories, please visit the Electronic Filing Depository at: https://efdnasaa.org.

EFD System – Login, Filing Fees and Payment

A first-time filer in the EFD system must register to create a login name and password. Once logged in the EFD system, the filer must search for the Form D as filed with the SEC using the CIK number. The filer can then create state notices for any of the 41 jurisdictions in the EFD system by simply checking a box.

The EFD system will calculate and summarize the applicable state filing fees and the EFD system use fee. In the author’s five-state example, the fees were as follows:

Georgia New Notice Fee          $250.00
Illinois New Notice Fee         $100.00
South Carolina New Notice Fee   $300.00
Tennessee New Notice Fee        $500.00
Texas New Notice Fee            $500.00
EFD System Use Fee              $150.00
Total Fees                    $1,800.00

Currently, payments must be made by Automated Clearinghouse Payments (ACH), like an online check. NASAA is considering adding credit card functionality to the EFD system in the future. Once the ACH payment data is submitted, the filer can simultaneously transmit all selected state filings. The EFD system will acknowledge the filing by an e-mail and the EFD website will reflect all state filings made by the logged-in filer.


The EFD system is a welcome complement to EDGAR for Rule 506 Form D filings. The EFD system is intuitive and easy to use, and the $150 system fee is justified by efficiencies in a multistate offering. Some major states are not available in EFD, including California, Florida, and New York. NASAA should press forward to get all states in the EFD system and expand the system to other state securities filings.

January 2

Healthcare Industry Still Teeters Over Cliff

Politicians have dramatically saved the country from falling over the proverbial fiscal cliff with a deal struck as the 2013 New Year’s ball descended in Times Square. Health care benefited with a one-year delay in the scheduled 27 percent cuts to Medicare physician payments. Meanwhile, HITECH stimulus funds are now flowing freely to hospitals, many of which are sitting on huge cash reserves built with the benefit of federal income exemptions. Obamacare remains one year away. Healthcare finances appear rosy at the start of 2013.

Yet Medicare’s fee-for-service incentives continue to promote wild spending concentrated in the last six months of life. HITECH efficiencies in healthcare are a mirage. Neither legislators nor technology has made a dent in the inefficient largess of American health care. The country can simply no longer afford this system.

Healthcare industry leaders need to conceive of some real solutions in 2013 before healthcare really does go over the cliff. Unlimited fee-for-service payment is not viable and must be reformed. The healthcare industry as a whole (patients, providers, and insurers) must realize technology efficiencies that most other industries have enjoyed for 10 to 20 years. Healthcare entities must become accountable for the tax exemptions they receive, demonstrating return of those tax savings to benefit taxpayers rather than sitting on huge cash reserves.

Without real healthcare industry solutions, Medicare payment to physicians will be dramatically cut. The federal government will stop throwing good money after bad in search of technology efficiencies in health care. Hospitals serving large numbers of patients without insurance will suffer the effects of $18 billion in payment reductions under the Affordable Care Act from 2014 to 2020. Federal regulators will vigorously seek recoveries under expanded healthcare fraud and abuse laws. Eventually, legislators may be forced to reconsider the value of tax exemptions in the healthcare industry.

The fiscal cliff episode demonstrates the ultimate problem with American health care: the lack of effective governance at all levels. The problem extends to all quarters: Politicians break from the bitter rhetoric only long enough for the grandstanding delay; hospital executives pad the hospital bank accounts and their own wallets without effective oversight of their not-for-profit missions; insurers inhibit technology efficiencies to ensure their own survival; and patients expect limitless health care without having to pay for it.

To create effective governance, patients, providers, insurers, and politicians need to exercise control over health care in a fiscally responsible and ethical manner. All parties need to participate, and in a vastly different way from how they are participating today.

Note: HFMA originally published this article here.

August 2

How to Avoid a HIPAA Horror Story

Imagine you are the CFO of a regional hospital sitting in your office on a sunny, warm Friday afternoon in late spring, winding up the day and looking forward to the weekend. You then receive a page: “CODE TRIAGE EXTERNAL.” You quickly learn a bus carrying a high school girls’ soccer team and their supporters to their state tournament game has collided with a beverage truck on a nearby highway, and the bus overturned. Many bus passengers are injured and in transit to your hospital.

You report to the emergency incident commander, who has initiated the well-rehearsed hospital emergency incident command system and is setting up the command center. The communications unit leader contacts off-duty personnel, who hurry to the hospital. Bloodied girls begin flooding into the emergency department (ED), where they are quickly triaged and color-coded. Red-coded patients are rushed into treatment rooms for life-saving care. Yellow-coded patients receive prompt attention to stabilize their conditions. Green-coded patients are escorted to another lobby area within the hospital where ancillary personnel gather patient information, assist with contacting family members, and arrange discharge. Administrative personnel work into the night to track and complete the registration of a total of 30 injured bus passengers.

The emergency management plan works as designed, enabling the hospital to provide excellent health care under extraordinary demands. Miraculously, all passengers survive and recuperate from their injuries. On the following Friday, you watch as the last injured bus passenger is discharged from the hospital. All hospital personnel feel rewarded and proud of their life-saving efforts.

You return to your office to wind up the day and begin looking forward to the weekend. Just as you are ready to leave, the phone rings and you answer. A reporter from the local newspaper wants your comment on a story he intends to run in the Sunday newspaper. The reporter says a list containing the names, addresses, phone numbers, and primary diagnosis of the injured bus passengers treated at your hospital was sent to a local law firm that specializes in personal injury lawsuits, and family members have been receiving calls from the law firm about suing the beverage distributor that owned the truck involved in the accident. An informant has told the reporter the list was sent to the law firm by an ED physician working in the hospital. The reporter thinks disclosure of the list might be a violation of the Health Insurance Portability and Accountability Act (HIPAA). The rewarding feeling vanishes, and you now feel sick to your stomach.

HIPAA Security

HIPAA mandates certain privacy and security protections to encourage the realization of administrative efficiencies through healthcare information technologies. Privacy and security are distinct but related concepts. Privacy refers to obligations of authorized persons using personal health information to keep such information secret. The ED physician working in the hospital is authorized to use personal health information and is obligated to keep the information private. You cannot believe a physician would breach the privacy obligations by sending a list of patients to a plaintiffs’ law firm. Security refers to procedures designed to prevent unauthorized persons from accessing personal health information. Maybe the law firm placed a “mole” in the ED who somehow breached the security procedures during the ED chaos resulting from the bus accident to obtain the patient list without authority.

HIPAA security provisions include administrative safeguards (45 C.F.R. §164.308 [2010]), physical safeguards (45 C.F.R. §164.310 [2010]), and technical safeguards (45 C.F.R. §164.312 [2010]). New York University has posted an excellent set of HIPAA security procedures implementing these safeguards at www.nyu.edu/its/policies/#hipaa. The two most commonly violated security provisions, according to enforcement statistics of the Centers for Medicare & Medicaid Services, are information access management (45 C.F.R. §164.308[a][4] [2010]) and access control (45 C.F.R. §164.312[a][1] [2010]). Information access management includes specifications for granting access to electronic protected health information through access to a workstation, transaction, program, or process. Access control encompasses specifications for unique user identification, automatic logoff, and encryption of electronic protected health information, both in motion and at rest.

Could a law firm mole have improperly gained access to a workstation during the ED chaos, intercepted an unencrypted wireless communication, or hacked into the electronic medical records system provided by an outside vendor? Rapid technological developments have greatly increased security risks. Anyone holding an iPhone or a similar device in the hospital is well-equipped for spying. The HIPAA security officer follows the security incident procedures (45 C.F.R. §164.308[a][6][2010]) and rules out a breach of security due to improper workstation access or unencrypted communications.

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) extended the HIPAA security provisions and penalties beyond covered entities (such as hospitals and physicians) to include all business associates (such as electronic medical record vendors and IT services) (see HITECH §13401, codified at 42 U.S.C. §17931 [2010]). The HIPAA security officer asks the hospital’s electronic medical record vendor to follow the security incident procedures to rule out the possibility of outside hacking. The vendor reports back with computer logs ruling out hacking. You begin to think the incident is in fact a privacy breach by an authorized person rather than a security breach by an unauthorized person.

HIPAA Privacy

HITECH also extended the HIPAA privacy and penalty provisions to business associates (HITECH §13404, codified at 42 U.S.C. §17934 [2010]). Tulane University has posted an excellent set of privacy procedures at tulane.edu/counsel/upco/privacy-policies.cfm. The two most commonly violated privacy provisions, according to the Department of Health and Human Services (HHS) Office of Civil Rights enforcement highlights, are impermissible uses and disclosures of protected health information (45 C.F.R. §164.504[e][4] [2010]) and lack of appropriate administrative, technical, and physical safeguards of protected health information (45 C.F.R. §164.530[c][1] [2010]). HIPAA regulations do not prescribe the particular privacy safeguards that covered entities and now business associates must implement, because the nature of the safeguards will vary with the size of the entity and the type of activities that the entity undertakes. Examples of appropriate safeguards include requiring that the entity shred documents containing protected health information prior to disposal, keep doors to medical records departments (or to file cabinets housing such records) locked, and limit which personnel are authorized to have the key or pass-code.

After interviewing the various physicians and nurses who were present in the ED during the bus emergency, you identify two prime suspects for the privacy breach. One suspect is an ED physician who is employed by an ED physician contracting company and provided to the hospital under a business associate arrangement. In his spare time, the suspect physician has provided expert testimony in lawsuits on behalf of clients of the personal injury law firm that received the list of injured bus passengers. The second suspect is an operating room nurse employed by the hospital who volunteered to help in the ED the afternoon of the bus accident. The nurse’s husband is out of work due to a disability resulting from a slip and fall in the local supermarket, and the personal injury law firm that received the list of bus passengers is representing the husband in a lawsuit against the supermarket.

HIPAA Criminal Penalties

A person who knowingly discloses individually identifiable health information to another person commits a crime punishable by fines up to $50,000 and imprisonment up to one year, or both (42 U.S.C. §1320d-6[b][1] [2010]). The criminal penalties jump to fines up to $250,000 and imprisonment up to 10 years, or both, if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm (42 U.S.C. §1320d-6[b][3][2010]).

HITECH clarified that, for purposes of this crime, a person (including an employee or other individual) shall be considered to have illegally disclosed individually identifiable health information if the information is maintained by a covered entity (such as a hospital) and the individual disclosed such information without authority (HITECH §13410[a], codified at 42 U.S.C. §1320d-6[a][3] [2010]). If either the suspect physician or nurse knowingly disclosed the list of injured bus passengers to the personal injury law firm for personal gain, the person would face up to 10 years in prison, longer than the maximum sentence for an armed bank robber (2009 Federal Sentencing Guidelines Manual §2B3.1 [first offense]).

HIPAA Civil Monetary Penalties

HITECH significantly increased the civil monetary penalties for HIPAA violations. Prior to HITECH, a HIPAA violation was like a speeding ticket. The general penalty for a HIPAA violation was $100 per violation, and the total amount of fines for all such violations of an identical requirement or prohibition during a calendar year could not exceed $25,000. Furthermore, fines could not be imposed if the person did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.

HITECH established categories of violations that reflect increasing levels of culpability, requiring that a penalty determination be based on the nature and extent of the harm resulting from the violations. HITECH significantly increased the financial risk of HIPAA violations in two respects: the penalty per violation of $50,000 for uncorrected willful violations is 500 times greater than the prior $100 “speeding ticket,” and the calendar year maximum jumped 60-fold to $1.5 million. HITECH also eliminated the affirmative defense for violations in which the covered entity did not know, or by reasonable diligence would not have known, of the violation; such violations are now punishable under the first tier of penalties.

If the privacy violations for the 30 bus passengers are considered willful and not corrected, the offending party could hit the calendar year maximum of $1.5 million ($50,000 x 30 = $1,500,000) in a single incident. Even unknowing violations can add up if a large number of patients are affected. HITECH applies these fines not only to the hospital, but also to business associates of the hospital, such as the ED physician contracting company if it is found to be the offending party. This increased financial exposure means both hospitals and their business associates should place greater emphasis on HIPAA compliance.

Improved Enforcement

HITECH provides significant new incentives to improve enforcement of HIPAA. Congress ordered the secretary of HHS to establish by Feb. 17, 2012, a new methodology under which an individual harmed by a HIPAA offense may receive a percentage of the civil monetary penalty or monetary settlement collected with respect to such offense (HITECH §13410, codified at 42 U.S.C. §17939[c] [2010]). Although there remains no private right of action for HIPAA violations, the new methodology will provide monetary incentives for harmed individuals to complain to federal regulators in the hope of sharing in the penalties. HITECH also requires the secretary of HHS to provide for periodic audits to ensure that covered entities and business associates comply with HIPAA (HITECH §13411, codified at 42 U.S.C. §17940 [2010]).

These enforcement provisions will change the healthcare industry’s previously nonchalant approach to HIPAA compliance. The investigation of the disclosed list of bus passengers continues. The personal injury law firm cooperates in the investigation and produces evidence that the ED physician did in fact send the list of bus passengers to a paralegal at the law firm. The ED physician contracting company terminates the employment of the physician and assures the hospital that it will indemnify the hospital for damages suffered by the hospital as a result of the incident. The HIPAA financial risk appears to be under control, yet the hospital still faces a major public relations problem.

Breach Notification

HITECH requires HIPAA covered entities to notify affected individuals within 60 days following the discovery of a breach of unsecured protected health information (HITECH §13402, codified at 42 U.S.C. §17932 [2010]). Covered entities also must notify the secretary of HHS in all cases (45 C.F.R. §164.408 [2010]), and must notify the media if the breach of protected health information involves more than 500 residents of a state or jurisdiction (45 C.F.R. §164.406 [2010]). In the case of a breach of unsecured protected health information by a business associate of a covered entity (such as the ED physician contracting company), the business associate must notify the covered entity of the breach (45 C.F.R. §164.410 [2010]).

Breach notification is not required for all violations of HIPAA privacy and security protections, just those violations resulting in the unauthorized acquisition, access, use, or disclosure of protected health information. For example, breach notification of the failure to keep medical records cabinets locked or the failure to encrypt wireless transmissions is required only if such failure actually results in the unauthorized use of protected health information. HITECH and the implementing regulations also adopt three exceptions to the definition of breach for certain harmless uses or disclosures (45 C.F.R. §164.402 [2010]). The first exception is unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if it is made in good faith and within the scope of authority and does not result in further unauthorized use or disclosure. The second exception is any inadvertent disclosure by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same entity, provided it does not result in further unauthorized use or disclosure. The third exception is a disclosure where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information, such as mail returned unopened.

The breach notification must be written in plain language and include:

  • A brief description of what happened, including the date of the breach and date of discovery, if known
  • A description of the types of unsecured protected health information that were involved in the breach
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach
  • A brief description of what the covered entity is doing to investigate the breach, mitigate the harm to individuals, and protect against further breaches
  • Contact procedures for individuals to ask questions or learn additional information

You are concerned about sending the breach notification to the affected individuals within 60 days, and coordinating public relations efforts with the local newspaper. The hospital, not the ED physician contracting company, is responsible for ensuring the breach notification is sent to the affected individuals. Although it may be possible to delegate this responsibility to the business associate in some circumstances, you determine that the hospital should take charge of the notification process in this situation.

Follow Sound HIPAA Compliance Procedures

HITECH significantly expands the financial risk of HIPAA violations and extends HIPAA procedures and penalties to business associates. Hospitals, physicians, and their business associates should ensure that HIPAA privacy and security provisions are adopted and up-to-date. Compliance efforts should focus on high-risk areas, including information access management, access control, and impermissible disclosures of protected health information.

Business associate agreements should be revisited to verify that business associates accept the direct HIPAA obligations and indemnify the hospital and physicians for any HIPAA breaches. Covered entities and business associates must provide HIPAA training and appropriate monitoring to confirm continuing compliance. A HIPAA horror story can be avoided by following sound HIPAA compliance procedures that will mitigate culpability and reduce any potential civil monetary penalties.

Note: This article was originally published in HFMA and can be found here.