A healthcare provider or vendor failing to comply with HIPAA (the Health Insurance Portability and Accountability Act of 1996) can expect to be on the receiving end of a fine. However, according to a recent letter from the Medical Group Management Association (MGMA) to the Centers for Medicare & Medicaid Services (CMS), that penalty is not likely to come from that particular government agency … and the medical group believes that CMS should flex its punitive muscle and demonstrate its regulatory might so that healthcare entities will have more incentive to follow HIPAA guidelines.

The letter, signed by MGMA’s Anders Gilberg, MGA, Senior Vice President, Government Affairs, was in response to a CMS call for comments regarding a draft of its HIPAA violation complaint form. Gilberg did indeed have several specific suggestions for revisions of the CMS form, but the letter’s focus spilled outside the margins of the complaint form itself to include a critique of how the agency is handling the HIPAA administrative simplification process, and therefore it implicitly raised the question of whether these complaints to CMS are complaints in name only.

“…there is little reason to submit a complaint…”

The CMS form in question is intended to serve as the vehicle for physician complaints against health plans and healthcare clearinghouses regarding potential HIPAA violations. But it seems reasonable to conclude that a complaint is only as good as the likelihood of regulatory enforcement on the receiving end. And therefore, at the present moment, many healthcare providers might feel that filing a HIPAA complaint with CMS is an exercise in futility.

“MGMA members have reported many occurrences of non-compliance on the part of health plans (including commercial plans, state Medicaid agencies, and Veterans Affairs-contracted payers),” Gilberg wrote. “With no enforcement fines to date levied against a covered entity for non-compliance, there is little reason to submit a complaint on the part of a provider and little incentive to be compliant on the part of a health plan.”

In what would be hard not to see as a rebuke, Gilberg pointed out that the Department of Health and Human Services’s Office for Civil Rights (OCR) has, in contrast to CMS, responded to complaints by handing out many fines for HIPAA violations. “Conversely, the Office for Civil Rights (OCR) has not only levied fines and reached numerous settlement agreements with non-compliant covered entities, but they have widely communicated each instance of non-compliance through press releases and other communication channels.”

CMS is mandated to aid OCR in HIPAA enforcement … but is it doing enough?

The CMS is actually mandated to work with the OCR on enforcing HIPAA rules, so the fact that CMS has not yet issued any fines for violations perhaps makes the rebuke easier to understand.

Rather than just criticize CMS’s lack of punitive action when it comes to these HIPAA violation complaints, the MGMA letter included suggestions for adding some bite to CMS’s bark. Citing the OCR’s protocol for investigating HIPAA breach complaints, its compliance audits, and when necessary, its fines levied for non-compliance (as well as its public announcements of violations and violators), Gilberg recommended that CMS follow suit in sending the consistent message that HIPAA violations will come with consequences.

Specific suggestions for CMS include doing away with “voluntary” audits, implementing a program for random audits, and “publish[ing] the names of every covered entity who either failed a CMS audit, entered into a corrective action plan with CMS, or is levied a fine or reached a settlement agreement with CMS regarding non-compliance with any of the administrative simplification standards.”

MGMA’s network is vast

A group that’s nearly a century old, the MGMA’s membership includes over 40,000 medical practice administrators, executives, and leaders; it represents more than 12,500 organizations that, according to its website, “deliver almost half of the healthcare in the United States.”

This article is provided for educational purposes only and is not offered as, and should not be relied on as, legal advice. Any individual or entity reading this information should consult an attorney for their particular situation.