I just reviewed two articles that talked about fines against providers for allegedly illegal behavior related to HIPAA and to the False Claims Act. I also just read an exchange of opinions and information on my state psychological association listserv about a Microsoft cloud service product and whether it is HIPAA compliant. As we deal with our customers on a day-to-day basis, I am amazed at the variation in responses to a possible breach of the law. Some state things like, “Oh HIPAA. I’m not worried about that stuff.” Others indicate opinions such as, “I would never use a Cloud backup program. It cannot possibly be secure!”
The HIPAA article was in an Open Minds newsletter and focused on the money-making potential of HIPAA. The gist of the article is that 2015 is expected to be a very big year for fines for breach of HIPAA requirements. The cases in OCR’s pipeline as well as the plan for HIPAA audits of providers, insurers and clearinghouses are likely to produce record fines. The advice in the article was similar to the advice given by one of the participants in the listserv discussion mentioned above: complete a comprehensive risk assessment for your organization. There are many tools and much guidance available on the CMS website; the Indian Health Service also has a checklist for what should be in that risk assessment.
The second article I read this morning was about the False Claims Act and how it relates to certain aspects of the Affordable Care Act. The article discusses a Department of Justice and New York Attorney General’s lawsuit against a healthcare organization accused of failing to return Medicaid overpayments the organization allegedly had knowledge of. Apparently, the ACA requires the return of overpayments made by government payers within 60 days of the provider’s awareness that such an overpayment was received. Additionally, the lawsuit is seeking to apply the False Claims Act to this failure to refund. If it is successful, the organization in question could owe treble damages along with the overpayments! That could be lots of money. Large provider organizations are carefully watching this lawsuit as the outcome could have profound and expensive effects on the industry. It could also save us taxpayers lots of money.
Given the wide range of opinions on laws and what they really require of us that we hear every day, I wonder what motivates your organization to get things right. Is it the threat of a fine that could put you out of business? Is it a threat to your license that could keep you from practicing your profession? Is it simply that we owe it to our patients to protect their information? Do you really not worry about such things? What motivates you to meet the requirements of the law? How does that relate to how you provide care?
Please share your comments below.