TODAY’S ENFORCEMENT HIPAA PRIVACY AND SECURITY STATUTES

ARMIN J. MOELLER, JR., BALCH & BINGHAM LLP, 601-965-8156, [email protected]

Upload: elam

Post on 12-Jan-2016

TRANSCRIPT

Page 1: TODAY’S ENFORCEMENT  HIPAA PRIVACY AND SECURITY STATUTES

TODAY’S ENFORCEMENT

HIPAA PRIVACY AND SECURITY STATUTES

ARMIN J. MOELLER, JR.

BALCH & BINGHAM LLP

[email protected]

Page 2

TODAY’S HIPAA ENFORCEMENT – WHAT’S CHANGED?

• Increased Enforcement

• Substantial Civil Monetary Penalties (“CMPs”) and Corrective Action Plans (“CAPs”)

Page 3

HIPAA PRIVACY RULES

• Limits Circumstances by Which Individual’s PHI May be Used/Disclosed by Covered Entities (“CEs”)

• PHI Permitted Use/Disclosure without Patient Authorization for Treatment, Payment or Healthcare Operations

• May Use/Disclose PHI Only With Patient Authorization

• Exceptions – Public Health, Judicial, Law Enforcement, Certain Specialized Purposes

Page 4

HIPAA PRIVACY RULES - Continued

• Privacy Rule - Additional Obligations

– Accounting for Certain Disclosures

– Disclose Only Minimum Information Necessary

– Provide Notice of Privacy Practices

– Individual’s Rights to Review/Obtain Copies of PHI

– Must Safeguard Protected Health Information from Inappropriate Use/Disclosure

– Individuals Have Right to Request Changes to Inaccurate/Incomplete PHI

– Maintain Administrative, Technical, Physical Safeguards to Prevent Improper Use/Disclosure of PHI

Page 5

BUSINESS ASSOCIATES (“BAs”)

• Anyone that Performs, Assists in Performance/Activity Involving Use/Disclosure of PHI on Behalf of CE

• Examples – Claims Processing, Data Analysis, Utilization Review, Quality Assurance, Billing Benefit Management, Practice Management, Pricing

• Other BAs

– Persons Performing Legal, Actuarial, Accounting, Consulting, Data Aggregation, Management, Administration, Accreditation or Financial Services if Involves Disclosure of PHI from Covered Entity

• Must Maintain PHI Confidentiality as Required by Service Agreement

• Violations – Covered Entity Must Terminate Relationship or Report Problem to HHS

Page 6

SECURITY RULE (“SR”)

• Applies to PHI in Electronic Form (“EPHI”)

• Requires CE to Maintain Administrative, Technical and Physical Safeguards to Ensure Confidentiality/Integrity/Availability of all EPHI the CE creates, receives, maintains or transmits

• CEs must enter into an agreement with BAs who create, receive, maintain or transmit EPHI

• BA must provide same safeguards to protect EPHI

• CE not liable for violations of SR by BA unless knew BA engaged in activity that violated HIPAA SR and CE took no action

Page 7

ENFORCEMENT HISTORY

• DOJ Had Authority to Impose CMPs and Criminal Sanctions

• HHS Did Not Enforce Privacy or Security Rule Until 2008

• HHS – OIG in 2008 Concluded CMS Had Not Provided Effective Oversight/Enforcement of SR by CEs

• Prevailing View – “All Bark and No Bite” – Does Not Justify Compliance Expenses

Page 8

RECENT DEVELOPMENTS

• HHS Office of Civil Rights (“OCR”) Imposed CMPs totaling $4.35MM on Cignet Health of Prince George’s County, Maryland.

• Settled with Massachusetts General Hospital (“Mass General”) for PR Violations $1MM

• University of California Los Angeles Health System (“UCLAHS”) – Potential PR and SPR/SR Violations - $865,000

• HHS OIG Began to Incorporate New Advanced Electronic/Data Mining Technologies to Uncover Waste, Fraud, Violations in Federal Healthcare Programs and Ensure Regulatory Compliance

• Data Analytics to Conduct Risk Assessment, Pinpoint Oversight Efforts Reduce Time/Resources Required for Audits, Investigations and Program Integrity Activities

Page 9

HHS POLICY CHANGES

– HHS Secretary Delegates PR Enforcement to OCR

– April 14, 2003 – PR Compliance Mandatory for Most Covered Entities

– Next 5 Years – No Penalties/Settlement for PR Violations

– 2003 - HHS Secretary Delegates Authority to Enforce SR to CMS

– March 2006 – HIPAA Enforcement Rules Implemented

– 2006-2009 – No SR Compliance Actions

– 2009 Congress/HITECH Expands Enforcement/Penalties

– HHS Reassigns Enforcement to OCR

Page 10

HHS’ POLICY CHANGES - Continued

• 2008-2009 Enforcement/Settlement Activities

– July 18, 2008 - HHS Resolution Agreement with Providence Health and Services (“Providence”) - PR/SR Violations, Loss of Electronic Backup Media/Laptop Computers Containing PHI - Providence Pays HHS $100,000 and Implements CAP

– January 16, 2009 – $2.25 MM Resolution Agreement/CAP with CVS Pharmacy, Inc. (“CVS”) - Unsecured Disposal of Pharmacy Customers’ PHI

– July 27, 2009 – HHS Strips CMS of SR Enforcement and Delegates to OCR

Page 11

HITECH LEGISLATIVE CHANGES

• Expands Certain Provisions in PR and SR Rules to Business Associates

• Subjects BAs to Civil/Criminal Liability for Violations

• Establishes New Limits on Use of PHI for Marketing/Fund Raising Purposes

• Provides New Enforcement Authority for State Attorneys General to Bring Suit in Federal District Court to Enforce HIPAA Violations

• Increases Civil/Criminal Penalties for HIPAA Violations

Page 12

HITECH LEGISLATIVE CHANGES - Continued

• Requires CEs/BAs to Notify Public or HHS of Data Breaches

• Changes Use/Disclosure Rules for PHI

• Expands Certain Individual Rights

• Mandates CEs Report to OCR Breaches of Unsecured PHI

• Mandatory Notifications without Immunity/Reduced Penalties for Reporting

Page 13

STATE ATTORNEYS GENERAL AUTHORITY

– Civil Actions Against HIPAA Privacy/Security Violators

– Damages Up to $100 per Violation Up to $25,000 for All Violations of Identical Requirement During Calendar Year

– Compliance Audits

– HITECH Requires HHS to Perform Periodic Audits to Ensure CE and BA Compliance with PR and SR

Page 14

ENHANCED HIPAA PRIVACY/SECURITY ENFORCEMENT ACTIVITIES

– Cignet – Breached PR by Failing to Provide 41 Individuals Timely Access to Medical Records/Failing to Cooperate in Investigation/ Not Correcting Violations within 30 Days.

• Finding of Willful Neglect Not Corrected Within 30 Days

– Mass General – Removal/Loss of PHI on Subway by Mass General Employee

• PHI for a total of 258 patients including with HIV/AIDS

• $1MM penalty plus 3 year CAP

Page 15

CURRENT CAPs

• Similar to Corporate Integrity Agreements Entered Into By OIG

• Imposes Corrective Action Obligations That Reflect Federal Sentencing Guidelines/OIG Compliance Guidance Documents

• Mass General CAP

– Develop, Distribute, Update Policies/Procedures Targeted at Alleged Violation/Rate of Activities

– Train Personnel on Policies/Procedures Response to Violation

– Monitor/Audit Performance of New Policy/Procedures

– Provide Reports to OCR Regarding Performance

Page 16

CURRENT CAPs - Continued

UCLAHS CAP

– Potential Violations of PR/SR

– $865,500 CMP

– CAP to Remedy Gap in Compliance

– Arose From Incidents Involving Celebrity Patients/Complaints – Employees Accessed PHI

– CAP Requires Implementation of PR/SR Policies Approved by OCR

– Conduct Regular Employee Training

– Sanction Offending Employees

– Independent Monitor to Assess Compliance for 3 Years

Page 17

HHS – OIG Enhanced Technologies/Enforcement Efforts

• Fraud

– Information Technologies/Analytics to uncover fraud/target oversight efforts

– Data Mining/Trend Evaluations/Modeling – enterprise view of questionable activities/suspected fraud trends

– New Data Storage/Computer Matching/Data analytic capabilities to analyze hospital data for multiple compliance risks

– Auditing process from weeks/months to 20 minutes per hospital

• Healthcare Fraud Prevention and Enforcement Action Team (“HEAT”)

– High level law enforcement from DOJ and HHS

– Enforce anti-fraud and other compliance obligations

– Began in March 2007 – Operates in 7 major cities

Page 18

HHS – OIG Enhanced Technologies/Enforcement Efforts - Continued

• FY 2010 – 140 Indictments Filed Against 284 Defendants that Billed Medicare $590 MM

• 217 Guilty Pleas Negotiated

• 29 Jury Trials with Guilty Verdicts Against 23 Defendants

• 146 Defendants Sentenced/Average More than 40 Months

• Data Driven/Data Analytics Approach Increasingly Effective

Page 19

CONCLUSION

It’s Not the Passive HHS Enforcement Efforts Any More!

Page 20

THANK YOU

Armin J. Moeller, Jr.

Balch & Bingham, LLP

[email protected]