TODAY’S ENFORCEMENT
HIPAA PRIVACY AND SECURITY STATUTES
ARMIN J. MOELLER, JR.
BALCH & BINGHAM LLP
601-965-8156
TODAY’S HIPAA ENFORCEMENT – WHAT’S CHANGED?
• Increased Enforcement
• Substantial Civil Monetary Penalties (“CMPs”) and Corrective Action Plans (“CAPs”)
HIPAA PRIVACY RULES
• Limits Circumstances by Which Individual’s PHI May be Used/Disclosed by Covered Entities (“CEs”)
• PHI Permitted Use/Disclosure without Patient Authorization for Treatment, Payment or Healthcare Operations
• May Use/Disclose PHI Only With Patient Authorization
• Exceptions – Public Health, Judicial, Law Enforcement, Certain Specialized Purposes
HIPAA PRIVACY RULES - Continued
• Privacy Rule - Additional Obligations
– Accounting for Certain Disclosures
– Disclose Only Minimum Information Necessary
– Provide Notice of Privacy Practices
– Individual’s Rights to Review/Obtain Copies of PHI
– Must Safeguard Protected Health Information from Inappropriate Use/Disclosure
– Individuals Have Right to Request Changes to Inaccurate/Incomplete PHI
– Maintain Administrative, Technical, Physical Safeguards to Prevent Improper Use/Disclosure of PHI
BUSINESS ASSOCIATES (“BAs”)
• Anyone that Performs, Assists in Performance/Activity Involving Use/Disclosure of PHI on Behalf of CE
• Examples – Claims Processing, Data Analysis, Utilization Review, Quality Assurance, Billing Benefit Management, Practice Management, Pricing
• Other BAs
– Persons Performing Legal, Actuarial, Accounting, Consulting, Data Aggregation, Management, Administration, Accreditation or Financial Services if Involves Disclosure of PHI from Covered Entity
• Must Maintain PHI Confidentiality as Required by Service Agreement
• Violations – Covered Entity Must Terminate Relationship or Report Problem to HHS
SECURITY RULE (“SR”)
• Applies to PHI in Electronic Form (“EPHI”)
• Requires CE to Maintain Administrative, Technical and Physical Safeguards to Ensure Confidentiality/Integrity/Availability of All EPHI the CE Creates, Receives, Maintains or Transmits
• CEs must enter into an agreement with BAs who create, receive, maintain or transmit EPHI
• BA must provide same safeguards to protect EPHI
• CE not liable for violations of SR by BA unless knew BA engaged in activity that violated HIPAA SR and CE took no action
ENFORCEMENT HISTORY
• DOJ Had Authority to Impose CMPs and Criminal Sanctions
• HHS Did Not Enforce Privacy or Security Rule Until 2008
• HHS – OIG in 2008 Concluded CMS Had Not Provided Effective Oversight/Enforcement of SR by CEs
• Prevailing View – “All Bark and No Bite” – Does Not Justify Compliance Expenses
RECENT DEVELOPMENTS
• HHS Office of Civil Rights (“OCR”) Imposed CMPs Totaling $4.35MM on Cignet Health of Prince George’s County, Maryland
• Settled with Massachusetts General Hospital (“Mass General”) for PR Violations $1MM
• University of California Los Angeles Health System (“UCLAHS”) – Potential PR/SR Violations - $865,000
• HHS OIG Began to Incorporate New Advanced Electronic/Data Mining Technologies to Uncover Waste, Fraud, Violations in Federal Healthcare Programs and Ensure Regulatory Compliance
• Data Analytics to Conduct Risk Assessment, Pinpoint Oversight Efforts, and Reduce Time/Resources Required for Audits, Investigations and Program Integrity Activities
HHS POLICY CHANGES
– HHS Secretary Delegates PR Enforcement to OCR
– April 14, 2003 – PR Compliance Mandatory for Most Covered Entities
– Next 5 Years – No Penalties/Settlement for PR Violations
– 2003 - HHS Secretary Delegates Authority to Enforce SR to CMS
– March 2006 – HIPAA Enforcement Rules Implemented
– 2006-2009 – No SR Compliance Actions
– 2009 Congress/HITECH Expands Enforcement/Penalties
– HHS Reassigns Enforcement to OCR
HHS’ POLICY CHANGES - Continued
• 2008-2009 Enforcement/Settlement Activities
– July 18, 2008 - HHS Resolution Agreement with Providence Health and Services (“Providence”) - PR/SR Violations, Loss of Electronic Backup Media/Laptop Computers Containing PHI - Providence Pays HHS $100,000 and Implements CAP
– January 16, 2009 – $2.25 MM Resolution Agreement/CAP with CVS Pharmacy, Inc. (“CVS”) - Unsecured Disposal of Pharmacy Customers’ PHI
– July 27, 2009 – HHS Strips CMS of SR Enforcement and Delegates to OCR
HITECH LEGISLATIVE CHANGES
• Expands Certain Provisions in PR and SR Rules to Business Associates
• Subjects BAs to Civil/Criminal Liability for Violations
• Establishes New Limits on Use of PHI for Marketing/Fund Raising Purposes
• Provides New Enforcement Authority for State Attorneys General to Bring Suit in Federal District Court to Enforce HIPAA Violations
• Increases Civil/Criminal Penalties for HIPAA Violations
HITECH LEGISLATIVE CHANGES - Continued
• Requires CEs/BAs to Notify Public or HHS of Data Breaches
• Changes Use/Disclosure Rules for PHI
• Expands Certain Individual Rights
• Mandates CEs Report to OCR Breaches of Unsecured PHI
• Mandatory Notifications without Immunity/Reduced Penalties for Reporting
STATE ATTORNEYS GENERAL AUTHORITY
– Civil Actions Against HIPAA Privacy/Security Violators
– Damages Up to $100 per Violation Up to $25,000 for All Violations of Identical Requirement During Calendar Year
– Compliance Audits
– HITECH Requires HHS to Perform Periodic Audits to Ensure CE and BA Compliance with PR and SR
ENHANCED HIPAA PRIVACY/SECURITY ENFORCEMENT ACTIVITIES
– Cignet – Breached PR by Failing to Provide 41 Individuals Timely Access to Medical Records/Failing to Cooperate in Investigation/ Not Correcting Violations within 30 Days.
• Finding of Willful Neglect Not Corrected Within 30 Days
– Mass General – Removal/Loss of PHI on Subway by Mass General Employee
• PHI for a Total of 258 Patients, Including Patients with HIV/AIDS
• $1MM penalty plus 3 year CAP
CURRENT CAPs
• Similar to Corporate Integrity Agreements Entered Into By OIG
• Imposes Corrective Action Obligations That Reflect Federal Sentencing Guidelines/OIG Compliance Guidance Documents
• Mass General CAP
– Develop, Distribute, Update Policies/Procedures Targeting the Alleged Violation/Related Activities
– Train Personnel on Policies/Procedures in Response to Violation
– Monitor/Audit Performance of New Policy/Procedures
– Provide Reports to OCR Regarding Performance
CURRENT CAPs - Continued
• UCLAHS CAP
– Potential Violations of PR/SR
– $865,500 CMP
– CAP to Remedy Gap in Compliance
– Arose From Incidents Involving Celebrity Patients/Complaints – Employees Accessed PHI
– CAP Requires Implementation of PR/SR Policies Approved by OCR
– Conduct Regular Employee Training
– Sanction Offending Employees
– Independent Monitor to Assess Compliance for 3 Years
HHS – OIG Enhanced Technologies/Enforcement Efforts
• Fraud
– Information Technologies/Analytics to Uncover Fraud/Target Oversight Efforts
– Data Mining/Trend Evaluations/Modeling – Enterprise View of Questionable Activities/Suspected Fraud Trends
– New Data Storage/Computer Matching/Data Analytic Capabilities to Analyze Hospital Data for Multiple Compliance Risks
– Auditing Process Reduced from Weeks/Months to 20 Minutes per Hospital
• Healthcare Fraud Prevention and Enforcement Action Team (“HEAT”)
– High-Level Law Enforcement from DOJ and HHS
– Enforce Anti-Fraud and Other Compliance Obligations
– Began in March 2007 – Operates in 7 Major Cities
HHS – OIG Enhanced Technologies/Enforcement Efforts - Continued
• FY 2010 – 140 Indictments Filed Against 284 Defendants that Billed Medicare $590 MM
• 217 Guilty Pleas Negotiated
• 29 Jury Trials with Guilty Verdicts Against 23 Defendants
• 146 Defendants Sentenced/Average More than 40 Months
• Data Driven/Data Analytics Approach Increasingly Effective
CONCLUSION
It’s Not the Passive HHS Enforcement Efforts Any More!