
HIPAA POST-“HITECH”: Health Information Privacy Enforcement

HIPAA POST-“HITECH”: Health Information Privacy Enforcement. Ian C. Smith DeWaal, Senior Counsel Criminal Division, Fraud Section United States Department of Justice*. American Osteopathic Association of Medical Informatics November 4, 2009 12:30 to 2:00 pm.





Presentation Transcript


  1. HIPAA POST-“HITECH”: Health Information Privacy Enforcement
     Ian C. Smith DeWaal, Senior Counsel, Criminal Division, Fraud Section, United States Department of Justice*
     American Osteopathic Association of Medical Informatics, November 4, 2009, 12:30 to 2:00 pm
     * The views expressed during this presentation do not necessarily represent the views of the Department of Justice or of the United States.

  2. I – INTRODUCTION
     • What I will cover:
       • Protected Health Information privacy enforcement pursuant to the original HIPAA provisions
       • Statutory changes enacted by the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)
       • Future enforcement
       • Resources available
     • WILL NOT cover all non-enforcement changes

  3. II. Original HIPAA Enforcement
     • Civil Monetary Penalties enforced by the Secretary of Health and Human Services
     • Federal criminal statute enforced by the Attorney General by prosecution through the United States Attorneys or Department of Justice criminal trial attorneys

  4. III. Review: Civil Monetary Penalties: Pre-HITECH
     • Civil Monetary Penalties established by HIPAA – 42 U.S.C. 1320d-5
     • Enforced by the Secretary of Health and Human Services
     • Delegated to the HHS Office of Civil Rights
     • Website: http://www.hhs.gov/ocr/privacy/
     • Enforced only against covered entities

  5. III. Review: Civil Monetary Penalties: Pre-HITECH
     • Violations of HIPAA punished by $100 CMP – maximum of $25,000 per calendar year for violations of an identical provision
     • CMP may not be imposed if:
       • Reasonable cause and not willful neglect (in certain situations the penalty can be reduced instead of waived); and
       • Corrected within 30 days of discovery or the date on which it should have been discovered with the exercise of due diligence. The Secretary could extend the 30-day period based on the nature and extent of the failure to comply
       • Under § 160.410(b)(2), if the covered entity establishes that it did not have knowledge of the violation, and by exercising reasonable diligence would not have known that the violation occurred

  6. III. Review: Civil Monetary Penalties: Pre-HITECH
     • Secretary prohibited from imposing CMP if “the act constituted an offense punishable under section 1320d-6 of this Title” (42 U.S.C. § 1320d-6 – the criminal statute)
     • Referral protocol adopted to permit DOJ to review matters that might “constitute an offense.”
     • Matters not opened as criminal investigations were returned to the Secretary for further administrative action.
     • As of 9/30/09, HHS-OCR made over 464 referrals to DOJ since the April 2003 enforcement date

  7. III. Review: Civil Monetary Penalties: Pre-HITECH
     • HHS-OCR HIPAA Statistics Through 9/30/09
     • Since the compliance date in April 2003, HHS has received over 46,973 HIPAA Privacy complaints and resolved over eighty percent of complaints received (over 40,962):
       • Investigated and resolved over 9,318 cases by requiring changes in privacy practices and other corrective actions by the covered entities.
       • In 4,680 cases, HHS-OCR investigations found no violation had occurred.
       • In the remaining completed 26,964 cases, HHS-OCR determined that the complaint did not present an eligible case for enforcement of the Privacy Rule.

  8. III. Review: Civil Monetary Penalties: Pre-HITECH
     • A Resolution Agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a
     • Resolution Agreements:
       • Resolution Agreement with Providence Health and Services (7/16/2008)
       • Resolution Agreement with CVS Pharmacy (1/16/2009)
       • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

  9. IV. Review: Criminal Statute: Pre-HITECH
     • Violations of 42 U.S.C. § 1320d-6
     • A person who knowingly and in violation of this part:
       • Uses or causes to be used a unique health identifier
       • Obtains individually identifiable health information relating to an individual
       • Discloses individually identifiable information to another person

  10. IV. Review: Criminal Statute: Pre-HITECH
     • Penalties:
       • General – Fine of not more than $50,000, not more than one year imprisonment, or both
       • Offense committed under false pretenses – Fine of not more than $100,000, not more than five years imprisonment, or both
       • Offense committed with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm – Fine of not more than $250,000, not more than ten years imprisonment, or both

  11. IV. Review: Criminal Statute: Pre-HITECH
     • DOJ Office of Legal Counsel Opinion (6/1/05)
     • Construed the HIPAA criminal statute to be directly enforceable only against “covered entities”
       • Health care providers
       • Health plans
       • Health care clearinghouses
     • Observed that legal doctrines of aiding and abetting, conspiracy and corporate criminal liability would also apply

  12. IV. Review: Criminal Statute: Pre-HITECH
     • Approximately 10 HIPAA convictions since the April 2003 enforcement date of the HIPAA privacy regulations
     • Types of cases –
       • Patient credit identity theft
       • Sale of Medicare/Medicaid patient numbers
       • Identifying a law enforcement undercover agent
     • Defendants: health care workers and outsiders

  13. V. HITECH Universal Changes to HIPAA
     • Application of CMPs and the HIPAA criminal statute expanded to include “business associates” – ARRA § 13404(c) (eff. 2/17/2010)
     • New patient notification requirements – ARRA § 13402
       • Notification on the occurrence of certain breaches of protected health information not secured according to standards specified by the Secretary of Health and Human Services (“HHS”)
       • Effective 30 days after publication of interim final regulations. Interim final rules on breach notification were published on August 24, 2009 (74 Fed. Reg. 42740); eff. 9/23/2009.

  14. V. HITECH Changes to CMPs
     • ARRA § 13410 – Increased CMPs
     • NEW tiered CMPs tied to egregiousness of violation, effective 2/18/09 (Note – rulemaking pending):
       • The person did not know, and by exercising reasonable diligence would not have known, that such person had violated a provision
         • At least $100, not to exceed the amount specified in paragraph D.
       • The violation was due to reasonable cause and not willful neglect
         • At least $1,000, not to exceed the amount specified in paragraph D.

  15. V. HITECH Changes to CMPs
     • ARRA § 13410 – Mandatory CMP for Willful Neglect: Section 1320d-5 is amended by adding new subsection (c), which mandates that the Secretary impose a CMP when a violation of HIPAA is due to willful neglect, though as described previously, the amount of the mandatory penalty for willful neglect can be mitigated by timely correction of the violation.
     • ARRA § 13410 – Bar to Civil Monetary Penalties when action constitutes a criminal violation narrowed: Current section 1320d-5(b)(1), which precludes assessment of a civil monetary penalty if an act constitutes an offense under section 1320d-6, is amended to preclude a CMP only if a penalty has been imposed pursuant to section 1320d-6. (Eff. 2/17/2011).

  16. V. HITECH Changes to CMPs
     • The violation was due to willful neglect, and
       • WAS CORRECTED as provided, within 30 days of the date on which the person liable for the violation knew, or exercising reasonable diligence would have known, that the failure to comply occurred
         • At least $10,000, not to exceed the amount specified in paragraph D.
       • WAS NOT CORRECTED
         • At least $50,000, but the total amount imposed on a person for violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

  17. V. HITECH Changes to CMPs
     • New enforcement power conferred on state Attorneys General (ARRA § 13410(e))
     • State AG may bring a civil action in federal district court, parens patriae, for injunctive relief and to obtain statutory damages for one or more state residents whose interest has been threatened or adversely affected by any person who violates HIPAA.
     • This subsection caps the statutory damages at $100 maximum per violation, and $25,000 maximum for all violations of an identical requirement or prohibition during a calendar year.
     • The court may consider the identical factors enumerated in § 1320d-5(a), which may be considered by the Secretary in determining the amount of damages to be assessed, and may award costs and reasonable attorneys’ fees to the successful state Attorney General.

  18. V. HITECH Changes to CMPs
     • Prior written notice of an action or, if not feasible, immediate notice on commencing an action, must be provided to the HHS Secretary, who will then have the right to intervene, be heard on all matters in the case, and have the right to appeal.
     • If the Secretary has instituted a HIPAA action against a person under subsection (a) with respect to a specific violation of this part, NO state attorney general may bring an action under this subsection against the person with respect to such violation during the pendency of that action.
     • State AG action not permitted if a criminal penalty already has been imposed (eff. 2/17/2011 – before this date, if the conduct was a violation of 42 U.S.C. § 1320d-6).

  19. V. HITECH Changes: Criminal Statute
     • ARRA § 13409 – Clarification of the definition of “person” added to the criminal statute – 42 U.S.C. § 1320d-6(a) (eff. 2/17/2010)
     • “For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.”

  20. V. HITECH Changes: Criminal Statute
     • Conference Report for ARRA (Pub. L. 111-5) (“the Report”), p. 500, stated that: “In July 2005 the Justice Department Office of Legal Counsel (OLC) addressed which persons may be prosecuted under HIPAA and concluded that only a covered entity could be criminally liable.” (sic, apparently referring to the June 1, 2005 OLC opinion) The Report states the amendment to § 1320d-6 “clarifies that criminal penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by a covered entity, whether they are employees or not.”
     • As of 2/17/2010, a violation of HIPAA will be deemed to have occurred when a person, now defined to include an employee of a covered entity or another individual, obtains or discloses protected health information that was maintained by a covered entity, and the individual obtained or disclosed such information without authorization.

  21. VI. Conclusion
     • Congress intended to step up enforcement of health information privacy violations
     • HHS will continue to work with covered entities and now business associates on training and correction of non-criminal violations
     • When HHS-OCR determines a violation arose from willful neglect, a CMP will be mandatory
     • Business associates will be subject to new administrative and criminal scrutiny.
     • Uncorrected, willful violations will invite administrative or criminal sanction
     • Some state Attorneys General may emerge as an additional enforcement resource with respect to CMPs.

  22. VI. Conclusion
     • Resources:
       • Ian C. Smith DeWaal, Senior Counsel, Criminal Division, Fraud Section (ian.dewaal@usdoj.gov or (202) 514 0669)
       • HHS Office of Civil Rights: http://www.hhs.gov/ocr/privacy/index.html
       • “If you don't find the information you were seeking, you may submit an e-mail to OCRPrivacy@hhs.gov. Unfortunately, we do not provide individual responses to all of the questions received. However, in some situations we may be able to forward your questions to an appropriate person or agency.”
       • Address inquiries to the OCR Regional Manager.
       • Contact the OCR regional office for your State or Territory, or the headquarters office, for further information: http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html

  23. VII. Questions?
