1 / 20


TODAY’S ENFORCEMENT HIPAA PRIVACY AND SECURITY STATUTES. ARMIN J. MOELLER, JR. BALCH & BINGHAM LLP 601-965-8156 amoeller@balch.com. masi. TODAY’S HIPAA ENFORCEMENT – WHAT’S CHANGED? . Increased Enforcement Substantial Civil Monetary Penalties (“CMPs”) and Corrective Action Plans (“CAPs”).

Download Presentation


An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript


  2. TODAY’S HIPAA ENFORCEMENT – WHAT’S CHANGED? • Increased Enforcement • Substantial Civil Monetary Penalties (“CMPs”) and Corrective Action Plans (“CAPs”)

  3. HIPAA PRIVACY RULES • Limits Circumstances by Which Individual’s PHI May be Used/Disclosed by Covered Entities (“CEs”) • PHI Permitted Use/Disclosure without Patient Authorization for Treatment, Payment or Healthcare Operations • May Use/Disclose PHI Only With Patient Authorization • Exceptions – Public Health, Judicial, Law Enforcement, Certain Specialized Purposes

  4. HIPAA PRIVACY RULES - Continued • Privacy Rule - Additional Obligations • Accounting for Certain Disclosures • Disclose Only Minimum Information Necessary • Provide Notice of Privacy Practices • Individual’s Rights to Review/Obtain Copies of PHI • Must Safeguard Protected Health Information from Inappropriate Use/Disclosure • Individuals Have Right to Request Changes to Inaccurate/Incomplete PHI • Maintain Administrative, Technical, Physical Safeguards to Prevent Improper Use/Disclosure of PHI

  5. BUSINESS ASSOCIATES (“BAs”) • Anyone that Performs, Assists in Performance/Activity Involving Use/Disclosure of PHI on Behalf of CE • Examples – Claims Processing, Data Analysis, Utilization Review, Quality Assurance, Billing Benefit Management, Practice Management, Pricing • Other BAs • Persons Performing Legal, Actuarial, Accounting, Consulting, Data Aggregation, Management, Administration, Accreditation or Financial Services if Involves Disclosure of PHI from Covered Entity • Must Maintain PHI Confidentiality as Required by Service Agreement • Violations – Covered Entity Must Terminate Relationship or Report Problem to HHS

  6. SECURITY RULE (“SR”) • Applies to PHI in Electronic Form (“EPHI”) • Requires CE to Maintain Administrative, Technical and Physical Safeguards to Ensure Confidentiality/Integrity/availability of all EPHI the CE creates, receives, maintains or transmits • CEs must enter into an agreement with BAs who create, receive, maintain or transmit EPHI • BA must provide same safeguards to protect EPHI • CE not liable for violations of SR by BA unless knew BA engaged in activity that violated HIPAA SR and CE took no action

  7. ENFORCEMENT HISTORY • DOJ Had Authority to Impose CMPs and Criminal Sanctions • HHS Did Not Enforce Privacy or Security Rule Until 2008 • HHS – OIG in 2008 Concluded CMS Had Not Provided Effective Oversight/Enforcement of SR by CEs • Prevailing View – “All Bark and No Bite” – Does Not Justify Compliance Expenses

  8. RECENT DEVELOPMENTS • HHS Office of Civil Rights (“OCR”) Imposed CMPs totaling $4.35MM on Cignet Health of Prince George’s County, Maryland. • Settled with Massachusetts General Hospital (“Mass General”) for PR Violations $1MM • University of California Los Angeles Health System (“UCLAHS”) – Potential PR and SPR/SR Violations - $865,000 • HHS OIG Began to Incorporate New Advanced Electronic/Data Mining Technologies to Uncover Waste, Fraud, Violations in Federal Healthcare Programs and Ensure Regulatory Compliance • Data Analytics to Conduct Risk Assessment, Pinpoint Oversight Efforts Reduce Time/Resources Required for Audits, Investigations and Program Integrity Activities

  9. HHS POLICY CHANGES • HHS Secretary Delegates PR Enforcement to OCR • April 14, 2003 – PR Compliance Mandatory for Most Covered Entities • Next 5 Years – No Penalties/Settlement for PR Violations • 2003 - HHS Secretary Delegates Authority to Enforce SR to CMS • March 2006 – HIPAA Enforcement Rules Implemented • 2006-2009 – No SR Compliance Actions • 2009 Congress/HITECH Expands Enforcement/Penalties • HHS Reassigns Enforcement to OCR

  10. HHS’ POLICY CHANGES - Continued • 2008-2009 Enforcement/Settlement Activities • July 18, 2008 - HHS Resolution Agreement with Providence Health and Services (“Providence”) - PR/SR Violations, Loss of Electronic Backup Media/Laptop Computers Containing PHI - Providence Pays HHS $100,000 and Implements CAP • January 16, 2009 – $2.25 MM Resolution Agreement/CAP with CVS Pharmacy, Inc. (“CVS”) - Unsecured Disposal of Pharmacy Customers’ PHI • July 27, 2009 – HHS Strips CMS of SR Enforcement and Delegates to OCR

  11. HITECH LEGISLATIVE CHANGES • Expands Certain Provisions in PR and SR Rules to Business Associates • Subjects BAs to Civil/Criminal Liability for Violations • Establishes New Limits on Use of PHI for Marketing/Fund Raising Purposes • Provides New Enforcement Authority for State Attorneys General to Bring Suit in Federal District Court to Enforce HIPAA Violations • Increases Civil/Criminal Penalties for HIPAA Violations

  12. HITECH LEGISLATIVE CHANGESContinued • Requires CEs/BAs to Notify Public or HHS of Data Breaches • Changes Use/Disclosure Rules for PHI • Expands Certain Individual Rights • Mandates CEs Report to OCR Breaches of Unsecured PHI • Mandatory Notifications without Immunity/Reduced Penalties for Reporting

  13. STATE ATTORNEYS GENERAL AUTHORITY • Civil Actions Against HIPAA Privacy/Security Violators • Damages Up to $100 per Violation Up to $25,000 for All Violations of Identical Requirement During Calendar Year • Compliance Audits • HITECH Requires HHS to Perform Periodic Audits to Ensure CE and BA Compliance with PR and SR

  14. ENHANCED HIPAA PRIVACY/SECURITY ENFORCEMENT ACTIVITIES • Cignet – Breached PR by Failing to Provide 41 Individuals Timely Access to Medical Records/Failing to Cooperate in Investigation/ Not Correcting Violations within 30 Days. • Finding of Willful Neglect Not Corrected Within 30 Days • Mass General – Removal/Loss of PHI on Subway by Mass General Employee • PHI for a total of 258 patients including with HIV/AIDS • $1MM penalty plus 3 year CAP

  15. CURRENT CAPs • Similar to Corporate Integrity Agreements Entered Into By OIG • Imposes Corrective Action Obligations That Reflect Federal Sentencing Guidelines/OIG Compliance Guidance Documents • Mass General CAP • Develop, Distribute, Update Policies/Procedures Targeting at Alleged Violation/Rate of Activities • Train Personnel on Policies/Procedures Response to Violation • Monitor/Audit Performance of New Policy/Procedures • Provide Reports to OCR Regarding Performance

  16. CURRENT CAPs - Continued UCLAHS CAP • Potential Violations of PR/SR • $865,500 CMP • CAP to Remedy Gap in Compliance • Arose From Incidents Involving Celebrity Patients/Complaints – Employees Accessed PHI • CAP Requires Implement PR/SR Policies Approved by OCR • Conduct Regular Employee Training • Sanction Offending Employees • Independent Monitor to Assess Compliance for 3 Years

  17. HHS – OIG Enhanced Technologies/Enforcement Efforts • Fraud • Information Technologies/Analytics to uncover fraud/target oversight efforts • Data Mining/Trend Evaluations/Modeling – enterprise view of questionable activities/suspected fraud trends • New Data Storage/Computer Matching/Data analytic capabilities to analyze hospital data for multiple compliance risks • Auditing process from weeks/months to 20 minutes per hospital • Healthcare Fraud Prevention and Enforcement Action Team (“HEAT”) • High level law enforcement from DOJ and HHS • Enforce anti-fraud and other compliance obligations • Began in March 2007 – Operates in 7 major cities

  18. HHS – OIG Enhanced Technologies/Enforcement EffortsContinued • FY 2010 – 140 Indictments Filed Against 284 Defendants that Billed Medicare $590 MM • 217 Guilty Pleas Negotiated • 29 Jury Trials with Guilty Verdicts Against 23 Defendants • 146 Defendants Sentenced/Average More than 40 Months • Data Driven/Data Analytics Approach Increasingly Effective

  19. CONCLUSION It’s Not the Passive HHS Enforcement Efforts Any More!

  20. THANK YOU Armin J. Moeller, Jr. Balch & Bingham, LLP amoeller@balch.com 601-965-8156

More Related