
U. S. Department of Health and Human Services Office for Civil Rights

U.S. Department of Health and Human Services, Office for Civil Rights. Morris Landau, Privacy Specialist. HIPAA Privacy Rule Compliance/Enforcement, March 4, 2003. What is the OCR? Federal agency; part of the U.S. Department of Health and Human Services (HHS).


Presentation Transcript


  1. U.S. Department of Health and Human Services Office for Civil Rights • Morris Landau, Privacy Specialist • HIPAA Privacy Rule Compliance/Enforcement • March 4, 2003

  2. What is the OCR? • Federal agency • Part of U.S. Department of Health and Human Services (HHS) • Enforces regulations prohibiting discrimination on the basis of race, color, national origin, disability, and age, by recipients of Federal financial assistance from HHS

  3. Office for Civil Rights (OCR) • OCR has approximately 270 employees • Employees are located in HQS and ten regional offices

  4. Office for Civil Rights (OCR) • In 2002 OCR’s budget was approximately $33 million

  5. What Laws Does OCR Enforce? • Title VI of 1964 Civil Rights Act • Community Service Assurance of the Hill Burton Act • Section 504 of 1973 Rehabilitation Act • Americans with Disabilities Act of 1990 • Age Discrimination Act of 1975 • Title IX of 1972 Education Amendments • HIPAA

  6. Who is Covered? • All public and private entities receiving DHHS federal financial assistance are “covered entities” (a.k.a. “recipients”) • “Federal financial assistance” includes Medi-Cal, Medicare, Healthy Families, TANF, as well as grants, loans, grants/loans of federal property, details of federal personnel

  7. Who is Covered? (cont.) • State, county and local health and welfare agencies • Hospitals and clinics • Managed care organizations • Nursing homes • Mental health centers • Senior citizen centers • Head Start programs • Contractors

  8. HIPAA: Who is Covered? • Health care providers who transmit health information in (standard) electronic formats • Health plans • Health care clearinghouses

  9. How are Laws Enforced? • Complaints: persons who believe they have been subjected to discrimination may file a complaint with OCR • Compliance reviews: OCR may initiate a review of any agency or program that receives DHHS funds • Technical assistance/training

  10. Filing a Complaint • Must be filed within 180 days of incident • Time limit may be waived if “good cause” shown • Must be in writing • Can use complaint form or write a letter • Complaint form available at: http://www.hhs.gov/ocr/disform.html

  11. OCR’s Authority for HIPAA December 28, 2000 – Secretary issued Delegation of Authority to OCR to enforce the Privacy Rule

  12. OCR’s Authority for HIPAA • To impose civil monetary penalties • Administer, interpret, implement & enforce Privacy Rule

  13. OCR’s Authority for HIPAA • Make exception determinations (reference Part 160 – General Administrative Requirements: Subpart B – Preemption of State Law)

  14. HIPAA Compliance/Enforcement • § 160.304 Principles for achieving compliance • Cooperation • Seek cooperation of covered entities in obtaining compliance • Assistance • May provide technical assistance to covered entities to help them comply

  15. HIPAA Compliance/Enforcement • Themes: • Historically most OCR complaints have been resolved through informal means • HIPAA--Voluntary compliance in order to minimize the need for enforcement • HIPAA--At the outset, enforcement will be driven by complaints

  16. OCR Technical Assistance • OCR is continuing to develop technical assistance tools • Covered Entity Decision Tool • December 3, 2002 Guidance which contains over 200 Q’s and A’s • Other materials being developed targeted to specific audiences

  17. Responsibilities of Covered Entities (Specific to compliance) • Keep records & submit compliance reports as necessary for OCR to determine compliance • Cooperate with OCR investigations & compliance reviews

  18. Responsibilities of Covered Entities (Specific to compliance) • Permit OCR access to its facilities, books, records that are pertinent to compliance • Permit access at any time & without notice if exigent circumstances exist • If information is held by third party and is not provided, so certify & explain efforts to obtain information

  19. Limitations on OCR Disclosure • Protected health information obtained by OCR in an investigation or review will not be disclosed by OCR, except if necessary for ascertaining or enforcing compliance or if otherwise required by law • Exception example: OCR may be required to disclose PHI to the Department of Justice to conduct criminal investigation

  20. OCR Action Regarding Complaints & Compliance Reviews • If investigation or review indicates a failure to comply, OCR will inform covered entity & complainant in writing & seek informal resolution whenever possible

  21. OCR Action Regarding Complaints & Compliance Reviews • If matter cannot be resolved by informal means, OCR may issue written findings documenting non-compliance • If after an investigation or review, OCR determines that further action is not warranted, OCR will so inform covered entity & complainant in writing

  22. Civil Monetary Penalties (CMPs) • Civil monetary penalties can be imposed by OCR • $100 per violation • Capped at $25,000 for each calendar year for each requirement or prohibition that is violated • Note: the covered entity has a right to a hearing before a CMP is imposed.

  23. Criminal Penalties • Criminal penalties can be imposed by DOJ • Up to $50,000 & 1 year imprisonment for knowingly obtaining or disclosing IIHI • Up to $100,000 & 5 years if done under false pretenses • Up to $250,000 & 10 years if intent to sell, transfer, or use for commercial advantage, personal gain or malicious harm • Enforced by DOJ

  24. Criminal Penalties • Same penalties apply to persons who, in violation of a HIPAA rule, • Use or cause to be used a unique health identifier or • Obtain individually identifiable health information relating to an individual

  25. For More Information • Policy guidances, fact sheets, and other information are available on OCR’s website: www.hhs.gov/ocr/hipaa
