Enforcing HIPAA
Lorman Education Service
August 22, 2007
Tacoma, Washington

Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) 370-8126
stephen.rose@klgates.com
HIPAA Enforcement Rule — Overview
• Original Enforcement Rule
  • Published: April 17, 2003
  • Expiration date: September 16, 2005
• New Proposal
  • Comment period ended: June 17, 2005
  • 70 Federal Register 20223
• Final rules issued February 16, 2006
• Final rules effective March 16, 2006

HIPAA Enforcement Rule — Overview
• DHHS adopts a “single enforcement policy,” i.e. the HIPAA Enforcement Rule applies to all aspects of HIPAA, including the Privacy, Security, and Transactions and Code Sets Standards.
• OCR will administer and enforce the HIPAA Privacy Rule.
• CMS will administer and enforce all HIPAA non-Privacy Rules.

Subparts
• Subpart A—“Person” redefined
• Subpart C—Compliance and Investigations
• Subpart D—Imposition of Monetary Penalties
• Subpart E—Procedures for Hearings
• [Goodbye carrot, hello stick]
Criminal HIPAA
• Knowingly use or cause to be used
• Unlawful use or disclosure—not accidental
• $50,000 and/or 1 year in jail
• Add false pretenses: $100,000 and/or 5 years in jail
• Add intent to sell, use for commercial advantage, use for personal gain, or cause malicious harm: $250,000 and/or 10 years in jail
“Person”
• Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

Person
• The term “person” appears throughout the HIPAA rules, and the definition of the term we propose is a universal one that should work in each of the contexts in which the term “person” occurs.
  • 70 FR 20227

Person
• Does “person” include or not include covered entities?
The Gibson Case
• PHI of a cancer patient was stolen by the employee (phlebotomist) of a covered entity.
• Employee used this information to obtain credit cards, which he used.
• Gibson could have been prosecuted under numerous federal identity theft laws.

The Gibson Case
• Prosecutor opted to prosecute under HIPAA as the information collected was the PHI of a patient hospitalized in a covered entity.
• Prosecuting attorney stated that whether Mr. Gibson was or was not a covered entity was not of great concern.

The Gibson Case
• Gibson entered into a plea agreement and is currently in jail.
• DOJ unofficially indicated that prosecutions would be based on a broad definition of “person.”
• DOJ issued a formal opinion that HIPAA only applies to covered entities.
• In the Gibson case he was not a covered entity, so prosecution under HIPAA would not be possible today.

Department of Justice
• On June 1, 2005 the U.S. Department of Justice issued a Memorandum Opinion stating:
  • “we do not read the term “person” at the beginning [of this statute] to mean “covered entity.”
  • Opinion at p. 7.

Department of Justice
• As matters currently stand, based on the DOJ Memorandum, “person” does not include “covered entity” for purposes of criminal prosecution under HIPAA.
Complaint Process
• Complaints filed with the Secretary of HHS or its designee, OCR.
• Can be filed by anyone who believes the CE is not complying with HIPAA.
  • Competitor
  • Disgruntled former (or current) employee
  • Patient or patient’s family

Complaint
• Must be in writing.
  • But can be filed on paper or electronically.
• Must be detailed.
  • Must name the person and the act or omission.
• Must be filed within 180 days of when the complainant knew or should have known of the violation.
  • DHHS may waive the 180-day requirement for “good cause shown.”
Discretion to Investigate Complaints
• Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the covered entity and of the circumstances regarding any alleged violation.

Compliance Reviews
• An additional route by which you can come to the Secretary’s attention is by way of a Compliance Review.
• The Secretary may conduct compliance reviews to determine whether entities are complying with the applicable administrative simplification provisions.

Compliance Reviews
• “We cannot project the variety of circumstances under which compliance reviews might be undertaken. Therefore, we do not propose to limit the situations in which this authority could be exercised.”
  • 70 FR 20244

Compliance Reviews
• While DHHS has the authority to conduct compliance reviews, DHHS recently stated that compliance and enforcement activities will remain primarily complaint-driven.
• DHHS states that it still wants to remain focused on promoting voluntary compliance.

Compliance
• New rule clarifies that the Enforcement Rule applies to both “acts” and “omissions.”
  • “a violation occurs when a covered entity fails to take an action required by a HIPAA rule, as well as when a covered entity takes an action prohibited by a HIPAA rule.”
  • 70 FR 20229
Resolution of Complaint
• The Secretary has two choices:
  • Resolution where non-compliance is indicated.
  • Resolution where no violation is found.
    • Secretary notifies the CE and the complaining party that no violation has been found.

Informal Resolution Where Non-Compliance Is Indicated
• The Secretary will attempt to reach a resolution of the matter satisfactory to the Secretary by informal means.
• Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.
• Inform the complainant, if any, of the resolution.
• The vast majority of cases are settled under this section.

Informal Resolution Where Non-Compliance Is Indicated
• If DHHS determines that the matter cannot be settled by informal means, DHHS must notify the covered entity and any complainant in writing.
• The covered entity is then provided the opportunity to submit written evidence of mitigating factors or affirmative defenses.

Resolution
• Secretary may settle the matter at any time.
• Secretary may compromise the penalty at any time.
Mitigating Factors
• If the matter is not resolved informally, the CE may submit written evidence of mitigating factors or affirmative defenses.
• Secretary will issue a formal finding that the matter is not resolved and that imposition of a CMP is warranted. Once this finding is issued, you have 30 days to submit affirmative defenses or other mitigation.

Mitigating Factors
• The number of impermissible actions or failures to take required actions.
• The number of persons involved.
• The amount of time during which the violation occurred.
• Whether the violation caused physical harm.
• Whether the violation caused financial harm.

Mitigating Factors
• Whether the action was intentional.
• Whether the action was beyond the direct control of the CE.
• History of prior offenses.
• Financial condition of the CE.
• Size of the CE.
• Other matters as justice may require.

Mitigating Factors
• “. . . As justice may require” includes:
  • CE’s trustworthiness
  • CE’s lack of veracity and remorse
  • Damages to the government
  • Effect of the penalty on the CE’s rehabilitation
  • CE’s unprompted diligence in correcting the violations

Mitigating Factors
• This is a very subjective and very uncertain set of “standards.”
• The feds do not give any details of how this formula actually works, i.e. how the categories are weighted, if at all.
Affirmative Defenses
• Act is punishable criminally.
  • [Don’t fine me, I’d rather go to jail?!?!]
• Covered entity did not have knowledge.
• Covered entity would not have known through the exercise of reasonable diligence.
  • Might have to explain why your compliance plan did not catch the violation.

Affirmative Defenses
• Violation is due to reasonable cause and not willful neglect (or worse) and corrected within 30 days of knowledge (discovery) or such other time as the Secretary determines.
• Critical to address any reported (alleged) violations as quickly as possible.

Affirmative Defenses
• DHHS may waive CMPs if the party asserting the defense can show that the failure to comply was due to reasonable cause even though the violation was not corrected within the 30-day time period required by that defense.
• Demonstrate that payment of the penalty would be excessive relative to the compliance violation.
Exit Quickly If You Can
• Investigate quickly.
• Identify affirmative defenses, if any, and present them to the Secretary ASAP to try to end the inquiry.
• Fix it—the sooner the better, especially if you take steps to fix it prior to the investigation.
• Mitigate.

Exit Quickly If You Can
• If you cannot fix it prior to the investigation starting, try to demonstrate compliance since the filing of the complaint, develop a corrective action plan, or reach another agreement to settle via “informal means.”

Exit Quickly If You Can
• No formal record of proceedings
• Limited notice to the outside world
• Avoid/mitigate penalties
Formal Investigation
• Secretary may issue subpoenas
• Require attendance of witnesses and production of any other evidence

Formal Investigation
• Investigational inquiries are not public, but
  • Testimony is taken under oath
  • Attendance of non-witnesses is discretionary
  • Objections stated on the record
  • Record/transcript of proceedings
  • Information obtained may be used by HHS in any of its activities and may be offered into evidence in any proceeding
Proposed Determination
• If the Secretary determines action is necessary, the Secretary will issue a Notice of Proposed Determination.
  • Statutory basis for the CMP.
  • Findings of fact (including statistical sampling, if applicable).
  • Reason(s) why the violation(s) subjected the CE to a CMP.

Proposed Determination
• Amount of the proposed penalty.
• Factors considered in determining the amount of the CMP.
• Instructions for responding and/or requesting a hearing.

Proposed Determination
• If DHHS used statistical sampling to determine the number of violations, it must provide its sampling study with the notice.
Requesting a Hearing
• Must request within 90 days of issuance of the Notice of Proposed Penalty/Determination.
• DO NOT MISS THIS DEADLINE.
• Failure to request a hearing in a timely manner results in imposition of the CMP and loss of appeal rights.

Requesting a Hearing
• Request must be signed by the respondent or the respondent’s attorney.
• Request must be mailed within 90 days of the Notice of Proposed Determination.
• Must clearly admit, deny, or explain findings of fact.
• Restate affirmative defenses or arguments in mitigation.
First Meeting
• Parties are required to schedule a prehearing conference with at least 14 days’ advance notice to:
  • Define the issues to be addressed at the Hearing, and
  • Consider ways to protect the PHI during the Hearing.

ALJ’s First Review
• ALJ must dismiss the request for hearing if:
  • Not mailed within 90 days of the Notice of Proposed Penalty/Determination
  • Not properly filed
  • Upon withdrawal or abandonment
  • Failure of the CE to raise an issue that may be properly addressed
• NOTE: Secretary may settle without ALJ consent.

Conduct of Hearing
• Fair and impartial.
• Set date, place and time of hearing.
• Conduct conferences, motion hearings, examination of witnesses; issue subpoenas; and regulate the process.
• Not bound by the federal rules of evidence, but may choose to follow them.
• Hearing must be public unless good cause is shown.
• Post-hearing briefs may be filed, no later than 60 days following the close of the hearing.

ALJ May NOT
• Ignore or invalidate federal law or Secretarial delegations of authority.
  • Secretary can identify someone to appear in his/her place.
• Issue a directed verdict.
• Compel settlement negotiations.
• Enjoin the Secretary.
• Review the exercise of the Secretary’s discretion.