1. RESPONDING TO AN OCR PRIVACY COMPLAINT HIPAA COW
January 14, 2005 Meeting
Nancy Davis - Ministry Health Care
Welcome & Introductions
2. PRESENTATION OBJECTIVES Review the HIPAA Privacy Complaint Standards
Provide Real-Life Experience in Responding to an OCR Privacy Complaint Investigation
Provider Experience
Payer Experience
Address the Role of Other External Agencies in Responding to and Investigating Privacy Complaints
Other External Agencies
Joint Commission
State of Wisconsin Bureau of Quality Assurance
3. 45 CFR 160.306 COMPLAINTS TO THE SECRETARY (a) Right to file a complaint. A person who believes a covered entity is not complying with the applicable requirements of this part 160 or the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter may file a complaint with the Secretary (Health & Human Services).
HIPAA Privacy Rule
Grants this Right to Patients
4. 45 CFR 160.306 - Continued (b) Requirements for filing complaints. Complaints under this section must meet the following requirements:
(1) A complaint must be filed in writing, either on paper or electronically.
(2) A complaint must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of this part 160 or the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.
HIPAA Privacy Rule
Must be Filed in Writing
Must Include Specific Information
5. 45 CFR 160.306 - Continued (3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.
(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.
Act or Omission Must Have Occurred Prior to April, 2003.
6. 45 CFR 164.520 NOTICE OF PRIVACY PRACTICES FOR PHI (b) Implementation Specifications: Content of Notice. (1) Required Elements:
(vi) Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.
Information Regarding the Patient’s Right to File the Complaint and Who to Contact (Local) or HHS Must be Included In Notice.
7. 45 CFR 164.530 ADMINISTRATIVE REQUIREMENTS (g) Standard: refraining from intimidating or retaliatory acts. A covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against:
(2) Individuals and others. Any individual or other person for:
(i) Filing of a complaint with the Secretary under subpart C of part 160 of this subchapter
Addresses Potential Retaliation (Whistleblower Clause).
8. OCR GUIDANCE Fact Sheet: How to File a Health Information Privacy Complaint With the Office for Civil Rights
Instructions
Special Complaint Form
Options
Paper or Electronically
Mail, Fax, or E-Mail
Support
Toll Free Number: 1-800-368-1019
OCR Has Made the Process Very Simple by Providing:
Fact Sheet
Detailed Instructions
Complaint Form
Multiple Options
And Toll Free Support
9. OCR HEALTH INFORMATION PRIVACY COMPLAINT FORM One Page Form (Optional Second Page)
Demographic Section for Complainant
Demographic Section for Subject of Complaint
Description of the Complaint
Signature and Date
Reference Form in Handouts Packet – Copy Provided
Description of the Complaint: Describe briefly what happened. How and why do you believe your (or someone else’s) health information privacy rights were violated, or the privacy rule was violated. Please be as specific as possible. (Attach additional pages as needed).
Second Page Provides an Opportunity for Optional Information as Well as Contact Information
10. OCR FACT SHEET How to File a Health Information Privacy Complaint With the Office for Civil Rights
www.os.dhhs.gov/ocr/privacyhowtofile.htm
Reference Copy Available in Handouts
11. OCR REGIONAL CONTACT INFORMATION Region V – IL, IN, MI, MN, OH, WI
Office for Civil Rights
U.S. Department of Health & Human Services
233 N. Michigan Avenue – Suite 240
Chicago, IL 60601
(312) 886-2359
(312) 886-1807 (Fax)
(312) 353-5693 (TDD)
Information Available on Fact Sheet and Health Information Privacy Complaint Form
12. OCR PRIVACY COMPLAINTS 9,541 Complaints Filed (11/18/04)
5,721 Closed
Balance in Process
80% of Complaints Investigated
20% Not Applicable Due to
No Covered Entity Involved
Incidents Took Place Before 4/13/03
Incidents Are Not Violations/Permitted by Rule
Information Provided by David Mayer, Office for Civil Rights, DHHS, Region V
“Implementing the Next Wave of HIPAA Regulations – Practical Approaches to Security, NPI, Transaction and Privacy Compliance”
December 3, 2004 – Naperville, Illinois
13. OCR PRIVACY COMPLAINTS - Continued Top Five Complaint Allegations
Impermissible Disclosures
Failure to Establish Safeguards (Administrative, Technical & Physical)
Access to Records/Fees for Records
Minimum Necessary – Provided Too Much
Failure to Provide Notice of Privacy Practices
Impermissible Disclosures – Talking Indiscreetly (75% Allegation Substantiated)
Minimum Necessary – Provided Too Much Information
Top 5 Institution Types:
Private Practice (50%)
Hospitals
Pharmacies
Other Outpatient Facilities
Group Health Plans (Relatively Small Amount)
14. OCR PRIVACY COMPLAINTS - Continued As of 9/10/2004, OCR Has Referred 98 Criminal Complaints to DOJ for Investigation
DOJ Has Accepted 7 Complaints for Investigation
OCR Has Not Yet Levied a Civil Monetary Penalty
1 Prosecution –
On November 5, 2004, Richard W. Gibson was sentenced to 16 months in prison, three years of supervised release, and more than $9,000 in restitution for wrongful disclosure of individually identifiable health information for economic gain under HIPAA. Gibson, an employee of the Seattle Cancer Care Alliance, admitted that he obtained a cancer patient’s name, date of birth, and social security number while employed at the center to acquire four credit cards in the patient’s name and rack up more than $9,000 in debt. The judge called the identity theft a “vicious attack on someone fighting for his life” and went above the prosecutor’s recommended sentence of 12 months and sentenced Gibson to 16 months in prison.
15. PROVIDER EXPERIENCE OCR Complaint:
Related to a complaint previously investigated at both the local and corporate levels.
Involved a disgruntled, recently terminated employee.
Incident was determined to be an administrative oversight.
Scenario:
During the course of a progressive disciplinary process, information on an employee’s performance was collected and documented by the organization. At the time of termination, the employee was presented with objective evidence supporting her failure to complete assigned duties. This evidence included copies of two medical records which were lacking appropriate documentation of care by the employee. At the end of the meeting, the employee was provided with the paperwork supporting the termination as well as other miscellaneous general termination information. Unfortunately, the copies from the two medical records supporting the termination were also included. The copies included the patients’ identification.
16. PROVIDER EXPERIENCE - Continued Scenario - Local
On day of involuntary termination, employee contacted corporate helpline with multiple complaints regarding previous employer.
Only one complaint addressed an inappropriate use and disclosure of PHI.
Use and disclosure related to an operational function and not a patient care function.
Employee Immediately Involved External Resources (Corporate Office)
First Clue
17. PROVIDER EXPERIENCE - Continued Scenario - Local
Investigation carried out.
Focus on privacy issue.
Multiple calls to complainant.
Follow-up letter with results of investigation to complainant.
Corrective action taken.
Leadership Inservicing
18. PROVIDER EXPERIENCE - Continued OCR Investigation
Not unexpected; retaliation was suspected.
Scope of complaint a surprise – and a stretch.
Organization fully cooperated and shared details of internal/corporate investigation (documentation, notes, policy changes, education).
Employee filed complaint on behalf of the two patients whose PHI was used as evidence in the termination process.
Question to OCR – Did We Need to Contact Individuals?
No – They Were Never Notified or Involved
19. PROVIDER EXPERIENCE - Continued OCR Notification Letter
DHHS/OCR Letterhead
Addressed to Privacy Officer
Included Reference Number
Provided Nature of Complaint
Notification of Contact Within 2 Weeks
Identification of Contact Individual
Know What to Look For – Official Letterhead (DHHS/OCR)
Addressed to Privacy Officer (Name & Title)
Content:
Complaint Received
Established Enforcement Responsibility
Authority to Collect Information
Notification of Future Contact
CE Right to Respond, Submit Evidence
Notice of HHS Involvement if Unresolved
Reference to Freedom of Information Act
Closure
20. PROVIDER EXPERIENCE - Continued OCR Investigation
OCR Investigation Carried Out in a Thorough and Professional Manner.
Requested Organizational Response in a Timely Manner.
OCR provided letter of resolution.
Letter to Administrator and Complainant
Content
History of Complaint
OCR’s Enforcement
Notification of Covered Entity
Results of Investigation
Covered Entity’s Correction Steps
Notice of Resolution
Reference to Freedom of Information Act
21. TIMELINE
Recent Complaint
Complaint Filed in August, 2004
Notification in January, 2005
22. HEALTH PLAN EXPERIENCE Scenario
Due to a common misunderstanding and “branding” of the health plan and the medical center, a member filed a complaint with OCR because the health plan was sending his spouse’s explanation of benefits (EOB) to her ex-spouse.
Relatively “Painless” Process for Payer
23. HEALTH PLAN EXPERIENCE - Continued Internal Investigation
It was determined by the health plan that the patient (spouse) had dual coverage under both the ex-spouse and the current spouse.
No notification had been received by the health plan to terminate coverage under the ex-spouse.
24. HEALTH PLAN EXPERIENCE - Continued OCR Investigation & Outcome
Internal investigation information shared with OCR
Process of OCR investigation informal
Carried out by phone call
Resolved
Positive Experience
25. HEALTH PLAN EXPERIENCE - Continued Pending Future OCR Investigation?
Denial for services sent to wrong patient which may have resulted in disclosure of diagnostic information, social security number, etc.
Corrective Action – “Blinding” of SSN or identification numbers
Potential Future Concern – Expectation of an OCR Investigation
26. TAKE AWAYS Don’t Wait for OCR to Make Contact/Call to Request Information to Prepare for Investigation
Don’t Assume the Nature of the Complaint
Documentation Availability is Key
Staff Training & Education
Policies & Procedures
Internal Investigations and Corrective Actions
Request Verification of Resolution
Privacy Complaints – Low Hanging Fruit for Disgruntled Individuals
Whistleblower Complaints – Disgruntled Employees
As a Result of Sound Workforce Training on HIPAA and Privacy, Members are Knowledgeable on How to Report Complaints
27. CONSEQUENCES OF HIPAA VIOLATIONS Civil Penalties
Fines
Criminal Penalties
Imprisonment
Fines
Exclusion
Medicare Program
Civil Penalties: As of December, 2004, OCR Had Not Yet Levied a Civil Monetary Penalty
28. HIPAA CONVICTION Richard W. Gibson, 42, of Seattle, Washington was sentenced to 16 months in prison, three years of supervised release, and more than $9,000 in restitution for wrongful disclosure of individually identifiable health information for economic gain. GIBSON admitted that he obtained a cancer patient's name, date of birth and social security number while GIBSON was employed at the Seattle Cancer Care Alliance, and that he disclosed that information to get four credit cards in the patient's name. GIBSON also admitted that he used several of those cards to rack up more than $9,000 in debt in the patient's name. GIBSON admitted he used the cards to purchase various items, including video games, home improvement supplies, apparel, jewelry, porcelain figurines, groceries and gasoline for his personal use.
GIBSON was fired shortly after the identity theft was discovered. In a videotaped victim statement played in court, the cancer patient described how he had "lost a year of life both mentally and physically dealing with the stress" of having his identity stolen and dealing with banks, credit card companies and collection agencies. Judge Martinez went above the prosecutor's recommendation of 12 months and sentenced GIBSON to 16 months in prison. The Judge will determine at a later hearing how much restitution will go directly to the victim for costs he has incurred trying to clear his credit. Martinez also took the unusual step of ordering GIBSON immediately into custody.
29. OTHER EXTERNAL AGENCIES – PRIVACY COMPLAINTS State of Wisconsin Department of Health & Family Services – Bureau of Quality Assurance
Joint Commission on Accreditation of Healthcare Organizations
Media Outlets (Newspaper, Radio, Internet)
The Bureau and JCAHO Provide Processes for Complaints. Experience has Demonstrated that the State is Very Conservative in Applying the Privacy Rule.
E-Mail, Phone, Mail
Also Provides OCR Contact Information (Privacy)
JCAHO Will Also Investigate Privacy Complaints if Contacted.
E-Mail, Phone, Fax, Mail
Special Form
Media:
Be Prepared.
Have Investigation Information Readily Available.
Draft Proactive Press Release
30. QUESTIONS/DISCUSSION davisn@ministryhealth.org
920-746-1613