TODAY’S ENFORCEMENT HIPAA PRIVACY AND SECURITY STATUTES
ARMIN J. MOELLER, JR.
BALCH & BINGHAM LLP
601-965-8156
amoeller@balch.com
masi

TODAY’S HIPAA ENFORCEMENT – WHAT’S CHANGED?
• Increased Enforcement
• Substantial Civil Monetary Penalties (“CMPs”) and Corrective Action Plans (“CAPs”)
HIPAA PRIVACY RULES
• Limits Circumstances by Which Individual’s PHI May Be Used/Disclosed by Covered Entities (“CEs”)
• PHI Permitted Use/Disclosure without Patient Authorization for Treatment, Payment or Healthcare Operations
• May Use/Disclose PHI Only With Patient Authorization
• Exceptions – Public Health, Judicial, Law Enforcement, Certain Specialized Purposes

HIPAA PRIVACY RULES - Continued
• Privacy Rule - Additional Obligations
• Accounting for Certain Disclosures
• Disclose Only Minimum Information Necessary
• Provide Notice of Privacy Practices
• Individual’s Rights to Review/Obtain Copies of PHI
• Must Safeguard Protected Health Information from Inappropriate Use/Disclosure
• Individuals Have Right to Request Changes to Inaccurate/Incomplete PHI
• Maintain Administrative, Technical, Physical Safeguards to Prevent Improper Use/Disclosure of PHI
BUSINESS ASSOCIATES (“BAs”)
• Anyone that Performs, or Assists in Performing, an Activity Involving Use/Disclosure of PHI on Behalf of a CE
• Examples – Claims Processing, Data Analysis, Utilization Review, Quality Assurance, Billing, Benefit Management, Practice Management, Pricing
• Other BAs
  • Persons Performing Legal, Actuarial, Accounting, Consulting, Data Aggregation, Management, Administration, Accreditation or Financial Services if the Service Involves Disclosure of PHI from a Covered Entity
• Must Maintain PHI Confidentiality as Required by Service Agreement
• Violations – Covered Entity Must Terminate Relationship or Report Problem to HHS

SECURITY RULE (“SR”)
• Applies to PHI in Electronic Form (“EPHI”)
• Requires CE to Maintain Administrative, Technical and Physical Safeguards to Ensure Confidentiality/Integrity/Availability of All EPHI the CE Creates, Receives, Maintains or Transmits
• CEs Must Enter into an Agreement with BAs Who Create, Receive, Maintain or Transmit EPHI
• BA Must Provide Same Safeguards to Protect EPHI
• CE Not Liable for Violations of SR by BA Unless CE Knew BA Engaged in Activity That Violated HIPAA SR and CE Took No Action
ENFORCEMENT HISTORY
• DOJ Had Authority to Impose CMPs and Criminal Sanctions
• HHS Did Not Enforce Privacy or Security Rule Until 2008
• HHS – OIG in 2008 Concluded CMS Had Not Provided Effective Oversight/Enforcement of SR by CEs
• Prevailing View – “All Bark and No Bite” – Does Not Justify Compliance Expenses

RECENT DEVELOPMENTS
• HHS Office of Civil Rights (“OCR”) Imposed CMPs Totaling $4.35MM on Cignet Health of Prince George’s County, Maryland
• Settled with Massachusetts General Hospital (“Mass General”) for PR Violations – $1MM
• University of California Los Angeles Health System (“UCLAHS”) – Potential PR and SPR/SR Violations – $865,000
• HHS OIG Began to Incorporate New Advanced Electronic/Data Mining Technologies to Uncover Waste, Fraud, Violations in Federal Healthcare Programs and Ensure Regulatory Compliance
• Data Analytics to Conduct Risk Assessment, Pinpoint Oversight Efforts, Reduce Time/Resources Required for Audits, Investigations and Program Integrity Activities
HHS POLICY CHANGES
• HHS Secretary Delegates PR Enforcement to OCR
• April 14, 2003 – PR Compliance Mandatory for Most Covered Entities
• Next 5 Years – No Penalties/Settlements for PR Violations
• 2003 – HHS Secretary Delegates Authority to Enforce SR to CMS
• March 2006 – HIPAA Enforcement Rules Implemented
• 2006-2009 – No SR Compliance Actions
• 2009 – Congress/HITECH Expands Enforcement/Penalties
• HHS Reassigns Enforcement to OCR

HHS’ POLICY CHANGES - Continued
• 2008-2009 Enforcement/Settlement Activities
• July 18, 2008 – HHS Resolution Agreement with Providence Health and Services (“Providence”) – PR/SR Violations, Loss of Electronic Backup Media/Laptop Computers Containing PHI – Providence Pays HHS $100,000 and Implements CAP
• January 16, 2009 – $2.25 MM Resolution Agreement/CAP with CVS Pharmacy, Inc. (“CVS”) – Unsecured Disposal of Pharmacy Customers’ PHI
• July 27, 2009 – HHS Strips CMS of SR Enforcement and Delegates to OCR
HITECH LEGISLATIVE CHANGES
• Expands Certain Provisions in PR and SR Rules to Business Associates
• Subjects BAs to Civil/Criminal Liability for Violations
• Establishes New Limits on Use of PHI for Marketing/Fund Raising Purposes
• Provides New Enforcement Authority for State Attorneys General to Bring Suit in Federal District Court to Enforce HIPAA Violations
• Increases Civil/Criminal Penalties for HIPAA Violations

HITECH LEGISLATIVE CHANGES - Continued
• Requires CEs/BAs to Notify Public or HHS of Data Breaches
• Changes Use/Disclosure Rules for PHI
• Expands Certain Individual Rights
• Mandates CEs Report to OCR Breaches of Unsecured PHI
• Mandatory Notifications without Immunity/Reduced Penalties for Reporting

STATE ATTORNEYS GENERAL AUTHORITY
• Civil Actions Against HIPAA Privacy/Security Violators
• Damages Up to $100 per Violation, Up to $25,000 for All Violations of an Identical Requirement During a Calendar Year
• Compliance Audits
  • HITECH Requires HHS to Perform Periodic Audits to Ensure CE and BA Compliance with PR and SR
ENHANCED HIPAA PRIVACY/SECURITY ENFORCEMENT ACTIVITIES
• Cignet – Breached PR by Failing to Provide 41 Individuals Timely Access to Medical Records/Failing to Cooperate in Investigation/Not Correcting Violations within 30 Days
  • Finding of Willful Neglect Not Corrected Within 30 Days
• Mass General – Removal/Loss of PHI on Subway by Mass General Employee
  • PHI for a Total of 258 Patients, Including Patients with HIV/AIDS
  • $1MM Penalty plus 3-Year CAP

CURRENT CAPs
• Similar to Corporate Integrity Agreements Entered Into by OIG
• Imposes Corrective Action Obligations That Reflect Federal Sentencing Guidelines/OIG Compliance Guidance Documents
• Mass General CAP
  • Develop, Distribute, Update Policies/Procedures Targeting Alleged Violation/Rate of Activities
  • Train Personnel on Policies/Procedures in Response to Violation
  • Monitor/Audit Performance of New Policies/Procedures
  • Provide Reports to OCR Regarding Performance

CURRENT CAPs - Continued
• UCLAHS CAP
  • Potential Violations of PR/SR
  • $865,500 CMP
  • CAP to Remedy Gap in Compliance
  • Arose From Incidents Involving Celebrity Patients/Complaints – Employees Accessed PHI
  • CAP Requires Implementing PR/SR Policies Approved by OCR
  • Conduct Regular Employee Training
  • Sanction Offending Employees
  • Independent Monitor to Assess Compliance for 3 Years
HHS – OIG ENHANCED TECHNOLOGIES/ENFORCEMENT EFFORTS
• Fraud
  • Information Technologies/Analytics to Uncover Fraud/Target Oversight Efforts
  • Data Mining/Trend Evaluations/Modeling – Enterprise View of Questionable Activities/Suspected Fraud Trends
  • New Data Storage/Computer Matching/Data Analytic Capabilities to Analyze Hospital Data for Multiple Compliance Risks
  • Auditing Process Reduced from Weeks/Months to 20 Minutes per Hospital
• Healthcare Fraud Prevention and Enforcement Action Team (“HEAT”)
  • High-Level Law Enforcement from DOJ and HHS
  • Enforces Anti-Fraud and Other Compliance Obligations
  • Began in March 2007 – Operates in 7 Major Cities

HHS – OIG ENHANCED TECHNOLOGIES/ENFORCEMENT EFFORTS - Continued
• FY 2010 – 140 Indictments Filed Against 284 Defendants that Billed Medicare $590 MM
• 217 Guilty Pleas Negotiated
• 29 Jury Trials with Guilty Verdicts Against 23 Defendants
• 146 Defendants Sentenced/Average More than 40 Months
• Data-Driven/Data Analytics Approach Increasingly Effective
CONCLUSION
It’s Not the Passive HHS Enforcement Efforts Any More!

THANK YOU
Armin J. Moeller, Jr.
Balch & Bingham, LLP
amoeller@balch.com
601-965-8156