HIPAA Enforcement Risks Rising For Healthcare In 2007 Presented by Peter MacKoul, J.D.
Agenda
Introduction
HIPAA Evolution
HIPAA Environment
• Regulations
• Misconceptions
• Court Rulings
Current Enforcement Environment
• OIG Audits At Piedmont Hospital - Federal Audits
• Cleveland Clinic – Criminal Conviction
• Herman v. Kratch – Civil Action
• Sorensen v. Barbuto – Civil Action
• Acosta v. Byrum – Civil Action
• Northwestern Memorial Hospital v. John Ashcroft AG of US – Public Records
• State AG’s Create Enforcement Departments
Legislative & Agency Environment
Introduction
Peter MacKoul, Esq. is an attorney and technical analyst with over 15 years of legal and technical consulting experience in both public and private sectors for major organizations including Blue Cross, IBM, Nextel, General Dynamics, educational institutions and local government. His legal background includes criminal and civil law. His expertise includes the areas of HIPAA, IT development, Internet law, healthcare issues and handicapped access to technology involving law, technology, privacy, and security. He served as a subject matter expert on HIPAA Privacy and Security in Texas for the Governor’s Health Information Technology Advisory Committee (HITAC), which created recommendations on healthcare IT issues related to privacy and security, including Regional Health Information Organizations (RHIOs). Mr. MacKoul has published articles on HIPAA, created compliance training resources, and has been a featured speaker on issues of privacy and security for regional IT security conferences (TRISC), the Texas Healthcare Association (THA) and major technology events. He has also been referenced in technology publications such as ComputerWorld on HIPAA and privacy.
Introduction
A Note to the Reader - The information contained in this document is meant for informational purposes only and not intended to act as a substitute for the advice of an attorney. Please contact appropriate legal counsel before acting on any of the information contained in this document.
HIPAA Evolution
• HIPAA Statutes Focused On Protection Of Patient Privacy
• Chaos In Early Compliance Environment
• Technology Advances Are Outstripping Business Processes
• Healthcare Efficiency Pushing Technology / EMR’s
• Identity Theft, Fraud, Homeland Security Raising Awareness of Security and Privacy Issues
In a report last year, the World Privacy Forum found that the number of Americans identifying themselves in government documents as victims of medical identity theft had nearly tripled in just four years, to more than a quarter-million in 2005. NBC News April 2007
HIPAA Environment - Regulations
Privacy Is At The Heart Of HIPAA
Security Compliance Cannot Be Achieved Without Addressing Privacy Issues First
HIPAA Environment - Misconceptions
• HIPAA Compliance Is Voluntary
• Only Class Action Litigation Is Allowed
• Only Healthcare Providers Are Affected
• State Laws Can Supersede HIPAA
• HIPAA Will Ultimately Go Away
• The Feds Are Not Enforcing HIPAA
• It’s Not Necessary to Conduct Thorough Remediation
HIPAA Environment – Court Rulings
• US Attorneys
• District Courts
• Appellate Courts
• Federal Courts
• Regulatory Agencies
Enforcement – OIG Audits
March 8, 2007, issue of MEDICARE ADVANTAGE NEWS
In a surprise move, OIG on March 5 began the first audit of a provider's compliance with the HIPAA security regulation. The target: Piedmont Hospital in Atlanta. Auditors are expected to stay at the hospital three to four weeks and then forward their findings to CMS, which enforces the security rule. This is the government's first systematic hands-on examination of compliance with any HIPAA regulation.
Enforcement – OIG Audits
March 8, 2007, issue of MEDICARE ADVANTAGE NEWS
An OIG spokeswoman says, "We can't answer questions about ongoing work. The number of audits to do has yet to be determined." OIG auditors plan to audit Piedmont's administrative, physical and technical safeguards — the core requirements under the security regulation. This will include the hospital's policies and procedures relating to access to electronic protected health information (e-PHI); the risk assessment relative to e-PHI; electronically transmitting e-PHI; preventing, detecting, containing and correcting security violations; monitoring systems; remote access; wireless security; anti-virus mechanisms; firewalls; and other e-PHI security requirements.
Enforcement – Cleveland Clinic Criminal
Former Hospital Employee and Co-Conspirator Sentenced to Prison for Medicare Fraud and Identity Theft
In Ft. Lauderdale . . . Machado was employed at the Cleveland Clinic when she and her cousin Ferrer stole the personal information of Cleveland Clinic and MHA patients. That information included, among other things, the patients' names, dates of birth, Social Security numbers, Medicare numbers and addresses.
Enforcement – Herman v. Kratch - Civil
Civil action against a clinic for the “unauthorized disclosure of medical information,” “invasion of privacy,” and “intentional infliction of emotional distress after clinic sent patient's personal medical records to her employer.” - Herman v. Kratch, 2006 WL 3240680 (Ohio App. 8 Dist.)
Enforcement – Herman v. Kratch - Civil
The Appellate Court found in the “unauthorized disclosure action” that the “clinic was liable for its unauthorized disclosure of patient's medical records;” and with regard to the Invasion of Privacy tort, “triable fact existed as to whether clinic's unauthorized disclosure of patient's medical records was the type of act that would cause a person of ordinary sensibilities outrage, mental suffering, shame, or humiliation.” Herman v. Kratch, 2006 WL 3240680 (Ohio App. 8 Dist.)
Enforcement – Herman v. Kratch - Civil
The court stated: “while the document authorizes the Clinic to release plaintiff's medical information for purposes of payment, that is not what occurred here. The Clinic does not dispute that plaintiff's bills should have been sent to United Healthcare for payment, not Nestle. There is nothing in the Clinic's” [HIPAA], “notice document that authorized the release of plaintiff's medical information to the wrong payor, whether accidentally or not.”
Enforcement – Sorensen v. Barbuto - Civil
Many HIPAA cases are used by courts in other jurisdictions to decide cases in front of them. Good examples of this are Sorensen v. Barbuto and Acosta v. Byrum. The Sorensen case (handed down from the Appellate Court in Utah) appears to be the first case enabling a plaintiff to use HIPAA as a standard of care to bring a private cause of action involving the “intentional infliction of emotional distress.”
Enforcement – Acosta v. Byrum - Civil
This case provides a legal method enabling plaintiffs’ attorneys to utilize HIPAA as a “standard of care” to bring an individual action using HIPAA privacy regulations and standards, instead of attempting to bring an individual lawsuit directly under HIPAA itself, which is not permitted.
“. . . This allegation does not state a cause of action under HIPAA. Rather, plaintiff cites to HIPAA as evidence of the appropriate standard of care, a necessary element of negligence. . .” Acosta v. Byrum, 638 S.E.2d 246, 2006
Enforcement – Northwestern Case – Public Records
Northwestern Memorial Hospital v. John Ashcroft Attorney General of United States
The Northwestern case involved the potential of having de-identified medical records involving partial birth abortions “made a part of the trial record in New York,” thus available to “skillful Googlers,” as characterized by the court.
Enforcement – Northwestern Case – Public Records
Northwestern Memorial Hospital v. John Ashcroft Attorney General of United States
The court elaborated on this Internet issue before ruling that the Attorney General of United States could not access and use these records, let alone have them available to web surfers. . . . This ruling is highly significant in that it interprets the HIPAA Privacy rule covering de-identification as not sufficient to protect an organization that follows the rules in a partial birth abortion case. Northwestern Memorial Hospital v. Ashcroft, 362 F.3d 923 at 929.
Enforcement – State AG’s Create Enforcement
HIPAA Enforcement Swings from Voluntary Compliance to Punishment for Violation of Privacy and Security Laws as States Join Federal Enforcement Under Federal Mandate
(PRWeb) November 28, 2006 -- Congress passed the 2006 False Claims Act. States are ordered to actively investigate and prosecute both providers as well as business associates effective January 1, 2007. States are required to create a False Claims Division and keep the overwhelming majority of fines recovered.
Enforcement – State AG’s Create Enforcement
Since voluntary compliance has been ignored by many providers for years, the Federal Government has examined how to make physical and electronic compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) a reality. Whistleblowers will be awarded 15% of fines.
Legislative & Agencies
HHS Delegates HIPAA Subpoena Authority To OCR
. . . . Notice is hereby given that I have delegated to the Director of the Office for Civil Rights the following authority vested in the Secretary of Health and Human Services. Subpoenas for the Health Insurance Portability and Accountability Act of 1996: Authority under Section 205(d) of the Social Security Act (42 U.S.C. 405(d)), with authority to redelegate, to issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence . . . . Michael O. Leavitt, Secretary. [FR Doc. 07–1872 Filed 4–13–07; 8:45 am] . . .
Legislative & Agencies
GAO blasts HHS on IT, privacy
January 2007
GAO recommends that HHS define and implement an overall privacy approach that identifies milestones for integrating the outcomes of its initiatives, ensures that key privacy principles are fully addressed, and addresses challenges associated with the nationwide exchange of health information.
Summary
• Health Care Privacy & HIPAA Are Here To Stay
• Courts & Prosecutors Are Using HIPAA
• Privacy Compliance MUST Be A First Step In Security
• Technology Is Not A Replacement For Sound Business Processes
Peter MacKoul, J.D.
HIPAA Solutions, LC
Peter.MacKoul@hipaasolutions.org
www.hipaasolutions.org
Toll Free: 877-779-3004