HIPAA Enforcement Update Gregory D. Frost Breazeale, Sachse & Wilson LLP Baton Rouge, Louisiana
OCR’s Vision • Through investigations, voluntary dispute resolution, enforcement, technical assistance, policy development and information services, OCR will protect the civil rights of all individuals who are subject to discrimination in health and human services programs and protect the health information privacy rights of consumers.
Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year
Enforcement Results – Louisiana, April 14, 2003 – December 31, 2010
Privacy Rule Enforcement Results
• HHS / OCR has investigated and resolved over 14,527 cases by requiring changes in privacy practices and other corrective actions by the covered entities.
• Corrective actions obtained by HHS from these entities have resulted in change that is systemic and that affects all the individuals they serve.
• HHS has successfully enforced the Privacy Rule by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity.
• OCR has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

Privacy Rule Enforcement Results
• In another 7,548 cases, our investigations found no violation had occurred.
• In the rest of our completed cases (36,334), HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule. These include cases in which:
  • OCR lacks jurisdiction under HIPAA – such as a complaint alleging a violation prior to the compliance date or alleging a violation by an entity not covered by the Privacy Rule;
  • the complaint is untimely, or withdrawn or not pursued by the filer;
  • the activity described does not violate the Rule – such as when the covered entity has disclosed protected health information in circumstances in which the Rule permits such a disclosure.

Privacy Rule Enforcement Results
• In summary, since the compliance date in April 2003, HHS has received over 64,126 HIPAA Privacy complaints. We have resolved over ninety-one percent of complaints received (over 58,409): through investigation and enforcement (over 14,527); through investigation and finding no violation (7,548); and through closure of cases that were not eligible for enforcement (36,334).

Privacy Rule Enforcement Results
• From the compliance date to the present, the compliance issues investigated most, compiled cumulatively and in order of frequency, are:
  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Uses or disclosures of more than the Minimum Necessary protected health information; and
  • Complaints to the covered entity.
• The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
  • Private Practices;
  • General Hospitals;
  • Outpatient Facilities;
  • Health Plans (group health plans and health insurance issuers); and
  • Pharmacies.

Referrals
• OCR refers to the Department of Justice (DOJ) for criminal investigation appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rule. As of the date of this summary, OCR had made over 494 such referrals to DOJ.
State Attorneys General Training
• Invitations to the Attorneys General of all 50 states, the District of Columbia, and the Territories
• 4 in-person training sites:
  • Dallas, April 4 & 5
  • Atlanta, May 9 & 10
  • Washington DC, May 19 & 20
  • San Francisco, June 13 & 14
• Computer-based training will follow
Cignet Health Care
• Cignet Health Care is a treatment provider and health plan issuer
• Over a two-year period, 41 individuals complained to OCR that Cignet had ignored their requests for access to their health records
• Cignet failed to respond to OCR's investigation or to provide copies of the patients' records

Cignet Health Care
• Civil Money Penalty (CMP) of $4.3 million levied
• $1.3 million of the penalty attributable to failure to provide individuals access to their health records
• $3 million for failure to respond to OCR demands to produce the records and failure to cooperate with OCR's investigation
Massachusetts General Hospital
• Large multi-specialty healthcare provider
• An employee who had taken patient files home left the folders on a subway train; they were never recovered
• Investigation initiated after media reports of the incident and a complaint from an individual whose PHI was lost
• Settled with OCR through a Resolution Agreement and corrective action plan

Massachusetts General Hospital
• Actions to Settle Case
  • $1 million resolution amount
  • Corrective Action Plan
  • MGH required to actively monitor its compliance with the Corrective Action Plan through use of an internal monitor
Management Services Organization of Washington
• MSO provided practice management services to individual health care providers
• Affiliated company, Washington Practice Management (WPM), markets and sells Medicare Advantage plans to consumers, for which it earns commissions
• Separate agreements with DOJ and OIG to settle allegations under the Federal False Claims Act

Management Services Organization of Washington
• Indications of Noncompliance in the WA MSO Resolution Agreement
  • MSO disclosed ePHI to WPM, without a valid authorization, so that WPM could market Medicare Advantage plans to those individuals
  • MSO had not developed or implemented appropriate and reasonable administrative, technical, and physical safeguards to protect ePHI

Management Services Organization of Washington
• Actions to Settle Case
  • $35,000 resolution amount to OCR
  • Corrective Action Plan:
    • Develop and implement policies & procedures to demonstrate compliance with the Privacy and Security Rules
    • Train workforce members
    • Conduct internal monitoring
    • Submit compliance reports to HHS for a period of two years
Rite Aid Corporation
• Large US pharmacy chain
• Series of media reports about personnel disposing of PHI, including labeled pill bottles and prescriptions, in unsecured garbage containers outside several Rite Aid pharmacy stores
• Settled with OCR through a Resolution Agreement and corrective action plan
• Simultaneously settled with the FTC through a consent order

Rite Aid Corporation
• Indications of Non-Compliance in the Rite Aid Resolution Agreement
  • Rite Aid policies and procedures for disposal did not reasonably and appropriately safeguard PHI
  • Rite Aid did not maintain a sanctions policy for workforce members who failed to safeguard PHI in the disposal process
  • Rite Aid did not provide necessary and appropriate training for its workforce regarding disposal of PHI

Rite Aid Corporation
• Actions to Settle Case
  • $1 million resolution amount
  • Corrective Action Plan
  • Both HHS and the FTC require Rite Aid Corporation (RAC) to actively monitor its compliance with the Resolution Agreement and Consent Order

Rite Aid Corporation
• Actions to Settle Case (continued)
  1. Revising and distributing policies & procedures regarding PHI disposal
  2. Sanctioning workers who do not follow them
  3. Training workforce members
  4. Conducting internal monitoring
  5. Engaging a third-party assessor to render reports to HHS
  6. New internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures
  7. Submitting compliance reports to HHS for a period of three years
UCLA Health System
• Large multi-campus healthcare provider
• UCLAHS employees repeatedly, and without a permissible reason, looked at the ePHI of two high-profile patients
• From 2005 to 2008, unauthorized employees repeatedly looked at the ePHI of other UCLAHS patients

UCLA Health System
• $865,500 settlement amount
• Corrective Action Plan (CAP)
  • Implement OCR-approved Policies and Procedures
  • Training for UCLAHS employees
  • UCLAHS required to actively monitor its compliance with the CAP through use of an independent monitor for 3 years