HIPAA plus HITECH Where are we now? Ann Bittinger Board Certified Health Law Attorney The Bittinger Law Firm 13500 Sutton Park Drive South, Suite 201 Jacksonville, FL 32224 (904) 821-9000 ann@bittingerlaw.com www.bittingerlaw.com NEFHIMA March 12, 2010
History
• Congress enacted the Health Insurance Portability and Accountability Act in 1996.
• Goals:
  • Access to health insurance (portability)
  • Protecting privacy of health information
  • Promoting the standardization of health claims/efficiency
• Privacy Regulations: first proposed November 3, 1999; finalized April 14, 2002 for most entities, with enforcement to start April 14, 2003.
History
• Security Rule
  • Proposed August 12, 1998
  • Final Rule issued on February 20, 2008, taking effect April 21, 2003, with a compliance date of April 21, 2005.
  • Tweaks thereafter.
HITECH Changes to HIPAA
• Part of the American Recovery and Reinvestment Act of 2007 (ARRA)
• “Health Information Technology for Economic and Clinical Health Act”
• $36 billion for HIT and HIE
HITECH
• Creates a private right of action: individuals can now sue for HIPAA breaches through state Attorneys General (2/19/09)
• A portion of the penalties goes back to the individual
• Breach reporting is now required
• Applies many of the HIPAA privacy and security requirements DIRECTLY to Business Associates
Penalties – pre-HITECH
• Civil
  • $100 per violation
  • Annual cap of $25,000 for all violations of a single requirement or prohibition
• Criminal
  • Wrongful disclosure: up to $5,000 and/or 1 year in jail
  • False pretenses: up to $100,000 and/or 5 years in jail
  • For profit/with malice: up to $250,000 and/or 10 years in jail
Penalties after HITECH
• May permit criminal prosecution of individuals for knowing HIPAA violations
• Civil penalties: max of $1.5M for each type of violation, tiered by the entity’s state of knowledge
  • If the entity did not know a violation occurred and by “exercising reasonable due diligence would not have known”
    • $100/violation, up to $25K for identical violations in a calendar year (CY)
  • If due to “reasonable cause and not to willful neglect”
    • $1,000/violation, up to $100K for identical violations in a CY
  • If due to “willful neglect”
    • $10K/violation (for violations corrected within 30 days), up to $250K per CY
    • $50K/violation (if not corrected within 30 days), up to $1.5M per CY
HITECH expanded enforcement
• As of 2/17/11: the Secretary MUST formally investigate a complaint if the preliminary investigation shows the possibility of a violation due to willful neglect
• The Secretary also MUST impose a monetary penalty for violations due to willful neglect
• Expect regs on this by 8/17/10
Criminal proceedings
• “Seattle Man Pleads Guilty in First Ever Conviction for HIPAA Rules Violation,” August 19, 2004. Richard Gibson, an employee at the Seattle Cancer Care Alliance, obtained a cancer patient’s name, DOB, and SSN and got credit cards in the patient’s name.
  • $9,000 for jewelry, home improvements, etc.
  • Got the maximum sentence: 16 months in prison.
Criminal proceedings
• “Nurse Pleads Guilty to Privacy Violation,” April 17, 2008.
  • Andrea Smith, LPN
  • Pleaded guilty to wrongfully disclosing a patient’s health information for personal gain (E.D. Arkansas).
  • Accessed the PHI of an unnamed patient while employed at the Northeast Arkansas Clinic in Jonesboro.
  • Gave the info to her husband, who called the patient and threatened to use the information against the patient in an “upcoming legal proceeding.”
  • Conspiracy; malice: faces 10 years imprisonment and a fine of $250,000.
Complaints
• Privacy:
  • As of June 15, 2003: 637 privacy complaints.
    • 2 months after the effective date.
  • By April 2008: 34,771 complaints.
    • 27,796 were resolved (80%).
      • No violations in 2,952 of the resolved
      • Changes required in 5,971.
      • Remaining 18,873: out of jurisdiction, untimely, withdrawn or didn’t violate the law
Complaints
• Security:
  • By December 2007, CMS had received a total of 283 security complaints
  • Closed 191. The majority of security complaints are allegations of “inappropriate access and risk of inappropriate disclosure.”
2008 Enforcement data
Recent developments
• January 2010: Health Net of Connecticut
  • May 2009 loss of a hard drive with info on 450,000 people, including names, addresses, bank account numbers and SSNs
  • Health Net offered 2 years of free credit monitoring and $1 million in identity theft insurance
  • No evidence of a single instance of ID theft
  • Nonetheless: the CT AG sued Health Net under HITECH
  • Seeks fines and a requirement that Health Net encrypt any PHI on portable media
Great resource
• New CMS Compliance Reviews and Checklist for HIPAA Security – 2/2008
  • Sample audit checklist on CMS website
• www.hhs.gov/ocr/privacy
  • Compliance and Enforcement Case Examples
  • www.hhs.gov/ocr/privacy/enforcement/allcases
Privacy Compliance and Enforcement
• Example 1:
  • “A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors that were not business associates. Among other corrective actions to resolve the specific issues in the case, OCR required that the agency develop procedures for properly disclosing protected health information only to its valid business associates and to train its staff on the new processes.”
Business Associates
• If an entity that is not a covered entity is doing something “on behalf of” you, and it is not treatment, you need a BA Agreement with them.
• Applies to payment and health care operations
• Examples:
  • Consultants to assist with audits
  • Lawyers to assist with lawsuits; claims; collections
  • Data processing
  • Claims processing
  • Accreditation
  • Accounting
Privacy Plan
• Must have in place a plan to address HIPAA Privacy
• Nothing mandated: typically addresses privacy rights, oral communications, the method of handing out and tracking the Notice, document retention
• Training
• Designated Privacy Officer
Notice of Privacy Practices
• Must give to all patients at the first date of service
• Explains the uses and disclosures of PHI at the entity
• Must contain certain language
Authorization
• Use when:
  • not treatment, payment or health care operations;
  • not to a BA; and
  • no other exception applies.
• Patient signs; must be in “plain language”
• Must have certain language
• Cannot condition treatment on signing
• Must inform patients of their rights
Privacy Compliance and Enforcement
• Example 2:
  • At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures.
Individual Rights
• Access:
  • General rule: right to access
  • Must act within 30 days
  • Certain grounds for denial, which are reviewable
Privacy Compliance and Enforcement
• Example 2.5:
  • A private practice denied an individual access to his records on the basis that a portion of the individual’s record was created by a physician not associated with the practice… no similar provision limits individuals’ rights to access their protected health information. Among other steps to resolve the specific issues, OCR required the practice to revise its access policy to affirm that “patients have access to their record regardless of whether another entity created information contained within it.”
Privacy Compliance and Enforcement
• Example #3:
  • An outpatient surgical facility disclosed a patient’s PHI to a research entity for recruitment purposes without the patient’s authorization or an IRB- or privacy-board-approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. OCR required the facility to revise its written policies and procedures regarding disclosures of PHI for research recruitment purposes to require valid written authorizations; retrain staff; and log the disclosure of the patient’s PHI.
Accounting/Log
• Individuals have a right to a list of disclosures made in the six years prior to the request (but not before the implementation date).
• Exceptions:
  • To the patient
  • Incidentals
  • Authorized disclosures (signed authorization)
  • National security
• Releases to BAs have to be tracked
• Content: date, name and address of recipient, description of the info and purpose of the disclosure
• Must act within 30 days.
Research
• Research/HIPAA booklet on NIH site: http://privacyruleandresearch.nih.gov/pr_02.asp
• De-identification: very difficult
• Authorization (can be in the Informed Consent Document) allows a covered entity to use or disclose the individual’s PHI for the purposes, and to the recipient or recipients, as stated in the Authorization.
• Must be for specific research, not for nonspecific research or for future, unspecified projects.
• Databases.
Privacy Compliance and Enforcement
• A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the PHI of one of its patients. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to ensure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order…. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained.
Breach
• HITECH: first federal law mandating breach notification
• Florida does not have such a law; 45 states do
• Applies to covered entities, business associates, PHR vendors and PHR service providers
Breach
• Notification required upon “discovery” of a “breach” of “unsecured PHI”
• “Breach” defined as unauthorized acquisition, access, use or disclosure of unsecured PHI which compromises the security or privacy of such information
• “Compromises” means creates a “significant risk of financial, reputational or other harm to the individual”
• Requires a risk assessment: a fact-specific analysis (consider the nature of the information, the recipient, and any mitigation) to determine whether a significant risk of harm exists.
Example of breach
• January 2010: BCBS of Tennessee
  • October 2, 2009: alarm at an offsite facility storing hard drives
  • Investigation 3 days later reveals 57 missing hard drives containing audio copies of phone calls and video screen images
  • BCBS notified 220,000; up to 500,000 may be affected
  • Spent over $7 million to date
  • Has to notify AGs in 32 states.
Questions?
Ann Bittinger
Board Certified Health Law Attorney
The Bittinger Law Firm
13500 Sutton Park Drive South, Suite 201
Jacksonville, FL 32224
(904) 821-9000
ann@bittingerlaw.com
www.bittingerlaw.com