HEALTH CARE COMPLIANCE ASSOCIATION HIPAA UPDATE/ OCR ENFORCEMENT HCCA REGIONAL CONFERENCE East Central Region Michael A. Cassidy, Esquire October 14, 2011 Copyright Tucker Arensberg, P.C. All Rights Reserved. Tucker Arensberg, P.C. 1500 One PPG Place Pittsburgh, PA 15222
HIPAA UPDATE/OCR ENFORCEMENT HIPAA HYPE An industry of compliance and an absence of enforcement HIPAA Privacy Rule April 14, 2003 HIPAA Security Rule April 20, 2005 HHS/OIG Admission Has previously acknowledged lack of appropriate enforcement 2
ENFORCEMENT ABSENCE OF COMPLAINTS OCR PRIVACY COMPLAINTS 2003 3,743 2004 6,534 2005 6,855 2006 7,340 2007 8,190 2008 8,706 2009 7,567 2010 8,524 3
ENFORCEMENT RESULTS IN PENNSYLVANIA TO DATE 4
Top Five Issues in Investigated Cases Closed with corrective Action, by Calendar Year Year Issue 1 Issue 2 Issue 3 Issue 4 Issue 5 2010 Impermissible Uses & Safeguards Access Minimum Necessary Notice Disclosures 2009 Impermissible Uses & Disclosures Safeguards Access Minimum Necessary Complaints to Covered Entity 2008 Impermissible Uses & Disclosures Safeguards Access Minimum Necessary Complaints to Covered Entity 2007 Impermissible Uses & Disclosures Safeguards Access Minimum Necessary Notice 2006 Impermissible Uses & Disclosures Safeguards Access Minimum Necessary Notice 2005 Impermissible Uses & Disclosures Safeguards Access Minimum Necessary Mitigation 2004 Impermissible Uses & Disclosures Safeguards Access Minimum Necessary Authorizations partial year 2003 Safeguards Impermissible Uses & Disclosures Access Notice Minimum Necessary 5
NATIONAL PRIVACY RULE ENFORCEMENT 63,443 Privacy Complaints 14,309- Resolved by required changes in privacy practices 35,999- Case ineligible for enforcement jurisdiction timeliness 7,440- No violation 57,748 (91%) 5,695 Open 6
Identity of Covered Entity (Frequency) 1.Private Practices 2.General Hospitals 3.Outpatient Facilities 4.Health Plans 5.Pharmacies 7
NATIONAL SECURITY RULE ENFORCEMENTS Transferred to OCR July 27, 2009 2 year reporting history 460 complaints 217 closed/corrective action 309 open cases August 31,2011 8
CHANGING ENFORCEMENT ENVIRONMENT HITECH HHS/OCR HIPAA Compliance audits 9
There will be consequences for failure to comply with HIPAA privacy and security obligations. Susan McAndrew OCR Deputy Director Health Information, Privacy April 13, 2011 10
ENHANCED HIPAA ENFORCEMENT HITECH 13410(d) revised 42 USC 1320d-5 to enhance penalties Prior penalties: $100.00 per violation with a maximum $25,000 Effective February 18, 2009, there are 4 tiers of penalties: 1. Innocent $100/$25,000 2. Reasonable cause $10,000/$100,000 3. Willful neglect $10,000/$250,000 4. $50,000/$1,500,000 11
ENHANCED HIPAA ENFORCEMENT Authorize enforcement by state attorneys general as parens, patriaeand provides training and funding Eliminates the ban on penalties when entity could establish reasonable lack of knowledge i.e. strict liability Prohibits penalties if violations are corrected within 30 days provided not due to willful neglect 12
ENHANCED HIPAA ENFORCEMENT HITECH 15411 requires HHS periodic audits for: 45 CFR 164 (c) security 45 CFR 164 (e) privacy Contracts for audits: June 2011 Audit candidate identification contract to Booze Allen Hamilton Audit protocol and implementation to KPMG 13
3 STEP AUDIT PROCESS Development of protocols Initial round of approximately 20 test audits Remaining full audits adjusted based upon success of beta audits Preliminary Audit Report Final Audit Report 14
Final Audit Report must address issues identified in OCR HIPAA Audit Protocol and Program Performance Contract Solicitation # 0557605 Condition: Criteria: Cause: Effect: observed defects on noncompliance clear demonstration that negative finding is a potential violation of specific requirements source of non-compliance risk exposure Corrective Recommendation Verification of Correction 15
Health Information Privacy HMO Revises Process to Obtain Valid Authorizations Covered Entity: Health Plans / HMOs Issue: Impermissible Uses and Disclosures; Authorizations A complaint alleged that an HMO impermissibly disclosed a member s PHI, when it sent her entire medical record to a disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own authorization form. The new authorization specifies what records and/or portions of the files will be disclosed and the respective authorization will be kept in the patient s record, together with the disclosed information. 16
Health Information Privacy Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees Covered Entity: Private Practice Issue: Access A patient alleged that a covered entity failed to provide him access to his medical records. After OCR notified the entity of the allegation, the entity released the complainant s medical records but also billed him $100.00 for a records review fee as well as an administrative fee. The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual. To resolve this matter, the covered entity refunded the $100.00 records review fee. 17
Health Information Privacy Pharmacy Chain Enters into Business Associate Agreement with Law Firm Covered Entity: Pharmacy Chain Issue: Impermissible Uses and Disclosures; Business Associates A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer s PHI. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement. 18
Health Information Privacy Pharmacy Chain Revises Process for Disclosures to Law Enforcement Covered Entity: Pharmacies Issue: Impermissible Uses and Disclosures A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not conform to the provisions of the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected health information to comply with the Privacy Rule requirements, including that disclosures of protected health information to law enforcement only be made in response to written requests from law enforcement officials, unless state law requires otherwise. The revised policy was implemented in the chains' stores nationwide. 19
Health Information Privacy Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons Covered Entity: Health Plans Issue: Safeguards A national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant's unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all corrupted patient information. 20
Health Information Privacy Private Practice Revises Process to Provide Access to Records Covered Entity: Private Practices Issue: Access A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. In addition, the covered entity forwarded the complainant a complete copy of the medical record. 21
Health Information Privacy Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena Covered Entity: General Hospital Issue: Impermissible Uses and Disclosures A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to insure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained. The hospital also trained relevant staff members on the new procedures. 22
Health Information Privacy Private Practice Provides Access to All Records, Regardless of Source Covered Entity: Private Practice Issue: Access A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual's request for an amendment when the covered entity did not create that the portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access their protected health information. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it. 23
Health Information Privacy Large Health System Restricts Provider's Use of Patient Records Covered Entity: Multi-Hospital Healthcare Provider Issue: Impermissible Use A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system s organized health care arrangement impermissibly accessed the medical records of her exhusband. In order to resolve this matter to OCR s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner s access to its electronic records system; reported the nurse practitioner s conduct to the appropriate licensing authority; and, provided the nurse practitioner with remedial Privacy Rule training. 24
Resolution Agreements Resolution Agreements and Civil Money Penalties -A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into five resolution agreements and issued CMPs to one covered entity 25
Resolution Agreements Resolution Agreement with the University of California at Los Angeles Health System --July 6, 2011 Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc.--February 14, 2011 Civil Money Penalty issued to Cignet Health of Prince George's County, MD--February 4, 2011 Resolution Agreement with Managemet Services Organization Washington, Inc.--December 13, 2010 Resolution Agreement with Rite Aid Corporation--July 27, 2010 Resolution Agreement with CVS Pharmacy, Inc.--January 16, 2009 Resolution Agreement with Providence Health & Services--July 16, 2008 26