HIPAA UPDATE/ OCR ENFORCEMENT

HEALTH CARE COMPLIANCE ASSOCIATION
HIPAA UPDATE/OCR ENFORCEMENT
HCCA Regional Conference, East Central Region
Michael A. Cassidy, Esquire
October 14, 2011
Copyright Tucker Arensberg, P.C. All Rights Reserved.
Tucker Arensberg, P.C., 1500 One PPG Place, Pittsburgh, PA 15222

HIPAA UPDATE/OCR ENFORCEMENT: HIPAA HYPE
An industry of compliance and an absence of enforcement
- HIPAA Privacy Rule: April 14, 2003
- HIPAA Security Rule: April 20, 2005
- HHS/OIG admission: has previously acknowledged a lack of appropriate enforcement

ENFORCEMENT: ABSENCE OF COMPLAINTS
OCR privacy complaints received, by year:
2003: 3,743
2004: 6,534
2005: 6,855
2006: 7,340
2007: 8,190
2008: 8,706
2009: 7,567
2010: 8,524

ENFORCEMENT RESULTS IN PENNSYLVANIA TO DATE

Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year
(Year: Issue 1; Issue 2; Issue 3; Issue 4; Issue 5)
2010: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Notice
2009: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Complaints to Covered Entity
2008: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Complaints to Covered Entity
2007: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Notice
2006: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Notice
2005: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Mitigation
2004: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Authorizations
2003 (partial year): Safeguards; Impermissible Uses & Disclosures; Access; Notice; Minimum Necessary

NATIONAL PRIVACY RULE ENFORCEMENT
63,443 privacy complaints received:
- 14,309 resolved by required changes in privacy practices
- 35,999 ineligible for enforcement (jurisdiction, timeliness)
- 7,440 no violation found
- 57,748 (91%) closed in total
- 5,695 open

Identity of Covered Entity (by frequency):
1. Private Practices
2. General Hospitals
3. Outpatient Facilities
4. Health Plans
5. Pharmacies

NATIONAL SECURITY RULE ENFORCEMENT
- Enforcement transferred to OCR on July 27, 2009
- Two-year reporting history
- 460 complaints
- 217 closed with corrective action
- 309 open cases as of August 31, 2011

CHANGING ENFORCEMENT ENVIRONMENT
- HITECH
- HHS/OCR HIPAA compliance audits

"There will be consequences for failure to comply with HIPAA privacy and security obligations."
Susan McAndrew, OCR Deputy Director, Health Information Privacy, April 13, 2011

ENHANCED HIPAA ENFORCEMENT
HITECH 13410(d) revised 42 USC 1320d-5 to enhance penalties.
Prior penalties: $100.00 per violation, with a maximum of $25,000.
Effective February 18, 2009, there are four tiers of penalties (per violation / maximum):
1. Innocent: $100 / $25,000
2. Reasonable cause: $10,000 / $100,000
3. Willful neglect: $10,000 / $250,000
4. $50,000 / $1,500,000

ENHANCED HIPAA ENFORCEMENT
- Authorizes enforcement by state attorneys general as parens patriae, and provides training and funding
- Eliminates the ban on penalties when the entity could establish a reasonable lack of knowledge (i.e., strict liability)
- Prohibits penalties if violations are corrected within 30 days, provided they were not due to willful neglect

ENHANCED HIPAA ENFORCEMENT
HITECH 15411 requires HHS to conduct periodic audits for:
- 45 CFR Part 164, Subpart C (Security)
- 45 CFR Part 164, Subpart E (Privacy)
Contracts for audits (June 2011):
- Audit candidate identification: contract to Booz Allen Hamilton
- Audit protocol and implementation: contract to KPMG

3-STEP AUDIT PROCESS
1. Development of protocols
2. Initial round of approximately 20 test audits
3. Remaining full audits, adjusted based upon the success of the beta audits
Deliverables: Preliminary Audit Report; Final Audit Report

The Final Audit Report must address the issues identified in the OCR HIPAA Audit Protocol and Program Performance Contract Solicitation # 0557605:
- Condition: observed defects or noncompliance
- Criteria: clear demonstration that the negative finding is a potential violation of specific requirements
- Cause: source of the non-compliance
- Effect: risk exposure
- Corrective Recommendation
- Verification of Correction

Health Information Privacy: HMO Revises Process to Obtain Valid Authorizations
Covered Entity: Health Plans / HMOs
Issue: Impermissible Uses and Disclosures; Authorizations
A complaint alleged that an HMO impermissibly disclosed a member's PHI when it sent her entire medical record to a disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own authorization form. The new authorization specifies what records and/or portions of the files will be disclosed, and the respective authorization will be kept in the patient's record, together with the disclosed information.

Health Information Privacy: Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees
Covered Entity: Private Practice
Issue: Access
A patient alleged that a covered entity failed to provide him access to his medical records. After OCR notified the entity of the allegation, the entity released the complainant's medical records but also billed him $100.00 for a records review fee as well as an administrative fee. The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and of preparing an explanation or summary if agreed to by the individual. To resolve this matter, the covered entity refunded the $100.00 records review fee.

Health Information Privacy: Pharmacy Chain Enters into Business Associate Agreement with Law Firm
Covered Entity: Pharmacy Chain
Issue: Impermissible Uses and Disclosures; Business Associates
A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer's PHI. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement.

Health Information Privacy: Pharmacy Chain Revises Process for Disclosures to Law Enforcement
Covered Entity: Pharmacies
Issue: Impermissible Uses and Disclosures
A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not conform to the provisions of the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected health information to comply with the Privacy Rule requirements, including that disclosures of protected health information to law enforcement only be made in response to written requests from law enforcement officials, unless state law requires otherwise. The revised policy was implemented in the chain's stores nationwide.

Health Information Privacy: Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons
Covered Entity: Health Plans
Issue: Safeguards
A national health maintenance organization sent an explanation of benefits (EOB) by mail to a complainant's unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six-month period, and correct all corrupted patient information.

Health Information Privacy: Private Practice Revises Process to Provide Access to Records
Covered Entity: Private Practices
Issue: Access
A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. In addition, the covered entity forwarded the complainant a complete copy of the medical record.

Health Information Privacy: Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena
Covered Entity: General Hospital
Issue: Impermissible Uses and Disclosures
A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to ensure that the individual whose PHI was being sought received notice of the request, and/or failed to receive satisfactory assurance that the party seeking the information had made reasonable efforts to secure a qualified protective order. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained. The hospital also trained relevant staff members on the new procedures.

Health Information Privacy: Private Practice Provides Access to All Records, Regardless of Source
Covered Entity: Private Practice
Issue: Access
A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual's request for an amendment when the covered entity did not create the portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access their protected health information. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it.

Health Information Privacy: Large Health System Restricts Provider's Use of Patient Records
Covered Entity: Multi-Hospital Healthcare Provider
Issue: Impermissible Use
A nurse practitioner who has privileges at a multi-hospital health care system, and who is part of the system's organized health care arrangement, impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR's satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner's access to its electronic records system; reported the nurse practitioner's conduct to the appropriate licensing authority; and provided the nurse practitioner with remedial Privacy Rule training.

RESOLUTION AGREEMENTS AND CIVIL MONEY PENALTIES
A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity's compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes.
When HHS has not been able to reach a satisfactory resolution through the covered entity's demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed on a covered entity for noncompliance.
To date, HHS has entered into five resolution agreements and issued CMPs to one covered entity.

RESOLUTION AGREEMENTS
- Resolution Agreement with the University of California at Los Angeles Health System (July 6, 2011)
- Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. (February 14, 2011)
- Civil Money Penalty issued to Cignet Health of Prince George's County, MD (February 4, 2011)
- Resolution Agreement with Management Services Organization Washington, Inc. (December 13, 2010)
- Resolution Agreement with Rite Aid Corporation (July 27, 2010)
- Resolution Agreement with CVS Pharmacy, Inc. (January 16, 2009)
- Resolution Agreement with Providence Health & Services (July 16, 2008)