Privacy Rule - Complaint Investigations


Update on Enforcement of the HIPAA Privacy and Security Rules
Marilou King, JD, Office for Civil Rights, U.S. Department of Health and Human Services
www.hcca-info.org 888-580-8373

Privacy Rule - Complaint Investigations
- Every complaint received by OCR is reviewed and its allegations analyzed.
- An investigation is launched when warranted by the allegations in the complaint.
- OCR investigations have resulted in changes and improvements in the privacy practices and procedures of covered entities in over 5,500 cases since April 2003.
- Corrective action obtained by HHS from covered entities has resulted in systemic change that benefits all individuals they serve.

Privacy Rule - Complaint Process (OCR)
[Flowchart of the OCR complaint process; figure not reproduced in the transcript.]

Privacy Rule - All Complaints
[Chart of all complaints received; figure not reproduced in the transcript.]

Privacy Rule - Complaints Resolved by CY
[Bar chart: total resolutions (number of cases) by calendar year, 2003 through 2007; values printed on the bars, in the order extracted: 7,177; 6,467; 5,621; 4,764; 1,508.]

Privacy Rule - Total Investigated Cases
[Chart of total investigated cases; figure not reproduced in the transcript.]

Privacy Rule - Investigated Cases by CY
[Bar chart: investigated resolutions (number of cases) by calendar year, 2003 through 2007, with series No Violation, Corrective Action and Total; values printed on the bars, in the order extracted: 2,466; 2,200; 1,033; 1,392; 1,161; 1,803; 895; 1,571; 1,483; 642; 717; 260; 339; 359; 79.]

Privacy Rule - Issues in Enforcement Actions (April 14, 2003 to December 31, 2007)
The compliance issues investigated most frequently, in order, are:
- Impermissible use or disclosure of an individual's identifiable health information
- The lack of adequate safeguards to protect identifiable health information
- Refusal or failure to provide the individual with access to or a copy of his/her records
- The disclosure of more information than is minimally necessary to satisfy a particular request for information
- Failure to have the individual's valid authorization for a disclosure that requires one

Privacy Rule - Covered Entities in Enforcement Actions (April 14, 2003 to December 31, 2007)
The most common types of covered entities that have been required to take corrective actions and voluntarily comply, in order of frequency, are:
- Private physician practices
- General hospitals
- Outpatient facilities
- Health plans (Group Health Plans and Health Insurance Issuers)
- Pharmacies

CMS HIPAA Complaint Statistics (as of December 31, 2007)
[Pie chart of complaints by type: 567 TCS, 283 Security, 4 NPI.]

Complaint Type                        Open   Closed   Totals
Transactions and Code Sets (TCS)        52      515      567
Security                                92      191      283
National Provider Identifier (NPI)       0        4        4
Total                                  144      710      854

Note: 49 of the 191 closed Security Rule cases were resolved through corrective actions by the covered entities.

Top Security Rule Complaint Issues
- Unauthorized access to ePHI - for example, employees or relatives access ePHI inappropriately
- Loss or theft of devices containing ePHI - a small number of complaints, but a large volume of ePHI
- Insufficient access controls for systems - shared passwords, generic user IDs, lack of encryption
- The majority of Security Rule complaints are referred to CMS by OCR; they originated as Privacy Rule complaints

Privacy Rule - Enforcement Case Examples
Pharmacy Chain Institutes New Safeguards for Protected Health Information
Pharmacy stores maintained pseudoephedrine log books containing protected health information in such a way that individuals' protected health information was visible on the counter. OCR required that the CE implement new training and national policies and procedures to safeguard the log books.

Privacy Rule - Enforcement Case Examples
Health System Changes System-wide Process for Amendment of Records
A health system failed to consider a request for amendment without an appeal to the legal counsel's office. As a condition for resolution, OCR required the CE to revise its policies and procedures to eliminate this step, and to implement the change nationally.

Privacy Rule - Enforcement Case Examples
Provider Revises Process to Prevent Unauthorized Disclosures to Employers
A physician's office disclosed protected health information to the complainant's employer without a compliant authorization. OCR required the CE to revise its policies and procedures to require compliant patient authorization prior to releasing protected health information to an employer. All staff were trained on the revised policies and procedures.

Privacy Rule - Enforcement Case Examples
National Health Insurer Required to Sanction Employee, Retrain Staff and Mitigate Harm
An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. OCR required the health insurer to:
- train its staff on the applicable policies and procedures;
- mitigate the harm to the individual; and
- apply sanctions to the employee who made the unauthorized disclosure.

Privacy Rule - Enforcement Case Examples
HMO Required to Correct Computer Program
A national health maintenance organization sent an explanation of benefits (EOB) by mail to a complainant's unauthorized family member. OCR's investigation determined that a flaw in a computer program put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. OCR required the insurer to:
- correct the flaw in its computer program;
- review all transactions for a six-month period; and
- correct all corrupted patient information.

Security Rule Enforcement Case Example
Provider and its Business Associate Required to Correct Website Program
A small provider allowed patients to register on-line using an internet service. The program allowed any user of the website to see the ePHI of all of the registered users. The CMS investigation determined that the flaw in the website program put the ePHI of approximately 500 individuals at risk of disclosure. CMS/OESS required the covered entity to:
- Immediately correct the flaw in the website application;
- Monitor the website daily to ensure the program was corrected.

Other Avenues to Obtain Compliance
- Resolution Agreements are the next step in enforcement actions.
- Where informal resolution through voluntary compliance, corrective action, or a Resolution Agreement satisfactory to HHS is not reached with the covered entity, the next stage is a Notice of Proposed Determination containing a civil money penalty.
- HHS also obtains privacy compliance through outreach and education efforts. HHS has reached hundreds of thousands of covered entities and consumers through educational conferences, a toll-free call line, and an interactive website.
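The website case above describes a class of flaw, a registration page that authenticates users but never ties the records it returns to the user asking for them, and a corrective action of fixing the flaw and then checking daily that it stays fixed. The following is an added illustration written for this transcript, not code from the presentation, CMS or the provider involved: a flawed handler of that kind beside a corrected one, and a small probe of the sort a daily monitoring check could run. The records, user ids and in-memory "database" are all constructed for the example.

```python
"""Added example (not from the presentation): a registration lookup that
exposes every registered user's record to any logged-in user, the corrected
handler that scopes every response to the caller's own identity, and a
probe that reports whether the flaw is present. All data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Identity established at login; the only trustworthy part of a request."""
    user_id: str


class Forbidden(Exception):
    """Raised when a request is refused by the authorization check."""


# Constructed sample records keyed by user id; stands in for the site's database.
REGISTRATIONS = {
    "u1001": {"name": "Patient A (constructed)", "dob": "1970-01-01", "note": "sample"},
    "u1002": {"name": "Patient B (constructed)", "dob": "1980-02-02", "note": "sample"},
    "u1003": {"name": "Patient C (constructed)", "dob": "1990-03-03", "note": "sample"},
}


def vulnerable_view_registrations(session: Optional[Session], requested_id: Optional[str]):
    """Flawed handler: it requires a login, but never checks that the record
    requested belongs to the caller, and an unscoped request returns everyone."""
    if session is None:
        raise Forbidden("login required")
    if requested_id is None:
        return dict(REGISTRATIONS)          # every registered user's record
    return {requested_id: REGISTRATIONS[requested_id]}


def fixed_view_registration(session: Optional[Session], requested_id: Optional[str] = None):
    """Corrected handler: authorization is decided on the session identity, so the
    caller can only ever receive the record that belongs to that identity, and
    there is no unscoped listing at all."""
    if session is None:
        raise Forbidden("login required")
    if requested_id is not None and requested_id != session.user_id:
        raise Forbidden("record does not belong to the requesting user")
    return {session.user_id: REGISTRATIONS[session.user_id]}


def daily_exposure_check(handler) -> bool:
    """Monitoring probe of the kind the corrective action called for: using a
    dedicated test account, try to read another account's record and try an
    unscoped request. Returns True only if the cross-account read is refused
    and the unscoped request yields nothing but the probe's own record."""
    probe = Session("u1002")                 # constructed test account
    try:
        handler(probe, "u1001")              # cross-account read must be refused
        return False
    except Forbidden:
        pass
    result = handler(probe, None)            # unscoped request must stay scoped
    return set(result) == {probe.user_id}


if __name__ == "__main__":
    print("vulnerable handler passes daily check:", daily_exposure_check(vulnerable_view_registrations))
    print("fixed handler passes daily check:", daily_exposure_check(fixed_view_registration))
```

The point of the probe is that it exercises the behaviour the case turned on (whether one registered user can see another's ePHI) rather than merely confirming the page loads, so it detects a regression if a later change to the site reintroduces the unscoped path.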

Security Rule Compliance Reviews
- In 2008, CMS will conduct on-site compliance reviews. CMS has contracted with PricewaterhouseCoopers to conduct the reviews.
- Reviews will be conducted on covered entities against whom complaints have been filed; selection will be based on a severity impact analysis, where the violation had the potential to affect a large number of individuals.
- CEs will be required to produce a list of mandatory documentation, such as the risk assessment and risk management plans; specific policies and procedures; and samples of training and awareness materials.
- All compliance reviews will include an assessment of policies and procedures related to remote access and the use of portable devices.
- CMS will publish lessons learned from the reviews on the CMS website: www.cms.hhs.gov/enforcement.

Tips for Privacy and Security Compliance Officers Handling an OCR or OESS Investigation
- When the notification letter is received, contact the investigator named in the letter. Establish effective communication with the investigator. Contact the investigator for assistance with questions, such as "How does this work?"
- Respond within the stated time frames. If the CE cannot make the due date, let the investigator know. Request a reasonable extension of time, enough so the CE can accomplish the requested task. Avoid multiple requests for time extensions.
- Return telephone calls from the investigator promptly.

Investigation Tips (cont'd)
- Understand that investigations take place over an extended period of time. The investigator will work hard to be timely, but some investigations take longer than others.
- Be cooperative with the investigator. Facts need to be confirmed by OCR or OESS. If the investigator requests to interview an employee or requests contact information for former employees, provide this information in a timely manner. If you cannot, explain why.
- Ask for technical assistance if you do not understand what is expected by a particular requirement of the Privacy Rule or Security Rule.

Investigation Tips (cont'd)
- If the CE is aware of a Privacy Rule or Security Rule incident even before receiving the notification letter, start gathering relevant materials and facts. Formulate a corrective action plan (CAP) and execute it. An executed CAP will then be in place to deliver to the investigator when the notification letter is received.
- Be specific in your responses to requests for data and information. For example, if training was provided, supply all the facts: when, who was trained (sign-in sheet), topics covered. If a policy was revised, send copies of the old and new policies.
- Do not send the entire privacy policies and procedures manual unless specifically requested.

Investigation Tips (cont'd)
- Be forthcoming and acknowledge errors if they occurred. Remember, the goal is resolution through voluntary compliance and completed corrective action.
- Respond. Ignoring the investigation will exacerbate the matter.

Our Mutual Goal
Ensuring the privacy and security of each individual's health information in accordance with the standards and requirements of the HIPAA Privacy and Security Rules.

Privacy Rule - Want More Information?
The OCR website, http://www.hhs.gov/ocr/hipaa/, offers a wide range of helpful information about the Privacy Rule:
- The full text of the Privacy Rule
- A HIPAA Privacy Rule summary
- A covered entity "decision tool" to assist individuals and entities in determining whether they are covered entities
- Over 200 frequently asked questions
- Fact sheets
- Information and monthly statistics about the OCR enforcement program

Security Rule - Want More Information?
The CMS website, http://www.cms.hhs.gov, offers a wide range of helpful information about the Security Rule:
- The full text of the Security Rule
- Guidance on Remote Access
- Educational materials, including seven Security Papers, each focusing on one aspect of the Rule
- Frequently Asked Questions (FAQs)
- Information and monthly statistics about the OESS enforcement program