HIPAA Enforcement Under the HITECH Act: The Gloves Come Off
Leeann Habte, Esq.
Michael Scarano, Esq.
December 6, 2011
321 N. Clark Street, Suite 2800, Chicago, IL 60654, 312.832.4500
Attorney Advertising. Prior results do not guarantee a similar outcome.
Topics Covered
- Enforcement of HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Overview of changes made by HITECH
- What HITECH means for Business Associate relationships
- Changes in the rules governing marketing, and other highlights and lowlights under HITECH
Enforcement Before and After HITECH
- Prior to HITECH, enforcement focused almost exclusively on achieving voluntary compliance
- Now there is a significant punitive element
- HITECH increased penalties
  - For the most egregious violations (those caused by willful neglect that are not timely corrected), HITECH provides civil penalties of at least $50,000 per violation, up to a maximum of $1.5 million per calendar year for violations of the same provision
  - Frequently the same incident involves violations of multiple provisions, so the annual cap can apply separately to each provision violated
Enforcement After HITECH
- Requires OCR to investigate any complaint where a preliminary review indicates a possible violation due to willful neglect, and to impose penalties for violations due to willful neglect that are not corrected
- Clarifies that directors, officers and employees can be individually liable
Creating Enforcement Incentives
- Civil money penalties and settlement amounts collected through enforcement go back to OCR to fund additional enforcement
- GAO is required to conduct a study into mechanisms for returning a percentage of recoveries to persons harmed by a violation
Enforcement Statistics
- To date, OCR has received over 62,000 complaints; over 91% have been resolved
- In about 63% of the cases, HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule (e.g., the complaint was filed more than 180 days after the complainant knew or should have known of the alleged violation)
- In about 25% of the cases, OCR required changes in the covered entity's privacy practices or other corrective action
- In about 12% of the cases, OCR investigated and found no violation
Most Common Violations
- Impermissible access to, or use or disclosure of, protected health information (PHI)
- Lack of safeguards for PHI
- Lack of patient access to their own PHI
- Uses or disclosures of more than the minimum necessary PHI
- Complaints to the covered entity that went unanswered
Mass General Hospital (Feb 2011)
- An employee left PHI on a subway train: a patient schedule and billing encounter forms containing names and medical record numbers for 192 infectious disease patients, including diagnoses for 66 of them, some of whom had HIV/AIDS
- Paid $1 million and entered into a Resolution Agreement
- Findings: (1) an unauthorized disclosure caused by (2) inadequate safeguards, (3) compounded by a failure to train the workforce and (4) the absence of employee sanctions
Resolution Agreements
- Corrective action plan, typically requiring detailed policies and procedures
- Appointment of an independent monitor who makes semi-annual reports
- Annual implementation reports
- Self-reporting requirements
- Training of the workforce
- Three-year term
Cignet Health (Feb 2011)
- Denied 41 patients access to their medical records, then failed to respond to OCR's letters and subpoena
- Assessed a $4.3 million civil money penalty, the first civil money penalty imposed under the Privacy Rule; the penalty was imposed by notice of final determination rather than resolved by a Resolution Agreement, because Cignet did not cooperate with the investigation
UCLA Health System (July 2011)
- Employees repeatedly, and without a permissible reason, looked at the electronic PHI of two celebrity patients
- UCLA paid $865,500 and entered into a Resolution Agreement
CVS/Caremark (Feb 2009)
- CVS failed to implement adequate policies to safeguard PHI during the disposal process, and did not maintain a sanctions policy for workforce members who failed to comply with its disposal policies
- Paid $2,250,000 and entered into a Resolution Agreement
- Rite Aid settled similar allegations, paying $1 million (July 2010)
HIPAA's Criminal Penalties
- Knowingly obtaining or disclosing individually identifiable health information: a fine of up to $50,000 and imprisonment of up to one year
- Same offense committed under false pretenses: a fine of up to $100,000 and imprisonment of up to five years
- Obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm: a fine of up to $250,000 and imprisonment of up to ten years
Criminal Enforcement
- OCR has made approximately 500 referrals to the Department of Justice for criminal investigation
- DOJ has brought 22 criminal prosecutions
  - 19 convictions by plea agreement
  - One conviction by jury
  - Two pending
- Prosecutions are often handled by local U.S. Attorneys' offices
Criminal Prosecutions
- Most cases have been against persons accessing records for personal gain (e.g., identity theft, selling PHI to the media, filing false Medicare claims)
- However, five prosecutions have been brought against people who accessed PHI without a motive of personal gain
Examples of Criminal Violations
- A UCLA employee who accessed the medical records of celebrities out of curiosity paid a $2,000 fine and spent four months in prison
- A doctor in Arkansas pled guilty to a HIPAA violation after logging in to the medical record of a murdered news anchor; he paid $5,000 and was sentenced to 50 hours of community service educating professionals on HIPAA
- A nurse who accessed a patient's records, without authorization, at the request of a psychologist evaluating the patient's fitness to have custody,
State AG Enforcement Authority
- State Attorneys General can bring civil actions on behalf of state residents for HIPAA violations (as well as state law claims)
- Can obtain damages of up to $25,000 per calendar year for all violations of an identical requirement
- Can enjoin further violations
- Can recover attorneys' fees
- OCR has provided HIPAA enforcement training to State Attorneys General and their staffs
SAG Actions by Connecticut and Vermont
- HealthNet lost a hard drive containing the records of more than 500,000 individuals, including clinical data and Social Security numbers
- Paid $250,000, with the possibility of another $500,000 if it is determined that the information was accessed and used illegally
- The settlement noted that HealthNet had spent $7 million investigating and had not found evidence that the data had been accessed
OCR Compliance Audits
- The HITECH Act requires periodic compliance audits
- OCR awarded a $9.2 million contract to KPMG to develop and implement the audits; audit protocols have been developed
- OCR will conduct 20 pilot audits and then revise the protocols
- These will be followed by up to 130 on-site audits, likely to be completed by the end of 2012
OCR Compliance Audits (continued)
- OCR is targeting a wide range of covered entities for the initial audits (and later BAs)
- Letters will be sent announcing the audit and requesting policies and compliance records
- Site visits are expected to last from 3 to 10 days
- The audited entity will have an opportunity to comment on draft results before they are finalized
- OCR will not make audit results public in a way that identifies the audited entities
Additional Requirements Imposed by HITECH Act
- Breach Notification
  - Breach Notification Interim Final Rule (8/24/09)
  - Guidance on Unsecured PHI (4/17/09)
- Modifications to Security, Privacy, and Enforcement Rules
  - Proposed Rule (7/14/10)
  - Omnibus Final Rule pending (to include breach notification and the security, privacy, and enforcement modifications)
- Accounting for Disclosures
  - Proposed Rule (5/31/2011); Final Rule pending
- Enforcement Interim Final Rule (10/29/09)
- Minimum Necessary rule/guidance pending
Additional HITECH Act Requirements
- Breach notification requirements
- Enforcement of HIPAA privacy and security compliance on downstream entities: Business Associates (BAs) (including subcontractors), Health Information Organizations, E-Prescribing Gateways, other persons that provide data transmission services, and Personal Health Record vendors if the service is provided for a Covered Entity (CE)
- Expanded definition of workforce member to include volunteers, trainees, and others
- Restrictions on uses of PHI: restrictions on marketing and fundraising, and a prohibition on the sale of PHI
- Minimum necessary requirements
Additional HITECH Act Requirements (continued)
- Expansion of individual rights
  - Access to, and accounting for disclosures of, PHI in Electronic Health Records (EHRs)
  - Enhancements to the Notice of Privacy Practices
  - Health plan disclosure restrictions
  - Access to PHI of decedents
- Research
  - Compound authorizations
  - Authorizations for future research
Liability for BAs Under HITECH
- Pre-HITECH
  - Requirements for a Business Associate Agreement (BAA) were defined in regulation
  - BAAs imposed contractual liability on BAs for meeting the requirements set forth in the agreement
  - The CE was liable for its own acts and for the acts of its BAs who met the federal common law definition of an agent, unless the requirements for a BAA were met, the CE did not know of a pattern or practice of the BA violating the agreement, and the CE did not fail to act as required by HIPAA in response to the violation
Liability for BAs Under HITECH (continued)
- Post-HITECH: new framework for liability
  - BAs are directly liable for violations of HIPAA and HITECH, even if the parties failed to enter into a BAA
  - The Proposed Rule defines subcontractors of BAs as Business Associates
  - Subcontractors are those persons who perform functions for, or provide services to, a Business Associate other than in the capacity of a workforce member
Additional Privacy & Security Requirements for Business Associates
- Directly subject to certain Privacy Rule requirements
  - Disclose PHI to HHS for compliance purposes
  - Disclose PHI in electronic format to satisfy an individual's right of access
  - Provide an accounting for disclosures made from an Electronic Health Record (EHR)
  - Comply with the minimum necessary standard
  - Take reasonable steps to cure a material breach by a subcontractor
- Directly subject to the Security Rule
  - Implement administrative, physical, and technical safeguards, and meet policy and documentation requirements
Expanded Requirements for Business Associate Agreements
- The Proposed Rule requires that the following provisions for BAs be incorporated into the BAA:
  - Compliance with 45 C.F.R. 164.308, 164.310, 164.312, and 164.316 of the Security Rule with regard to electronic PHI
  - Reporting of Breaches of Unsecured PHI to the CE
  - Ensuring that any subcontractors that create or receive PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA with respect to such information
Liability for Agents Under HITECH
- The Proposed Rule imputes liability to CEs for violations by BAs if an agency relationship exists
- It also imputes liability to BAs for violations by their subcontractors
- The agency relationship is defined under the federal common law of agency (a fact-specific determination)
- Removes the former exception to vicarious liability for violations by an agent
Implications for Business Associate Agreements
- Increased emphasis on issues relevant to indemnification
  - Costs and expenses associated with breach notification and mitigation of harm
  - Responsibility for, and involvement in, risk assessment and breach notification
  - Limits on liability
  - Determination of whether an agency relationship exists that imputes liability to the CE or BA
Implications for Business Associate Agreements (continued)
- Related issues
  - Damages arising from civil actions brought by State Attorneys General for HIPAA violations
  - Costs and expenses associated with investigations of HIPAA violations, criminal conduct, etc.
  - Other damages associated with a breach
Compliance: Ambiguities Regarding Compliance Dates
- The HITECH changes in Subtitle D (including the requirements for BAs) were generally effective February 17, 2010, twelve months after enactment
- The Proposed Rule provides for a compliance date 180 days after the effective date of the Final Rule
- A transition provision would grandfather existing BAAs for up to one year beyond the compliance date of the Final Rule, if the BAAs are not modified between the effective date and the compliance date of the Final Rule
- The Final Rule is still pending
Compliance
- CEs
  - Review of service agreements with third parties
  - Negotiation of liability issues
- BAs
  - Implementation of BAAs with subcontractors
  - Compliance with the Security Rule
    - Gap assessment
    - Written HIPAA Security Plan that addresses the required and addressable implementation specifications for administrative, technical, and physical safeguards
HIPAA Restrictions on Marketing
- Previous HIPAA framework for marketing
  - Authorization required to use or disclose PHI for marketing
  - Marketing means:
    - A communication about a product or service that encourages recipients of the communication to purchase or use the product or service (with certain exceptions), or
    - An arrangement whereby the CE discloses PHI to a third party for marketing in exchange for direct or indirect remuneration
  - Marketing communications allowed without authorization if:
    - Face-to-face communication, or
    - Promotional gift of nominal value to the individual
HIPAA Restrictions on Marketing (continued)
- Pre-HITECH, the following were not treated as marketing, even if direct or indirect payment from a third party was involved:
  - Health care operations communications to describe a health-related product or service that is provided by, or included in a plan of benefits of, the CE making the communication, and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits
  - Communications for case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual
  - Communications for the treatment of the individual
HITECH Revised Framework for Marketing
- Limits cross-promoting the products or services of other entities without the individual's authorization
- Certain health care operations communications are permitted without authorization, but only if no financial remuneration is received in exchange for making the communication
- Defines financial remuneration as direct or indirect payment from, or on behalf of, a third party whose product or service is being described; it does not include any payment for treatment of an individual
HITECH Revised Framework for Marketing (continued)
- Permits individuals to opt out of treatment communications (including case management and care coordination) if remuneration is received in exchange for making the communication
  - Requires that the Notice of Privacy Practices inform individuals about the remuneration and give them the right to opt out of receiving further communications; and
  - The treatment communication itself must disclose the remuneration and provide a clear and conspicuous opportunity to opt out of further communications
- Permits communications that provide prescription refill reminders, or that are about a currently prescribed drug, provided the amount of the remuneration to the CE is reasonably related to the CE's cost of making the communication
HITECH Revised Framework for Marketing (continued)
- HITECH clarifies the prohibition on the sale of PHI
  - A CE or BA may not receive direct or indirect remuneration in exchange for a disclosure of PHI unless a valid authorization is provided, with certain specified exceptions (e.g., treatment, payment, public health, research, the sale/transfer/merger/consolidation of the CE, disclosures to or by a BA on behalf of the CE, disclosures to the individual, disclosures required by law, or providing copies of PHI)
  - The Proposed Rule requires that the individual's authorization state that the disclosure will result in financial remuneration to the CE
HITECH Revisions to Fundraising
- Individuals have the right to opt out
  - The Proposed Rule requires that a CE provide, with each fundraising communication, a clear and conspicuous opportunity to opt out of receiving future fundraising communications
  - The opt-out method may not impose an undue burden on the individual
  - A CE cannot condition treatment or payment on an individual's choice to receive or not to receive fundraising communications
  - Once an individual has opted out, the CE may not send further fundraising communications to them (reasonable efforts are insufficient)
- Must include information about fundraising communications in the Notice of Privacy Practices
Compliance Issues
- Review of relationships involving potential marketing of third parties' products or services
- Determination of whether financial remuneration is involved in communications
- Revision of the Notice of Privacy Practices, to the extent that financial remuneration is received for communications or for fundraising communications
- Implementation of opt-out requirements
- Effective date for compliance, given that the final rule has not yet been issued
More to Come
- Definition of subcontractor of a Business Associate
- Amount of payment allowable for communications about drugs; scope of the exception to marketing
- Scope of the opt-out for treatment communications and fundraising
- Exceptions to the sale of PHI
- Whether and how to allow targeted fundraising campaigns by CEs
Contact Information
Leeann Habte, lhabte@foley.com, 213-972-4500
R. Michael Scarano, Jr., mscarano@foley.com, 858-847-6712