HIPAA Enforcement Under the HITECH Act; The Gloves Come Off


HIPAA Enforcement Under the HITECH Act; The Gloves Come Off
Leeann Habte, Esq. and Michael Scarano, Esq.
December 6, 2011
Attorney Advertising. Prior results do not guarantee a similar outcome. Models used are not clients but may be representative of clients.
321 N. Clark Street, Suite 2800, Chicago, IL 60654, 312.832.4500

Topics Covered
- Enforcement of HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Overview of changes made by HITECH
- What HITECH means for Business Associate relationships
- Changes in the rules governing marketing and other highlights and lowlights under HITECH

Enforcement Before and After HITECH
- Prior to HITECH, focus was almost exclusively on achieving voluntary compliance
- Now there is a significant punitive element
- HITECH increased penalties
- For the most egregious violations (those caused by willful neglect which are not timely corrected), HITECH provides civil penalties of at least $50,000 per violation, up to a maximum of $1.5 million a year for the same violation
- Frequently the same incident involves violations of multiple provisions

Enforcement After HITECH
- Requires OCR to investigate any complaint where there is a possible violation due to willful neglect, and to levy fines for uncorrected violations due to willful neglect
- Clarifies that directors, officers and employees can be individually liable

Creating Enforcement Incentives
- Fines collected through enforcement go back to OCR to fund additional enforcement
- GAO is required to conduct a study into mechanisms for returning a percentage of recoveries to persons injured by a violation

Enforcement Statistics
- To date, OCR has received over 62,000 complaints. Over 91% have been resolved
- In about 63% of the cases, HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule, e.g., the complaint was filed more than 60 days after the alleged violation
- In about 25% of the cases, OCR required changes in the organization's privacy practices or other corrective action by the covered entity
- In about 12% of the cases, OCR found no violation

Most Common Violations
- Impermissible access to, or use or disclosure of, protected health information (PHI)
- Lack of safeguards of PHI
- Lack of patient access to their PHI
- Uses or disclosures of more than the Minimum Necessary PHI
- Complaints to the covered entity went unanswered

Mass General Hospital (Feb 2011)
- Employee left PHI on a subway (a patient schedule and billing encounter forms containing names and medical record numbers for 192 infectious disease patients, including diagnosis for 66 of those patients, some of whom had HIV/AIDS)
- Paid $1 million and entered into a Resolution Agreement
- (1) Unauthorized disclosure caused by (2) inadequate safeguards, (3) compounded by failure to train and (4) absence of employee sanctions

Resolution Agreements
- Corrective action plan typically requiring detailed policies and procedures
- Appointment of independent monitor who makes semi-annual reports
- Annual implementation reports
- Self-reporting requirements
- Training of work force
- Three year term

Cignet Health (Feb 2011)
- Denied access to 41 patients seeking their medical records and then failed to respond to OCR subpoenas and letters
- Paid $4.3 million and entered into Resolution Agreement

UCLA (July 2011)
- Employees repeatedly and without permissible reason looked at the electronic PHI of two celebrity patients
- UCLA paid $865,500 in fines and entered into Resolution Agreement

CVS/Caremark (Feb 2009)
- CVS failed to implement adequate policies to appropriately safeguard PHI during the disposal process and did not maintain a sanctions policy for members of its workforce who failed to comply with its disposal policies
- Paid $2,250,000 and entered into a Resolution Agreement
- Rite Aid: similar allegations, paid $1 million (Feb 2010)

HIPAA's Criminal Penalties
- Knowingly obtaining and disclosing PHI: $50,000 and imprisonment for one year
- Same offense committed under false pretenses: $100,000 fine and imprisonment for five years
- Obtaining or disclosing PHI with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm: $250,000 and ten years imprisonment

Criminal Enforcement
- OCR has made approximately 500 referrals to the Department of Justice for criminal investigation
- DOJ has brought 22 criminal prosecutions
- 19 convictions by plea bargain
- One convicted by jury
- Two pending
- Often handled by local US Attorneys' offices

Criminal Prosecutions
- Most cases have been against persons accessing records for personal gain (e.g., identity theft, selling PHI to the media, filing false Medicare claims)
- However, five prosecutions were brought against people who accessed PHI without a motive for personal gain

Examples of Criminal Violations
- Employee at UCLA who accessed medical records of celebrities out of curiosity: paid $2000 and spent 4 months in prison
- Doctor in Arkansas pled guilty to a HIPAA violation after logging in to the medical record of a murdered news anchor: paid $5000 and sentenced to 50 hours community service educating professionals on HIPAA
- A nurse who accessed a patient's records, without authorization, at the request of a psychologist evaluating the patient's fitness to have custody,

State AG Enforcement Authority
- State Attorneys General can bring civil actions on behalf of state residents for HIPAA violations (as well as state law claims)
- Can obtain damages in the amount of up to $25,000 per year for all violations of an identical requirement
- Can enjoin further violations
- Can recover attorneys' fees
- OCR has provided HIPAA Enforcement Training to SAGs and their staffs

SAG Actions by Conn. & Vermont
- HealthNet lost a hard drive containing more than 500,000 individuals' records, including clinical data and social security numbers
- Paid $250,000, with the possibility of another $500,000 if it is determined that the information is accessed and used illegally
- Settlement noted that HealthNet had spent $7 million investigating and had not found evidence that the data had been accessed

OCR Compliance Audits
- The HITECH Act requires compliance audits
- OCR awarded a $9.2 million contract to KPMG to develop and implement the audits
- Developed audit protocols
- Will conduct 20 pilot audits and revise the protocols
- Will be followed by up to 130 on-site audits, likely to be completed by the end of 2012

OCR Compliance Audits
- OCR is targeting a wide range of covered entities for initial audits (and later BAs)
- Letters to be sent announcing audit and requesting policies and compliance records
- Site visits to last from 3 to 10 days
- Audited entity will have an opportunity to comment on draft results before they are finalized
- OCR will not make the audit results public in a way that will identify the audited entities

Additional Requirements Imposed by HITECH Act
- Breach Notification: Breach notification Interim Final Rule (8/24/09); Guidance on Unsecured PHI (4/17/09)
- Modifications to Security, Privacy, and Enforcement Rules: Proposed Rule (7/14/10); Omnibus Final Rule pending (to include breach notification and security, privacy, and enforcement)
- Accounting for Disclosures: Proposed rule (5/31/2011); Final Rule pending
- Enforcement: Final Rule (10/29/09)
- Minimum Necessary rule/guidance pending

Additional HITECH Act Requirements
- Breach notification requirements
- Enforcement of HIPAA privacy and security compliance on downstream entities: Business Associates (BAs) (including subcontractors), Health Information Organizations, E-Prescribing Gateways, other persons that provide data transmission services, and Personal Health Record vendors if the service is provided for a Covered Entity (CE)
- Expanded definition of workforce member to include volunteers, trainees, others
- Restrictions on uses of PHI: restrictions on marketing and fundraising, prohibitions on sale of PHI
- Minimum necessary requirements

Additional HITECH Act Requirements
- Expansion of individual rights: Access to and Accounting for Disclosures of PHI in Electronic Health Records (EHRs); Enhancements to Notice of Privacy Practices; Health Plan disclosure restrictions; Access to PHI of decedents
- Research: Compound authorizations; Authorizations for future research

Liability for BAs Under HITECH
- Pre-HITECH: Requirements for Business Associate Agreement (BAA) defined in regulation
- BAAs imposed contractual liability on BAs for meeting the requirements set forth
- CE was liable for its own acts and for the acts of its BAs who met the federal common law definition of an agent, unless the requirements for a BAA were met, the CE did not know of a pattern or practice of the BA violating the agreement, and the CE did not fail to act as required by HIPAA in response to the violation

Liability for BAs Under HITECH
- Post-HITECH: New Framework for Liability
- BAs are directly liable for violations of HIPAA and HITECH, even if the entities failed to enter into a BAA
- Defines subcontractors of BAs as Business Associates
- Subcontractors are those persons who perform functions for or provide services to a Business Associate other than in the capacity of a workforce member

Additional Privacy & Security Requirements for Business Associates
- Directly subject to certain Privacy Rules: Disclose PHI to HHS for compliance purposes; Disclose PHI in electronic format for access to PHI; Provide accounting for disclosures in Electronic Health Record (EHR); Comply with minimum necessary standard; Take reasonable steps to cure a material breach by a subcontractor
- Directly subject to Security Rule: Implement administrative, physical, and technical safeguards, and meet policy and documentation requirements

Expanded Requirements for Business Associate Agreements
- Proposed Rule requires that the following provisions for BAs be incorporated into the BAA:
- Compliance with 45 C.F.R. 164.308, 164.310, 164.312, and 164.316 of the Security Rule with regard to e-PHI
- Report Breaches of Unsecured PHI to CEs
- Ensure that any subcontractors that create or receive PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA with respect to such information

Liability for Agents Under HITECH
- Proposed Rule imputes liability to CEs for violations by BAs if an agency relationship exists
- Also imputes liability to BAs for violations by subcontractors
- Agency relationship defined under federal common law of agency (fact-specific)
- Removes any exception to vicarious liability for violations of an agent

Implications for Business Associate Agreements
- Increased emphasis on issues relevant to indemnification: Costs and expenses associated with breach notification and mitigation of harm; Responsibility for/involvement with risk assessment and breach notification; Limits on liability; Determination of whether an agency relationship exists that imputes liability to the CE or BA

Implications for Business Associate Agreements
- Related issues: Damages arising from civil actions brought by State Attorneys General for HIPAA violations; Costs and expenses associated with investigations of HIPAA violations, criminal conduct, etc.; Other damages associated with breach

Compliance
- Ambiguities Regarding Compliance
- HITECH changes (including requirements for BAs) in Subtitle D generally effective February 1, 2010
- Proposed Rule provides for a compliance date of 180 days after the effective date of the Final Rule
- Transition provision would grandfather existing BAAs for up to one year beyond the compliance date of the Final Rule, if the BAAs are not modified between the effective date and the compliance date of the Final Rule
- Final Rule still pending

Compliance
- CEs: Review of service agreements with third parties; Negotiation of liability issues
- BAs: Implementation of BAAs with subcontractors; Compliance with Security Rule; Gap assessment; Written HIPAA Security Plan that addresses the required and addressable implementation standards for administrative, technical, and physical safeguards

HIPAA Restrictions on Marketing
- Previous HIPAA framework for marketing
- Authorization required to use or disclose Protected Health Information for marketing
- Marketing means: a communication about a product or service that encourages recipients of the communication to purchase or use the product or service (with certain exceptions), or an arrangement whereby the Covered Entity discloses Protected Health Information to a third party for marketing in exchange for direct or indirect remuneration
- Marketing communications allowed without authorization if: face-to-face communication; promotional gifts of nominal value to the individual

HIPAA Restrictions on Marketing
- Pre-HITECH Did Not Include as Marketing:
- Health care operations communications to describe a health-related product or service that is provided by, or included in a plan of benefits of, the CE making the communication; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits
- Communications for case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual
- Communications for the treatment of the individual
- Even if indirect or direct payment from a third party was involved

HITECH Revised Framework for Marketing
- Limits cross-promoting products or services of other entities without the individual's authorization
- Certain health care operations communications permitted without authorization, but only if no financial remuneration is received in exchange for making the communication
- Defines Financial Remuneration as direct or indirect payment from or on behalf of a third party whose product or service is being described. Does not include any payment for treatment of an individual.

HITECH Revised Framework for Marketing
- Permits individuals to opt out of treatment communications (including case management and care coordination) if remuneration is received in exchange for making the communication
- Requires that the Notice of Privacy Practices inform individuals about the remuneration and provide them the right to opt out of receiving further communications; and the treatment communication must also disclose the remuneration and provide a clear and conspicuous opportunity to opt out of further communications
- Permits communications to provide prescription refill reminders or about a currently prescribed drug, provided the amount of the remuneration to the CE is reasonably related to the CE's cost in making the communication

HITECH Revised Framework for Marketing
- HITECH clarifies prohibition on sale of PHI
- CE or BA may not receive direct or indirect remuneration in exchange for disclosure of PHI, unless a valid authorization is provided (with certain specified exceptions, e.g., treatment, payment, public health, research, for sale/transfer/merger/consolidation of the CE, to or by a BA on behalf of the CE, to an individual, required by law, or for copies of PHI)
- Proposed Rule requires that the individual authorization state that the disclosure will result in financial remuneration to the CE

HITECH Revisions to Fundraising
- Individuals have the right to opt out
- Proposed Rule requires that a CE provide, with each fundraising communication, a clear and conspicuous opportunity to opt out of receiving future fundraising communications
- No undue burden on the individual
- CE cannot condition treatment or payment on an individual's choice to receive or not to receive fundraising communications
- When an individual has opted out of receiving fundraising communications, the CE may not send such information to them (reasonable efforts are insufficient)
- Must include information about fundraising communications in the Notice of Privacy Practices

Compliance Issues
- Review of relationships involving potential marketing of products or services of third parties
- Determination of whether financial remuneration is involved in communications
- Revisions of Notice of Privacy Practices, to the extent that financial remuneration is received for communications or for fundraising communications
- Implementation of opt-out requirements
- Effective date of compliance, given that the final rule has not yet been issued

More to Come
- Definition of subcontractor of Business Associate
- Amount of payment allowable for communications about drugs, scope of exception to marketing
- Scope of opt-out for treatment communications and fundraising
- Exceptions to sale of PHI
- Whether/how to allow targeted fundraising campaigns by CEs

Contact Information
Leeanne Habte, lhabte@foley.com, 213-972-4500
R. Michael Scarano, Jr., mscarano@foley.com, 858-847-6712