
TODAY’S ENFORCEMENT OF HIPAA PRIVACY AND SECURITY STATUTES
ARMIN J. MOELLER, JR.
BALCH & BINGHAM LLP
601-965-8156
[email protected]
TODAY’S HIPAA ENFORCEMENT – WHAT’S CHANGED?
• Increased Enforcement
• Substantial Civil Monetary Penalties (“CMPs”) and Corrective Action Plans (“CAPs”)
HIPAA PRIVACY RULES
• Limits Circumstances in Which an Individual’s PHI May be Used/Disclosed by Covered Entities (“CEs”)
• PHI Use/Disclosure Permitted without Patient Authorization for Treatment, Payment or Healthcare Operations
• Otherwise May Use/Disclose PHI Only With Patient Authorization
• Exceptions – Public Health, Judicial, Law Enforcement, Certain Specialized Purposes
HIPAA PRIVACY RULES - Continued
• Privacy Rule - Additional Obligations
– Accounting for Certain Disclosures
– Disclose Only Minimum Information Necessary
– Provide Notice of Privacy Practices
– Individual’s Rights to Review/Obtain Copies of PHI
– Must Safeguard Protected Health Information from Inappropriate Use/Disclosure
– Individuals Have Right to Request Changes to Inaccurate/Incomplete PHI
– Maintain Administrative, Technical, Physical Safeguards to Prevent Improper Use/Disclosure of PHI
BUSINESS ASSOCIATES (“BAs”)
• Anyone that Performs, or Assists in the Performance of, an Activity Involving Use/Disclosure of PHI on Behalf of a CE
• Examples – Claims Processing, Data Analysis, Utilization Review, Quality Assurance, Billing, Benefit Management, Practice Management, Pricing
• Other BAs
– Persons Performing Legal, Actuarial, Accounting, Consulting, Data Aggregation, Management, Administration, Accreditation or Financial Services if the Service Involves Disclosure of PHI from the Covered Entity
• Must Maintain PHI Confidentiality as Required by Business Associate Agreement
• Known Violations – Covered Entity Must Take Reasonable Steps to Cure; if Unsuccessful, Terminate Relationship or, if Termination Not Feasible, Report Problem to HHS
SECURITY RULE (“SR”)
• Applies to PHI in Electronic Form (“EPHI”)
• Requires CE to Maintain Administrative, Technical and Physical Safeguards to Ensure Confidentiality/Integrity/Availability of all EPHI the CE Creates, Receives, Maintains or Transmits
• CEs Must Enter into an Agreement with BAs Who Create, Receive, Maintain or Transmit EPHI
• BA Must Provide Same Safeguards to Protect EPHI
• CE Not Liable for Violations of SR by BA Unless CE Knew BA Engaged in Activity that Violated the SR and CE Took No Action
ENFORCEMENT HISTORY
• DOJ Had Authority to Impose CMPs and Criminal Sanctions
• HHS Did Not Enforce Privacy or Security Rule Until 2008
• HHS – OIG in 2008 Concluded CMS Had Not Provided Effective Oversight/Enforcement of SR Compliance by CEs
• Prevailing View – “All Bark and No Bite” – Does Not Justify Compliance Expenses
RECENT DEVELOPMENTS
• HHS Office for Civil Rights (“OCR”) Imposed CMPs totaling $4.35MM on Cignet Health of Prince George’s County, Maryland.
• Settled with Massachusetts General Hospital (“Mass General”) for PR Violations – $1MM
• University of California Los Angeles Health System (“UCLAHS”) – Potential PR and SR Violations - $865,500
• HHS OIG Began to Incorporate New Advanced Electronic/Data Mining Technologies to Uncover Waste, Fraud and Violations in Federal Healthcare Programs and Ensure Regulatory Compliance
• Data Analytics to Conduct Risk Assessment, Pinpoint Oversight Efforts, and Reduce Time/Resources Required for Audits, Investigations and Program Integrity Activities
HHS POLICY CHANGES
– HHS Secretary Delegates PR Enforcement to OCR
– April 14, 2003 – PR Compliance Mandatory for Most Covered Entities
– Next 5 Years – No Penalties/Settlements for PR Violations
– 2003 - HHS Secretary Delegates Authority to Enforce SR to CMS
– March 2006 – HIPAA Enforcement Rule Implemented
– 2006-2009 – No SR Compliance Actions
– 2009 – Congress/HITECH Expands Enforcement/Penalties
– HHS Reassigns Enforcement to OCR
HHS’ POLICY CHANGES Continued
• 2008-2009 Enforcement/Settlement Activities
– July 18, 2008 - HHS Resolution Agreement with Providence Health and Services (“Providence”) for PR/SR Violations – Loss of Electronic Backup Media/Laptop Computers Containing PHI; Providence Pays HHS $100,000 and Implements CAP
– January 16, 2009 – $2.25 MM Resolution Agreement/CAP with CVS Pharmacy, Inc. (“CVS”) – Unsecured Disposal of Pharmacy Customers’ PHI
– July 27, 2009 – HHS Strips CMS of SR Enforcement and Delegates to OCR
HITECH LEGISLATIVE CHANGES
• Expands Certain Provisions of the PR and SR to Business Associates
• Subjects BAs to Civil/Criminal Liability for Violations
• Establishes New Limits on Use of PHI for Marketing/Fund Raising Purposes
• Provides New Enforcement Authority for State Attorneys General to Bring Suit in Federal District Court to Enforce HIPAA Violations
• Increases Civil/Criminal Penalties for HIPAA Violations
HITECH LEGISLATIVE CHANGES - Continued
• Requires CEs/BAs to Notify Individuals, the Public or HHS of Data Breaches
• Changes Use/Disclosure Rules for PHI
• Expands Certain Individual Rights
• Mandates CEs Report Breaches of Unsecured PHI to OCR
• Notifications Are Mandatory, with No Immunity/Reduced Penalties for Reporting
STATE ATTORNEYS GENERAL AUTHORITY
– Civil Actions Against HIPAA Privacy/Security Violators
– Damages Up to $100 per Violation, Capped at $25,000 for All Violations of an Identical Requirement During a Calendar Year
– Compliance Audits
– HITECH Requires HHS to Perform Periodic Audits to Ensure CE and BA Compliance with PR and SR
ENHANCED HIPAA PRIVACY/SECURITY ENFORCEMENT ACTIVITIES
– Cignet – Breached PR by Failing to Provide 41 Individuals Timely Access to Medical Records/Failing to Cooperate in Investigation/Not Correcting Violations within 30 Days.
• Finding of Willful Neglect Not Corrected Within 30 Days
– Mass General – Removal/Loss of PHI on Subway by Mass General Employee
• PHI for a total of 258 patients, including patients with HIV/AIDS
• $1MM penalty plus 3 year CAP
CURRENT CAPs
• Similar to Corporate Integrity Agreements Entered Into By OIG
• Imposes Corrective Action Obligations That Reflect Federal Sentencing Guidelines/OIG Compliance Guidance Documents
• Mass General CAP
– Develop, Distribute, Update Policies/Procedures Targeted at Alleged Violation/Related Activities
– Train Personnel on Policies/Procedures and Response to Violations
– Monitor/Audit Performance of New Policies/Procedures
– Provide Reports to OCR Regarding Performance
CURRENT CAPs - Continued
• UCLAHS CAP
– Potential Violations of PR/SR
– $865,500 CMP
– CAP to Remedy Gap in Compliance
– Arose From Incidents Involving Celebrity Patients/Complaints – Employees Accessed PHI
– CAP Requires Implementing PR/SR Policies Approved by OCR
– Conduct Regular Employee Training
– Sanction Offending Employees
– Independent Monitor to Assess Compliance for 3 Years
HHS – OIG Enhanced Technologies/Enforcement Efforts
• Fraud
– Information Technologies/Analytics to Uncover Fraud/Target Oversight Efforts
– Data Mining/Trend Evaluations/Modeling – Enterprise View of Questionable Activities/Suspected Fraud Trends
– New Data Storage/Computer Matching/Data Analytic Capabilities to Analyze Hospital Data for Multiple Compliance Risks
– Auditing Process Reduced from Weeks/Months to 20 Minutes per Hospital
• Healthcare Fraud Prevention and Enforcement Action Team (“HEAT”)
– High Level Law Enforcement from DOJ and HHS
– Enforces Anti-Fraud and Other Compliance Obligations
– Began in March 2007 – Operates in 7 Major Cities
HHS – OIG Enhanced Technologies/Enforcement Efforts - Continued
• FY 2010 – 140 Indictments Filed Against 284 Defendants that Billed Medicare $590 MM
• 217 Guilty Pleas Negotiated
• 29 Jury Trials with Guilty Verdicts Against 23 Defendants
• 146 Defendants Sentenced/Average Sentence More than 40 Months
• Data Driven/Data Analytics Approach Increasingly
Effective
CONCLUSION
It’s Not the Passive HHS Enforcement Effort Any More!
THANK YOU
Armin J. Moeller, Jr.
Balch & Bingham, LLP
[email protected]
601-965-8156