HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

Leeann Habte, Esq.
Michael Scarano, Esq.
December 6, 2011

©2011 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500

Topics Covered

- Enforcement of HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Overview of changes made by HITECH
- What HITECH means for Business Associate relationships
- Changes in the rules governing marketing and other highlights and lowlights under HITECH

Enforcement Before and After HITECH

- Prior to HITECH, focus was almost exclusively on achieving voluntary compliance
- Now there is a significant punitive element
- HITECH increased penalties
  - For the most egregious violations (those caused by willful neglect which are not timely corrected), HITECH provides civil penalties of at least $50,000 per violation up to a maximum of $1.5 million a year for the same violation
  - Frequently the same incident involves violations of multiple provisions

Enforcement After HITECH

- Requires OCR to investigate any complaint where there is a possible violation due to "willful neglect" and to levy fines for uncorrected violations due to "willful neglect"
- Clarifies that directors, officers and employees can be individually liable

Creating Enforcement Incentives

- Fines collected through enforcement go back to OCR to fund additional enforcement
- GAO is required to conduct a study into mechanisms for returning a percentage of recoveries to persons injured by a violation

Enforcement Statistics

- To date, OCR has received over 62,000 complaints. Over 91% have been resolved.
- In about 63% of the cases, HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule.
  - E.g., the complaint was filed more than 60 days after the alleged violation
- In about 25% of the cases, OCR required changes in the organization's privacy practices or other corrective action by the covered entity.
- In about 12% of the cases, OCR found no violation.

Most Common Violations

- Impermissible access to, or use or disclosure of, protected health information (PHI)
- Lack of safeguards of PHI
- Lack of patient access to their PHI
- Uses or disclosures of more than the Minimum Necessary PHI
- Complaints to the covered entity went unanswered

Mass General Hospital (Feb 2011)

- Employee left PHI on a subway (a patient schedule and billing encounter forms containing names and medical record numbers for 192 infectious disease patients, including diagnoses for 66 of those patients, some of whom had HIV/AIDS).
- Paid $1 million and entered into a Resolution Agreement
- (1) Unauthorized disclosure caused by (2) inadequate safeguards, (3) compounded by failure to train and (4) absence of employee sanctions

Resolution Agreements

- Corrective action plan typically requiring detailed policies and procedures
- Appointment of independent monitor who makes semi-annual reports
- Annual implementation reports
- Self-reporting requirements
- Training of workforce
- Three-year term

Cignet Health (Feb 2011)

- Denied access to 41 patients seeking their medical records and then failed to respond to OCR subpoenas and letters
- Paid $4.3 million and entered into a Resolution Agreement

UCLA (July 2011)

- Employees repeatedly and without permissible reason looked at the electronic PHI of two celebrity patients
- UCLA paid $865,500 in fines and entered into a Resolution Agreement

CVS/Caremark (Feb 2009)

- CVS failed to implement adequate policies to appropriately safeguard PHI during the disposal process, and
- did not maintain a sanctions policy for members of its workforce who failed to comply with its disposal policies
- Paid $2,250,000 and entered into a Resolution Agreement
- Rite Aid: similar allegations, paid $1 million (Feb 2010)

HIPAA's Criminal Penalties

- Knowingly obtaining and disclosing PHI
  - $50,000 fine and imprisonment for one year
- Same offense committed under false pretenses
  - $100,000 fine and imprisonment for five years
- Obtaining or disclosing PHI with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm
  - $250,000 fine and ten years imprisonment

Criminal Enforcement

- OCR has made approximately 500 referrals to the Department of Justice for criminal investigation
- DOJ has brought 22 criminal prosecutions
  - 19 convictions by plea bargain
  - One convicted by jury
  - Two pending
- Often handled by local US Attorneys' offices

Criminal Prosecutions

- Most cases have been against persons accessing records for personal gain (e.g., identity theft, selling PHI to the media, filing false Medicare claims)
- However, five prosecutions have been brought against people who accessed PHI without a motive for personal gain

Examples of Criminal Violations

- Employee at UCLA who accessed medical records of celebrities out of curiosity
  - Paid $2,000 and spent 4 months in prison
- Doctor in Arkansas pled guilty to a HIPAA violation after logging in to the medical record of a murdered news anchor
  - Paid $5,000 and sentenced to 50 hours community service educating professionals on HIPAA
- A nurse who accessed a patient's records, without authorization, at the request of a psychologist evaluating the patient's fitness to have custody,

State AG Enforcement Authority

- State Attorneys General can bring civil actions on behalf of state residents for HIPAA violations (as well as state law claims)
  - Can obtain damages in the amount of up to $25,000 per year for all violations of an identical requirement
  - Can enjoin further violations
  - Can recover attorneys' fees
- OCR has provided HIPAA Enforcement Training to SAGs and their staffs

SAG Actions by Conn. & Vermont

- HealthNet lost a hard drive containing more than 500,000 individuals' records, including clinical data and social security numbers
- Paid $250,000, with the possibility of another $500,000 if it is determined that the information is accessed and used illegally
  - Settlement noted that HealthNet had spent $7 million investigating and had not found evidence that the data had been accessed

OCR Compliance Audits

- The HITECH Act requires compliance audits
- OCR awarded a $9.2 million contract to KPMG to develop and implement the audits
  - Developed audit protocols
  - Will conduct 20 pilot audits and revise the protocols
  - Will be followed by up to 130 on-site audits, likely to be completed by the end of 2012

OCR Compliance Audits

- OCR is targeting a wide range of covered entities for initial audits (and later BAs)
- Letters to be sent announcing the audit and requesting policies and compliance records
- Site visits to last from 3 to 10 days
- Audited entity will have an opportunity to comment on draft results before they are finalized
- OCR will not make the audit results public in a way that will identify the audited entities

Additional Requirements Imposed by HITECH Act

- Breach Notification
  - Breach Notification Interim Final Rule (8/24/09)
  - Guidance on Unsecured PHI (4/17/09)
- Modifications to Security, Privacy, and Enforcement Rules
  - Proposed Rule (7/14/10)
  - Omnibus Final Rule pending (to include breach notification and security, privacy, and enforcement)
- Accounting for Disclosures
  - Proposed Rule (5/31/2011)
  - Final Rule pending
- Enforcement Final Rule (10/29/09)
- Minimum Necessary rule/guidance pending

Additional HITECH Act Requirements

- Breach notification requirements
- Enforcement of HIPAA privacy and security compliance on downstream entities
  - Business Associates (BAs) (including subcontractors), Health Information Organizations, E-Prescribing Gateways, other persons that provide data transmission services, Personal Health Record vendors if the service is provided for a Covered Entity (CE)
  - Expanded definition of "workforce member" to include volunteers, trainees, others
- Restrictions on uses of PHI
  - Restrictions on marketing, fundraising, prohibitions on sale of PHI
  - Minimum necessary requirements

Additional HITECH Act Requirements

- Expansion of individual rights
  - Access to and Accounting for Disclosures of PHI in Electronic Health Records (EHRs)
  - Enhancements to Notice of Privacy Practices
  - Health Plan disclosure restrictions
  - Access to PHI of decedents
- Research
  - Compound authorizations
  - Authorizations for future research

Liability for BAs Under HITECH

- Pre-HITECH
  - Requirements for Business Associate Agreement (BAA) defined in regulation
  - BAAs imposed contractual liability on BAs for meeting the requirements set forth
  - CE was liable for its own acts and for the acts of its BAs who met the federal common law definition of an "agent" unless the requirements for a BAA were met, the CE did not know of a pattern or practice of the BA violating the agreement, and the CE did not fail to act as required by HIPAA in response to the violation

Liability for BAs Under HITECH

- Post-HITECH: New Framework for Liability
  - BAs are directly liable for violations of HIPAA and HITECH, even if the entities failed to enter into a BAA
- Defines subcontractors of BAs as "Business Associates"
- "Subcontractors" are those persons who perform functions for or provide services to a Business Associate other than in the capacity of a workforce member

Additional Privacy & Security Requirements for Business Associates

- Directly subject to certain Privacy Rules
  - Disclose PHI to HHS for compliance purposes
  - Disclose PHI in electronic format for access to PHI
  - Provide accounting for disclosures in Electronic Health Record (EHR)
  - Comply with minimum necessary standard
  - Take reasonable steps to cure a material breach of subcontractor
- Directly subject to Security Rule
  - Implement administrative, physical, and technical safeguards, and meet policy and documentation requirements

Expanded Requirements for Business Associate Agreements

- Proposed Rule requires the following provisions for BAs be incorporated into the BAA
  - Compliance with 45 C.F.R. 164.308, 164.310, 164.312, and 164.316 of the Security Rule with regard to e-PHI
  - Report Breaches of Unsecured PHI to CEs
  - Ensure that any subcontractors that create or receive PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA with respect to such information

Liability for Agents Under HITECH

- Proposed Rule imputes liability to CEs for violations by BAs if an agency relationship exists
  - Also imputes liability to BAs for violations by subcontractors
- Agency relationship defined under federal common law of agency (fact-specific)
- Removes any exception to vicarious liability for violations of an agent

Implications for Business Associate Agreements

- Increased emphasis on issues relevant to indemnification
  - Costs and expenses associated with breach notification and mitigation of harm
  - Responsibility for/involvement with risk assessment and breach notification
  - Limits on liability
  - Determination of whether an "agency relationship" exists that imputes liability to the CE or BA

Implications for Business Associate Agreements

- Related issues
  - Damages arising from civil actions brought by State Attorneys General for HIPAA violations
  - Costs and expenses associated with investigations of HIPAA violations, criminal conduct, etc.
  - Other damages associated with breach

Compliance

- Ambiguities Regarding Compliance
  - HITECH changes (including requirements for BAs) in Subtitle D generally effective February 1, 2010
  - Proposed Rule provides for a compliance date of 180 days after the effective date of the Final Rule
  - Transition provision would grandfather existing BAAs for up to one year beyond the compliance date of the Final Rule, if the BAAs are not modified between the effective date and the compliance date of the Final Rule
  - Final Rule still pending

Compliance

- CEs
  - Review of service agreements with third parties
  - Negotiation of liability issues
- BAs
  - Implementation of BAAs with subcontractors
  - Compliance with Security Rule
- Gap assessment
- Written HIPAA Security Plan that addresses the required and addressable implementation standards for administrative, technical, and physical safeguards

HIPAA Restrictions on Marketing

- Previous HIPAA framework for marketing
  - Authorization required to use or disclose Protected Health Information for marketing
  - Marketing means
    - A communication about a product or service that encourages recipients of the communication to purchase or use the product or service (with certain exceptions), or
    - An arrangement whereby the Covered Entity discloses Protected Health Information to a third party for marketing in exchange for direct or indirect remuneration
- Marketing communications allowed without authorization if
  - Face-to-face communication
  - Promotional gifts of nominal value to the individual

HIPAA Restrictions on Marketing

- Pre-HITECH Did Not Include as Marketing
  - Health care operations communications to describe a health-related product or service that is provided by, or included in a plan of benefits of, the CE making the communication; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits
  - Communications for case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual
  - Communications for the treatment of the individual
  - Even if indirect or direct payment from a third party was involved

HITECH Revised Framework for Marketing

- Limits Cross-promoting Products or Services of Other Entities Without the Individual's Authorization
  - Certain health care operations communications permitted without authorization, but only if no financial remuneration is received in exchange for making the communication
- Defines Financial Remuneration as
  - Direct or indirect payment from or on behalf of a third party whose product or service is being described.
  - Does not include any payment for treatment of an individual.

HITECH Revised Framework for Marketing

- Permits individuals to opt out of treatment communications (including case management and care coordination) if remuneration is received in exchange for making the communication
  - Requires that the Notice of Privacy Practices inform individuals about the remuneration and provide them the right to opt out of receiving further communications; and
  - The treatment communication must also disclose the remuneration and provide a clear and conspicuous opportunity to opt out of further communications.
- Permits communications to provide prescription refill reminders or about a currently prescribed drug, provided the amount of the remuneration to the CE is reasonably related to the CE's cost in making the communication

HITECH Revised Framework for Marketing

- HITECH clarifies prohibition on sale of PHI
  - CE or BA may not receive "direct or indirect" remuneration in exchange for disclosure of PHI, unless valid authorization is provided (with certain specified exceptions, e.g., treatment, payment, public health, research, sale/transfer/merger/consolidation of the CE, to or by a BA on behalf of the CE, to an individual, required by law, or for copies of PHI)
- Proposed Rule requires that the individual authorization state that the disclosure will result in financial remuneration to the CE

HITECH Revisions to Fundraising

- Individuals have the right to opt out
  - Proposed Rule requires that a CE provide, with each fundraising communication, a clear and conspicuous opportunity to opt out of receiving future fundraising communications
    - No undue burden on the individual
    - CE cannot condition treatment or payment on an individual's choice to receive or not to receive fundraising communications
    - When an individual has opted out of receiving fundraising communications, the CE may not send such information to them (reasonable efforts are insufficient)
  - Must include information about fundraising communications in the Notice of Privacy Practices

Compliance

- Issues
  - Review of relationships involving potential marketing of products or services of third parties
  - Determination of whether financial remuneration is involved in communications
  - Revisions of Notice of Privacy Practices, to the extent that financial remuneration is received for communications or for fundraising communications
  - Implementation of opt-out requirements
  - Effective date of compliance, given that the final rule has not yet been issued

More to Come

- Definition of "subcontractor" of Business Associate
- Amount of payment allowable for communications about drugs, scope of exception to marketing
- Scope of opt-out for treatment communications and fundraising
- Exceptions to sale of PHI
- Whether/how to allow targeted fundraising campaigns by CEs

Contact Information

Leeanne Habte
[email protected]
213-972-4500

R. Michael Scarano, Jr.
[email protected]
858-847-6712