hipaaupdate/ ocr enforcement - hcca official site
TRANSCRIPT
HEALTH CARE COMPLIANCE ASSOCIATION
HCCA REGIONAL CONFERENCE
HIPAA UPDATE/OCR ENFORCEMENT
© Copyright Tucker Arensberg, P.C. All Rights Reserved.
HCCA REGIONAL CONFERENCE
East Central Region
Michael A. Cassidy, Esquire
October 14, 2011
Tucker Arensberg, P.C.
1500 One PPG Place Pittsburgh, PA 15222
HIPAA UPDATE/OCR ENFORCEMENT
HIPAA HYPE – An “industry” of compliance and an “absence” of enforcement
HIPAA Privacy Rule – April 14, 2003
2
HIPAA Security Rule – April 20, 2005
HHS/OIG Admission – Has previously acknowledged lack of appropriate enforcement
ENFORCEMENT ≠ ABSENCE OF COMPLAINTS
OCR PRIVACY COMPLAINTS
2003 3,7432004 6,5342005 6,855
3
2005 6,8552006 7,3402007 8,1902008 8,7062009 7,5672010 8,524
ENFORCEMENT RESULTS IN PENNSYLVANIA TO DATE
4
Top Five Issues in Investigated Cases Closed with corrective Action, by Calendar Year
Year Issue 1 Issue 2 Issue 3 Issue 4 Issue 5
2010 Impermissible Uses & Disclosures
Safeguards Access Minimum Necessary Notice
2009 Impermissible Uses &
Disclosures
Safeguards Access Minimum Necessary Complaints to Covered
Entity
2008 Impermissible Uses &
Disclosures
Safeguards Access Minimum Necessary Complaints to Covered
Entity
2007 Impermissible Uses &
Disclosures
Safeguards Access Minimum Necessary Notice
5
2006 Impermissible Uses &
Disclosures
Safeguards Access Minimum Necessary Notice
2005 Impermissible Uses &
Disclosures
Safeguards Access Minimum Necessary Mitigation
2004 Impermissible Uses &
Disclosures
Safeguards Access Minimum Necessary Authorizations
partial year 2003 Safeguards Impermissible Uses &
Disclosures
Access Notice Minimum Necessary
NATIONAL PRIVACY RULE ENFORCEMENT
63,443 Privacy Complaints
14,309- Resolved by required changes in privacy practices
6
35,999- Case ineligible for enforcement• jurisdiction• timeliness
7,440- No violation57,748 (91%)
5,695 Open
Identity of Covered Entity (Frequency)
1.Private Practices
2.General Hospitals
7
3.Outpatient Facilities
4.Health Plans
5.Pharmacies
NATIONAL SECURITY RULE ENFORCEMENTS
Transferred to OCR July 27, 2009
2 year reporting history
8
460 complaints
217 closed/corrective action
309 open cases August 31,2011
CHANGING ENFORCEMENT ENVIRONMENT
•HITECH
•HHS/OCR HIPAACompliance audits
9
Compliance audits
“There will be consequences for failure to
comply with HIPAA privacy and security
10
obligations.”
Susan McAndrewOCR Deputy DirectorHealth Information, PrivacyApril 13, 2011
ENHANCED HIPAA ENFORCEMENT
HITECH § 13410(d) revised 42 USC § 1320d-5 to enhance penalties
Prior penalties: $100.00 per violation with a maximum $25,000
Effective February 18, 2009, there are 4 tiers of penalties:
11
Effective February 18, 2009, there are 4 tiers of penalties:
1. Innocent $100/$25,000
2. Reasonable cause $10,000/$100,000
3. Willful neglect $10,000/$250,000
4. ________ $50,000/$1,500,000
ENHANCED HIPAA ENFORCEMENT
•Authorize enforcement by state attorneys general as parens, patriaeand provides training and funding
•Eliminates the ban on penalties when
12
•Eliminates the ban on penalties when entity could establish reasonable lack of knowledge – i.e. strict liability
•Prohibits penalties if violations are corrected within 30 days provided not due to willful neglect
ENHANCED HIPAA ENFORCEMENT
• HITECH § 15411 requires HHS periodic audits for:
45 CFR 164 (c) – security
13
45 CFR 164 (e) – privacy
• Contracts for audits: June 2011
• Audit candidate identification contract to Booze Allen Hamilton
•Audit protocol and implementation to KPMG
3 STEP AUDIT PROCESS
• Development of protocols
• Initial round of approximately 20 test audits
• Remaining full audits adjusted based upon
14
• Remaining full audits adjusted based upon success of “beta” audits
• Preliminary Audit Report
• Final Audit Report
Final Audit Report must address issues identified in OCR HIPAA Audit Protocol and Program Performance Contract Solicitation # 0557605
Condition: observed defects on noncompliance
15
Criteria: clear demonstration that negative finding is a potential violation of specific requirements
Cause: source of non-compliance
Effect: risk exposure
Corrective Recommendation
Verification of Correction
Health Information PrivacyHMO Revises Process to Obtain Valid AuthorizationsCovered Entity: Health Plans / HMOsIssue: Impermissible Uses and Disclosures; AuthorizationsA complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire medical record to a disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a
16
that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own “authorization” form. The new authorization specifies what records and/or portions of the files will be disclosed and the respective authorization will be kept in the patient’s record, together with the disclosed information.
Health Information PrivacyEntity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based FeesCovered Entity: Private PracticeIssue: AccessA patient alleged that a covered entity failed to provide him access to his medical records. After OCR notified the entity of the allegation, the entity released the complainant’s medical records
17
allegation, the entity released the complainant’s medical records but also billed him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual. To resolve this matter, the covered entity refunded the $100.00 “records review fee.”
Health Information PrivacyPharmacy Chain Enters into Business Associate Agreement with Law FirmCovered Entity: Pharmacy ChainIssue: Impermissible Uses and Disclosures; Business AssociatesA complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR
18
disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer’s PHI. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement.
Health Information PrivacyPharmacy Chain Revises Process for Disclosures to Law EnforcementCovered Entity: PharmaciesIssue: Impermissible Uses and Disclosures
A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not
19
municipal law enforcement officials in a manner that did not conform to the provisions of the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected health information to comply with the Privacy Rule requirements, including that disclosures of protected health information to law enforcement only be made in response to written requests from law enforcement officials, unless state law requires otherwise. The revised policy was implemented in the chains' stores nationwide.
Health Information PrivacyHealth Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong PersonsCovered Entity: Health PlansIssue: Safeguards
A national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant's unauthorized family
20
benefits (EOB) by mail to a complainant's unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all corrupted patient information.
Health Information PrivacyPrivate Practice Revises Process to Provide Access to RecordsCovered Entity: Private PracticesIssue: AccessA private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on
21
investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. In addition, the covered entity forwarded the complainant a complete copy of the medical record.
Health Information PrivacyPublic Hospital Corrects Impermissible Disclosure of PHI in Response to a SubpoenaCovered Entity: General HospitalIssue: Impermissible Uses and Disclosures
A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Contrary to the Privacy Rule protections for information
22
of its patients. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to insure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained. The hospital also trained relevant staff members on the new procedures.
Health Information PrivacyPrivate Practice Provides Access to All Records, Regardless of SourceCovered Entity: Private PracticeIssue: Access
A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. While the amendment
23
physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual's request for an amendment when the covered entity did not create that the portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access their protected health information. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it.
Health Information PrivacyLarge Health System Restricts Provider's Use of Patient RecordsCovered Entity: Multi-Hospital Healthcare ProviderIssue: Impermissible Use
A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s organized health care
24
care system and who is part of the system’s organized health care arrangement impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner’s access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing authority; and, provided the nurse practitioner with remedial Privacy Rule training.
Resolution Agreements
Resolution Agreements and Civil Money Penalties -A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution
25
covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into five resolution agreements and issued CMPs to one covered entity
Resolution AgreementsResolution Agreement with the University of California at Los Angeles Health System --July 6, 2011
Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc.--February 14, 2011
Civil Money Penalty issued to Cignet Health of Prince George's County,
26
Civil Money Penalty issued to Cignet Health of Prince George's County, MD--February 4, 2011
Resolution Agreement with Managemet Services Organization Washington, Inc.--December 13, 2010
Resolution Agreement with Rite Aid Corporation--July 27, 2010
Resolution Agreement with CVS Pharmacy, Inc.--January 16, 2009
Resolution Agreement with Providence Health & Services--July 16, 2008