Transcript HIPAA Privacy Training Presentation by Meredith Borden of

1
The Current Reality of
HIPAA
Meredith L. Borden
Venable LLP©
April 18, 2008
2
Policy Rationale
Health Insurance Portability and
Accountability Act of 1996
(“HIPAA”) - Administrative
Simplification:
•
Electronic Transactions to
achieve a more efficient health
care system
•
Privacy Rule & Security Rule to
protect health information
3
Civil Enforcement
Enforced by DHHS Office for Civil Rights (OCR)
Penalty limits
• Penalty of $100 for each violation (with total
exposure of no more than $25,000 for all
violations of an identical requirement)
• “Bad faith” penalty can reach $250,000
4
Sanctions
Apply to workforce members
who:
• Violate policies and
procedures
• Violate the Privacy Rule
“Workforce members” include not only your paid
employees, but also trainees and volunteers
who are under your direct control
5
Complaint Process
Internal -- Employees
External -- DHHS
6
Complaint Process, cont’d
Accepts
complaint
DOJ
Possible criminal
violation
OCR receives
complaint
Declines case
and refers back
to OCR
Accepted
Resolution
•No violation
OCR review
Possible Security
Rule violation
Investigation
OCR and CMS
coordinate
investigations
•Voluntary compliance; Corrective action;
and/or Resolution agreement.
•Formal finding of violation
Rejects
complaint
CMS
Civil Monetary Penalties
Imposed IF not properly
resolved
7
Civil Enforcement Efforts to Date
•
Unofficial reports claim that Office of Civil Rights received
approximately 24,000 complaints from 2003 through 2006 –
over 75 percent of which have been closed.
•
Less than 40 complaints have been accepted by the
Department of Justice for further investigation or
prosecution.
•
To date, no OCR-initiated investigations have taken place
(absent a private complaint), and no fines have been levied
against covered entities by OCR for Privacy Rule violations.
8
9
New Enforcement Efforts On the Horizon
•
Audits: The Office of Inspector General (OIG) has initiated
audits of covered entities for compliance with HIPAA.
Piedmont Hospital in Atlanta, Georgia was the first hospital
provider in the country underwent the first audit in March
2007.
•
Subpoenas: On April 16, 2007, Secretary Mike Leavitt of
HHS delegated to the Director of the OCR the authority to
issue subpoenas in investigations of alleged violations of the
HIPAA Privacy Rule.
10
Criminal Enforcement
•
To commit a “criminal offense” under HIPAA, a person must
knowingly and in violation of the HIPAA rules do one (or
more) of the following:
1. Use or cause to be used a unique health identifier
2. Obtain IIHI relating to an individual
3. Disclose IIHI to another person
•
Criminal penalties range from a fine up to $50,000 and/or
imprisonment up to a year to a fine up to $250,000 and/or
imprisonment up to 10 years
•
June 2005 DOJ opinion – covered entity liability only
11
What Prosecutors Go After
•
Theft of IIHI for some form of personal financial gain
by an “employee” of a covered entity
•
To date, only four criminal HIPAA violations
prosecuted by the Department of Justice
12
Criminal Cases
•
Gibson (Seattle): employee of Seattle Cancer Care
Alliance with access to patient information. Used
name, DOB and SSN of a cancer patient to obtain
credit cards in the patient’s name. Used credit cards
to make over $9,000 in purchases. Wrongful
disclosure of IIHI with the intent to use the information
for personal gain. Received 16 months in prison and
had to pay restitution.
13
Criminal Cases, cont’d
•
Ramirez (Texas): Ramirez worked for physician who
provided physicals and medical treatment to FBI
agents. Sold an FBI agent’s medical records for
$500. Using, obtaining and disclosing IIHI with the
intent to sell, transfer and use the information for
personal gain and malicious harm. Received 6
months in jail, 4 months home confinement, 2 years
supervised release and $100 special assessment.
14
Criminal Cases, cont’d
•
•
Machado/Ferrer (Florida): Machado was Cleveland Clinic
employee who accessed computerized patient files and
downloaded IIHI of more than 1,100 Medicare beneficiaries.
Sold the information to Ferrer, an owner of a claims processing
company. Ferrer caused the stolen information to be used in $7
million of fraudulent Medicare claims, which netted about $2.5
million in payments to providers and suppliers. Ferrer sentenced
to 87 months in prison, 3 years supervised release, and ordered
to pay restitution of $2.5 million
Demonstrates that covered entities must take appropriate steps
to protect sensitive data and information or fail to monitor and
promptly address security breaches or other illegal acts by
employees
15
Key Measures for Privacy Compliance
1.
Policies and Procedures
•
Ensures consistent and reasoned response to privacy
issues
•
Focuses on proper use and disclosure of health information
2.
Privacy & Security Officials
•
Develop and implement policies
•
Ensures compliance
3.
Privacy Contact Person
•
Receives and responds to privacy related complaints
16
Key Measures for Privacy Compliance, cont’d
4.
Privacy and Security Safeguards
•
Administrative Safeguards
•
Technical Safeguards
•
Access authorization; screensavers; encryption
•
Audit controls
•
Integrity measures; virus scans, firewalls
•
Authentication through password management
•
Transmission security
•
Physical Safeguards
•
Workforce security
•
Procedures for clearance
•
Access control
•
Controls to access facility
•
Workstation use & security
•
Device & media controls
17
Key Measures for Privacy Compliance, cont’d
5.
Risk Analysis and Risk Management Plan
•
Risk Analysis: Review ePHI; identify threats, vulnerabilities
and risks
•
Risk Management: Implementation of security measures to
reduce risks (42 standards)
6.
Training
•
Initially
•
Recurrently
•
Certification/Attestation
18
Key Documents
•
•
•
•
•
Policies & Procedures
Privacy Notice
Business Associate Agreements
Risk Management Plans
Written Communications
•
All documents to be kept for at least 6 years
19
Future Outlook
•
•
•
•
•
Adjustment period is over
Increased enforcement efforts, scrutiny and
penalties
Decreased emphasis on individual culpability and
increased emphasis on entity culpability
Emphasis on technology – cameras, phones
BUT, the practice of medicine will continue
20
BUT, The Practice of Medicine WILL Continue
21
QUESTIONS?