Transcript Document

HIPAA Enforcement
Past, Present and Future
Cyndi Moore, Kevin Bernys, Rose Willis
Dickinson Wright PLLC
HIPAA Enforcement
Past, Present and Future
• HIPAA Enforcement Rule
• The OCR Enforcement Process
• Enforcement Data
• Case Samples – Corrective Actions
• Resolution Agreements
• Trends and Predictions
• WWOCRD?
HIPAA Enforcement Rule
• Enforcement of the Privacy Rule began April 14,
2003 for most HIPAA covered entities
• HIPAA covered entities were required to comply
with the Security Rule beginning on April 20, 2005.
OCR became responsible for enforcing the Security
Rule on July 27, 2009.
• HITECH Act strengthened civil and criminal
enforcement of HIPAA
Enforcement Penalties
• The Omnibus Rule formally adopts the following HITECH Act penalty scheme for HIPAA
violations occurring on or after Feb. 18, 2009:
• For violations where a covered entity did not know and, by exercising reasonable
diligence, would not have known that the covered entity violated a provision, a
penalty of not less than $100 or more than $50,000 for each violation
• For a violation due to reasonable cause and not to willful neglect, a penalty of not
less than $1,000 or more than $50,000 for each violation
• For a violation due to willful neglect that was timely corrected, a penalty of not
less than $10,000 or more than $50,000 for each violation
• For a violation due to willful neglect that was not timely corrected, a penalty of
not less than $50,000 for each violation; the penalty for violations of the same
requirement or prohibition under any of these categories may not exceed $1.5
million in a calendar year.
The OCR Enforcement Process
• Right to file a complaint. A person who believes a covered entity or business
associate is not complying may file a complaint with the Secretary.
– Disgruntled Employees
– Patients
• Investigation. The Secretary will investigate any complaint filed when a preliminary
review indicates possible violation due to willful neglect.
• Compliance Reviews. The Secretary will conduct a compliance review to determine
whether a covered entity or business associate is complying when a preliminary
review of the facts indicates a possible violation due to willful neglect or in any other
circumstance.
• Today’s breach report could lead to tomorrow’s OCR Compliance Review
Enforcement Process (continued)
• If the evidence indicates that the covered entity was not in compliance, OCR will
attempt to resolve the case by obtaining:
– Voluntary compliance;
– Corrective action; and/or
– Resolution agreement.
• Civil Money Penalties are also possible.
• Possible referrals to the Department of Justice for criminal violations.
• Michigan enforcement results from compliance reviews as of December 31,
2013:
– 12% (No Violation)
– 64% (Resolved after Intake and Review)
– 24% (Corrective Action)
The Top Fives
• Top 5 Issues Investigated in 2013 that were Closed with Corrective Action
– Impermissible uses and disclosures
– Lack of safeguards of PHI
– Lack of access by individuals to PHI
– Use or disclosure of more than the minimum necessary PHI
– Mitigation
The most common types of covered entities that have been required to take
corrective action to achieve voluntary compliance are, in order of frequency:
• Private Practices;
• General Hospitals;
• Outpatient Facilities;
• Health Plans (group health plans and health insurance issuers); and,
• Pharmacies.
Enforcement by State Attorneys General
• OCR developed HIPAA enforcement training in 2011 to help State attorneys
general use their new authority under the HITECH Act to enforce the HIPAA
Privacy and Security Rules. Videos and slides are available on the OCR
website.
– 8 modules, including Module 6: “Investigating and Prosecuting HIPAA Violations.”
– Includes examples of how OCR could impose civil money penalties to a given fact
pattern.
• State AGs have not made extensive use of their new enforcement power to date.
• Minnesota AG filed complaint against Accretive Health, a business associate, in January
2012; settled in July 2012 for $2.5 million.
OCR Audit Program
• OCR Audits of covered entities and business associates
• OCR will use the audit reports for the following purposes:
– To determine what types of technical assistance should be developed;
– To share best practices;
– To identify what types of corrective action are most effective; and
– May use the report as the basis to initiate a compliance review that could lead to civil
money penalties
Phase 1 Audit Program
• OCR audited 115 covered entities under the Phase 1 Audit program, with the following
aggregate results:
– There were no findings or observations for only 11% of the covered entities audited;
– Despite representing just more than half of the audited entities (53%), health care providers
were responsible for 65% of the total findings and observations;
– The smallest covered entities were found to struggle with compliance under all three of the
HIPAA Standards;
– Greater than 60% of the findings or observations were Security Standard violations, and 58 of
59 audited health care provider covered entities had at least one Security Standard finding or
observation even though the Security Standards represented only 28% of the total audit
items;
– Greater than 39% of the findings and observations related to the Privacy Standards were
attributed to a lack of awareness of the applicable Privacy Standard requirement; and
– Only 10% of the findings and observations were attributable to a lack of compliance with the
Breach Notification Standards
Phase 2 Audit Program
• OCR has indicated that it plans to conduct the second round of audits
sometime in the Fall of 2014 (date TBD), involving 350 covered entities (232
healthcare providers, 109 health plans and 9 health care clearinghouses)
and 50 business associates.
• Entities that received an address verification letter in the spring were expected
to receive audit letters in the fall.
• Desk reviews (not on-site visits)
Phase 2 Audit Program (continued)
• Audits will focus on compliance with Security Standards and on those areas that
involved high numbers of non-compliance in the Phase 1 audit, including:
– risk analysis and risk management;
– content and timeliness of breach notifications;
– notice of privacy practices;
– individual access;
– Privacy Standards’ reasonable safeguards requirement;
– training on policies and procedures;
– device and media controls; and
– transmission security.
• Breach reports and complaints,
• Phase 2 Audits of business associates will focus on risk analysis and risk
management and breach reporting to covered entities.
How to prepare for a Phase 2 Audit?
• Conduct a risk assessment; update your HIPAA Policies and Procedures
• Update your Notice of Privacy Practices
• Conduct a self-audit using the audit protocols at
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
– Privacy Rule (81)
– Security Rule (78)
– Breach Notification Rule (10)
• Have a current list of business associates and their contact information
• Use encryption of ePHI to prevent breaches
• 2 weeks to respond to an audit request – No last minute cramming for this test!
Audit Protocol Sample – Privacy Rule
• Established performance criteria: identify workforce members who need access
to PHI (§164.514(d)(2)(i)).
• Key activity: minimum necessary uses of PHI.
• Audit procedure: Inquire of management as to whether access to PHI is
restricted. Obtain and review a sample of workforce members with access to
PHI for their corresponding job title and description to determine
appropriateness. Obtain and review policies and procedures and evaluate the
content relative to the specified criteria for terminating access to PHI. Select a
sample listing of former employees to confirm that access to PHI was terminated.
NOTE: The rule requires that the class/job functions that need to use or disclose
PHI be determined, and the information be limited to what is needed for that job
classification.
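The two audit procedures above (compare each workforce member's PHI access against the access approved for their job class, and confirm that former employees no longer hold active access) can be run as a reconciliation between the HR roster and the PHI system's access-control list rather than by hand-picked samples. The following is an added example, not code from the slides or from OCR's audit protocol. The job-title-to-access matrix, the roster, the entitlement export and every user ID in it are constructed, hypothetical data; a real run would export the same two tables from the HR system and the EHR or IAM platform.

```python
"""Added example (not from the slides or OCR's protocol): reconcile an HR
roster against a PHI system's access-control list to produce the two kinds of
finding the audit procedure looks for:
  1. active access beyond what the job class is approved for
     (minimum necessary, 45 CFR 164.514(d)(2)(i));
  2. former employees whose access was never terminated.
All data below is constructed sample data, not real people or systems."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical minimum-necessary matrix: job title -> PHI access levels the
# organisation has decided that job class needs. A title that is not listed,
# or a user ID the roster does not know, is treated as "no PHI access".
MIN_NECESSARY = {
    "Physician": {"clinical", "billing"},
    "Nurse": {"clinical"},
    "Billing Clerk": {"billing"},
    "Facilities Technician": set(),
}

@dataclass(frozen=True)
class Worker:
    user_id: str
    title: str
    terminated: Optional[date]   # None = still employed

@dataclass(frozen=True)
class Entitlement:
    user_id: str
    access: str                  # PHI access level granted in the EHR/IAM system
    active: bool

# Constructed HR roster (sample data).
ROSTER = [
    Worker("u100", "Physician", None),
    Worker("u101", "Nurse", None),
    Worker("u102", "Facilities Technician", None),
    Worker("u103", "Billing Clerk", date(2014, 3, 31)),
    Worker("u104", "Nurse", date(2014, 5, 15)),
]

# Constructed export of the PHI system's access-control list (sample data).
ENTITLEMENTS = [
    Entitlement("u100", "clinical", True),
    Entitlement("u100", "billing", True),
    Entitlement("u101", "clinical", True),
    Entitlement("u101", "billing", True),    # nurse with billing access: over-broad
    Entitlement("u102", "clinical", True),   # facilities tech with clinical: not approved
    Entitlement("u103", "billing", True),    # terminated 2014-03-31, still active
    Entitlement("u104", "clinical", False),  # terminated, correctly disabled
    Entitlement("u999", "clinical", True),   # account with no HR record at all
]

def excessive_access(roster, entitlements):
    """Active entitlements that exceed the job class's approved access.
    Returns sorted (user_id, access) pairs."""
    title_by_id = {w.user_id: w.title for w in roster}
    findings = []
    for e in entitlements:
        if not e.active:
            continue
        allowed = MIN_NECESSARY.get(title_by_id.get(e.user_id, ""), set())
        if e.access not in allowed:
            findings.append((e.user_id, e.access))
    return sorted(findings)

def orphaned_access(roster, entitlements, as_of_iso):
    """Former employees (terminated on or before as_of_iso, 'YYYY-MM-DD') who
    still hold at least one active entitlement. Returns sorted user IDs."""
    as_of = date.fromisoformat(as_of_iso)
    gone = {w.user_id for w in roster if w.terminated and w.terminated <= as_of}
    return sorted({e.user_id for e in entitlements if e.active and e.user_id in gone})

if __name__ == "__main__":
    print("excessive access:", excessive_access(ROSTER, ENTITLEMENTS))
    print("orphaned access: ", orphaned_access(ROSTER, ENTITLEMENTS, "2014-06-30"))
```

Accounts that exist in the access list but not in the HR roster (u999 above) are deliberately reported under the minimum-necessary check rather than ignored, since an auditor cannot tie them to any approved job class; in practice they are the first thing to chase down.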
Case Samples – Corrective Compliance Actions
• Radiology practice submitted a workers' compensation claim to the patient's
employer which included the patient's test results. The patient had not indicated workers'
compensation coverage; the practice had relied on incorrect billing information from the treating
hospital.
• Private practice failed to honor a patient's request for a copy of her minor son's medical
record. State regulations permitted providing a summary of the record; however, the Privacy Rule is more
restrictive, permitting a summary only if the individual agrees to it in advance.
• Physician’s office disclosed a patient’s HIV status in a misdirected fax. Written
disciplinary warning, apologies to patient, addition of confidential communication
language on fax cover sheet and additional training required.
Resolution Agreements
What is a Resolution Agreement?
A contract between HHS and a covered entity in which the covered entity agrees
to perform certain obligations (such as staff training) and make reports to HHS,
generally for a 3 year period. During this period, HHS monitors the covered
entity’s compliance with its obligations. Typically includes payment of a resolution
amount. A resolution agreement is used to settle investigations with more serious
outcomes.
Recent Resolution Agreements
August 2013 – June 23, 2014
$800,000 HIPAA Settlement in Medical Records Dumping Case
– Hospital took custody of medical records to assist in physician’s retirement
– Returned 71 boxes of medical records at the end of physician’s driveway (for an
unknown reason)
– Complaint came from the retiring physician
• Data Breach Results in $4.8 Million HIPAA Settlements
– The New York Presbyterian Hospital and Columbia University operated a shared data
network.
– A physician employed by Columbia University attempted to deactivate a personally-owned
computer server on the network, and the deactivation resulted in the ePHI of
6,800 individuals being accessible on general internet search engines.
– The entities learned of the breach after receiving a complaint by an individual who
found the ePHI of the individual’s deceased partner on the internet.
– The Hospital and Columbia University self-reported the breach to the U.S. Department
of Health and Human Services Office for Civil Rights who initiated an investigation.
Recent Resolution Agreements (continued)
• Concentra Settles HIPAA Case for $1,725,220
– Unencrypted laptop stolen from Concentra facility
• QCA Settles HIPAA Case for $250,000
– Unencrypted laptop stolen from employee’s car
• Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts
– Unencrypted thumb drive containing ePHI of 2,200 individuals was stolen from a vehicle
of one of its workforce members
– Thumb drive was never recovered
– The P.C. notified patients of the theft and provided media notice
– $150,000 resolution amount and corrective action plan
Recent Resolution Agreements (continued)
• HHS Settles with Health Plan in Photocopier Breach Case
– Failure to properly erase photocopier hard drives prior to sending the photocopiers to a
leasing company
– Affinity Health Plan notified OCR regarding the breach
– $1,215,780 and entered into corrective action plan.
• County Government Settles Potential HIPAA Violations
– Skagit County inadvertently allowed public access to PHI on a public web server and
failed to notify individuals of the breach
– $215,000 settlement and implementation of corrective action plan
Trends and Predictions
• Today’s data breach report could lead to tomorrow’s compliance investigation.
• Resolution agreements signal that OCR is moving into a more aggressive
enforcement phase, with the assessment of “resolution amounts” and, if it cannot
reach agreement with the covered entity, civil money penalties.
• Second round of HIPAA audits to come sometime by the end of 2014
• Enforcement Actions against Business Associates to come
• According to a chief regional civil rights counsel at HHS, the past 12 months of
HIPAA enforcement will likely pale in comparison to what OCR will do in the next
year.
• OCR will share more information with other federal and state agencies, including
the FTC, DOJ, OIG and State Attorneys General, to enforce HIPAA
• Covered entities need to have a robust compliance program in place and to foster a culture of
compliance within their organization.
WWOCRD?
(What Would OCR Do?)