HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

Size: px

Start display at page:

Download "HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011"

Harold Kelly
5 years ago
Views:

1 HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, 2012 Phyllis F. Granade The Granade Law Firm Atlanta, GA (678) Looking Back at /14/11: NPRM re: CLIA and HIPAA 9/13/11: Leon Rodriguez Appointed Director, HHS Office for Civil Rights (replacing Georgina Verdugo) 5/31/11: NPRM re: Accounting of Disclosures First CMPs case OCR Audits of CEs and BAs initiated 1

2 NRPM CLIA and HIPAA 9/14/11, 76 Fed. Reg The proposed changes to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and HIPAA would allow: Laboratories to provide direct patient access to completed test reports following verification of the patient's identity through an authentication process. The proposed rules would revise HIPAA such that an exception to the access requirements no longer exists for a lab subject to CLIA. In short, CLIA laboratories will be required to provide patients with access to their PHI. NPRM Accounting of Disclosures 5/31/11, 76 Fed. Reg Substantive proposed changes to the Accounting of Disclosures standard; three year reach back TPO DRS BAs Addition of a new standard at 45 CFR Section (b), implementing Section of HITECH Access Reports (e.g., audit log) capturing Uses 2

3 State Attorneys General Training April June 2011: OCR Conducted HIPAA Enforcement Training Seminars for State Attorneys General Covering: General introduction to the HIPAA Privacy/Security Rules Analysis of the impact of HITECH on the HIPAA regulations Investigative techniques for identifying and prosecuting potential violations A review of HIPAA and State Law OCR's role in enforcing the HIPAA Privacy and Security Rules AG roles and responsibilities under HIPAA/HITECH Act Resources for AG in pursuing alleged HIPAA violations HIPAA Enforcement Support and Results 2011 Resolution Agreements February 14: Mass General Resolution Agreement The incident giving rise to the RA involved the loss of PHI of 192 patients of Mass General s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS Mass General agreed to Pay $1,000,000 Enter into a Corrective Action Plan (CAP) to implement policies and procedures to safeguard the privacy of its patients. 3

4 2011 Resolution Agreements July 6: UCLA Health System settled potential HIPAA violations for $865,500; committed to a corrective action plan to remedy compliance gaps. The RA involved two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLA HS. The complaints alleged that UCLA HS employees repeatedly and without a need to know reviewed ephi. OCR s investigation into the complaints revealed that from , unauthorized employees repeatedly looked at the ephi of numerous other UCLA HS patients. The corrective action plan required UCLA HS to implement: HIPAA policies and procedures approved by OCR Conduct robust training Sanction offending workforce members Designate an independent monitor to assess compliance over 3 years CMPs Cignet Health Fined $4.3M OCR issued a Notice of Final Determination finding that Cignet Health of Prince George s County, MD, violated HIPAA. OCR imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by OCR for violations of the Privacy Rule. The CMP was based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the HITECH Act. In its Notice of Proposed Determination, issued October 20, 2010, OCR found Cignet violated the rights of 41 patients by denying access to their records. Each patient filed a complaint with OCR. HIPAA requires that a CE provide a patient with a copy of their medical records within 30 days of a request (60 days for offsite records). The CMP for the access rights violations was $1.3 million. 4

5 2011 CMPs Cignet Health Fined $4.3M During the investigation, Cignet refused to respond to OCR s repeated demands to produce the records. Cignet failed to cooperate with OCR s investigation of the complaints, including failure to produce the records in response to OCR s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained default judgment against Cignet on March 30, On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. CEs are required by law to cooperate with OCR s investigations. OCR found that Cignet s failure to cooperate with OCR s investigations was due to willful neglect. The CMP for violations associated with Cignet s failure to comply with OCR s investigation and subpoena was $3 million. Enforcement Trends for 2012 OCR investigation process CE/BA involved? HIPAA violation alleged? Civil or criminal? (Criminal referred to DOJ) OCR enforcement process (in order of increasing burden on CE/BA): Voluntary compliance; Corrective action and/or resolution agreement; Civil Monetary Penalties. 5

6 OCR Audits: Section of the HITECH Act requires OCR to provide for periodic audits to ensure CEs and BAs are complying with the HIPAA regulations. To implement this mandate, OCR is piloting a program to perform up to 150 audits of CEs to assess privacy and security compliance. Audits conducted during the pilot phase will begin November 2011 and conclude by December Although CEs are the initial focus, BAs will also be subject to audits. OCR Audits: KPMG, the OCR contractor, will conduct HIPAA audits Initial audit of 20 CEs, 150 total. Eventually will include BAs. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of compliance efforts. During the pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. 6

7 OCR Audits: Following the site visit, auditors will develop and share with the entity a draft report. Audit reports will describe how the audit was conducted, the findings and the actions the CE is taking in response to those findings. Prior to report finalization, the CE will have an opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the CE has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity. OCR Audits: OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information. OCR expects to notify selected CEs between days prior to the anticipated onsite visit. Onsite visits may take 3 10 business days. After fieldwork, auditor provide CE with a draft final report. CE respond within 10 business days with written comments. Auditor will complete a final audit report within 30 business days after the CE s response and submit it to OCR. Questions: Do these time frames sound realistic to anyone who has worked with OCR? Will KPMG make the difference in timing? For that matter, what CE or BA can respond this quickly? 7

8 OCR Audits: Why Audits? OCR claims it will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective, but don t discount the threat of corrective action plans, resolution agreements Should an audit report indicate a serious compliance issue OCR may initiate a compliance review to address the problem. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. OCR Audits: OCR will use the audit program to assess HIPAA compliance efforts by a range of CEs. Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals. Question: When comparing compliance activities by CEs and BAs, will OCR keep in mind that the HIPAA requirements were originally intended to be scalable? 8

9 State law compliance State Attorneys General HIPAA Action Prevention and mitigation Business associate agreements Turning a BAA into a positive for your entity Don t stop with a HIPAA Breach analysis HIPAA breach often triggers State law data breach 46 States have data breach laws as of August 2011 Personal information not limited to PHI Encryption safe harbor usually exists May require specific content in notice letter May require notice to State AG and/or State Consumer Affairs Department Massachusetts has its own security standards 9

10 Future trends at State level: Adoption of security standards/technical safeguard requirements Required form(s) of mitigation Increased notification content requirements Case law Risk threshold Damages Mitigation Public policy Standard of care, etc. State Attorneys General and HIPAA HITECH gave State AGs the authority to bring civil actions on behalf of state residents for violations of the HIPAA privacy/security regulations Two States so far: Connecticut and Vermont pursued HIPAA claims against Health Net Vermont result: $55,000 settlement Conn result: Health Net agreed to pay $250,000 10

11 Interesting notes about the Health Net cases: 1.5 million people allegedly impacted nationwide, but only 525 enrollees in Vermont Both States pursued State and HIPAA remedies Conn AG Blumenthal became Senator Blumenthal Senator Blumenthal is the brother of former ONC health IT director Blumenthal State consumer protection and privacy laws Indiana AG recouped $100,000 in July from Wellpoint when it violated State law by failing to timely report a data breach regarding 32,000 individuals Prevention and Mitigation Industry standards Banking/credit card PCI Security Standards Healthcare OCR, National Institute of Standards and Technology (NIST) Website/Social networking FTC NIST security standards Encryption and dozens of other IT standards 11

12 Turn a BAA into a positive for your entity: Breach caused by the act/omission of the BA? BA reimburse costs and expenses of the entity related to: Reasonable and actual expenses associated with mitigation, notification and other federal and state requirements Alternative: Indemnification Problems: liability caps, insurance limits, cost of indemnification/reimbursement not factored into original contract price State law: Cooperation with State data breach and security standard laws Shorter notice requirements Different compliance requirements Cooperation with State authorities AG Consumer Affairs Dept. State Privacy Office Federal and State fines and penalties 12

13 Questions? Phyllis F. Granade The Granade Law Firm (678)

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D. HIPAA GENERAL RULE PHI may not be disclosed without patient authorization