Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA © HIPAA Solutions, LC 2007 HIPAA Enforcement Risks Rising For Healthcare In 2007 Presented by Peter MacKoul, J.D.

Similar presentations


Presentation on theme: "HIPAA © HIPAA Solutions, LC 2007 HIPAA Enforcement Risks Rising For Healthcare In 2007 Presented by Peter MacKoul, J.D."— Presentation transcript:

1 HIPAA © HIPAA Solutions, LC 2007 HIPAA Enforcement Risks Rising For Healthcare In 2007 Presented by Peter MacKoul, J.D.

2 © HIPAA Solutions, LC 2007 Agenda Introduction HIPAA Evolution HIPAA Environment Regulations Misconceptions Court Rulings Current Enforcement Environment OIG Audits At Piedmont Hospital - Federal Audits Cleveland Clinic – Criminal Conviction Herman v. Kratch – Civil Action Sorensen v. Barbudo – Civil Action Acosta v. Byrum – Civil Action Northwest Memorial Hospital v. John Ashcroft AG of US – Public Records State AGs Create Enforcement Departments Legislative & Agency Environment

3 © HIPAA Solutions, LC 2007 Introduction Peter MacKoul, Esq. is an attorney and technical analyst with over 15 years of legal and technical consulting experience in both public and private sectors for major organizations including Blue Cross, IBM, Nextel, General Dynamics, educational institutions and local government. His legal background includes criminal and civil law. His expertise includes the areas of HIPAA, IT development, Internet law, healthcare issues and handicapped access to technology involving law, technology, privacy, and security. He served as a subject matter expert on HIPAA Privacy and Security in Texas for the Governors Health Information Technology Advisory Committee (HITAC) which created recommendations on healthcare IT issues related to privacy and security, including Regional Health Information Organizations (RHIOs). Mr. MacKoul has published articles on HIPAA; created compliance training resources and has been a featured speaker on issues of privacy and security for regional IT security conferences (TRISC), the Texas Healthcare Association (THA) and major technology events. He has also been referenced in technology publications such as ComputerWorld on HIPAA and privacy.

4 © HIPAA Solutions, LC 2007 HIPAA Statutes Focused On Protection Of Patient Privacy Chaos In Early Compliance Environment Technology Advances Are Outstripping Business Processes Healthcare Efficiency Pushing Technology / EMRs Identity Theft, Fraud, Homeland Security Raising Awareness of Security and Privacy Issues In a report last year, the World Privacy Forum found that the number of Americans identifying themselves in government documents as victims of medical identity theft had nearly tripled in just four years, to more than a quarter-million in NBC News April 2007 HIPAA Evolution

5 © HIPAA Solutions, LC 2007 Privacy Is At The Heart Of HIPAA Security Compliance Cannot Be Achieved Without Addressing Privacy Issues First HIPAA Environment - Regulations

6 © HIPAA Solutions, LC 2007 HIPAA Compliance Is Voluntary Only Class Action Litigation Is Allowed Only Healthcare Providers Are Effected State Laws Can Supercede HIPAA HIPAA Will Ultimately Go Away The Feds Are Not Enforcing HIPAA Its Not Necessary to Conduct Thorough Remediation HIPAA Environment - Misconceptions

7 © HIPAA Solutions, LC 2007 US Attorneys District Courts Appellate Courts Federal Courts Regulatory Agencies HIPAA Environment – Court Rulings

8 © HIPAA Solutions, LC 2007 March 8, 2007, issue of MEDICARE ADVANTAGE NEWSMEDICARE ADVANTAGE NEWS In a surprise move, OIG on March 5 began the first audit of a provider's compliance with the HIPAA security regulation. The target: Piedmont Hospital in Atlanta. Auditors are expected to stay at the hospital three to four weeks and then forward their findings to CMS, which enforces the security rule. This is the government's first systematic hands- on examination of compliance with any HIPAA regulation. Enforcement – OIG Audits

9 © HIPAA Solutions, LC 2007 March 8, 2007, issue of MEDICARE ADVANTAGE NEWSMEDICARE ADVANTAGE NEWS An OIG spokeswoman says, "We can't answer questions about ongoing work. The number of audits to do has yet to be determined." OIG auditors plan to audit Piedmont's administrative, physical and technical safeguards the core requirements under the security regulation. This will include the hospital's policies and procedures relating to access to electronic protected health information (e-PHI); the risk assessment relative to e-PHI; electronically transmitting e-PHI; preventing, detecting, containing and correcting security violations; monitoring systems; remote access; wireless security; anti-virus mechanisms; firewalls; and other e-PHI security requirements. Enforcement – OIG Audits

10 © HIPAA Solutions, LC 2007 Former Hospital Employee and Co-Conspirator Sentenced to Prison for Medicare Fraud and Identity Theft In Ft. Lauderdale... Machado was employed at the Cleveland Clinic when she and her cousin Ferrer stole the personal information of Cleveland Clinic and MHA patients. That information included, among other things, the patients' names, dates of birth, Social Security numbers, Medicare numbers and addresses. Enforcement – Cleveland Clinic Criminal

11 © HIPAA Solutions, LC 2007 Civil action against a clinic for the unauthorized disclosure of medical information invasion of privacy and the and intentional infliction of emotional distress after clinic sent patient's personal medical records to her employer. - Herman v. Kratch, 2006 WL (Ohio App. 8 Dist.) Enforcement – Herman v. Kratch - Civil

12 © HIPAA Solutions, LC 2007 The Appellate Court found in the unauthorized disclosure action that theclinic was liable for its unauthorized disclosure of patient's medical records; and with regard to the Invasion of Privacy tort, triable fact existed as to whether clinic's unauthorized disclosure of patient's medical records was the type of act that would cause a person of ordinary sensibilities outrage, mental suffering, shame, or humiliation. Herman v. Kratch, 2006 WL (Ohio App. 8 Dist.) Enforcement – Herman v. Kratch - Civil

13 © HIPAA Solutions, LC 2007 The court stated: while the document authorizes the Clinic to release plaintiff's medical information for purposes of payment, that is not what occurred here. The Clinic does not dispute that plaintiff's bills should have been sent to United Healthcare for payment, not Nestle. There is nothing in the Clinic's [HIPAA], notice document that authorized the release of plaintiff's medical information to the wrong payor, whether accidentally or not. Enforcement – Herman v. Kratch - Civil

14 © HIPAA Solutions, LC 2007 Many HIPAA cases are used by courts in other jurisdictions to decide cases in front of them. A good example of this is Sorensen v. Barbuto and Acosta v. Byrum. The Sorensen case, (handed down from the Appellate Court in Utah), appears to be the first case enabling a plaintiff to use HIPAA as a standard of care to bring a private cause of action involving the intentional infliction of emotional distress. Enforcement – Sorensen v. Barbudo - Civil

15 © HIPAA Solutions, LC 2007 This case provides a legal method enabling plaintiffs attorneys to utilize HIPAA as a standard of care to bring an individual action using HIPAA privacy regulations and standards instead of attempting to bring an individual lawsuit directly under HIPAA itself which is not permitted.... This allegation does not state a cause of action under HIPAA. Rather, plaintiff cites to HIPAA as evidence of the appropriate standard of care, a necessary element of negligence... Acosta v. Byrum, 638 S.E.2d 246, 2006 Enforcement – Acosta v. Byrum - Civil

16 © HIPAA Solutions, LC 2007 Northwest Memorial Hospital v. John Ashcroft Attorney General of United States The Northwestern case involved the potential of having de-identified medical records involving partial birth abortions made a part of the trial record in New York, thus available to skillful Googlers, as characterized by the court. Enforcement – Northwest Case – Public Records

17 © HIPAA Solutions, LC 2007 Northwest Memorial Hospital v. John Ashcroft Attorney General of United States The court elaborated on this Internet issue, before ruling that the Attorney General of United States could not access and use these records, let alone have them available to web surfers.... This ruling is highly significant in that it interprets the HIPAA Privacy rule covering de- identification as not sufficient to protect an organization that follows the rules in a partial birth abortion case. Northwestern Memorial Hospital v. Ashcroft, 362 F. 3d. 923 at 929. Enforcement – Northwest Case – Public Records

18 © HIPAA Solutions, LC 2007 HIPAA Enforcement Swings from Voluntary Compliance to Punishment for Violation of Privacy and Security Laws as States Join Federal Enforcement Under Federal Mandate (PRWeb) November 28, Congress passed the 2006 False Claims Act. States are ordered to actively investigate and prosecute both providers as well as business associates effective January 1, States are required to create a False Claims Division and keep the overwhelming majority of fines recovered. Enforcement – State AGs Create Enforcement

19 © HIPAA Solutions, LC 2007 Since voluntary compliance has been ignored many providers for years, the Federal Government has examined how to make physical and electronic compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) reality. Whistleblowers will be awarded 15% of fines. Enforcement – State AGs Create Enforcement

20 © HIPAA Solutions, LC 2007 HHS Delegates HIPAA Subpoena Authority To OCR.... Notice is hereby given that I have delegated to the Director of the Office for Civil Rights the following authority vested in the Secretary of Health and Human Services. Subpoenas for the Health Insurance Portability and Accountability Act of 1996: Authority under Section 205(d) of the Social Security Act (42 U.S.C. 405(d)), with authority to redelegate, to issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence.... Michael O. Leavitt, Secretary. [FR Doc. 07–1872 Filed 4–13– 07; 8:45 am]... Legislative & Agencies

21 © HIPAA Solutions, LC 2007 GAO blasts HHS on IT, privacy January 2007 GAO recommends that HHS define and implement an overall privacy approach that identifies milestones for integrating the outcomes of its initiatives, ensures that key privacy principles are fully addressed, and addresses challenges associated with the nationwide exchange of health information. Legislative & Agencies

22 © HIPAA Solutions, LC 2007 Summary Health Care Privacy & HIPAA Are Here To Stay Courts & Prosecutors Are Using HIPAA Privacy Compliance MUST Be A First Step In Security Technology Is Not A Replacement For Sound Business Processes Peter MacKoul, J.D. HIPAA Solutions, LC Toll Free:


Download ppt "HIPAA © HIPAA Solutions, LC 2007 HIPAA Enforcement Risks Rising For Healthcare In 2007 Presented by Peter MacKoul, J.D."

Similar presentations


Ads by Google