Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Current Reality of HIPAA Meredith L. Borden Venable LLP © April 18, 2008 The Current Reality of HIPAA Meredith L. Borden Venable LLP © April 18,

Published byGriffin Critchett Modified over 9 years ago

Similar presentations

Presentation on theme: "1 The Current Reality of HIPAA Meredith L. Borden Venable LLP © April 18, 2008 The Current Reality of HIPAA Meredith L. Borden Venable LLP © April 18,"— Presentation transcript:

1 1 The Current Reality of HIPAA Meredith L. Borden Venable LLP © April 18, 2008 The Current Reality of HIPAA Meredith L. Borden Venable LLP © April 18, 2008

2 2 Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) - Administrative Simplification: Electronic Transactions to achieve a more efficient health care system Privacy Rule & Security Rule to protect health information Policy Rationale

3 3 Civil Enforcement Enforced by DHHS Office for Civil Rights (OCR) Penalty limits Penalty of $100 for each violation (with total exposure of no more than $25,000 for all violations of an identical requirement) “Bad faith” penalty can reach $250,000

4 4 Sanctions Apply to workforce members who: Violate policies and procedures Violate the Privacy Rule “Workforce members” include not only your paid employees, but also trainees and volunteers who are under your direct control

5 5 Internal -- Employees External -- DHHS Complaint Process

6 6 Complaint Process, cont’d OCR receives complaint Rejects complaint Accepts complaint OCR review Resolution No violation Voluntary compliance; Corrective action; and/or Resolution agreement. Formal finding of violation Civil Monetary Penalties Imposed IF not properly resolved DOJ Possible criminal violation Investigation CMS Possible Security Rule violation OCR and CMS coordinate investigations Declines case and refers back to OCR Accepted

7 7 Civil Enforcement Efforts to Date Unofficial reports claim that Office of Civil Rights received approximately 24,000 complaints from 2003 through 2006 – over 75 percent of which have been closed. Less than 40 complaints have been accepted by the Department of Justice for further investigation or prosecution. To date, no OCR-initiated investigations have taken place (absent a private complaint), and no fines have been levied against covered entities by OCR for Privacy Rule violations.

8 8

9 9 New Enforcement Efforts On the Horizon Audits: The Office of Inspector General (OIG) has initiated audits of covered entities for compliance with HIPAA. Piedmont Hospital in Atlanta, Georgia was the first hospital provider in the country underwent the first audit in March 2007. Subpoenas: On April 16, 2007, Secretary Mike Leavitt of HHS delegated to the Director of the OCR the authority to issue subpoenas in investigations of alleged violations of the HIPAA Privacy Rule.

10 10 Criminal Enforcement To commit a “criminal offense” under HIPAA, a person must knowingly and in violation of the HIPAA rules do one (or more) of the following: 1.Use or cause to be used a unique health identifier 2.Obtain IIHI relating to an individual 3.Disclose IIHI to another person Criminal penalties range from a fine up to $50,000 and/or imprisonment up to a year to a fine up to $250,000 and/or imprisonment up to 10 years June 2005 DOJ opinion – covered entity liability only

11 11 What Prosecutors Go After Theft of IIHI for some form of personal financial gain by an “employee” of a covered entity To date, only four criminal HIPAA violations prosecuted by the Department of Justice

12 12 Criminal Cases Gibson (Seattle): employee of Seattle Cancer Care Alliance with access to patient information. Used name, DOB and SSN of a cancer patient to obtain credit cards in the patient’s name. Used credit cards to make over $9,000 in purchases. Wrongful disclosure of IIHI with the intent to use the information for personal gain. Received 16 months in prison and had to pay restitution.

13 13 Criminal Cases, cont’d Ramirez (Texas): Ramirez worked for physician who provided physicals and medical treatment to FBI agents. Sold an FBI agent’s medical records for $500. Using, obtaining and disclosing IIHI with the intent to sell, transfer and use the information for personal gain and malicious harm. Received 6 months in jail, 4 months home confinement, 2 years supervised release and $100 special assessment.

14 14 Criminal Cases, cont’d Machado/Ferrer (Florida): Machado was Cleveland Clinic employee who accessed computerized patient files and downloaded IIHI of more than 1,100 Medicare beneficiaries. Sold the information to Ferrer, an owner of a claims processing company. Ferrer caused the stolen information to be used in $7 million of fraudulent Medicare claims, which netted about $2.5 million in payments to providers and suppliers. Ferrer sentenced to 87 months in prison, 3 years supervised release, and ordered to pay restitution of $2.5 million Demonstrates that covered entities must take appropriate steps to protect sensitive data and information or fail to monitor and promptly address security breaches or other illegal acts by employees

15 15 Key Measures for Privacy Compliance 1.Policies and Procedures Ensures consistent and reasoned response to privacy issues Focuses on proper use and disclosure of health information 2.Privacy & Security Officials Develop and implement policies Ensures compliance 3.Privacy Contact Person Receives and responds to privacy related complaints

16 16 Key Measures for Privacy Compliance, cont’d 4.Privacy and Security Safeguards Administrative Safeguards Technical Safeguards Access authorization; screensavers; encryption Audit controls Integrity measures; virus scans, firewalls Authentication through password management Transmission security Physical Safeguards Workforce security Procedures for clearance Access control Controls to access facility Workstation use & security Device & media controls

17 17 Key Measures for Privacy Compliance, cont’d 5.Risk Analysis and Risk Management Plan Risk Analysis: Review ePHI; identify threats, vulnerabilities and risks Risk Management: Implementation of security measures to reduce risks (42 standards) 6.Training Initially Recurrently Certification/Attestation

18 18 Key Documents Policies & Procedures Privacy Notice Business Associate Agreements Risk Management Plans Written Communications All documents to be kept for at least 6 years

19 19 Future Outlook Adjustment period is over Increased enforcement efforts, scrutiny and penalties Decreased emphasis on individual culpability and increased emphasis on entity culpability Emphasis on technology – cameras, phones BUT, the practice of medicine will continue

20 20 BUT, The Practice of Medicine WILL Continue

21 21 QUESTIONS?

Download ppt "1 The Current Reality of HIPAA Meredith L. Borden Venable LLP © April 18, 2008 The Current Reality of HIPAA Meredith L. Borden Venable LLP © April 18,"

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
Component 1: Introduction to Health Care and Public Health in the U.S. Unit 6: Regulating Health Care Lecture 4 This material was developed by Oregon Health.

Component 1: Introduction to Health Care and Public Health in the U.S. Unit 6: Regulating Health Care Lecture 4 This material was developed by Oregon Health.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
1 1 Medicare Marketing Danielle R. Moon, J.D., M.P.A. Director, Medicare Drug & Health Plan Contract Administration Group National Association of Health.

1 1 Medicare Marketing Danielle R. Moon, J.D., M.P.A. Director, Medicare Drug & Health Plan Contract Administration Group National Association of Health.
The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,

The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
HIPAA AWARENESS TRAINING

HIPAA AWARENESS TRAINING
THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
Privacy Trends TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

Privacy Trends TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
Pennsylvania Bureau of Workers’ Compensation Conference December 4, 2003 Beth L. Rubin  2003 Dechert LLP HIPAA Privacy Rule Basics.

Pennsylvania Bureau of Workers’ Compensation Conference December 4, 2003 Beth L. Rubin  2003 Dechert LLP HIPAA Privacy Rule Basics.
Independent Contractor Orientation HIPAA What Is HIPAA? Health Insurance Portability and Accountability Act of 1996 The Health Insurance Portability.

Independent Contractor Orientation HIPAA What Is HIPAA? Health Insurance Portability and Accountability Act of 1996 The Health Insurance Portability.
Hipaa privacy and Security

Hipaa privacy and Security
1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.

1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Similar presentations

Ads by Google