2 Policy Rationale
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) - Administrative Simplification:
- Electronic Transactions, to achieve a more efficient health care system
- Privacy Rule & Security Rule, to protect health information
3 Civil Enforcement
- Enforced by the DHHS Office for Civil Rights (OCR)
- Penalty limits: $100 for each violation, with total exposure of no more than $25,000 in a calendar year for all violations of an identical requirement
- “Bad faith” penalty can reach $250,000
4 Sanctions
Apply to workforce members who:
- Violate policies and procedures
- Violate the Privacy Rule
“Workforce members” include not only your paid employees, but also trainees and volunteers who are under your direct control.
5 Complaint Process
- Internal -- employees
- External -- DHHS
6 Complaint Process, cont’d
- OCR receives the complaint and either rejects it or accepts it for OCR review.
- OCR review leads to one of three resolutions:
  - No violation
  - Voluntary compliance; corrective action; and/or a resolution agreement
  - Formal finding of violation, with Civil Monetary Penalties imposed if the matter is not properly resolved
- Possible criminal violation: referred to DOJ for investigation; DOJ either accepts the case or declines it and refers it back to OCR.
- Possible Security Rule violation: referred to CMS; OCR and CMS coordinate their investigations.
7 Civil Enforcement Efforts to Date
- Unofficial reports claim that the Office for Civil Rights received approximately 24,000 complaints from 2003 through 2006, over 75 percent of which have been closed.
- Fewer than 40 complaints have been accepted by the Department of Justice for further investigation or prosecution.
- To date, no OCR-initiated investigations have taken place (absent a private complaint), and no fines have been levied against covered entities by OCR for Privacy Rule violations.
9 New Enforcement Efforts on the Horizon
- Audits: The Office of Inspector General (OIG) has initiated audits of covered entities for compliance with HIPAA. Piedmont Hospital in Atlanta, Georgia was the first hospital provider in the country to be audited, in March 2007.
- Subpoenas: On April 16, 2007, HHS Secretary Mike Leavitt delegated to the Director of OCR the authority to issue subpoenas in investigations of alleged violations of the HIPAA Privacy Rule.
10 Criminal Enforcement
To commit a “criminal offense” under HIPAA, a person must knowingly and in violation of the HIPAA rules do one (or more) of the following:
1. Use or cause to be used a unique health identifier
2. Obtain individually identifiable health information (IIHI) relating to an individual
3. Disclose IIHI to another person
Criminal penalties range from a fine of up to $50,000 and/or imprisonment of up to one year, to a fine of up to $250,000 and/or imprisonment of up to 10 years.
June 2005 DOJ opinion – covered entity liability only
11 What Prosecutors Go After
- Theft of IIHI for some form of personal financial gain by an “employee” of a covered entity
- To date, only four criminal HIPAA violations have been prosecuted by the Department of Justice
12 Criminal Cases
Gibson (Seattle):
- Employee of the Seattle Cancer Care Alliance with access to patient information.
- Used the name, date of birth and SSN of a cancer patient to obtain credit cards in the patient’s name, and used the cards to make over $9,000 in purchases.
- Wrongful disclosure of IIHI with the intent to use the information for personal gain.
- Received 16 months in prison and had to pay restitution.
13 Criminal Cases, cont’d
Ramirez (Texas):
- Worked for a physician who provided physicals and medical treatment to FBI agents.
- Sold an FBI agent’s medical records for $500.
- Using, obtaining and disclosing IIHI with the intent to sell, transfer and use the information for personal gain and malicious harm.
- Received 6 months in jail, 4 months home confinement, 2 years supervised release and a $100 special assessment.
14 Criminal Cases, cont’d
Machado/Ferrer (Florida):
- Machado was a Cleveland Clinic employee who accessed computerized patient files and downloaded the IIHI of more than 1,100 Medicare beneficiaries.
- Sold the information to Ferrer, the owner of a claims processing company.
- Ferrer caused the stolen information to be used in $7 million of fraudulent Medicare claims, which netted about $2.5 million in payments to providers and suppliers.
- Ferrer was sentenced to 87 months in prison and 3 years supervised release, and ordered to pay restitution of $2.5 million.
- The case demonstrates that covered entities must take appropriate steps to protect sensitive data and information, and must monitor and promptly address security breaches or other illegal acts by employees.
15 Key Measures for Privacy Compliance
1. Policies and Procedures
- Ensure a consistent and reasoned response to privacy issues
- Focus on proper use and disclosure of health information
2. Privacy & Security Officials
- Develop and implement policies
- Ensure compliance
3. Privacy Contact Person
- Receives and responds to privacy-related complaints
16 Key Measures for Privacy Compliance, cont’d
4. Privacy and Security Safeguards
Administrative Safeguards
- Workforce security; procedures for clearance
Technical Safeguards
- Access authorization; screensavers; encryption
- Audit controls
- Integrity measures; virus scans, firewalls
- Authentication through password management
- Transmission security
Physical Safeguards
- Access control; controls to access the facility
- Workstation use & security
- Device & media controls
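The Machado case above (one employee downloading the records of more than 1,100 beneficiaries) is exactly what the "audit controls" item in the safeguards list is meant to catch. What follows is an added example, not code from the slides or from any covered entity's system: a minimal audit-control check that parses constructed EHR access-log lines and flags any user who touched more distinct patient records in one calendar day than a threshold. The log line format, the user names, the sample lines and the 25-record threshold are all assumptions made for illustration.

```python
"""Added example (not from the slides): a minimal audit-control check that
flags bulk access to patient records from EHR access logs.

Assumed log line format (an assumption for illustration, not a real product):
    YYYY-MM-DDTHH:MM:SS user=<id> action=VIEW|EXPORT patient=<record id>
"""
import re
from collections import defaultdict

# Assumed log format; anything that does not match is counted as malformed
# rather than silently dropped, because a gap in audit data is itself a finding.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} "
    r"user=(?P<user>\S+) action=(?P<action>VIEW|EXPORT) patient=(?P<patient>\S+)$"
)


def build_sample_log():
    """Constructed sample lines (not real data): ordinary clinical use by two
    users, one garbled line, and one clerk exporting 60 distinct records."""
    lines = [
        "2007-03-05T08:02:11 user=nurse17 action=VIEW patient=P1001",
        "2007-03-05T08:05:40 user=nurse17 action=VIEW patient=P1002",
        "2007-03-05T08:05:55 user=nurse17 action=VIEW patient=P1002",  # same record again
        "2007-03-05T11:30:00 user=drlee action=VIEW patient=P1003",
        "log shipper restarted: partial line",
    ]
    for i in range(60):
        minute, second = 10 + i // 10, (i % 10) * 6
        lines.append(
            f"2007-03-05T09:{minute:02d}:{second:02d} "
            f"user=clerk42 action=EXPORT patient=P{2000 + i}"
        )
    return lines


def parse_log(lines):
    """Return (events, malformed_count); events are (day, user, action, patient)."""
    events, malformed = [], 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m is None:
            malformed += 1
            continue
        events.append((m["day"], m["user"], m["action"], m["patient"]))
    return events, malformed


def flag_bulk_access(lines, threshold=25):
    """Return (findings, malformed). Each finding is (user, day, distinct_records)
    for a user who touched more than `threshold` distinct patient records in one
    calendar day. Repeated views of the same record count once, so a nurse
    re-opening a chart is not confused with someone sweeping the patient index."""
    events, malformed = parse_log(lines)
    seen = defaultdict(set)  # (user, day) -> set of distinct patient ids
    for day, user, _action, patient in events:
        seen[(user, day)].add(patient)
    findings = [
        (user, day, len(patients))
        for (user, day), patients in sorted(seen.items())
        if len(patients) > threshold
    ]
    return findings, malformed


if __name__ == "__main__":
    found, bad = flag_bulk_access(build_sample_log())
    for user, day, n in found:
        print(f"REVIEW: {user} accessed {n} distinct patient records on {day}")
    if bad:
        print(f"WARNING: {bad} malformed audit line(s); check the log pipeline")
```

The threshold is deliberately a tunable parameter: a billing clerk legitimately handles more charts per day than a treating clinician, so in practice the cutoff is set per role, and a flagged user is reviewed against whether any treatment or payment relationship existed for the records touched. The malformed-line counter matters as much as the findings; a sudden jump in unparseable lines usually means the audit trail itself has been disrupted.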
17 Key Measures for Privacy Compliance, cont’d
5. Risk Analysis and Risk Management Plan
- Risk Analysis: review ePHI; identify threats, vulnerabilities and risks
- Risk Management: implementation of security measures to reduce risks (42 standards)
6. Training
- Initially
- Recurrently
- Certification/Attestation
18 Key Documents
- Policies & Procedures
- Privacy Notice
- Business Associate Agreements
- Risk Management Plans
- Written Communications
All documents to be kept for at least 6 years.
19 Future Outlook
- Adjustment period is over
- Increased enforcement efforts, scrutiny and penalties
- Decreased emphasis on individual culpability and increased emphasis on entity culpability
- Emphasis on technology – cameras, phones
- BUT, the practice of medicine will continue