Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA POST-“HITECH”: Health Information Privacy Enforcement American Osteopathic Association of Medical Informatics November 4, 2009 12:30 to 2:00 pm Ian.

Similar presentations


Presentation on theme: "HIPAA POST-“HITECH”: Health Information Privacy Enforcement American Osteopathic Association of Medical Informatics November 4, 2009 12:30 to 2:00 pm Ian."— Presentation transcript:

1 HIPAA POST-“HITECH”: Health Information Privacy Enforcement American Osteopathic Association of Medical Informatics November 4, :30 to 2:00 pm Ian C. Smith DeWaal, Senior Counsel Criminal Division, Fraud Section United States Department of Justice* * The views expressed during this presentation do not necessarily represent the views of the Department of Justice or of the United States.

2 What I will Cover: What I will Cover: Protected Health Information Privacy Enforcement Pursuant to the Original HIPAA provisions Protected Health Information Privacy Enforcement Pursuant to the Original HIPAA provisions Statutory Changes enacted by the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (Pub. L ) Statutory Changes enacted by the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (Pub. L ) Future Enforcement Future Enforcement Resources Available Resources Available WILL NOT cover all non-enforcement changes WILL NOT cover all non-enforcement changes I – INTRODUCTION

3 Civil Monetary Penalties Enforced by the Secretary of Health and Human Services Civil Monetary Penalties Enforced by the Secretary of Health and Human Services Federal criminal statute enforced by the Attorney General by prosecution through the United States Attorneys or Department of Justice criminal trial attorneys Federal criminal statute enforced by the Attorney General by prosecution through the United States Attorneys or Department of Justice criminal trial attorneys II. Original HIPAA Enforcement

4 III. Review: Civil Monetary Penalties: Pre-HITECH Civil Monetary Penalties established by HIPAA Civil Monetary Penalties established by HIPAA – 42 U.S.C. 1320d-5 Enforced by the Secretary of Health and Human Services Enforced by the Secretary of Health and Human Services Delegated to the HHS Office of Civil Rights. Delegated to the HHS Office of Civil Rights. Website: Website: Enforced only against covered entities Enforced only against covered entities

5 III.Review: Civil Monetary Penalties: Pre-HITECH Violations of HIPAA punished by $100 CMP – maximum of $25,000 per calendar year for violations of an identical provision CMP may not be imposed if: Reasonable cause and not willful neglect (in certain situations can be reduced, instead of waived); and Corrected within 30 days of discovery or the date on which it should have been discovered with the exercise of due diligence. The Secretary could extend the 30 day period based on nature and extent of the failure to comply Under § (b)(2), if covered entity establishes that did not have knowledge of the violation, and by exercising reasonable diligence, would not have known that the violation occurred

6 III. Review: Civil Monetary Penalties: Pre-HITECH Secretary prohibited from imposing CMP if “the act constituted an offense punishable under section 1320d- 6 of this Title” (42 U.S.C. § 1320d-6 – the criminal statute) Secretary prohibited from imposing CMP if “the act constituted an offense punishable under section 1320d- 6 of this Title” (42 U.S.C. § 1320d-6 – the criminal statute) Referral protocol adopted to permit DOJ to review matters that might “constitute an offense.” Referral protocol adopted to permit DOJ to review matters that might “constitute an offense.” Matters not opened as criminal investigations were returned to the Secretary for further administrative action. Matters not opened as criminal investigations were returned to the Secretary for further administrative action. As of 9/30/09, HHS-OCR made over 464 referrals to DOJ since the April 2003 enforcement date As of 9/30/09, HHS-OCR made over 464 referrals to DOJ since the April 2003 enforcement date

7 III. Review: Civil Monetary Penalties: Pre-HITECH HHS-OCR HIPAA Statistics Through 9/30/09 HHS-OCR HIPAA Statistics Through 9/30/09 Investigated and resolved over 9,318 cases by requiring changes in privacy practices and other corrective actions by the covered entities. Investigated and resolved over 9,318 cases by requiring changes in privacy practices and other corrective actions by the covered entities. In 4,680 cases, HHS-OCR investigations found no violation had occurred. In 4,680 cases, HHS-OCR investigations found no violation had occurred. In the remaining completed 26,964 cases, HHS-OCR determined that the complaint did not present an eligible case for enforcement of the Privacy Rule. In the remaining completed 26,964 cases, HHS-OCR determined that the complaint did not present an eligible case for enforcement of the Privacy Rule. Since the compliance date in April 2003, HHS has received over 46,973 HIPAA Privacy complaints and resolved over eighty percent of complaints received (over 40,962): Since the compliance date in April 2003, HHS has received over 46,973 HIPAA Privacy complaints and resolved over eighty percent of complaints received (over 40,962):

8 III. Review: Civil Monetary Penalties: Pre-HITECH A Resolution Agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a Resolution Agreements: A Resolution Agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a Resolution Agreements: Resolution Agreement with Providence Health and Services (7/16/2008) Resolution Agreement with Providence Health and Services (7/16/2008) Resolution Agreement with CVS Pharmacy (1/16/2009) Resolution Agreement with CVS Pharmacy (1/16/2009) examples/index.html examples/index.html examples/index.html examples/index.html

9 IV. Review: Criminal Statute: Pre-HITECH Violations of 42 U.S.C. § 1320d-6 Violations of 42 U.S.C. § 1320d-6 A person who knowingly and in violation of this part: A person who knowingly and in violation of this part: Uses or causes to be used a unique health identifier Uses or causes to be used a unique health identifier Obtains individually identifiable health information relating to an individual Obtains individually identifiable health information relating to an individual Discloses individually identifiable information to another person Discloses individually identifiable information to another person

10 IV. Review: Criminal Statute: Pre-HITECH IV. Review: Criminal Statute: Pre-HITECH Penalties: Penalties: General – Fine of not more than $50,000, Not more than one year imprisonment, or both General – Fine of not more than $50,000, Not more than one year imprisonment, or both Offense committed under false pretenses - Fine of not more than $100,000, not more than five years imprisonment, or both Offense committed under false pretenses - Fine of not more than $100,000, not more than five years imprisonment, or both Offense committed under with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm - Fine of not more than $250,000, not more than ten years imprisonment, or both Offense committed under with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm - Fine of not more than $250,000, not more than ten years imprisonment, or both

11 IV. Review: Criminal Statute: Pre-HITECH DOJ Office of Legal Counsel Opinion (6/1/05) DOJ Office of Legal Counsel Opinion (6/1/05) Construed the HIPAA criminal statute to be directly enforceable only against “covered entities” Construed the HIPAA criminal statute to be directly enforceable only against “covered entities” Health care providers Health care providers Health plans Health plans Health care clearinghouses Health care clearinghouses Observed that legal doctrines of aiding and abetting, conspiracy and corporate criminal liability would also apply Observed that legal doctrines of aiding and abetting, conspiracy and corporate criminal liability would also apply

12 IV. Review: Criminal Statute: Pre-HITECH Approximately 10 HIPAA convictions since April 2003 enforcement date of HIPAA privacy regulations Approximately 10 HIPAA convictions since April 2003 enforcement date of HIPAA privacy regulations Types of cases – Types of cases – Patient credit identity theft Patient credit identity theft Sale of Medicare/Medicaid patient numbers Sale of Medicare/Medicaid patient numbers Identify law enforcement undercover agent Identify law enforcement undercover agent Defendants: Health care workers and outsiders Defendants: Health care workers and outsiders

13 V. HITECH Universal Changes to HIPAA Application of CMPS and HIPAA criminal statute expanded to include “business associates” ARRA § 13404(c) ( Application of CMPS and HIPAA criminal statute expanded to include “business associates” ARRA § 13404(c) (eff. 2/17/2010) § New patient notification requirements ARRA § Notification on the occurrence of certain breaches of protected health information not secured according to standards specified by the Secretary of Health and Human Services (“HHS”) Effective 30 days after publication of interim final regulations. Interim final rules on breach notification were published on August 24, 2009 (74 Fed. Reg ); eff. 9/23/2009.

14 V. HITECH Changes to CMPs ARRA § Increased CMPs NEW Tiered CMPS tied to egregiousness of violation, effective 2/18/09 (Note – rulemaking pending): The person did not know, and by exercising reasonable diligence would not have known, that such person had violated a provision At least $100, not to exceed the amount specified in paragraph D. The violation was due to reasonable cause and not willful neglect At least $1,000, not to exceed the amount specified in paragraph D.

15 V. HITECH Changes to CMPs ARRA § Mandatory CMP for Willful Neglect: Section 1320d-5 is amended by adding new subsection (c) - mandates that the Secretary impose a CMP when a violation of HIPAA is due to willful neglect, though as described previously, the amount of the mandatory penalty for willful neglect can be mitigated by timely correction of the violation. ARRA § Bar to Civil Monetary Penalties when action constitutes a criminal violation narrowed: Current section 1320d-5 (b)(1) which precludes assessment of a civil monetary penalty if an act constitutes an offense under section 1320d-6 is amended to preclude a CMP only if a penalty has been imposed pursuant to section 1320d-6. (Eff. 2/17/2011).

16 V. HITECH Changes to CMPs The violation was due to willful neglect, and WAS CORRECTED as provided, within 30 days of the date on which the person liable for violation, knew, or exercising reasonable diligence would have known that the failure to comply occurred At least $10,000, not to exceed the amount specified in paragraph D. WAS NOT CORRECTED At least $50,000, but the total amount imposed on a person for violation on an identical requirement or prohibition, during a calendar year may not exceed $1,500,000.

17 V. HITECH Changes to CMPs New enforcement power conferred on state Attorneys General (ARRA § 13410(e) State AG may bring a civil action in federal district court, parens patriae, for injunctive relief and to obtain statutory damages for one or more state residents whose interest has been threatened or adversely affected by any person who violates HIPAA. This subsection caps the statutory damages at $100 maximum per violation, and $25,000 maximum for all violations of an identical requirement or prohibition during a calendar year. The court may consider the identical factors enumerated in § 1320d-5 (a), which may be considered by the Secretary in determining the amount of damages to be assessed, and may award costs and reasonable attorneys fees to the successful state Attorney General.

18 V. HITECH Changes to CMPs Prior written notice of an action or if not feasible, immediate notice on commencing an action, must be provided to the HHS Secretary, who will then have the right to intervene, be heard on all matters in the case, and have the right to appeal. If the Secretary has instituted a HIPAA action against a person under subsection (a) with respect to a specific violation of this part, NO State attorney general may bring an action under this subsection against the person with respect to such violation during the pendency of that action. State AG action not permitted if a criminal penalty already has been imposed (eff. 2/17/2011 – before this date, if the conduct was a violation of 42 U.S.C. §1320d-6.

19 V. HITECH Changes: Criminal Statute ARRA § Section Clarification of the definition of “person” added to criminal statute – 42 U.S.C. § 1320d-6 (a) (eff. 2/17/2010) “For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9(b)(3) of this title) and the individual obtained or disclosed obtained or disclosed such information without authorization.”

20 V. HITECH Changes: Criminal Statute Conference Report for ARRA (Pub. L ) ("the Report"), p. 500 stated that: “In July 2005 the Justice Department Office of Legal Counsel (OLC) addressed which persons may be prosecuted under HIPAA and concluded that only a covered entity could be criminally liable.” (sic, apparently referring to the June 1, 2005 OLC opinion) The Report states the amendment to § 1320d-6 “clarifies that criminal penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by a covered entity, whether they are employees or not.” As of 2/17/2010, a violation of HIPAA will be deemed to have occurred when a person, now defined to include an employee of a covered entity or another individual, obtains or discloses protected health information, which was maintained by a covered entity and the individual obtained or disclosed the such information without authorization.

21 VI. Conclusion Congress intended to step up enforcement of health information privacy violations Congress intended to step up enforcement of health information privacy violations HHS will continue to work with covered entities and now, business associates on training, and correction of non-criminal violations HHS will continue to work with covered entities and now, business associates on training, and correction of non-criminal violations When HHS-OCR determines a violation arose from willful neglect, a CMP will be mandatory When HHS-OCR determines a violation arose from willful neglect, a CMP will be mandatory Business associates will subject to new administrative and criminal scrutiny. Business associates will subject to new administrative and criminal scrutiny. Uncorrected, willful violations will invite administrative or criminal sanction Uncorrected, willful violations will invite administrative or criminal sanction Some state Attorneys General may emerge as an additional enforcement resource with respect to CMPs. Some state Attorneys General may emerge as an additional enforcement resource with respect to CMPs.

22 VI. Conclusion Resources: Resources: Ian C. Smith DeWaal, Senior Counsel Ian C. Smith DeWaal, Senior Counsel Criminal Division, Fraud Section or (202) HHS Office of Civil Rights HHS Office of Civil Rights “If you don't find the information you were seeking, you may submit an to Unfortunately, we do not provide individual responses to all of the questions received. However, in some situations we may be able to forward your questions to an appropriate person or agency.” “If you don't find the information you were seeking, you may submit an to Unfortunately, we do not provide individual responses to all of the questions received. However, in some situations we may be able to forward your questions to an appropriate person or Address inquiries to the OCR Regional Manager. Address inquiries to the OCR Regional Manager. Contact the OCR regional office for your State or Territory, or the headquarters office for further information: Contact the OCR regional office for your State or Territory, or the headquarters office for further information:

23 VII. Questions?


Download ppt "HIPAA POST-“HITECH”: Health Information Privacy Enforcement American Osteopathic Association of Medical Informatics November 4, 2009 12:30 to 2:00 pm Ian."

Similar presentations


Ads by Google