
TODAY’S ENFORCEMENT HIPAA PRIVACY AND SECURITY STATUTES ARMIN J. MOELLER, JR. BALCH & BINGHAM LLP 601-965-8156 masi.





2 TODAY’S ENFORCEMENT HIPAA PRIVACY AND SECURITY STATUTES ARMIN J. MOELLER, JR. BALCH & BINGHAM LLP masi

3 TODAY’S HIPAA ENFORCEMENT – WHAT’S CHANGED?
– Increased Enforcement
– Substantial Civil Monetary Penalties (“CMPs”) and Corrective Action Plans (“CAPs”)

4 HIPAA PRIVACY RULES
– Limits Circumstances by Which Individual’s PHI May be Used/Disclosed by Covered Entities (“CEs”)
– PHI Permitted Use/Disclosure without Patient Authorization for Treatment, Payment or Healthcare Operations
– May Use/Disclose PHI Only With Patient Authorization
– Exceptions – Public Health, Judicial, Law Enforcement, Certain Specialized Purposes

5 HIPAA PRIVACY RULES - Continued
Privacy Rule - Additional Obligations
– Accounting for Certain Disclosures
– Disclose Only Minimum Information Necessary
– Provide Notice of Privacy Practices
– Individual’s Rights to Review/Obtain Copies of PHI
– Must Safeguard Protected Health Information from Inappropriate Use/Disclosure
– Individuals Have Right to Request Changes to Inaccurate/Incomplete PHI
– Maintain Administrative, Technical, Physical Safeguards to Prevent Improper Use/Disclosure of PHI

6 BUSINESS ASSOCIATES (“BAs”)
– Anyone that Performs, or Assists in Performance of, an Activity Involving Use/Disclosure of PHI on Behalf of CE
– Examples – Claims Processing, Data Analysis, Utilization Review, Quality Assurance, Billing, Benefit Management, Practice Management, Pricing
– Other BAs – Persons Performing Legal, Actuarial, Accounting, Consulting, Data Aggregation, Management, Administration, Accreditation or Financial Services if Involves Disclosure of PHI from Covered Entity
– Must Maintain PHI Confidentiality as Required by Service Agreement
– Violations – Covered Entity Must Terminate Relationship or Report Problem to HHS

7 SECURITY RULE (“SR”)
– Applies to PHI in Electronic Form (“EPHI”)
– Requires CE to Maintain Administrative, Technical and Physical Safeguards to Ensure Confidentiality/Integrity/Availability of All EPHI the CE Creates, Receives, Maintains or Transmits
– CEs Must Enter into an Agreement with BAs Who Create, Receive, Maintain or Transmit EPHI
– BA Must Provide Same Safeguards to Protect EPHI
– CE Not Liable for Violations of SR by BA Unless CE Knew BA Engaged in Activity that Violated HIPAA SR and CE Took No Action

8 ENFORCEMENT HISTORY
– DOJ Had Authority to Impose CMPs and Criminal Sanctions
– HHS Did Not Enforce Privacy or Security Rule Until 2008
– HHS – OIG in 2008 Concluded CMS Had Not Provided Effective Oversight/Enforcement of SR by CEs
– Prevailing View – “All Bark and No Bite” – Does Not Justify Compliance Expenses

9 RECENT DEVELOPMENTS
– HHS Office of Civil Rights (“OCR”) Imposed CMPs Totaling $4.35MM on Cignet Health of Prince George’s County, Maryland
– Settled with Massachusetts General Hospital (“Mass General”) for PR Violations – $1MM
– University of California Los Angeles Health System (“UCLAHS”) – Potential PR and SR Violations – $865,000
– HHS OIG Began to Incorporate New Advanced Electronic/Data Mining Technologies to Uncover Waste, Fraud, Violations in Federal Healthcare Programs and Ensure Regulatory Compliance
– Data Analytics to Conduct Risk Assessment, Pinpoint Oversight Efforts
– Reduce Time/Resources Required for Audits, Investigations and Program Integrity Activities

10 HHS POLICY CHANGES
– HHS Secretary Delegates PR Enforcement to OCR
– April 14, 2003 – PR Compliance Mandatory for Most Covered Entities
– Next 5 Years – No Penalties/Settlement for PR Violations
– HHS Secretary Delegates Authority to Enforce SR to CMS
– March 2006 – HIPAA Enforcement Rules Implemented – No SR Compliance Actions
– 2009 Congress/HITECH Expands Enforcement/Penalties
– HHS Reassigns Enforcement to OCR

11 HHS’ POLICY CHANGES - Continued
Enforcement/Settlement Activities
– July 18, HHS Resolution Agreement with Providence Health and Services (“Providence”) – PR/SR Violations, Loss of Electronic Backup Media/Laptop Computers Containing PHI – Providence Pays HHS $100,000 and Implements CAP
– January 16, 2009 – $2.25 MM Resolution Agreement/CAP with CVS Pharmacy, Inc. (“CVS”) – Unsecured Disposal of Pharmacy Customers’ PHI
– July 27, 2009 – HHS Strips CMS of SR Enforcement and Delegates to OCR

12 HITECH LEGISLATIVE CHANGES
– Expands Certain Provisions in PR and SR Rules to Business Associates
– Subjects BAs to Civil/Criminal Liability for Violations
– Establishes New Limits on Use of PHI for Marketing/Fund Raising Purposes
– Provides New Enforcement Authority for State Attorneys General to Bring Suit in Federal District Court to Enforce HIPAA Violations
– Increases Civil/Criminal Penalties for HIPAA Violations

13 HITECH LEGISLATIVE CHANGES - Continued
– Requires CEs/BAs to Notify Public or HHS of Data Breaches
– Changes Use/Disclosure Rules for PHI
– Expands Certain Individual Rights
– Mandates CEs Report to OCR Breaches of Unsecured PHI
– Mandatory Notifications without Immunity/Reduced Penalties for Reporting

14 STATE ATTORNEYS GENERAL AUTHORITY
– Civil Actions Against HIPAA Privacy/Security Violators
– Damages Up to $100 per Violation, Up to $25,000 for All Violations of Identical Requirement During Calendar Year
– Compliance Audits – HITECH Requires HHS to Perform Periodic Audits to Ensure CE and BA Compliance with PR and SR

15 ENHANCED HIPAA PRIVACY/SECURITY ENFORCEMENT ACTIVITIES
– Cignet – Breached PR by Failing to Provide 41 Individuals Timely Access to Medical Records, Failing to Cooperate in Investigation, and Not Correcting Violations within 30 Days; Finding of Willful Neglect Not Corrected Within 30 Days
– Mass General – Removal/Loss of PHI on Subway by Mass General Employee; PHI for a Total of 258 Patients, Including Patients with HIV/AIDS; $1MM Penalty plus 3-Year CAP

16 CURRENT CAPs
– Similar to Corporate Integrity Agreements Entered Into By OIG
– Imposes Corrective Action Obligations That Reflect Federal Sentencing Guidelines/OIG Compliance Guidance Documents
– Mass General CAP
  – Develop, Distribute, Update Policies/Procedures Targeted at Alleged Violation/Rate of Activities
  – Train Personnel on Policies/Procedures in Response to Violation
  – Monitor/Audit Performance of New Policy/Procedures
  – Provide Reports to OCR Regarding Performance

17 CURRENT CAPs - Continued
– UCLAHS CAP
  – Potential Violations of PR/SR
  – $865,500 CMP
  – CAP to Remedy Gap in Compliance
  – Arose From Incidents Involving Celebrity Patients/Complaints – Employees Accessed PHI
  – CAP Requires Implementing PR/SR Policies Approved by OCR
  – Conduct Regular Employee Training
  – Sanction Offending Employees
  – Independent Monitor to Assess Compliance for 3 Years

18 HHS – OIG Enhanced Technologies/Enforcement Efforts
Fraud
– Information Technologies/Analytics to Uncover Fraud/Target Oversight Efforts
– Data Mining/Trend Evaluations/Modeling – Enterprise View of Questionable Activities/Suspected Fraud Trends
– New Data Storage/Computer Matching/Data Analytic Capabilities to Analyze Hospital Data for Multiple Compliance Risks
– Auditing Process Reduced from Weeks/Months to 20 Minutes per Hospital
Healthcare Fraud Prevention and Enforcement Action Team (“HEAT”)
– High-Level Law Enforcement from DOJ and HHS
– Enforce Anti-Fraud and Other Compliance Obligations
– Began in March 2007 – Operates in 7 Major Cities

19 HHS – OIG Enhanced Technologies/Enforcement Efforts - Continued
FY 2010
– 140 Indictments Filed Against 284 Defendants that Billed Medicare $590 MM
– 217 Guilty Pleas Negotiated
– 29 Jury Trials with Guilty Verdicts Against 23 Defendants
– 146 Defendants Sentenced/Average More than 40 Months
– Data Driven/Data Analytics Approach Increasingly Effective

20 CONCLUSION It’s Not the Passive HHS Enforcement Efforts Any More!

21 THANK YOU Armin J. Moeller, Jr. Balch & Bingham, LLP




