HIPAA plus HITECH: Where are we now?
Ann Bittinger, Board Certified Health Law Attorney
The Bittinger Law Firm (www.bittingerlaw.com)
Sutton Park Drive South, Suite 201, Jacksonville, FL (904)
NEFHIMA, March 12, 2010
History
- Congress enacted the Health Insurance Portability and Accountability Act in
- Goals:
  - Access to health insurance (portability)
  - Protecting privacy of health information
  - Promoting the standardization of health claims/efficiency
- Privacy Regulations: First proposed November 3, 1999; finalized April 14, 2002 for most entities, with enforcement to start April 14, 2003.
History
- Security Rule
- Proposed August 12, 1998
- Final Rule issued on February 20, 2008, taking effect April 21, 2003, with a compliance date of April 21,
- Tweaks thereafter.
HITECH
- Changes to HIPAA
- Part of the American Recovery and Reinvestment Act of 2007 (ARRA)
- “Health Information Technology for Economic and Clinical Health Act”
- $36 billion for HIT and HIE
HITECH
- Creates a private right of action. Individuals can now sue for HIPAA breaches through state Attorneys General (2/19/09)
- Portion of penalties go back to individual
- Breach reporting is now required
- Applies many of the HIPAA privacy and security requirements DIRECTLY to Business Associates
Penalties – pre-HITECH
- Civil
  - $100 per violation
  - Annual cap of $25,000 for all violations of a single requirement or prohibition
- Criminal
  - Wrongful disclosure: up to $5,000 and/or 1 year in jail
  - False pretenses: up to $100,000 and/or 5 years in jail
  - For profit/with malice: up to $250,000 and/or 10 years in jail
Penalties after HITECH
- May permit criminal prosecution of individuals for knowing HIPAA violations
- Civil penalties: max of $1.5M for each type
  - If the entity did not know violation occurred and by “exercising reasonable due diligence would not have known”: $100/violation to $25K for identical in CY
  - If “reasonable cause and not to willful neglect”: $1000/violation to $100K for identical in CY
  - If due to “willful neglect”:
    - $10K/violation (for violations corrected in 30 days): $250K CY
    - $50K/violation (if not corrected in 30 days); $1.5M CY
HITECH expanded enforcement
- As of 2/17/11:
  - Secretary MUST formally investigate a complaint if the preliminary investigation shows possibility of violation due to willful neglect
  - Secretary also MUST impose monetary penalty for violations due to willful neglect
- Expect regs on this by 8/17/10
Criminal proceedings
- “Seattle Man Pleads Guilty in First Ever Conviction for HIPAA Rules Violation,” August 19,
- Richard Gibson, an employee at the Seattle Cancer Care Alliance, got cancer patient’s name, DOB, and SSN and got credit cards in patients’ names.
- $9,000 for jewelry, home improvements, etc.
- Got maximum sentence: 16 months prison.
Criminal proceedings
- “Nurse Pleads Guilty to Privacy Violation,” April 17,
- Andrea Smith, LPN
- Pleaded guilty to wrongfully disclosing a patient’s health information for personal gain (E.D. Arkansas).
- Accessed the PHI of an unnamed patient while employed at the Northeast Arkansas Clinic in Jonesboro.
- Gave the info to her husband, who called the patient and threatened to use the information against the patient in an “upcoming legal proceeding.”
- Conspiracy; malice: faces 10 years imprisonment and fine of $250,000.
Complaints
- Privacy:
  - As of June 15, 2003: 637 privacy complaints. 2 months after effective date.
  - By April 2008: 34,771 complaints.
  - 27,796 were resolved (80%).
  - No violations in 2,952 of the resolved
  - Changes required in 5,971.
  - Remaining 18,873: out of jurisdiction, untimely, withdrawn or didn’t violate the law
Complaints
- Security:
  - December 2007, CMS had received a total of 283 security complaints
  - Closed 191.
  - The majority of security complaints are allegations of "inappropriate access and risk of inappropriate disclosure."
Enforcement data
Recent developments
- January 2010: Health Net of Connecticut
- May 2009 loss of hard drive with info on 450,000, including names, addresses, bank account numbers and SSNs
- Health Net offered 2 years free credit monitoring, $1 million in identity theft insurance
- No evidence of a single instance of ID theft
- Nonetheless: CT AG sued Health Net under HITECH
- Seeks fines and requirement that Health Net encrypt any PHI on portable media
Great resource
- New CMS Compliance Reviews and Checklist for HIPAA Security – 2/2008
- Sample audit checklist on CMS website
- Compliance and Enforcement Case Examples
Privacy Compliance and Enforcement
Example 1: “A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors that were not business associates. Among other corrective actions to resolve the specific issues in the case, OCR required that the agency develop procedures for properly disclosing protected health information only to its valid business associates and to train its staff on the new processes.”
Business Associates
- If an entity that is not a covered entity is doing something “on behalf of” you, and is not treatment, you need a BA Agreement with them.
- Applies to payment and health care operations
- Examples:
  - Consultants to assist with audits
  - Lawyers to assist with lawsuits; claims; collections
  - Data processing
  - Claims processing
  - Accreditation
  - Accounting
Privacy Plan
- Must have in place a plan to address HIPAA Privacy
- Nothing mandated: typically address privacy rights, oral communications, the method of handing out and tracking the Notice, document retention
- Training
- Designated Privacy Officer
Notice of Privacy Practices
- Must give to all patients at first date of service
- Explains the uses and disclosures of PHI at the entity
- Must contain certain language
Authorization
- Use when:
  - not treatment, payment or health care operations
  - not to a BA; and
  - no other exception applies.
- Patient signs; must be “plain language”
- Must have certain language
- Cannot condition treatment on signing
- Must inform patients of their rights
Privacy Compliance and Enforcement
Example 2: At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures.
Individual Rights
- Access:
  - General rule: right to access
  - Must act within 30 days
  - Certain grounds for denial, which are reviewable
Privacy Compliance and Enforcement
Example 2.5: A private practice denied an individual access to his records on the basis that a portion of the individual’s record was created by a physician not associated with the practice…no similar provision limits individuals’ rights to access their protected health information. Among other steps to resolve the specific issues, OCR required the practice to revise its access policy to affirm that “patients have access to their record regardless of whether another entity created information contained within it.”
Privacy Compliance and Enforcement
Example #3: An outpatient surgical facility disclosed a patient’s PHI to a research entity for recruitment purposes without the patient’s authorization or an IRB or privacy-board approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. OCR required the facility to revise its written policies and procedures regarding disclosures of PHI for research recruitment purposes to require valid written authorizations; retain staff; log the disclosure of patient’s PHI.
Accounting/Log
- Individuals have a right to a list of disclosures made in the six years prior to the request (but not before the implementation date).
- Exceptions:
  - To the patient
  - Incidentals
  - Authorized disclosures (signed authorization)
  - National security
- Releases to BAs have to be tracked
- Content: date, name of recipient and address, description of info and purpose of disclosure
- Must act within 30 days.
Research
- Research/HIPAA booklet on NIH site:
- De-identification: very difficult
- Authorization (can be in the Informed Consent Document) allows a covered entity to use or disclose the individual's PHI for the purposes, and to the recipient or recipients, as stated in the Authorization.
- Must be for specific research, not to nonspecific research or to future, unspecified projects.
- Data bases.
Privacy Compliance and Enforcement
A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the PHI of one of its patients. Contrary to the privacy rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to ensure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order…. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained.
Breach
- HITECH: first federal law mandating breach notification
- Florida does not have such a law; 45 do
- Applies to covered entities, business associates, PHR vendors and PHR service providers
Breach
- Notification required upon “discovery” of a “breach” of “unsecured PHI”
- “Breach” defined as unauthorized acquisition, access, use or disclosure of unsecured PHI which compromises the security or privacy of such information
- “Compromises” means creates a “significant risk of financial, reputational or other harm to the individual”
- Requires risk assessment: fact-specific analysis (consider nature of information, recipient, mitigation) to determine if significant harm exists.
Example of breach
- January 2010: BCBS of Tennessee
- October 2, 2009: alarm at offsite facility storing hard drives
- Investigation 3 days later reveals 57 missing hard drives containing audio copies of phone calls and video screen images
- BCBS notified 220,000; up to 500,000 may be affected
- Spent over $7 million to date
- Has to notify AGs in 32 states.
Questions?
Ann Bittinger, Board Certified Health Law Attorney
The Bittinger Law Firm
Sutton Park Drive South, Suite 201, Jacksonville, FL (904)