Presentation transcript: October 16, 2013. Jeanne M. Born, RN, JD (firstname.lastname@example.org), Nexsen Pruet, LLC
Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
American Recovery and Reinvestment Act of 2009: Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”); Subtitle D – Privacy
New HITECH Implementing Regulations: 78 F.R. 5566 (“HITECH Final Rule”), published January 25, 2013; effective March 26, 2013; enforcement begins September 23, 2013
HITECH Final Rule also implements changes necessary in the Patient Safety & Quality Improvement Act (“PSQIA”) and the Genetic Information Nondiscrimination Act (“GINA”)
HITECH makes multiple changes in the existing HIPAA Statutes, Privacy Standards and Security Standards that directly affect covered entities, business associates and others. This presentation is intended to be a high-level overview of the most critical, but not all, of the changes in HITECH and the HITECH Final Rule, along with some compliance best practices.
HITECH Act Definitions: Generally, all definitions are the same as under prior law with the exception of the terms further described in this presentation.
HITECH Final Rule provides more definitions, including definitions in HITECH, PSQIA & GINA.
Abbreviations used in this presentation:
◦ Covered Entity: CE
◦ Business Associate: BA
◦ Business Associate Agreement: BAA
◦ Individually Identifiable Health Information: IIHI
◦ Protected Health Information: PHI
◦ Civil Money Penalty: CMP
◦ Notice of Privacy Practices: NPP
◦ Electronic Health Record: EHR
◦ Personal Health Record: PHR
Business Associate: Updated to include:
◦ Patient Safety Organizations (“PSOs”);
◦ Subcontractors (a person to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA);
◦ Health Information Organizations (“HIOs”);
◦ E-Prescribing Gateways;
◦ Vendors of PHRs; and
◦ Other persons that facilitate data transmissions (conduits limited to courier services (ex: USPS; UPS) & their electronic equivalents (ex: ISPs));
◦ Exceptions moved from 164.308(b)(2) & 164.502(e)(1)(ii).
HITECH Act provided that certain Security Standards provisions apply to BAs in the same manner as CEs:
◦ 45 CFR §164.308 – Administrative Safeguards
◦ 45 CFR §164.310 – Physical Safeguards
◦ 45 CFR §164.312 – Technical Safeguards
◦ 45 CFR §164.316 – Policies and procedures and documentation requirements
◦ “The additional requirements of HITECH that relate to security and that are made applicable with respect to CEs shall also be applicable to BAs,” and shall be incorporated into the BA Agreement (“BAA”) between the BA and the CE.
The HITECH Final Rule added:
◦ References to BAs throughout the Security Rule (§§ administrative safeguards; physical safeguards; technical safeguards);
◦ BAs must also comply with §164.314, which requires the BA to enter into BAAs with Subcontractors (those who create, receive, maintain, or transmit E-PHI on behalf of a BA). The BAA between a BA and a Subcontractor must require that the Subcontractor:
  Agree to comply with provisions of the Security Standard that apply to BAs;
  Require any subsequent Subcontractors to comply with provisions of the Security Standard that apply to BAs; and
  Report Security Incidents and Breaches of Unsecured PHI to the CE.
(a) Provides that the following Privacy Standards provisions apply directly to BAs:
◦ 45 C.F.R. §§ 164.502(e) and 164.504(e) (Re: BAAs)
◦ “The additional provisions in HITECH that relate to privacy that apply to CEs also apply to BAs” (See next slide).
(b) Provides that a BA must take steps to cure a breach of the BAA by the CE, terminate the BAA, or report to DHHS if the CE violates the BAA (“Snitch provision”).
Provides that if a BA violates (a) or (b), then the BA is subject to the HIPAA Statutory civil and criminal penalties (42 U.S.C. §§1320d-5 & 1320d-6).
◦ Later...
Clarifies: To the extent the BA carries out an obligation under the Privacy Standards on CE’s behalf, BA shall specifically comply with the applicable Privacy Standard(s) in the performance of such obligation.
Need to amend your BAAs in accord with the transition provisions.
A CE, or a BA of the CE with respect to a Subcontractor, is deemed to be in compliance with the documentation and contract requirements of §§ 164.308(b), 164.314(a), 164.502(e) and 164.504(e) with respect to a particular BA relationship for the time period set forth below if:
◦ Prior to January 25, 2013, the CE (or the BA with respect to a Subcontractor) has entered into and is operating pursuant to a written contract or other written arrangement with the BA that complies with the applicable provisions of §§ 164.314(a) or 164.502(e) that were in effect on such date; and
◦ The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013 or September 23, 2014.
If neither Section above applies, then the CE (or the BA with respect to a Subcontractor) must enter into a BAA that complies with the HITECH Final Rule. On September 23, 2014, all BAAs must comply with all provisions of the HITECH Final Rule.
A CE that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured protected health information shall, in the case of a breach, notify the individual whose unsecured protected health information has been or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach. BAs shall notify the CE of such breaches. The HITECH Final Rule includes similar language.
“Breach’’ means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Standards which compromises the security or privacy of such information...
“Breach” does not include:
◦ Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Standards;
◦ Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA or OHCA in which the CE participates, where the PHI received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Standards; and
◦ A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
The interim rule added a “harm” standard by defining “compromises the security or privacy of [protected health] information” as follows:
◦ Posed a significant risk of financial, reputational or other harm to the individual.
Senator Waxman did not like this change and informed Secretary Sebelius by letter dated October 1, 2009. The HITECH Final Rule significantly modified the meaning of “compromises the security and privacy of PHI”.
Depends upon a risk assessment of four factors:
◦ The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
◦ The unauthorized person who used the PHI or to whom the disclosure was made;
◦ Whether the PHI was actually acquired or viewed; and
◦ The extent to which the risk to the PHI has been mitigated.
If after the consideration of each of the foregoing factors the CE has determined that there is a low probability that the privacy or security of the PHI has been compromised, then no breach notification is required.
Unsecured Protected Health Information (“Unsecured PHI”): PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized persons and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute. Guidance published April 17, 2009.
The technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals are:
◦ Electronic PHI that has been encrypted:
  Data at rest – NIST Special Publication 800-111
  Data in motion – FIPS 140-2 (includes NIST Special Publications 800-52, 800-77 or 800-113)
◦ Media on which PHI is stored or recorded has been destroyed:
  Paper, film or hard copy: shredded or destroyed such that it cannot be reconstructed
  Electronic media: cleared or purged consistent with NIST Special Publication 800-88
◦ FIPS: www.itl.nist.gov/fipspubs/index.htm
◦ NIST: www.nist.gov/
A breach is discovered by a CE on the first day the breach is known or, by exercising reasonable diligence, would have been known by the CE.
A breach is discovered by a BA on the first day the breach is known or, by exercising reasonable diligence, would have been known by the BA.
A BA or Subcontractor is required to report the breach to the CE in accordance with the terms of the BAA.
Clarified in the HITECH Final Rule: A CE will be deemed to have discovered a breach on the first day the breach was discovered by a BA only if the BA is acting as an agent of the CE.
Whether a BA is an agent of the CE is determined by the application of the federal common law of agency. Although there are multiple factors, DHHS found these four (4) to be most important in a “facts and circumstances” test:
(1) The time, place, and purpose of a BA agent's conduct;
(2) Whether a BA agent engaged in a course of conduct subject to a CE's control (manner and means by which the product is accomplished);
(3) Whether a BA agent's conduct is commonly done by a BA to accomplish the service performed on behalf of a CE; and
(4) Whether or not the CE reasonably expected that a BA agent would engage in the conduct in question.
Notice must be made within 60 days of when the CE knows or should have reasonably known of the breach.
Individuals: notice is provided in writing by first class mail, or by e-mail if the individual provided a preference. If contact information is out of date (including 10 or more such individuals), post a toll-free number on the CE’s website where individuals can learn if their unsecured PHI has been breached.
Regulations add provisions for Personal Representatives of deceased individuals and for when contact information is insufficient or out of date:
◦ Fewer than 10: alternative form of written notice, telephone or other means
◦ 10 or greater: conspicuous posting for 90 days on the CE’s webpage or in major broadcast media AND contact information
If notification is urgent because of possible misuse, the CE may telephone the individual(s).
If 500 or more individuals are involved, notice must be provided to prominent media outlets.
Notice must be provided to the Secretary of DHHS:
◦ If 500 or more individuals are involved, this notice must be given immediately.
◦ If fewer than 500, the CE may keep a log and disclose it to the Secretary annually.
The Secretary of DHHS will post the identities of the CEs involved in breaches where more than 500 individuals are involved.
Notification to the Secretary:
Breach notification webpage: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
Guidance for notifying the Secretary of breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
◦ Submit Notice of a Breach Affecting 500 or More Individuals
◦ Submit Notice of a Breach Affecting Fewer than 500 Individuals
Notification of Breach – content of notice to the individual:
◦ Brief description of what happened (include date of breach and date of discovery)
◦ A description of the types of Unsecured PHI involved in the breach
◦ The steps that individuals should take to protect themselves from potential harm
◦ A brief description of what the CE is doing to investigate, mitigate losses and protect against further breaches
◦ Contact information (toll-free telephone number, an e-mail address, web site, or postal address)
Notification of Breach – notice can be delayed if necessary if law enforcement determines that notice:
◦ Would impede a criminal investigation; or
◦ Cause damage to national security.
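The breach-notification logic on the preceding slides (safe harbor for PHI encrypted or destroyed per the NIST guidance, the four-factor risk assessment, the 60-day clock, the under/over-10 substitute-notice split, the 500-individual media and Secretary thresholds, and the law-enforcement delay) can be turned into a repeatable decision checklist. The helper below is an added example written for this transcript; it is not from the presentation or from Nexsen Pruet. The `Incident` record, its field names, and the `notification_plan` function are assumptions for illustration, and the incidents in the demo are constructed.

```python
# Added example: breach-notification decision helper encoding the HITECH Final Rule
# logic summarised in the slides. Field and function names are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_DEADLINE_DAYS = 60           # individual notice no later than 60 days after discovery
MEDIA_THRESHOLD = 500               # >= 500 individuals: prominent media + immediate Secretary notice
SUBSTITUTE_POSTING_THRESHOLD = 10   # >= 10 stale contacts: 90-day web/media posting + toll-free number


@dataclass
class Incident:
    discovered: date                  # first day known, or would have been known with reasonable diligence
    individuals: int                  # number of individuals whose PHI was involved
    stale_contacts: int = 0           # individuals whose contact information is insufficient or out of date
    encrypted_per_nist: bool = False  # at rest per NIST SP 800-111 / in motion per FIPS 140-2
    destroyed_per_800_88: bool = False  # media cleared/purged per NIST SP 800-88, or paper shredded
    statutory_exception: bool = False   # one of the three "breach does not include" cases applies
    low_probability_of_compromise: bool = False  # documented outcome of the four-factor risk assessment
    law_enforcement_delay: bool = False  # law enforcement requested delay (investigation / national security)


def incident_from_record(record: dict) -> Incident:
    """Build an Incident from a plain dict (e.g. a row from an incident register); dates are ISO strings."""
    fields = dict(record)
    fields["discovered"] = date.fromisoformat(fields["discovered"])
    return Incident(**fields)


def is_unsecured_phi(inc: Incident) -> bool:
    """PHI rendered unusable/unreadable/indecipherable by the HHS guidance methods is not 'unsecured PHI'."""
    return not (inc.encrypted_per_nist or inc.destroyed_per_800_88)


def notification_required(inc: Incident) -> bool:
    """Notification applies only to unsecured PHI, outside the statutory exceptions,
    and only when the four-factor assessment did not show a low probability of compromise."""
    if not is_unsecured_phi(inc):
        return False
    if inc.statutory_exception:
        return False
    return not inc.low_probability_of_compromise


def notification_plan(inc: Incident) -> dict:
    """Return which notices are owed and by when; an empty plan (required=False) means document the
    risk assessment or safe-harbor basis and stop."""
    plan = {"required": notification_required(inc)}
    if not plan["required"]:
        return plan
    plan["individual_notice_deadline"] = inc.discovered + timedelta(days=NOTICE_DEADLINE_DAYS)
    if inc.stale_contacts == 0:
        plan["substitute_notice"] = "none"
    elif inc.stale_contacts < SUBSTITUTE_POSTING_THRESHOLD:
        plan["substitute_notice"] = "alternative written notice, telephone or other means"
    else:
        plan["substitute_notice"] = "conspicuous 90-day web or major media posting plus toll-free number"
    large = inc.individuals >= MEDIA_THRESHOLD
    plan["media_notice"] = large
    plan["secretary_notice"] = "immediate" if large else "annual log"
    plan["delayed_for_law_enforcement"] = inc.law_enforcement_delay
    return plan


if __name__ == "__main__":
    # Constructed incidents for demonstration; not real events.
    demo = [
        {"discovered": "2013-10-01", "individuals": 2000, "encrypted_per_nist": True},   # lost encrypted laptop
        {"discovered": "2013-10-01", "individuals": 600, "stale_contacts": 12},          # mailed list exposed
        {"discovered": "2013-10-01", "individuals": 30, "stale_contacts": 3},            # misdirected fax
    ]
    for rec in demo:
        print(rec, "->", notification_plan(incident_from_record(rec)))
```

The flags `statutory_exception` and `low_probability_of_compromise` are deliberately inputs rather than computed: both are judgement calls that must be documented by the privacy officer, and the helper's job is only to make sure the downstream notices and deadlines follow mechanically once those determinations are recorded.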
State law compliance:
◦ NC GS § 75-65
◦ S.C. Code Ann. § 39-1-90
Modify your Notification of Breach Policy to also cover your obligations under State law.
Provides that a CE must comply with a request to restrict the use or disclosure of PHI to a health plan or a BA of a health plan (45 C.F.R. §164.522(a)(1)(i)(A)) if the patient pays out of pocket in full.
Upshot:
◦ Amend your HIPAA policies and procedures and NPP to add this requirement, and flag your PHI if such a restriction is requested.
◦ Get the request IN WRITING.
◦ Counsel your patients:
  Medicare patients: obtain the refusal to allow filing the claim with Medicare in writing;
  Billing the health plan if the patient does not pay in full.
A CE will be in compliance with the minimum necessary standard if the CE uses, discloses or requests only a limited data set (45 C.F.R. §164.514(e)(2)); if the limited data set is not sufficient, then only the minimum necessary PHI to accomplish the purpose may be disclosed. DHHS was to publish guidance on what constitutes “minimum necessary” within 18 months of February 17, 2009, the publication of HITECH (for now, the CE or BA determines what is the minimum necessary). This provision goes away after the guidance is published. Still waiting! Referenced in the Final Rule, which solicited public comment. Stay tuned!
Electronic Health Record (“EHR”): means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
If a CE maintains an EHR with respect to PHI, then the accounting of disclosures includes disclosures for treatment, payment and health care operations (“TPO”), but the accounting may be requested for only the prior three (3) years. DHHS will promulgate regulations within 6 months after the date on which DHHS adopts standards on accounting for disclosures. Under HITECH 3002(b)(2)(B)(iv), the HIT Policy Committee shall make recommendations on technologies that, as a part of a qualified EHR, allow for an accounting of disclosures made by a CE for purposes of TPO. Still waiting!
In processing a request for an accounting, the CE may elect to provide the individual:
◦ An accounting of disclosures of the CE and its BAs; or
◦ An accounting of disclosures of the CE and a list of BAs, with contact information, that the individual can contact.
No revisions in the HITECH Final Rule.
Effective dates:
◦ If a CE acquired an EHR as of 01/01/09, then 13405(c) applies effective 01/01/14.
◦ If a CE acquired an EHR after 01/01/09, 13405(c) is effective the later of 01/01/11 or the date on which the CE acquires it.
BUT: The HIT Policy Committee has not yet made recommendations as to technologies that, as a part of a qualified EHR, allow for an accounting of disclosures made by a CE for purposes of TPO.
A CE or BA shall NOT directly or indirectly receive remuneration in exchange for any PHI of an individual unless the CE obtains a valid HIPAA authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the receiver. The prohibition does not apply to the following disclosures:
◦ Public health activities (45 C.F.R. §164.512(b));
◦ Research purposes (45 C.F.R. §164.512(i)) if the price charged reflects the cost of preparation and transmittal of the data;
◦ Treatment and payment;
◦ Due diligence disclosures in connection with the sale or transfer of assets of a potential successor in interest;
◦ Disclosures to the BA;
◦ Access by the individual subject of the PHI;
◦ Disclosures Required by Law;
◦ As otherwise determined by DHHS.
Sale of PHI means when the CE or BA directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI, EXCEPT disclosures [modified as follows]:
◦ To or by a BA for activities that the BA undertakes on behalf of a CE, or on behalf of a BA in the case of a Subcontractor, and the only remuneration provided is by the CE to the BA or by the BA to the Subcontractor for the performance of such activities;
◦ To an individual when requested for access or accounting of disclosures;
◦ For any other purpose permitted by and in accordance with the applicable requirements of the Privacy Standards, where the only remuneration received by the CE or BA is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law.
Any Sale of EHRs or PHI requires an Authorization. The authorization must:
◦ Comply with the elements and required statements under §164.508;
◦ State that the sale of PHI will result in remuneration, and include a specification of whether the PHI can be further exchanged for remuneration by the receiver;
◦ Be provided in copy to the individual.
In applying the Privacy Standards access provisions, an individual has the right to obtain information in electronic format and direct the CE to provide it directly to an entity or person identified by the individual, provided the choice is clear, conspicuous and specific.
◦ The individual has the right to request a copy of his/her PHI in electronic format if it is readily producible, or if not, in a hard copy form or in a readable electronic form and format as agreed to by the CE and the individual.
◦ If the PHI requested is kept electronically, then the CE must provide the individual with access in the form and format requested by the individual, if it is readily producible in such form and format, or if not, in a readable electronic form and format as agreed to by the CE and the individual.
Require all requests for access to be in writing. Inform the patient that you are not responsible for the privacy or security of the PHI once you disclose it. Be very careful with access requests to e-mail addresses.
Any fee charged by the CE for such access cannot be greater than the CE’s actual labor cost:
◦ Cannot make a “profit”
S.C. Code Ann. § 44-7-325:
◦ 65¢ per page for the first 30 pages and 50¢ per page thereafter for paper copies; plus
◦ A $15.00 administrative fee representing labor cost; plus
◦ The actual first class postage for mailing via the U.S. Postal Service, if mailing requested.
N.C. Gen. Stat. 90-411:
◦ 75¢ per page for the first 25 pages, 50¢ per page for pages 26 through 100, and 25¢ for each page in excess of 100 pages, provided that the health care provider may impose a minimum fee of up to $10.00, inclusive of copying costs.
◦ Reasonable professional fee for review and preparation of a summary.
Retention and copying provisions are at the following website: http://www.ncmedboard.org/position_statements/detail/retention_of_medical_records
Generally, a communication by a CE or BA that is about a product or service and that encourages recipients of the communication to purchase or use the product or service is marketing and prohibited unless you obtain an authorization. Does not include:
◦ Face-to-face communications (even if the CE or BA receives financial remuneration); and
◦ Promotional gifts of nominal value provided by the CE.
Marketing also does not include providing refill reminders or otherwise communicating about a drug or biologic that is currently being prescribed for the patient, but only if any financial remuneration received by such CE in exchange for making the communication is reasonably related to the CE’s cost of making the communication.
The following treatment and HCO purposes (except where the CE receives financial remuneration in exchange for making the communication):
◦ For treatment of the individual, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
◦ To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the CE making the communication, including communications about: the entities participating in a health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.
Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described and DOES NOT include any payment for treatment of an individual. Does not include in-kind benefits, only financial.
A marketing authorization must include all of the elements and required statements of a HIPAA authorization. If the marketing involves financial remuneration, then the authorization must state that such remuneration is involved. The individual must receive a copy of the signed authorization.
The Preamble states that the authorization may be for:
◦ More than one product or service; or
◦ More than one third party
so long as the authorization adequately describes the intended purposes (marketing).
Any written fundraising request shall include, in a clear and conspicuous manner, an opportunity for the individual to elect to opt out of receiving future fundraising communications. Such election shall be treated as a revocation of a HIPAA authorization.
The following PHI may be used for or disclosed to a business associate for the purpose of fundraising:
◦ Demographic information, which includes the following: name, address and other contact information, age, gender, and date of birth;
◦ Dates of health care provided;
◦ Department of service information;
◦ Treating physician;
◦ Outcome information; and
◦ Health insurance status.
Clarified: Can provide information in a general mailing about how to “opt back in”.
Amend the NPP with the following:
◦ Access provisions (providing access in electronic format)
◦ The CE must honor a request for restriction of PHI to a health plan for services paid in full out of pocket
◦ Delete the provision: Appointment reminders and treatment alternatives
◦ A statement that a CE must obtain an authorization for the following: disclosures of psychotherapy notes; disclosures for marketing purposes; and the Sale of PHI
◦ The right to obtain notice of breaches of unsecured PHI.
Post the amended NPP and have a copy available upon request. Only health plans are required to provide an amended NPP in their next annual mailing.
PHI: Modified by further excluding IIHI “regarding a person who has been deceased for more than 50 years.” Clarified that a CE may use or disclose PHI to family members and friends (not just to the personal representative) of a decedent to the extent that the family member or friend was involved in the decedent’s care.
CEs are permitted to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. CEs are required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis or the individual (if appropriate).
Practice tip: If obtaining verbal agreement:
◦ Draft “talking points” identifying all of the information to be disclosed to the person providing the verbal agreement;
◦ Have the agreement witnessed by 2 persons; &
◦ Document the verbal exchange.
Health Information: Adds specifically “genetic information” to the definition of “health information.” GINA adds new definitions:
◦ “Genetic Information”: Genetic tests of the individual; genetic tests of family members of the individual; manifestation of a disease or disorder in family members of such individual; or any request for, or receipt of, genetic services by the individual or any family member of the individual.
  Includes genetic information of a fetus carried by the individual or family member, and any embryo legally held by the individual or family member utilizing an assistive reproductive technology;
  Excludes information about the sex or age of any individual.
“Genetic Services” means a genetic test, genetic counseling or genetic education.
“Family member” means a dependent or other person who is a 1st, 2nd, 3rd, or 4th degree relative (including by affinity (adoption or marriage) or consanguinity):
◦ 1st degree includes parents, spouses, siblings and children;
◦ 2nd degree includes grandparents, grandchildren, aunts, uncles, nephews, and nieces;
◦ 3rd degree includes great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins;
◦ 4th degree includes great-great grandparents, great-great grandchildren, and children of first cousins.
“Genetic Test” means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. “Manifestation” or “Manifested” means, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved.
Title I:
◦ Prohibits discrimination in premiums or contributions for group coverage based on genetic information;
◦ Proscribes the use of genetic information as the basis for eligibility determinations or setting premiums in individual and Medigap insurance markets; and
◦ Limits the ability of group health plans, health insurance issuers, and Medigap issuers to collect genetic information or to request or require that individuals undergo genetic testing.
Title II:
◦ Prohibits use of genetic information in the employment context;
◦ Restricts employers and other entities covered under Title II from requesting, requiring or purchasing genetic information; and
◦ Strictly limits such entities from disclosing genetic information.
Multiple revisions made to implement GINA in the Privacy Standards:
◦ Prohibits the use of genetic information for underwriting purposes;
◦ Requires the revision of the NPP for health plans to include a statement that they are prohibited from using or disclosing genetic information for underwriting purposes.
Amends 42 U.S.C. §1320d-6(a) to make it clear that the criminal penalties apply to employees and other individuals. Effective 12 months after the publication of HITECH.
Criminal Penalties: 42 U.S.C. §1320d-6
(a) A person who knowingly and in violation of this part:
(1) uses or causes to be used a unique health identifier;
(2) obtains IIHI relating to an individual; or
(3) discloses IIHI to another person,
shall be punished as provided in subsection (b) of this section.
(b) Penalties – A person described in subsection (a) of this section shall:
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
A visiting cardiothoracic surgeon from China (working as a research assistant) was convicted of a misdemeanor violation of the HIPAA criminal statute. After his termination from UCLA, on at least four occasions, he accessed four patient records (co-workers and a celebrity). The 9th Circuit upheld the district court’s finding that he knowingly and in violation of HIPAA obtained IIHI relating to individuals.
Sentence:
◦ Four months in prison, then a year of supervised release;
◦ $2000 fine
Civil and Criminal Provisions of HIPAA apply to BAs: HITECH provides that if a BA violates any applicable Privacy or Security provisions in HITECH, the civil and criminal provisions of the HIPAA statute apply to the BA in the same manner as a CE. Significant for BAs: Previously, the only recourse against a BA was an action under the BAA. Effective 12 months after HITECH published (February 2010).
HITECH 13410(a) & (b): Improved Enforcement
HITECH 13410(a): Significantly revises 42 U.S.C. §1320d-5 to include non-compliance due to willful neglect and requires DHHS to investigate if a complaint indicates a violation due to willful neglect.
HITECH 13410(b): Makes the 13410(a) changes effective 24 months from the date HITECH was published. DHHS published regulations to implement this provision.
Penalty tiers:
(a) $100/violation, the total not to exceed $25,000 for identical violations/calendar year;
(b) $1,000/violation, the total not to exceed $100,000 for identical violations/calendar year;
(c) $10,000/violation, the total not to exceed $250,000 for identical violations/calendar year;
(d) $50,000/violation, the total not to exceed $1,500,000 for identical violations/calendar year.
◦ A violation where the person did not know, and by exercising reasonable diligence would not have known: the penalty will be not less than (a) but not more than (d).
◦ A violation due to reasonable cause, but not willful neglect: the penalty will be not less than (b) but not more than (d).
◦ A violation due to willful neglect: if corrected, the penalty will be not less than (c) but not more than (d); if not corrected, the penalty will be not less than (d).
Reasonable Cause: An act or omission in which a CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the CE or BA did not act with willful neglect.
Reasonable Diligence: The business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
Violations of a BA can be attributed to a CE if the BA is an agent of the CE:
◦ Federal Common Law of Agency, when acting within the scope of the agency.
Violations of a Subcontractor can be attributed to a BA if the Subcontractor is an agent of the BA:
◦ Federal Common Law of Agency, when acting within the scope of the agency.
Factors considered in determining the amount of a CMP:
The nature and extent of the violation; consideration may include:
◦ The number of individuals affected; and
◦ The time period during which the violation occurred.
The nature and extent of harm resulting from the violation; consideration may include whether the violation:
◦ Caused physical harm;
◦ Resulted in financial harm;
◦ Resulted in harm to an individual’s reputation; or
◦ Hindered an individual’s ability to obtain health care.
The history of noncompliance by the CE or BA; consideration may include:
◦ Whether the violation is the same as or similar to previous noncompliance;
◦ Whether and to what extent the CE or BA has attempted to correct previous noncompliance;
◦ How the CE or BA has responded to technical assistance from the Secretary in the context of the compliance effort; and
◦ How the CE or BA has responded to prior complaints.
The financial condition of the CE or BA; consideration may include:
◦ Whether the CE or BA had financial difficulties that affected its ability to comply;
◦ Whether the imposition of a CMP would jeopardize the ability of the CE or BA to continue to provide or pay for health care; and
◦ The size of the CE or BA.
Such other matters as justice may require.
No CMP may be imposed where the: ◦ Violation is punishable under HIPAA criminal provisions (prior law); ◦ Violation is penalized under HIPAA criminal provisions (as amended by HITECH); ◦ Violation is: Not due to willful neglect; and Is corrected either during: the 30-day period beginning on the first date the CE or BA knew, or by exercising reasonable diligence would have known, of the violation; or Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
Cignet Health: Large multi-healthcare provider group Failed to provide 41 patients access to their PHI (were 41 complaints – all individually filed with the OCR) Initial fine: $1.3 Million for failure to provide access Subsequent fine: $3.0 Million for failure to cooperate with the OCR’s investigation (3/17/2009 – 4/7/2010) Total fine: $4.3 Million Upshot – cooperate with the OCR investigation!
Phoenix Cardiac Surgery (5 physician practice) Complaint: posting surgery and appointment schedules on a publicly accessible internet-based calendar OCR found a “multiyear, continuing failure” to ◦ Implement policies and procedures ◦ Document training of employees ◦ Identify a security official at the practice ◦ Conduct a security analysis ◦ Obtain business associate agreements with its internet-based email and scheduling services
Resolution Agreement: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/exa mples/pcsurgery_agreement.pdf ◦ $100,000 CMP ◦ Comply with a Corrective Action Plan (one year) Develop and implement Privacy and Security policies/procedures and provide to the OCR for approval Implement the policies/procedures within 30 days of approval Distribute the policies/procedures to its workforce and require written certifications of initial compliance from each Assess and update the policies and procedures annually Make reports to the OCR
Take great care: ◦ Risks are high with EHR Greater access/speed/availability means an even greater risk of potential breaches/liabilities ◦ Use of portable devices: Be mindful of where you are using portable devices and whether you have appropriate security (technical and physical) Use only those portable devices that are approved by your practice
Massachusetts Eye and Ear Infirmary and its associated physician practice Self-reported the theft of an unencrypted laptop containing PHI of > 500 patients from an employed physician while on vacation No finding of financial or reputational harm to the patients Findings: Failure to... ◦ Restrict access to ePHI from unauthorized users/portable devices and be able to track access ◦ Track movement of both Hospital/personal portable devices on and off premises ◦ Implement encryption or appropriate alternatives to encryption 9/17/2012 – Agreement (3 years) ◦ $1.5 Million CMP ◦ A Corrective Action Plan (includes a framework for updating policies/procedures and compliance plans for mobile devices) ◦ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/m eei-agreement-pdf.pdf
Hospice of North Idaho (“HONI”) reported the theft of an unencrypted laptop containing the PHI of 441 patients OCR found: ◦ HONI failed to conduct risk analysis; ◦ HONI failed to implement security measures; ◦ HONI failed to have policies and procedures for mobile devices Settlement Agreement: ◦ Enter into a CAP ◦ CMP of $50,000 ◦ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/ex amples/honi-agreement.pdf
Enforcement by Attorneys General: In any case in which the AG has reason to believe that an interest of one or more of the residents of the State has been threatened or adversely affected by any person who violates a provision of HIPAA, the AG may bring a civil action on behalf of such residents to: ◦ Enjoin further such violations; or ◦ To obtain damages on behalf of such residents calculated by multiplying the number of violations by $100, the total not to exceed $25,000 for identical violations during a calendar year. The court may award attorney fees.
The AG must serve notice on DHHS and provide DHHS a copy of the complaint DHHS has the right to: ◦ Intervene in the action; ◦ To be heard on all matters; and ◦ File petitions for appeal. Effective: The date of HITECH publication (NOW).
Distribution of Civil Money Penalties (“CMPs”): $$ go to the Office for Civil Rights to be used for enforcement purposes The Government Accountability Office is to issue a report 18 months after HITECH is published concerning whether the individual who is harmed by the violation may receive a percentage of the CMP. Cannot locate such a GAO report. HITECH Act: Improved Enforcement