HIPAA POST-“HITECH”: Health Information Privacy Enforcement

American Osteopathic Association of Medical Informatics
November 4, 2009, 12:30 to 2:00 pm

Ian C. Smith DeWaal, Senior Counsel
Criminal Division, Fraud Section
United States Department of Justice*

* The views expressed during this presentation do not necessarily represent the views of the Department of Justice or of the United States.



What I will Cover:

- Protected Health Information Privacy Enforcement Pursuant to the Original HIPAA provisions
- Statutory Changes enacted by the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)
- Future Enforcement
- Resources Available
- WILL NOT cover all non-enforcement changes

I – INTRODUCTION

- Civil Monetary Penalties Enforced by the Secretary of Health and Human Services
- Federal criminal statute enforced by the Attorney General by prosecution through the United States Attorneys or Department of Justice criminal trial attorneys

II. Original HIPAA Enforcement

III. Review: Civil Monetary Penalties: Pre-HITECH

- Civil Monetary Penalties established by HIPAA – 42 U.S.C. 1320d-5
- Enforced by the Secretary of Health and Human Services
- Delegated to the HHS Office of Civil Rights. Website: http://www.hhs.gov/ocr/privacy/
- Enforced only against covered entities

III. Review: Civil Monetary Penalties: Pre-HITECH

- Violations of HIPAA punished by $100 CMP – maximum of $25,000 per calendar year for violations of an identical provision
- CMP may not be imposed if:
  - Reasonable cause and not willful neglect (in certain situations can be reduced, instead of waived); and
  - Corrected within 30 days of discovery or the date on which it should have been discovered with the exercise of due diligence. The Secretary could extend the 30-day period based on the nature and extent of the failure to comply
  - Under § 160.410(b)(2), if the covered entity establishes that it did not have knowledge of the violation, and by exercising reasonable diligence, would not have known that the violation occurred

III. Review: Civil Monetary Penalties: Pre-HITECH

- Secretary prohibited from imposing CMP if “the act constituted an offense punishable under section 1320d-6 of this Title” (42 U.S.C. § 1320d-6 – the criminal statute)
- Referral protocol adopted to permit DOJ to review matters that might “constitute an offense.” Matters not opened as criminal investigations were returned to the Secretary for further administrative action.
- As of 9/30/09, HHS-OCR made over 464 referrals to DOJ since the April 2003 enforcement date

III. Review: Civil Monetary Penalties: Pre-HITECH

HHS-OCR HIPAA Statistics Through 9/30/09

Since the compliance date in April 2003, HHS has received over 46,973 HIPAA Privacy complaints and resolved over eighty percent of complaints received (over 40,962):

- Investigated and resolved over 9,318 cases by requiring changes in privacy practices and other corrective actions by the covered entities.
- In 4,680 cases, HHS-OCR investigations found no violation had occurred.
- In the remaining completed 26,964 cases, HHS-OCR determined that the complaint did not present an eligible case for enforcement of the Privacy Rule.

III. Review: Civil Monetary Penalties: Pre-HITECH

Resolution Agreements:

- A Resolution Agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations.
- A resolution agreement likely would include the payment of a
- Resolution Agreement with Providence Health and Services (7/16/2008)
- Resolution Agreement with CVS Pharmacy (1/16/2009)
- http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

IV. Review: Criminal Statute: Pre-HITECH

Violations of 42 U.S.C. § 1320d-6

A person who knowingly and in violation of this part:

- Uses or causes to be used a unique health identifier
- Obtains individually identifiable health information relating to an individual
- Discloses individually identifiable information to another person

IV. Review: Criminal Statute: Pre-HITECH

Penalties:

- General – Fine of not more than $50,000, not more than one year imprisonment, or both
- Offense committed under false pretenses – Fine of not more than $100,000, not more than five years imprisonment, or both
- Offense committed with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm – Fine of not more than $250,000, not more than ten years imprisonment, or both

IV. Review: Criminal Statute: Pre-HITECH

DOJ Office of Legal Counsel Opinion (6/1/05)

- Construed the HIPAA criminal statute to be directly enforceable only against “covered entities”:
  - Health care providers
  - Health plans
  - Health care clearinghouses
- Observed that legal doctrines of aiding and abetting, conspiracy and corporate criminal liability would also apply

IV. Review: Criminal Statute: Pre-HITECH

- Approximately 10 HIPAA convictions since April 2003 enforcement date of HIPAA privacy regulations
- Types of cases:
  - Patient credit identity theft
  - Sale of Medicare/Medicaid patient numbers
  - Identify law enforcement undercover agent
- Defendants: Health care workers and outsiders

V. HITECH Universal Changes to HIPAA

- Application of CMPs and HIPAA criminal statute expanded to include “business associates” ARRA § 13404(c) (eff. 2/17/2010)
- New patient notification requirements ARRA § 13402
  - Notification on the occurrence of certain breaches of protected health information not secured according to standards specified by the Secretary of Health and Human Services (“HHS”)
  - Effective 30 days after publication of interim final regulations. Interim final rules on breach notification were published on August 24, 2009 (74 Fed. Reg. 42740); eff. 9/23/2009.

V. HITECH Changes to CMPs

ARRA § 13410 - Increased CMPs

NEW tiered CMPs tied to egregiousness of violation, effective 2/18/09 (Note – rulemaking pending):

- The person did not know, and by exercising reasonable diligence would not have known, that such person had violated a provision:
  At least $100, not to exceed the amount specified in paragraph D.
- The violation was due to reasonable cause and not willful neglect:
  At least $1,000, not to exceed the amount specified in paragraph D.
- The violation was due to willful neglect, and
  - WAS CORRECTED as provided, within 30 days of the date on which the person liable for the violation knew, or exercising reasonable diligence would have known, that the failure to comply occurred:
    At least $10,000, not to exceed the amount specified in paragraph D.
  - WAS NOT CORRECTED:
    At least $50,000, but the total amount imposed on a person for violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

ARRA § 13410 - Mandatory CMP for Willful Neglect: Section 1320d-5 is amended by adding new subsection (c), which mandates that the Secretary impose a CMP when a violation of HIPAA is due to willful neglect, though as described previously, the amount of the mandatory penalty for willful neglect can be mitigated by timely correction of the violation.

ARRA § 13410 - Bar to Civil Monetary Penalties when action constitutes a criminal violation narrowed: Current section 1320d-5(b)(1), which precludes assessment of a civil monetary penalty if an act constitutes an offense under section 1320d-6, is amended to preclude a CMP only if a penalty has been imposed pursuant to section 1320d-6. (Eff. 2/17/2011).

V. HITECH Changes to CMPs

New enforcement power conferred on state Attorneys General (ARRA § 13410(e)):

- State AG may bring a civil action in federal district court, parens patriae, for injunctive relief and to obtain statutory damages for one or more state residents whose interest has been threatened or adversely affected by any person who violates HIPAA.
- This subsection caps the statutory damages at $100 maximum per violation, and $25,000 maximum for all violations of an identical requirement or prohibition during a calendar year.
- The court may consider the identical factors enumerated in § 1320d-5(a), which may be considered by the Secretary in determining the amount of damages to be assessed, and may award costs and reasonable attorneys’ fees to the successful state Attorney General.
- Prior written notice of an action, or if not feasible, immediate notice on commencing an action, must be provided to the HHS Secretary, who will then have the right to intervene, be heard on all matters in the case, and have the right to appeal.
- If the Secretary has instituted a HIPAA action against a person under subsection (a) with respect to a specific violation of this part, NO State attorney general may bring an action under this subsection against the person with respect to such violation during the pendency of that action.
- State AG action not permitted if a criminal penalty already has been imposed (eff. 2/17/2011 – before this date, if the conduct was a violation of 42 U.S.C. § 1320d-6).

V. HITECH Changes: Criminal Statute

ARRA § 13409 - Clarification of the definition of “person” added to criminal statute – 42 U.S.C. § 1320d-6(a) (eff. 2/17/2010):

“For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.”

V. HITECH Changes: Criminal Statute

The Conference Report for ARRA (Pub. L. 111-5) (“the Report”), p. 500, stated that: “In July 2005 the Justice Department Office of Legal Counsel (OLC) addressed which persons may be prosecuted under HIPAA and concluded that only a covered entity could be criminally liable.” (sic, apparently referring to the June 1, 2005 OLC opinion) The Report states the amendment to § 1320d-6 “clarifies that criminal penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by a covered entity, whether they are employees or not.”

As of 2/17/2010, a violation of HIPAA will be deemed to have occurred when a person, now defined to include an employee of a covered entity or another individual, obtains or discloses protected health information which was maintained by a covered entity, and the individual obtained or disclosed such information without authorization.

VI. Conclusion

- Congress intended to step up enforcement of health information privacy violations
- HHS will continue to work with covered entities and now, business associates, on training and correction of non-criminal violations
- When HHS-OCR determines a violation arose from willful neglect, a CMP will be mandatory
- Business associates will be subject to new administrative and criminal scrutiny
- Uncorrected, willful violations will invite administrative or criminal sanction
- Some state Attorneys General may emerge as an additional enforcement resource with respect to CMPs

VI. Conclusion

Resources:

- Ian C. Smith DeWaal, Senior Counsel, Criminal Division, Fraud Section ([email protected] or (202) 514 0669)
- HHS Office of Civil Rights: http://www.hhs.gov/ocr/privacy/index.html

  “If you don't find the information you were seeking, you may submit an e-mail to [email protected]. Unfortunately, we do not provide individual responses to all of the questions received. However, in some situations we may be able to forward your questions to an appropriate person or agency.”

- Address inquiries to the OCR Regional Manager. Contact the OCR regional office for your State or Territory, or the headquarters office for further information: http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html

VII. Questions?