HIPAA UPDATE/OCR ENFORCEMENT - HCCA Official Site


Page 1: HIPAA UPDATE/OCR ENFORCEMENT - HCCA Official Site

HEALTH CARE COMPLIANCE ASSOCIATION

HCCA REGIONAL CONFERENCE

HIPAA UPDATE/OCR ENFORCEMENT

© Copyright Tucker Arensberg, P.C. All Rights Reserved.

HCCA REGIONAL CONFERENCE

East Central Region

Michael A. Cassidy, Esquire

October 14, 2011

Tucker Arensberg, P.C.

1500 One PPG Place Pittsburgh, PA 15222

Page 2

HIPAA UPDATE/OCR ENFORCEMENT

HIPAA HYPE – An “industry” of compliance and an “absence” of enforcement

HIPAA Privacy Rule – April 14, 2003

HIPAA Security Rule – April 20, 2005

HHS/OIG Admission – Has previously acknowledged lack of appropriate enforcement

Page 3

ENFORCEMENT ≠ ABSENCE OF COMPLAINTS

OCR PRIVACY COMPLAINTS

Year   Complaints
2003   3,743
2004   6,534
2005   6,855
2006   7,340
2007   8,190
2008   8,706
2009   7,567
2010   8,524

Page 4

ENFORCEMENT RESULTS IN PENNSYLVANIA TO DATE

Page 5

Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year

Year                 Issue 1                           Issue 2                           Issue 3   Issue 4             Issue 5
2010                 Impermissible Uses & Disclosures  Safeguards                        Access    Minimum Necessary   Notice
2009                 Impermissible Uses & Disclosures  Safeguards                        Access    Minimum Necessary   Complaints to Covered Entity
2008                 Impermissible Uses & Disclosures  Safeguards                        Access    Minimum Necessary   Complaints to Covered Entity
2007                 Impermissible Uses & Disclosures  Safeguards                        Access    Minimum Necessary   Notice
2006                 Impermissible Uses & Disclosures  Safeguards                        Access    Minimum Necessary   Notice
2005                 Impermissible Uses & Disclosures  Safeguards                        Access    Minimum Necessary   Mitigation
2004                 Impermissible Uses & Disclosures  Safeguards                        Access    Minimum Necessary   Authorizations
2003 (partial year)  Safeguards                        Impermissible Uses & Disclosures  Access    Notice              Minimum Necessary

Page 6

NATIONAL PRIVACY RULE ENFORCEMENT

63,443 Privacy Complaints

  14,309 – Resolved by required changes in privacy practices

  35,999 – Case ineligible for enforcement
           • jurisdiction
           • timeliness

   7,440 – No violation

  57,748 (91%)

   5,695 Open

Page 7

Identity of Covered Entity (Frequency)

1. Private Practices

2. General Hospitals

3. Outpatient Facilities

4. Health Plans

5. Pharmacies

Page 8

NATIONAL SECURITY RULE ENFORCEMENTS

Transferred to OCR July 27, 2009

2-year reporting history

460 complaints

217 closed/corrective action

309 open cases as of August 31, 2011

Page 9

CHANGING ENFORCEMENT ENVIRONMENT

• HITECH

• HHS/OCR HIPAA Compliance audits

Page 10

“There will be consequences for failure to comply with HIPAA privacy and security obligations.”

Susan McAndrew, OCR Deputy Director, Health Information Privacy, April 13, 2011

Page 11

ENHANCED HIPAA ENFORCEMENT

HITECH § 13410(d) revised 42 USC § 1320d-5 to enhance penalties

Prior penalties: $100.00 per violation with a maximum of $25,000

Effective February 18, 2009, there are 4 tiers of penalties:

1. Innocent $100/$25,000

2. Reasonable cause $10,000/$100,000

3. Willful neglect $10,000/$250,000

4. ________ $50,000/$1,500,000

Page 12

ENHANCED HIPAA ENFORCEMENT

• Authorizes enforcement by state attorneys general as parens patriae and provides training and funding

• Eliminates the ban on penalties when the entity could establish a reasonable lack of knowledge – i.e. strict liability

• Prohibits penalties if violations are corrected within 30 days, provided they are not due to willful neglect

Page 13

ENHANCED HIPAA ENFORCEMENT

• HITECH § 15411 requires HHS periodic audits for:

  45 CFR 164 (c) – security

  45 CFR 164 (e) – privacy

• Contracts for audits: June 2011

• Audit candidate identification contract to Booz Allen Hamilton

• Audit protocol and implementation to KPMG

Page 14

3 STEP AUDIT PROCESS

• Development of protocols

• Initial round of approximately 20 test audits

• Remaining full audits adjusted based upon success of “beta” audits

• Preliminary Audit Report

• Final Audit Report

Page 15

Final Audit Report must address issues identified in OCR HIPAA Audit Protocol and Program Performance Contract Solicitation # 0557605

Condition: observed defects of noncompliance

Criteria: clear demonstration that the negative finding is a potential violation of specific requirements

Cause: source of non-compliance

Effect: risk exposure

Corrective Recommendation

Verification of Correction

Page 16

Health Information Privacy

HMO Revises Process to Obtain Valid Authorizations

Covered Entity: Health Plans / HMOs

Issue: Impermissible Uses and Disclosures; Authorizations

A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire medical record to a disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own “authorization” form. The new authorization specifies what records and/or portions of the files will be disclosed and the respective authorization will be kept in the patient’s record, together with the disclosed information.

Page 17

Health Information Privacy

Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees

Covered Entity: Private Practice

Issue: Access

A patient alleged that a covered entity failed to provide him access to his medical records. After OCR notified the entity of the allegation, the entity released the complainant’s medical records but also billed him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual. To resolve this matter, the covered entity refunded the $100.00 “records review fee.”

Page 18

Health Information Privacy

Pharmacy Chain Enters into Business Associate Agreement with Law Firm

Covered Entity: Pharmacy Chain

Issue: Impermissible Uses and Disclosures; Business Associates

A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer’s PHI. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement.

Page 19

Health Information Privacy

Pharmacy Chain Revises Process for Disclosures to Law Enforcement

Covered Entity: Pharmacies

Issue: Impermissible Uses and Disclosures

A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not conform to the provisions of the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected health information to comply with the Privacy Rule requirements, including that disclosures of protected health information to law enforcement only be made in response to written requests from law enforcement officials, unless state law requires otherwise. The revised policy was implemented in the chain's stores nationwide.

Page 20

Health Information Privacy

Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons

Covered Entity: Health Plans

Issue: Safeguards

A national health maintenance organization sent an explanation of benefits (EOB) by mail to a complainant's unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all corrupted patient information.

Page 21

Health Information Privacy

Private Practice Revises Process to Provide Access to Records

Covered Entity: Private Practices

Issue: Access

A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. In addition, the covered entity forwarded the complainant a complete copy of the medical record.

Page 22

Health Information Privacy

Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena

Covered Entity: General Hospital

Issue: Impermissible Uses and Disclosures

A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to insure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained. The hospital also trained relevant staff members on the new procedures.

Page 23

Health Information Privacy

Private Practice Provides Access to All Records, Regardless of Source

Covered Entity: Private Practice

Issue: Access

A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual's request for an amendment when the covered entity did not create the portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access their protected health information. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it.

Page 24

Health Information Privacy

Large Health System Restricts Provider's Use of Patient Records

Covered Entity: Multi-Hospital Healthcare Provider

Issue: Impermissible Use

A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s organized health care arrangement impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner’s access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing authority; and provided the nurse practitioner with remedial Privacy Rule training.

Page 25

Resolution Agreements

Resolution Agreements and Civil Money Penalties – A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into five resolution agreements and issued CMPs to one covered entity.

Page 26

Resolution Agreements

Resolution Agreement with the University of California at Los Angeles Health System – July 6, 2011

Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. – February 14, 2011

Civil Money Penalty issued to Cignet Health of Prince George's County, MD – February 4, 2011

Resolution Agreement with Management Services Organization Washington, Inc. – December 13, 2010

Resolution Agreement with Rite Aid Corporation – July 27, 2010

Resolution Agreement with CVS Pharmacy, Inc. – January 16, 2009

Resolution Agreement with Providence Health & Services – July 16, 2008