1
The Current Reality of HIPAA
Meredith L. Borden, Venable LLP © April 18, 2008
2
Policy Rationale
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) - Administrative Simplification:
• Electronic Transactions to achieve a more efficient health care system
• Privacy Rule & Security Rule to protect health information
3
Civil Enforcement
Enforced by DHHS Office for Civil Rights (OCR)
Penalty limits
• Penalty of $100 for each violation (with total exposure of no more than $25,000 for all violations of an identical requirement)
• “Bad faith” penalty can reach $250,000
4
Sanctions
Apply to workforce members who:
• Violate policies and procedures
• Violate the Privacy Rule
“Workforce members” include not only your paid employees, but also trainees and volunteers who are under your direct control
5
Complaint Process
• Internal -- Employees
• External -- DHHS
6
Complaint Process, cont’d
• OCR receives complaint
  – Rejects complaint, or
  – Accepts complaint → OCR review → Resolution:
    • No violation
    • Voluntary compliance; corrective action; and/or resolution agreement
    • Formal finding of violation → civil monetary penalties imposed IF not properly resolved
• Possible criminal violation → DOJ
  – Accepted → investigation
  – Declines case and refers back to OCR
• Possible Security Rule violation → CMS
  – OCR and CMS coordinate investigations
7
Civil Enforcement Efforts to Date
• Unofficial reports claim that the Office for Civil Rights received approximately 24,000 complaints from 2003 through 2006 – over 75 percent of which have been closed.
• Less than 40 complaints have been accepted by the Department of Justice for further investigation or prosecution.
• To date, no OCR-initiated investigations have taken place (absent a private complaint), and no fines have been levied against covered entities by OCR for Privacy Rule violations.
8
9
New Enforcement Efforts On the Horizon
• Audits: The Office of Inspector General (OIG) has initiated audits of covered entities for compliance with HIPAA. Piedmont Hospital in Atlanta, Georgia was the first hospital provider in the country to undergo such an audit, in March 2007.
• Subpoenas: On April 16, 2007, Secretary Mike Leavitt of HHS delegated to the Director of the OCR the authority to issue subpoenas in investigations of alleged violations of the HIPAA Privacy Rule.
10
Criminal Enforcement
• To commit a “criminal offense” under HIPAA, a person must knowingly and in violation of the HIPAA rules do one (or more) of the following:
1. Use or cause to be used a unique health identifier
2. Obtain IIHI relating to an individual
3. Disclose IIHI to another person
• Criminal penalties range from a fine up to $50,000 and/or imprisonment up to a year to a fine up to $250,000 and/or imprisonment up to 10 years
• June 2005 DOJ opinion – covered entity liability only
11
What Prosecutors Go After
• Theft of IIHI for some form of personal financial gain by an “employee” of a covered entity
• To date, only four criminal HIPAA violations prosecuted by the Department of Justice
12
Criminal Cases
• Gibson (Seattle): employee of Seattle Cancer Care Alliance with access to patient information. Used name, DOB and SSN of a cancer patient to obtain credit cards in the patient’s name. Used credit cards to make over $9,000 in purchases. Wrongful disclosure of IIHI with the intent to use the information for personal gain. Received 16 months in prison and had to pay restitution.
13
Criminal Cases, cont’d
• Ramirez (Texas): Ramirez worked for physician who provided physicals and medical treatment to FBI agents. Sold an FBI agent’s medical records for $500. Using, obtaining and disclosing IIHI with the intent to sell, transfer and use the information for personal gain and malicious harm. Received 6 months in jail, 4 months home confinement, 2 years supervised release and $100 special assessment.
14
Criminal Cases, cont’d
• Machado/Ferrer (Florida): Machado was Cleveland Clinic employee who accessed computerized patient files and downloaded IIHI of more than 1,100 Medicare beneficiaries. Sold the information to Ferrer, an owner of a claims processing company. Ferrer caused the stolen information to be used in $7 million of fraudulent Medicare claims, which netted about $2.5 million in payments to providers and suppliers. Ferrer sentenced to 87 months in prison, 3 years supervised release, and ordered to pay restitution of $2.5 million
• Demonstrates that covered entities must take appropriate steps to protect sensitive data and information, and must monitor and promptly address security breaches or other illegal acts by employees
15
Key Measures for Privacy Compliance
1. Policies and Procedures
• Ensure a consistent and reasoned response to privacy issues
• Focus on proper use and disclosure of health information
2. Privacy & Security Officials
• Develop and implement policies
• Ensure compliance
3. Privacy Contact Person
• Receives and responds to privacy-related complaints
16
Key Measures for Privacy Compliance, cont’d
4. Privacy and Security Safeguards
• Administrative Safeguards
• Technical Safeguards
  – Access authorization; screensavers; encryption
  – Audit controls
  – Integrity measures; virus scans, firewalls
  – Authentication through password management
  – Transmission security
• Physical Safeguards
  – Workforce security
  – Procedures for clearance
  – Access control
  – Controls to access facility
  – Workstation use & security
  – Device & media controls
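The “Audit controls” safeguard above is what would have surfaced the bulk record access in the Machado/Ferrer case (one employee downloading the IIHI of more than 1,100 beneficiaries). The following is an added example, not part of the slides or of any product the deck describes: a small detector that reads ePHI access-log lines in a constructed, hypothetical format (`<ISO timestamp> user=<id> action=<VIEW|EXPORT> patient=<MRN>`) and flags any user whose count of distinct patient records inside a sliding time window exceeds a threshold. The user ids, MRNs, window size and threshold are all assumptions chosen for illustration; it generalizes the single case on the slide to any user and any window.

```python
"""Bulk-access detection over ePHI access logs (added example, not from the slides).

Assumed log format (constructed for this example, not any real system's):
    <ISO timestamp> user=<id> action=<VIEW|EXPORT> patient=<MRN>
A user is flagged when the number of distinct patients touched within a
sliding window exceeds a threshold, which is the pattern an audit-control
review is meant to catch.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "user": m.group("user"),
        "action": m.group("action"),
        "patient": m.group("patient"),
    }


def find_bulk_access(lines, window=timedelta(hours=1), threshold=20):
    """Return {user: peak distinct patients seen in any window} for users over threshold.

    Events are sorted by time, and a per-user deque holds only the events that
    fall inside the trailing window, so the check is linear in the log size.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    per_user = defaultdict(deque)  # user -> deque of (timestamp, patient)
    flagged = {}
    for e in events:
        q = per_user[e["user"]]
        q.append((e["ts"], e["patient"]))
        cutoff = e["ts"] - window
        while q and q[0][0] < cutoff:  # drop events that aged out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > threshold:
            flagged[e["user"]] = max(distinct, flagged.get(e["user"], 0))
    return flagged


def build_sample_log():
    """Constructed sample: one normal clinical user and one bulk exporter."""
    base = datetime(2008, 3, 3, 9, 0, 0)
    lines = []
    # Normal pattern (hypothetical nurse): five patients over a two-hour span.
    for i in range(5):
        ts = base + timedelta(minutes=30 * i)
        lines.append(f"{ts.isoformat()} user=rn_ortiz action=VIEW patient=MRN{1000 + i}")
    # Bulk pattern (hypothetical clerk): thirty distinct records in ten minutes.
    for i in range(30):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} user=clerk_x action=EXPORT patient=MRN{2000 + i}")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for user, peak in find_bulk_access(build_sample_log()).items():
        print(f"ALERT user={user} distinct_patients_in_window={peak}")
```

The threshold and window are deliberately parameters: a role that legitimately touches many records (a coder, a billing clerk) needs a different baseline from a bedside clinician, and the same function can be run per role with different settings. Malformed lines are skipped rather than aborting the run, so one bad log entry cannot silence the review.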
17
Key Measures for Privacy Compliance, cont’d
5. Risk Analysis and Risk Management Plan
• Risk Analysis: Review ePHI; identify threats, vulnerabilities and risks
• Risk Management: Implementation of security measures to reduce risks (42 standards)
6. Training
• Initially
• Recurrently
• Certification/Attestation
18
Key Documents
• Policies & Procedures
• Privacy Notice
• Business Associate Agreements
• Risk Management Plans
• Written Communications
• All documents to be kept for at least 6 years
19
Future Outlook
• Adjustment period is over
• Increased enforcement efforts, scrutiny and penalties
• Decreased emphasis on individual culpability and increased emphasis on entity culpability
• Emphasis on technology – cameras, phones
• BUT, the practice of medicine will continue
20
BUT, The Practice of Medicine WILL Continue
21
QUESTIONS?