1

The Current Reality of HIPAA

Meredith L. Borden
Venable LLP
© April 18, 2008

2

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) - Administrative Simplification:

• Electronic Transactions to achieve a more efficient health care system

• Privacy Rule & Security Rule to protect health information

Policy Rationale

3

Civil Enforcement

Enforced by DHHS Office for Civil Rights (OCR)

Penalty limits

• Penalty of $100 for each violation (with total exposure of no more than $25,000 for all violations of an identical requirement)

• “Bad faith” penalty can reach $250,000

4

Sanctions

Apply to workforce members who:

• Violate policies and procedures

• Violate the Privacy Rule

“Workforce members” include not only your paid employees, but also trainees and volunteers who are under your direct control

5

Complaint Process

• Internal -- Employees

• External -- DHHS

6

Complaint Process, cont’d

OCR receives complaint:

• Rejects complaint, or

• Accepts complaint → OCR review → Resolution:
  • No violation
  • Voluntary compliance; Corrective action; and/or Resolution agreement.
  • Formal finding of violation → Civil Monetary Penalties imposed IF not properly resolved

Possible criminal violation → DOJ:

• Investigation → Accepted, or

• Declines case and refers back to OCR

Possible Security Rule violation → CMS:

• OCR and CMS coordinate investigations

7

Civil Enforcement Efforts to Date

• Unofficial reports claim that the Office for Civil Rights received approximately 24,000 complaints from 2003 through 2006 – over 75 percent of which have been closed.

• Fewer than 40 complaints have been accepted by the Department of Justice for further investigation or prosecution.

• To date, no OCR-initiated investigations have taken place (absent a private complaint), and no fines have been levied against covered entities by OCR for Privacy Rule violations.


9

New Enforcement Efforts On the Horizon

• Audits: The Office of Inspector General (OIG) has initiated audits of covered entities for compliance with HIPAA. Piedmont Hospital in Atlanta, Georgia was the first hospital provider in the country to undergo such an audit, in March 2007.

• Subpoenas: On April 16, 2007, Secretary Mike Leavitt of HHS delegated to the Director of the OCR the authority to issue subpoenas in investigations of alleged violations of the HIPAA Privacy Rule.

10

Criminal Enforcement

• To commit a “criminal offense” under HIPAA, a person must knowingly and in violation of the HIPAA rules do one (or more) of the following:

1. Use or cause to be used a unique health identifier
2. Obtain IIHI (individually identifiable health information) relating to an individual
3. Disclose IIHI to another person

• Criminal penalties range from a fine up to $50,000 and/or imprisonment up to a year to a fine up to $250,000 and/or imprisonment up to 10 years

• June 2005 DOJ opinion – covered entity liability only

11

What Prosecutors Go After

• Theft of IIHI for some form of personal financial gain by an “employee” of a covered entity

• To date, only four criminal HIPAA violations prosecuted by the Department of Justice

12

Criminal Cases

• Gibson (Seattle): employee of Seattle Cancer Care Alliance with access to patient information. Used name, DOB and SSN of a cancer patient to obtain credit cards in the patient’s name. Used credit cards to make over $9,000 in purchases. Wrongful disclosure of IIHI with the intent to use the information for personal gain. Received 16 months in prison and had to pay restitution.

13

Criminal Cases, cont’d

• Ramirez (Texas): Ramirez worked for physician who provided physicals and medical treatment to FBI agents. Sold an FBI agent’s medical records for $500. Using, obtaining and disclosing IIHI with the intent to sell, transfer and use the information for personal gain and malicious harm. Received 6 months in jail, 4 months home confinement, 2 years supervised release and $100 special assessment.

14

Criminal Cases, cont’d

• Machado/Ferrer (Florida): Machado was a Cleveland Clinic employee who accessed computerized patient files and downloaded IIHI of more than 1,100 Medicare beneficiaries. Sold the information to Ferrer, an owner of a claims processing company. Ferrer caused the stolen information to be used in $7 million of fraudulent Medicare claims, which netted about $2.5 million in payments to providers and suppliers. Ferrer was sentenced to 87 months in prison, 3 years supervised release, and ordered to pay restitution of $2.5 million.

• Demonstrates that covered entities must take appropriate steps to protect sensitive data and information, and must monitor and promptly address security breaches or other illegal acts by employees

15

Key Measures for Privacy Compliance

1. Policies and Procedures
• Ensures consistent and reasoned response to privacy issues
• Focuses on proper use and disclosure of health information

2. Privacy & Security Officials
• Develop and implement policies
• Ensure compliance

3. Privacy Contact Person
• Receives and responds to privacy-related complaints

16

Key Measures for Privacy Compliance, cont’d

4. Privacy and Security Safeguards

• Administrative Safeguards

• Technical Safeguards
  • Access authorization; screensavers; encryption
  • Audit controls
  • Integrity measures; virus scans, firewalls
  • Authentication through password management
  • Transmission security

• Physical Safeguards
  • Workforce security
  • Procedures for clearance
  • Access control
  • Controls to access facility
  • Workstation use & security
  • Device & media controls

17

Key Measures for Privacy Compliance, cont’d

5. Risk Analysis and Risk Management Plan
• Risk Analysis: Review ePHI; identify threats, vulnerabilities and risks
• Risk Management: Implementation of security measures to reduce risks (42 standards)

6. Training
• Initially
• Recurrently
• Certification/Attestation

18

Key Documents

• Policies & Procedures
• Privacy Notice
• Business Associate Agreements
• Risk Management Plans
• Written Communications

• All documents to be kept for at least 6 years

19

Future Outlook

• Adjustment period is over
• Increased enforcement efforts, scrutiny and penalties
• Decreased emphasis on individual culpability and increased emphasis on entity culpability
• Emphasis on technology – cameras, phones
• BUT, the practice of medicine will continue

20

BUT, The Practice of Medicine WILL Continue

21

QUESTIONS?