HIPAA Privacy and Security Enforcement Update

Health Care Compliance Association’s

14th Annual Compliance Institute

April 19, 2010

David Holtzman, J.D.

Health Information Privacy Division, Office for Civil Rights

Slide 2: Enforcement Framework in Complaint Investigation

- The Enforcement Rule
  - 71 FR 32, P.8390 (Feb. 16, 2006)
  - Revised 74 FR, P.56123 (October 30, 2009)
- Enforcement Rule modified to implement changes mandated by HITECH Act
- The Enforcement Rule applies to both the Privacy & Security Rules
- Civil Monetary Penalties can be imposed by OCR


Slide 3: HITECH Enforcement Changes

HITECH Act:
- Noncompliance Due to Willful Neglect
- Distribution of Certain Civil Monetary Penalties
- Transfer to OCR for Enforcement
- Percentages to Harmed Individuals
- State Attorneys General
- Periodic Audits
- Criminal Penalties for Individuals (Employees)

Slide 4: Modifications to the Enforcement Rule

- Tiered Increase in Amount of CMPs:
  - Four categories of violations that reflect increasing levels of culpability;
  - Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
  - A maximum penalty amount of $1.5 million for all violations of an identical provision.


Slide 5: Amount of a Civil Money Penalty

                     For violations occurring     For violations occurring
                     prior to 2/18/2009           on or after 2/18/2009
Penalty Amount       Up to $100 per violation     $100 to $50,000 or more per violation
Calendar Year Cap    $25,000                      $1,500,000

OCR may reduce a penalty if the failure to comply was due to reasonable cause and not willful neglect, and the penalty would be excessive relative to the noncompliance.

Slide 6: Amount of a Civil Money Penalty

Violation Category                Each Violation       All Identical Violations per Calendar Year
Did Not Know                      $100 - $50,000       $1,500,000
Reasonable Cause                  $1,000 - $50,000     $1,500,000
Willful Neglect - Corrected       $10,000 - $50,000    $1,500,000
Willful Neglect - Not Corrected   $50,000              $1,500,000


Slide 7: Affirmative Defenses

- Violations Occurring Before the HITECH Act (before February 18, 2009):
  - Disclosure is punishable criminally under § 1177;
  - CE did not know and reasonably would not have known that violation occurred; or
  - Violation due to reasonable cause and not willful neglect, and corrected during 30-day time period.
- Violations Occurring After the HITECH Act (on or after February 18, 2009):
  - Disclosure is punishable criminally under § 1177 (until February 18, 2011); or
  - Not due to willful neglect and corrected during 30-day time period.

Slide 8: Changes in Available Affirmative Defenses

- A covered entity that “did not know” of a violation can no longer claim an affirmative defense to the imposition of a penalty, UNLESS
  - The covered entity has corrected the violation during the 30-day time period beginning on the date the covered entity knew, or, by exercising reasonable diligence, would have known of the violation.
  - Violation due to reasonable cause and covered entity has corrected the violation during the 30-day time period.


Slide 9: HITECH Act Section 13410(e): State Attorneys General Jurisdiction

- State Attorney General (AG) may bring an action in federal court on behalf of state residents to:
  - enjoin defendant from further violation; or
  - obtain damages (of $100 per violation).
- State must serve prior written notice upon HHS.
- HHS may intervene in the state action.
- If HHS has already instituted an action against defendant, State AG may not bring action while HHS action ongoing.

Effective Date: Violations occurring after 2/18/2009

Slide 10: State Attorneys General Jurisdiction

- First complaint filed by CT SAG under HITECH authority
  - USDC/District of CT #3:10-cv-00057-PCD
  - Injunctive relief, statutory penalties sought
- Combination of HIPAA and state law
  - Security Rule violations alleged in loss/theft of portable media
  - Privacy Rule violations alleged in access
  - State law breach notification claims


Slide 11: Complaint Investigations

- Every complaint received is reviewed and the allegations are analyzed.
- An investigation is launched when warranted by the facts and circumstances presented.
- OCR investigations have resulted in changes in privacy and information security practices and other corrective actions in over 10,000 cases since April 2003.
- Corrective action obtained by HHS from covered entities has resulted in systemic change.

Slide 12: HIPAA Security Rule Enforcement

- Delegation of Authority – July 27, 2009
  - Streamline, unify, simplify investigation and resolution of cases
  - Address growing overlap of security/privacy in HIT environment
- Support and cooperation of CMS to effectuate transfer of cases, system support, technical experts
- OCR investigative staff in Regional Offices allows expansion of compliance review and on-site investigatory methods


Slide 13: Resolution Through Informal Means

- 45 CFR 160.312: If investigation or compliance review indicates noncompliance, HHS will attempt to reach resolution satisfactory to the Secretary by “informal means.”
- “Informal means” includes:
  - Demonstrated compliance;
  - Completed corrective action plan; or
  - Other agreement.

Slide 14: What is a Resolution Agreement?

- Settlement agreement between HHS and covered entity
- Represents “other agreement” under 160.312
- Incorporates a Corrective Action Plan
  - Generally for three years
  - Policies and procedures, subject to HHS approval
  - Improved training
  - Monitoring of implementation and compliance
- Includes payment of a resolution amount


Slide 15: What is a Resolution Agreement?

- Resolution Agreement and Corrective Action Plan is not:
  - A formal finding of facts
  - A formal finding of a violation
  - An admission
- Resolution Amount is not a civil monetary penalty, fine, or other formal penalty.
- Because a Resolution Agreement is an informal resolution:
  - Covered entity has no right to formal process
  - Covered entity has no right to request an ALJ hearing

Slide 16: Elements of a Corrective Action Plan

- Training
  - Recipients must certify receipt of training
  - Training must be annually reviewed and updated as necessary
- Monitoring
  - Unannounced site visits
  - Interviews with workforce members
  - Inspections of sample of devices
  - Improvements to policies and procedures where necessary


Slide 17: Elements of a Corrective Action Plan

- Reports
  - Implementation Report
  - Annual Reports
- Failure to Implement CAP
  - Opportunity to cure
  - If no cure, imposition of CMPs for:
    - Original conduct that gave rise to investigation
    - New conduct that breached CAP, if also violation of HIPAA

Slide 18: How does RA/CAP Differ from Other Types of Informal Resolution?

- Usually investigations in which there are indications of noncompliance are concluded when:
  - The entity completes certain voluntary compliance actions to the satisfaction of OCR, and
  - OCR notifies the complainant and the covered entity in writing of the resolution result
- RA/CAP is for those cases where resolution satisfactory to OCR cannot be obtained through the entity’s demonstrated compliance and/or through other means


Slide 19: CVS Resolution Agreement

- Large US pharmacy store chain
- Series of media reports about incidents of personnel disposing of PHI, including labeled pill bottles and prescriptions, in unsecured dumpsters outside of several CVS pharmacy stores

Slide 20: CVS Investigation

- Compliance Review of all CVS retail pharmacy policies and practices related to disposal of PHI
- Conducted jointly with the FTC
- CVS cooperated during investigation
- Settled with OCR through Resolution Agreement and Corrective Action Plan on 1-16-09
- Simultaneously settled with FTC through Consent Order


Slide 21: Indications of Noncompliance Cited in Resolution Agreement

- CVS policies and procedures for disposal did not reasonably and appropriately safeguard PHI
- CVS did not maintain sanctions policy for workforce members who failed to safeguard PHI in disposal process
- CVS did not provide necessary and appropriate training for its workforce regarding disposal of PHI

Slide 22: Actions to Settle Case

- $2.25 million resolution amount
- Corrective Action Plan
- Both HHS and FTC require CVS to actively monitor its compliance with the Resolution Agreement and Consent Order


Slide 23: Actions to Settle Case

- CVS Corrective Action Plan
  1. Revising, distributing policies & procedures regarding PHI disposal
  2. Sanctioning workers who do not follow them;
  3. Training workforce members
  4. Conducting internal monitoring
  5. Engaging a third-party assessor to render reports to HHS
  6. New internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures
  7. Submitting compliance reports to HHS for a period of three years

Slide 24: Lessons Learned

- Disposal of PHI in unsecured dumpsters or similar repositories is not compliant with safeguards standard of the Privacy Rule
- Personnel involved in disposal must be trained in how to implement disposal safeguards
- Management must supervise implementation

Note - See FAQs on Disposal of PHI


Slide 25: Providence Resolution Agreement

- Health care system based in Seattle, Washington
- Series of five incidents occurring between September 2005 and March 2006
- Incidents giving rise to the agreement involved two entities within the system
  - Providence Home and Community Services and
  - Providence Hospice and Home Care

Slide 26: Providence Investigation

- Triggered by 31 complaints submitted to OCR and CMS
- Complaints merged into joint compliance reviews by CMS and OCR
- Practices of entities created vulnerabilities that led to massive losses of PHI
- Cooperation of Providence
- Settled with OCR through Resolution Agreement and Corrective Action Plan on 7-16-09


Slide 27: Indications of Noncompliance Cited in Resolution Agreement

- Electronic information was not encrypted or otherwise properly safeguarded
- Backup tapes, optical disks, and laptops, all containing unencrypted electronic PHI, were removed from the Providence premises and left unattended in vehicles
- Media & laptops were ultimately lost or stolen, compromising the PHI of over 386,000 patients
- Management knew of such practices but allowed them to continue

Slide 28: Actions to Settle Cases

- $100,000 resolution amount
- Corrective Action Plan
  1. Revise policies, procedures
     - New risk assessment and risk management
     - Improved physical & technical safeguards (e.g., encryption) for off-site transport and storage of electronic media containing patient information
     - Subject to HHS approval
  2. Train workforce members on safeguards
  3. Conduct audits and site visits of facilities
  4. Submit implementation report and annual reports to HHS for period of three years


Slide 29: Lessons Learned

- Effective compliance means more than just written policies and procedures
- Covered entities need to continuously monitor implementation
- HHS willing to work with cooperative entities to implement effective changes to ensure that consumers are protected
- Covered entities need to ensure that these efforts include
  - Effective privacy and security staffing
  - Employee training
  - Physical and technical features

Slide 30: Part of Overall Enforcement Strategy

- RA/CAP is one of several effective enforcement tools, to be used on a case-by-case basis
- In investigations where there is evidence of significant noncompliance with the Privacy and Security Rules, covered entities may face similar action


Slide 31: Breach Notification (45 CFR 164 Subpart D)

- HHS Issues RFI – April 2009
  - Guidance on Technologies/Methodologies for unusable, unreadable, indecipherable PHI
- HHS Issues IFR – August 24, 2009
  - Effective for breaches after 9/23/09
  - 60 day public comment period ended 10/23/09
  - Approximately 120 comments received

Slide 32: Breach Notification IFR

- Covered entities must notify each affected individual of breach of “unsecured protected health information.”
- HHS Breach Notification Guidance: PHI is “unsecured” if it is NOT
  - Encrypted
  - Destroyed
- “Breach” defined as:
  - Impermissible use/disclosure
  - “Compromises privacy/security”
  - Exceptions for inadvertent, harmless mistakes


Slide 33: Breach Notification IFR

- Business associate must notify covered entity of breach
- Notice to media if more than 500 people affected.
- Notifications to be provided without unreasonable delay (but no later than 60 days) of discovery of breach.
- Notice to Secretary of breach and posting on HHS Website.

Slide 34: Breach Reports Involving >500

- Notifications to the Secretary required through web portal on OCR website
- As of January 2010, 35 reports of breaches affecting 500+ individuals reported, resulting in 712,000 notices
- Mostly ePHI that is contained in lost or stolen unencrypted media or portable device
- OCR reviews reports for analysis of underlying Privacy and Security compliance


Slide 35: Privacy and Security Compliance Reviews Arise From Breach Reports

- OCR opens a review of all breach reports involving >500
- CE should be prepared to respond with:
  - Determination of the root cause of disclosure
  - Identification of gaps in compliance with Privacy and Security Rules that led to the breach
  - Evidence that the root cause has been addressed to ensure that further breaches do not occur

Slide 36: Breach Reports <500

- HHS has received over 300 reports of smaller breaches
- Mostly paper records sent to wrong fax number, wrong address, wrong individual
- Report listing the reports of the smaller breaches to be posted on OCR website


Slide 37: FTC Breach Notification for PHRs

- FTC to regulate similar notice requirements for PHR vendors not subject to HIPAA
- FTC Notice of Proposed Rulemaking Published April 2009; Request for Public Comment due June 1, 2009
- FTC Final Rule published August 2009
- HHS and FTC to study and recommend to Congress privacy and security requirements for non-HIPAA PHR vendors and best oversight

Slide 38: Pie Chart: All Privacy Complaints (figure not reproduced)


Slide 39: Pie Chart: Total Privacy Investigated (figure not reproduced)

Slide 40: Issues in Privacy Enforcement Actions (April 14, 2003 to December 31, 2009)

The compliance issues investigated most frequently, in order, are:
- Impermissible use or disclosure of an individual’s identifiable health information
- The lack of adequate safeguards to protect identifiable health information
- Refusal or failure to provide the individual with access to or a copy of his/her records
- The use or disclosure of more than the minimally necessary information
- Failure to have a process for individuals to make complaints


Slide 41: Issues in Security Enforcement Actions (April 20, 2005 to December 31, 2009)

The compliance issues investigated most frequently, in order, are:
- Information access management
- Access controls
- Security awareness and training
- Security incident procedures
- Device and media controls

Slide 42: Want More Information?

The OCR website, http://www.hhs.gov/ocr/privacy/, offers a wide range of helpful information about health information privacy, including educational information, FAQs, rule text and guidance for the Privacy, Security, and Breach Notification Rules.