Responding to a HIPAA Investigation - What to do When OCR Comes Knocking?

Marc D. Goldstone, Esq.
Hoagland, Longo, Moran, Dunst & Doukas, LLP
40 Paterson Street
P.O. Box 480
New Brunswick, NJ 08903
732-545-4717
732-545-4579 (fax)
[email protected]



Responding to an Investigation (c) 2003 Marc D. Goldstone, Esq. 2

First Step

Don’t Panic!!!!

Really. Prosecutors “home in” on people who “look guilty” (ever watch NYPD Blue?)


Next Step

Call:
• Your Attorneys
• Your Executive Management
• Your Privacy Officer
• Your Security Officer
• Your Compliance Officer
• Your Health Information Management Department/Custodian of Records


Enforcement Regulations

• On April 17, 2003, the first “Interim” Enforcement Regulations were published (per DHHS, intended to be the “first installment of a rule” called the “Enforcement Rule.” 68 FR 18895), to be effective 5/19/03
• DHHS intends to REVISE the interim rule by 9/16/04 (corrected from initially published expiration date of 9/16/03; 68 FR 22453)
• There are no HIPAA HIPPOs (Health Information Protection Police Officers)… YET!


How Will OCR Enforce HIPAA?

1. A “Kinder and Gentler” OCR? “To the extent practical, OCR will seek the cooperation of covered entities in obtaining compliance with the Privacy Rule and may provide technical assistance to help covered entities voluntarily comply” - “enforcement activities will focus on obtaining voluntary compliance through technical assistance.” 68 FR 18897

2. The Government is Here to Help: “OCR will seek to resolve matters by informal means before issuing findings of non-compliance” Id.


OCR Enforcement - Con’t

3. Does Anyone Like a Rat? “The process will be complaint-driven and consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan.” 68 FR 18897


If OCR Knocks At Your Door

• Cooperate (but cautiously!) Ask for the official identification of the investigators (NOT business cards); write down their names, office addresses, telephone numbers, fax numbers and e-mail addresses. TIP - if they can’t produce acceptable I.D., call your attorney immediately and defer the provision of any PHI - but BE SURE before you do.

• Ask for the name and telephone number of their supervisors (if their demeanor permits)

• Be sure to determine if there are any law enforcement personnel present (i.e., FBI, US Attorney investigators, State Prosecutor investigators, etc.)

• Permit the investigators to have access to PHI.


What To Do While They’re At Your Office

• Ask for copies of any search warrants and/or entry and inspection orders
• Ask for copies of any complaints
• Ask for a list of patients they are interested in
• Ask for a list of documents/items seized
• Do NOT expect that they will give you any of the above, except for the search warrant and a list of items seized (if any).


Anything Else To Do?

• Don’t leave them alone, if possible (assign an employee to “assist” each investigator)
• Don’t be TOO solicitous
• Don’t offer food (“WCD” rule)
• Don’t get “chatty”; anything you say REALLY CAN be used against you!
• Keep your employees away from the central office
• Notify the Association (if you feel comfortable, to obtain their help and also to help “spread the word”)


Will You Have Advance Notice?

Maybe - Maybe not.

• Remember - Anyone may file a complaint with OCR; the complainant need not notify the CE
• Complaints must be filed within 180 days of when complainant knew or should have known of the violation
  • Beware that DHHS can extend this time period for “good cause shown”.
• The Secretary "will generally" give notice before requesting access to books and records (65 Fed. Reg. 82602, 12/28/00), but is NOT REQUIRED to do so.


What Will They Do?

If OCR determines that a CE has committed a HIPAA violation, they will:

• Inform the Covered Entity (in writing)
• Inform the complainant (if any, in writing)
• Per the enforcement rule, OCR SHOULD attempt to resolve the matter by informal means "whenever possible"
• If the issue cannot be informally resolved, DHHS has the authority to issue a written noncompliance finding.

If no violation is found:

• Inform the Covered Entity and the complainant, if any (nothing says this notification must be in writing)


Crimes Against HIPAA?

What if the violation is egregious enough to constitute a crime?

“Secretary shall impose”
• Criminal Fine: up to $50,000 and/or 1 year in jail
• Obtain, Use and/or Disclose PHI under false pretenses: up to $100,000 and/or 5 years in jail
• Intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm: up to $250,000 and/or 10 years in jail

OCR: Enforces Privacy Rule; criminal issues referred to OIG


Violation of C.O.P?

Is a HIPAA violation also a violation of the Medicare Conditions of Participation?

"We have not yet addressed" it; however, "we note that Medicare conditions of participation require participating providers to have procedures for ensuring the confidentiality of patient records".

65 Fed. Reg. 82605, 12/28/00


Limits on DHHS CMP Authority

1. CMPs cannot be imposed in respect of acts that constitute a “HIPAA Crime.” 42 USC 1320d-5(b)(1)

2. A CMP may not be imposed if “it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.” 42 USC 1320d-5(b)(2)


Limits on DHHS CMP Auth. - Con’t

3. A CMP may not be imposed if the failure to comply was due to “reasonable cause and not to willful neglect.” 42 USC 1320d-5(b)(3)

4. A CMP may be reduced or waived “to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.” 42 USC 1320d-5(b)(4)


Limits on DHHS CMP Auth. - Con’t

5. Secretary may NOT initiate a CMP action “later than six years after the date” of the occurrence that forms the basis for the CMP. 68 FR 18896.

6. CMP actions are NOT summary; the person upon whom DHHS seeks to impose CMPs MUST be given written notice and an opportunity for a hearing on the record, where the person may be represented by counsel, may present witnesses, and may cross-examine witnesses. 42 U.S.C. 1320a-7a(c)(2).


Limits on DHHS CMP Auth. - Con’t

7. DHHS CANNOT impose a HIPAA CMP on any person that is NOT a CE! 68 FR 18898 (Are your BAs required to indemnify you for liability imposed on you as a result of their acts/omissions?)


Can You Settle A Case?

• Yes - DHHS can “settle any case or … compromise any penalty during the process” 68 FR 18898, referencing 45 CFR Part 160.510
• Factors to be taken into account by OCR when making a settlement determination will be “addressed in the notice-and-comment rulemaking” planned for the remainder of the Enforcement Rule. 68 FR 18899


HIPAA Hearings

• Timely Requests: If DHHS notifies a CE of a proposed penalty, the respondent MUST timely request a hearing IN WRITING or the penalty becomes final, and the respondent has “no right to appeal.” 68 FR 18899 referencing 45 CFR Part 160.516.
• Time Period: Sixty (60) days after notice of the proposed penalty determination is received by the respondent. 45 CFR Part 160.516(b)
  • Receipt date is “presumed” to be 5 days after the date of the notice. This is a rebuttable presumption. Id.


HIPAA Hearings - Con’t

• Hearing is on the record 45 CFR Part 160.530(a); 560.
• HHS party will be “OCR and/or CMS” 68 FR 18899
• Discovery is “limited” 45 CFR Part 160.538 (Document production, essentially). Depositions/Interrogatories are specifically prohibited 45 CFR Part 160.538(c)
• Decision of the ALJ is the decision of DHHS 45 CFR Part 160.564(d) (contrary to many state systems, where an ALJ’s decision can be adopted, modified or rejected by the head of the administrative agency)
• Judicial Review of final penalty decisions is authorized 42 U.S.C. 1320a-7a(e); 45 CFR Part 160.568
• Respondent may request a stay pending judicial review 160.570(a) (file federal appeal papers with ALJ; stay automatically granted until ALJ rules on request)


Penalty Collection

Penalties are recoverable:
• in a civil action in U.S.D.C. 45 CFR 160.518(b) (all collateral issues are estopped if they could have been raised by respondent below) 45 CFR 160.518(d)
• By Offset from “any sum owed … by the United States or a State agency.” 45 CFR 160.518(c).


What to do BEFORE the Investigation?

Be Prepared!
• Implement your HIPAA Compliance Plan to the greatest extent possible (gain HPBs [HIPAA Brownie Points]; make all of your “incidental disclosures” permissible pursuant to the Final Privacy Rule).
• Document the steps that you took to implement your plan; HIPAA committee minutes should be in writing.
• Document the monies you spent in implementing the plan; save budgets and receipts.
• If you made any cost/benefit “reasonableness” determinations regarding specific plan elements, document them and have that documentation available for inspection.


What to do BEFORE the Investigation - Continued

• Periodically examine reports to your Privacy Office/HIPAA Hotline (suggest semi-annually or more)
  • Investigate ALL reports and conclude ALL investigations with WRITTEN documentation (sample form attached)
  • Trend all your reports; if there are discernible trends, conclude them with written documentation.
• Revisit the trends over time to see if your solution is effective; if not, revise the solution and try again!
• Keep your disclosure logs in good order (especially with respect to inappropriate disclosures - this is where complaints are VERY LIKELY to originate; you don’t want it to appear that you “covered-up” anything!)


What to do BEFORE the Investigation - Continued

• Train, educate, explain, and then train some more
• Maintain employee training time records and training materials used
• Create a “Culture of Privacy” (which probably already exists at most healthcare facilities)
• Watch the online enforcement video from OCR, at http://www.ehcca.com/streaming/index.html. Great guidance from Robinsue Froboese, J.D., Ph.D., Deputy Director, Office of Civil Rights
• Include HIPAA in your policy for responding to official investigations (Don’t have a policy for responding to investigations? Now’s the time to get one!).


What to do BEFORE the Investigation - Continued

• DON’T include the OCR address in your NPP (you don’t have to; you just have to tell patients how to get it. If they have to contact you to get it, then you may have the opportunity to resolve the complaint; at the very least, you’ll be on notice of a potential complaint!)
• GET AND RELY ON THE WRITTEN ADVICE OF COUNSEL/QUALIFIED CONSULTANTS!!!!!!!!!!!!!! (at best, they’ll be right; at worst, you can be indemnified by their professional liability policies!) Due diligence is important in developing an effective HIPAA compliance plan.


Thanks!

Thanks for your kind attention!!!!!!!!!!!!!!!!!!!!


Marc D. Goldstone, Esq.

Hoagland, Longo, Moran, Dunst & Doukas, LLP
40 Paterson Street
P.O. Box 480
New Brunswick, NJ 08903
(732) 545-4717
(732) 545-4579 (FAX)
[email protected]
www.healthlawnj.com