HIPAA Enforcement Past, Present and Future

1
HIPAA EnforcementPast, Present and Future

• Cyndi Moore Kevin Bernys
• Rose Willis
• Dickinson Wright PLLC

2
HIPAA EnforcementPast, Present and Future

• HIPAA Enforcement Rule
• The OCR Enforcement Process
• Enforcement Data
• Case Samples Corrective Actions
• Resolution Agreements
• Trends and Predictions
• WWOCRD?

3
HIPAA Enforcement Rule

• Enforcement of the Privacy Rule began April 14,
  2003 for most HIPAA covered entities
• HIPAA covered entities were required to comply
  with the Security Rule beginning on April 20,
  2005. OCR became responsible for enforcing the
  Security Rule on July 27, 2009.
• HITECH Act strengthened civil and criminal
  enforcement of HIPAA

3
4
Enforcement Penalties

• The Omnibus Rule formally adopts the following
  penalty scheme for violations of the HITECH Act
  occurring on or after Feb. 18, 2009
• For violations where a covered entity did not
  know and, by exercising reasonable diligence,
  would not have known that the covered entity
  violated a provision, a penalty of not less than
  100 or more than 50,000 for each violation
• For a violation due to reasonable cause and not
  to willful neglect, a penalty of not less than
  1,000 or more than 50,000 for each violation
• For a violation due to willful neglect that was
  timely corrected, a penalty of not less than
  10,000 or more than 50,000 for each violation
• For a violation due to willful neglect that was
  not timely corrected, a penalty of not less than
  50,000 for each violation the penalty for
  violations of the same requirement or prohibition
  under any of these categories may not exceed 1.5
  million in a calendar year.

5
The OCR Enforcement Process

• Right to file a complaint. A person who believes
  a covered entity or business associate is not
  complying may file a complaint with the
  Secretary.
• Disgruntled Employees
• Patients
• Investigation. The Secretary will investigate
  any complaint filed when a preliminary review
  indicates possible violation due to willful
  neglect.
• Compliance Reviews. The Secretary will conduct a
  compliance review to determine whether a covered
  entity or business associate is complying when a
  preliminary review of the facts indicates a
  possible violation due to willful neglect or in
  any other circumstance.
• Todays breach report could lead to tomorrows
  OCR Compliance Review

5
6
Enforcement Process (continued)

• If the evidence indicates that the covered entity
  was not in compliance, OCR will attempt to
  resolve the case by obtaining
• Voluntary compliance
• Corrective action and/or
• Resolution agreement.
• Civil Money Penalties are also possible.
• Possible referrals to the Department of Justice
  for criminal violations.
• Michigan enforcement results from compliance
  reviews as of December 31, 2013
• 12 (No Violation)
• 64 (Resolved after Intake and Review)
• 24 (Corrective Action)

7
The Top Fives

• Top 5 Issues Investigated in 2013 that were
  Closed with Corrective Action
• Impermissible uses and disclosures
• Lack of safeguards of PHI
• Lack of access by individuals to PHI
• Use or disclosure of more than the minimum
  necessary PHI
• Mitigation

• The most common types of covered entities that
  have been required to take corrective action to
  achieve voluntary compliance are, in order of
  frequency
• Private Practices
• General Hospitals
• Outpatient Facilities
• Health Plans (group health plans and health
  insurance issuers) and,
• Pharmacies.

7
8
(No Transcript)
9
(No Transcript)
10
(No Transcript)
11
Enforcement by State Attorneys General

• OCR developed HIPAA enforcement training in 2011
  to help State attorneys general use their new
  authority under the HITECH Act to enforce the
  HIPAA Privacy and Security Rules. Videos and
  slides are available on the OCR website.
• 8 modules, including Module 6 Investigating
  and Prosecuting HIPAA Violations.
• Includes examples of how OCR could impose civil
  money penalties to a given fact pattern.
• State AGs have not made extensive use of their
  new enforcement power to date.
• Minnesota AG filed complaint against Accretive
  Health, a business associate, in January 2012
  settled in July 2012 for 2.5 million.

11
12
OCR Audit Program

• OCR Audits of covered entities and business
  associates
• OCR will use the audit reports for the following
  purposes
• To determine what types of technical assistance
  should be developed
• To share best practices
• To identify what types of corrective action are
  most effective and
• May use the report as the basis to initiate a
  compliance review that could lead to civil money
  penalties

12
13
Phase 1 Audit Program

• OCR audited 115 covered entities under the Phase
  1 Audit program, with the following aggregate
  results
• There were no findings or observations for only
  11 of the covered entities audited
• Despite representing just more than half of the
  audited entities (53), health care providers
  were responsible for 65 of the total findings
  and observations
• The smallest covered entities were found to
  struggle with compliance under all three of the
  HIPAA Standards
• Greater than 60 of the findings or observations
  were Security Standard violations, and 58 of 59
  audited health care provider covered entities had
  at least one Security Standard finding or
  observation even though the Security Standards
  represented only 28 of the total audit items
• Greater than 39 of the findings and observations
  related to the Privacy Standards were attributed
  to a lack of awareness of the applicable Privacy
  Standard requirement and
• Only 10 of the findings and observations were
  attributable to a lack of compliance with the
  Breach Notification Standards

13
14
Phase 2 Audit Program

• OCR has indicated that it plans to conduct the
  second round of audits sometime in the Fall of
  2014 (date TBD), involving 350 covered entities
  (232 healthcare providers, 109 health plans and 9
  health care clearinghouses) and 50 business
  associates.
• Entities who received an address verification
  letter in the spring were supposed to receive
  audit letters in the fall.
• Desk reviews (not on-site visits)

14
15
Phase 2 Audit Program (continued)

• Audits will focus on compliance with Security
  Standards and on those areas that involved high
  numbers of non-compliance in the Phase 1 audit,
  including 
• risk analysis and risk management
• content and timeliness of breach notifications
• notice of privacy practices
• individual access
• Privacy Standards reasonable safeguards
  requirement
• training on policies and procedures
• device and media controls and
• transmission security. 
• Breach reports and complaints,
• Phase 2 Audits of business associates will focus
  on risk analysis and risk management and breach
  reporting to covered entities.

16
How to prepare for a Phase 2 Audit?

• Conduct a risk assessment update your HIPAA
  Policies and Procedures
• Update your Notice of Privacy Practices
• Conduct a self-audit using the audit protocols at
  http//www.hhs.gov/ocr/privacy/hipaa/enforcement/a
  udit/protocol.html
• Privacy Rule (81)
• Security Rule (78)
• Breach Notification Rule (10)
• Have a current list of business associates and
  their contact information
• Use encryption of ePHI to prevent breaches
• 2 weeks to respond to an audit request No last
  minute cramming for this test!

16
17
Audit Protocol Sample Privacy Rule

• Established performance criteria identify
  workforce members who need access to PHI
  (164.514(d)(2)(i)).
• Key activity minimum necessary uses of PHI.
• Audit procedure Inquire of management as to
  whether access to PHI is restricted. Obtain and
  review a sample of workforce members with access
  to PHI for their corresponding job title and
  description to determine appropriateness. Obtain
  and review policies and procedures and evaluate
  the content relative to the specified criteria
  for terminating access to PHI. Select a sample
  listing of former employees to confirm that
  access to PHI was terminated. NOTE The rule
  requires that the class/job functions that need
  to use or disclose PHI be determined, and the
  information be limited to what is needed for that
  job classification.

17
18
Case Samples Corrective Compliance Actions

• Radiologist practice submitted a workers
  compensation claim to the patients employer
  which included patients test results. Patient
  had not indicated workers comp coverage.
  Practice had relied on incorrect billing
  information from treating hospital.
• Private practice failed to honor patients
  request for copy of minor sons medical record.
  State regs permitted summary of record, however,
  Privacy Rule is more restrictive by permitting
  summary only if individual agrees in advance.
• Physicians office disclosed a patients HIV
  status in a misdirected fax. Written
  disciplinary warning, apologies to patient,
  addition of confidential communication language
  on fax cover sheet and additional training
  required.

18
19
Resolution Agreements

• What is a Resolution Agreement?
• A contract between HHS and a covered entity in
  which the covered entity agrees to perform
  certain obligations (such as staff training) and
  make reports to HHS, generally for a 3 year
  period. During this period, HHS monitors the
  covered entitys compliance with its obligations.
  Typically includes payment of a resolution
  amount. A resolution agreement is used to settle
  investigations with more serious outcomes.

19
20
Recent Resolution AgreementsAugust 2013 June
23, 2014

• 800,000 HIPAA Settlement in Medical Records
  Dumping Case
• Hospital took custody of medical records to
  assist in physicians retirement
• Returned 71 boxes of medical records at the end
  of physicians driveway (for an unknown reason)
• Complaint came from the retiring physician
• Data Breach Results in 4.8 Million HIPAA
  Settlements
• The New York Presbyterian Hospital and Columbia
  University operated a shared data network.
•  A physician employed by Columbia University
  attempted to deactivate a personally-owned
  computer server on the network, and the
  deactivation resulted in the ePHI of 6,800
  individuals being accessible on general internet
  search engines.
• The entities learned of the breach after
  receiving a complaint by an individual who found
  the ePHI of the individuals deceased partner on
  the internet.
• The Hospital and Columbia University
  self-reported the breach to the U.S. Department
  of Health and Human Services Office for Civil
  Rights who initiated an investigation.

20
21
Recent Resolution AgreementsAugust 2013 June
23, 2014

• Concentra Settles HIPAA Case for 1,725,220
• Unencrypted laptop stolen from Concentra facility
• QCA Settles HIPAA Case for 250,000
• Unencrypted laptop stolen from employees car
• Resolution Agreement with Adult Pediatric
  Dermatology, P.C. of Massachusetts
• Unencrypted thumb drive containing ePHI of 2,200
  individuals was stolen from a vehicle of one of
  its workforce members
• Thumb drive was never recovered
• PC notified patients of the theft and provided
  media notice
• 150,000 resolution amount and corrective action
  plan

22
Recent Resolution AgreementsAugust 2013 June
23, 2014

• HHS Settles with Health Plan in Photocopier
  Breach Case
• Failure to properly erase photocopier hard drives
  prior to sending the photocopiers to a leasing
  company
• Affinity Health Plan notified OCR regarding the
  breach
• 1,215,780 and entered into corrective action
  plan.
• County Government Settles Potential HIPAA
  Violations
• Skagit County inadvertently allowed public access
  to PHI on public web server and failred to notify
  individuals of the breach
• 215,000 settlement and implementation of
  corrective action plan

23
Trends and Predictions

• Todays data breach report could lead to
  tomorrows compliance investigation.
• Resolution agreements signal that OCR is moving
  into a more aggressive enforcement phase, with
  the assessment of resolution amounts and, if it
  cannot reach agreement with the covered entity,
  civil money penalties.
• Second round of HIPAA audits to come sometime by
  the end of 2014
• Enforcement Actions against Business Associates
  to come
• According to a chief regional civil rights
  counsel at HHS, the past 12 months of HIPAA
  enforcement will likely pale in comparison to
  what OCR will do in the next year.
• OCR will share more information with other
  federal and state agencies, including the FTC,
  DOJ, OIG, State Attorneys General, to enforce
  HIPAA
• Covered entities need a robust compliance program
  in place and foster a culture of compliance
  within their organization.

23
24
WWOCRD?(What Would OCR Do?)