HIPAA Enforcement Past, Present and Future [Cyndi Moore] [Kevin Bernys] Rose Willis Dickinson Wright PLLC

Post on 21-Dec-2015

Page 1: HIPAA Enforcement Past, Present and Future [Cyndi Moore] [Kevin Bernys] Rose Willis Dickinson Wright PLLC

HIPAA Enforcement: Past, Present and Future

[Cyndi Moore] [Kevin Bernys] Rose Willis

Dickinson Wright PLLC

Page 2: HIPAA Enforcement Past, Present and Future [Cyndi Moore] [Kevin Bernys] Rose Willis Dickinson Wright PLLC

HIPAA Enforcement: Past, Present and Future

• HIPAA Enforcement Rule

• The OCR Enforcement Process

• Enforcement Data

• Case Samples – Corrective Actions

• Resolution Agreements

• Trends and Predictions

• WWOCRD?

Page 3

HIPAA Enforcement Rule

• Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities

• HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009.

• HITECH Act strengthened civil and criminal enforcement of HIPAA

Page 4

Enforcement Penalties

• The Omnibus Rule formally adopts the following penalty scheme for violations of the HITECH Act occurring on or after Feb. 18, 2009:

• For violations where a covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, a penalty of not less than $100 or more than $50,000 for each violation

• For a violation due to reasonable cause and not to willful neglect, a penalty of not less than $1,000 or more than $50,000 for each violation

• For a violation due to willful neglect that was timely corrected, a penalty of not less than $10,000 or more than $50,000 for each violation

• For a violation due to willful neglect that was not timely corrected, a penalty of not less than $50,000 for each violation; the penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1.5 million in a calendar year.

Page 5

The OCR Enforcement Process

Page 6

Enforcement Process (continued)

• If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case by obtaining:

– Voluntary compliance;

– Corrective action; and/or

– Resolution agreement.

• Civil Money Penalties are also possible.

• Possible referrals to the Department of Justice for criminal violations.

• Michigan enforcement results from compliance reviews as of December 31, 2013:

– 12% (No Violation)

– 64% (Resolved after Intake and Review)

– 24% (Corrective Action)

Page 7

The Top Fives

• Top 5 Issues Investigated in 2013 that were Closed with Corrective Action

– Impermissible uses and disclosures

– Lack of safeguards of PHI

– Lack of access by individuals to PHI

– Use or disclosure of more than the minimum necessary PHI

– Mitigation

• The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

– Private Practices;

– General Hospitals;

– Outpatient Facilities;

– Health Plans (group health plans and health insurance issuers); and

– Pharmacies.

Page 8

Page 9

Page 10

Page 11

Enforcement by State Attorneys General

• OCR developed HIPAA enforcement training in 2011 to help State attorneys general use their new authority under the HITECH Act to enforce the HIPAA Privacy and Security Rules. Videos and slides are available on the OCR website.

– 8 modules, including Module 6: “Investigating and Prosecuting HIPAA Violations.”

– Includes examples of how OCR could apply civil money penalties to a given fact pattern.

• State AGs have not made extensive use of their new enforcement power to date.

• Minnesota AG filed complaint against Accretive Health, a business associate, in January 2012; settled in July 2012 for $2.5 million.

Page 12

OCR Audit Program

• OCR Audits of covered entities and business associates

• OCR will use the audit reports for the following purposes:

– To determine what types of technical assistance should be developed;

– To share best practices;

– To identify what types of corrective action are most effective; and

– May use the report as the basis to initiate a compliance review that could lead to civil money penalties

Page 13

Phase 1 Audit Program

• OCR audited 115 covered entities under the Phase 1 Audit program, with the following aggregate results:

– There were no findings or observations for only 11% of the covered entities audited;

– Despite representing just more than half of the audited entities (53%), health care providers were responsible for 65% of the total findings and observations;

– The smallest covered entities were found to struggle with compliance under all three of the HIPAA Standards;

– Greater than 60% of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider covered entities had at least one Security Standard finding or observation even though the Security Standards represented only 28% of the total audit items;

– Greater than 39% of the findings and observations related to the Privacy Standards were attributed to a lack of awareness of the applicable Privacy Standard requirement; and

– Only 10% of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards

Page 14

Phase 2 Audit Program

• OCR has indicated that it plans to conduct the second round of audits sometime in the Fall of 2014 (date TBD), involving 350 covered entities (232 healthcare providers, 109 health plans and 9 health care clearinghouses) and 50 business associates.

• Entities who received an address verification letter in the spring were supposed to receive audit letters in the fall.

• Desk reviews (not on-site visits)

Page 15

Phase 2 Audit Program (continued)

• Audits will focus on compliance with Security Standards and on those areas that involved high numbers of non-compliance in the Phase 1 audit, including:

– risk analysis and risk management;

– content and timeliness of breach notifications;

– notice of privacy practices;

– individual access;

– Privacy Standards’ reasonable safeguards requirement;

– training on policies and procedures;

– device and media controls; and

– transmission security. 

• Breach reports and complaints,

• Phase 2 Audits of business associates will focus on risk analysis and risk management and breach reporting to covered entities.

Page 16

How to prepare for a Phase 2 Audit?

• Conduct a risk assessment; update your HIPAA Policies and Procedures

• Update your Notice of Privacy Practices

• Conduct a self-audit using the audit protocols at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

– Privacy Rule (81)

– Security Rule (78)

– Breach Notification Rule (10)

• Have a current list of business associates and their contact information

• Use encryption of ePHI to prevent breaches

• 2 weeks to respond to an audit request – No last minute cramming for this test!

Page 17

Audit Protocol Sample – Privacy Rule

• Established performance criteria: identify workforce members who need access to PHI (§164.514(d)(2)(i)).

• Key activity: minimum necessary uses of PHI.

• Audit procedure: Inquire of management as to whether access to PHI is restricted. Obtain and review a sample of workforce members with access to PHI for their corresponding job title and description to determine appropriateness. Obtain and review policies and procedures and evaluate the content relative to the specified criteria for terminating access to PHI. Select a sample listing of former employees to confirm that access to PHI was terminated. NOTE: The rule requires that the class/job functions that need to use or disclose PHI be determined, and the information be limited to what is needed for that job classification.
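The audit procedure on this slide is a reconciliation exercise: an export of who holds PHI access is checked against the HR roster for job-function appropriateness and for terminated staff whose access was never removed. The script below is an added example, not part of the slides or of any Dickinson Wright or OCR material; the roster, access export, system names, dates and the PHI_ROLES set are all constructed sample data standing in for an organization's own determination of which job functions need PHI.

```python
"""Added example (not from the slides): reconcile a PHI access export against an
HR roster, following the audit procedure on this slide.

Step 1 - minimum necessary: every active user with PHI access must hold a job
function the organization has determined needs PHI.
Step 2 - termination: no former employee may still hold PHI access.
Step 3 - orphaned accounts: PHI access for a user id that is not on the roster.

All identifiers, titles, systems and dates below are constructed sample data;
PHI_ROLES stands in for the organization's own job-function determination.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed: job functions determined to need PHI (compared case-insensitively).
PHI_ROLES = {"physician", "nurse", "billing specialist", "medical records clerk"}


@dataclass(frozen=True)
class Worker:
    user_id: str
    job_title: str
    termination_date: Optional[date]  # None = still employed


@dataclass(frozen=True)
class AccessGrant:
    user_id: str
    system: str
    phi_access: bool  # does this grant expose PHI?


# Constructed HR roster extract.
HR_ROSTER: List[Worker] = [
    Worker("u001", "Physician", None),
    Worker("u002", "Nurse", None),
    Worker("u003", "Facilities Technician", None),
    Worker("u004", "Billing Specialist", date(2014, 3, 31)),  # terminated
    Worker("u005", "Medical Records Clerk", None),
    Worker("u006", "Nurse", date(2014, 12, 31)),              # leaves in the future
]

# Constructed access-control export (one row per account and system).
ACCESS_EXPORT: List[AccessGrant] = [
    AccessGrant("u001", "ehr", True),
    AccessGrant("u002", "ehr", True),
    AccessGrant("u003", "ehr", True),      # facilities staff should not see PHI
    AccessGrant("u003", "email", False),   # non-PHI system, out of scope
    AccessGrant("u004", "billing", True),  # access outlived employment
    AccessGrant("u005", "ehr", True),
    AccessGrant("u006", "ehr", True),      # still employed on the audit date
    AccessGrant("u999", "ehr", True),      # not on the roster at all
]

AS_OF = date(2014, 6, 23)  # constructed audit date


def audit_phi_access(roster, grants, as_of) -> Dict[str, List[Tuple[str, str]]]:
    """Return findings as (user_id, system) pairs keyed by finding type."""
    by_id = {w.user_id: w for w in roster}
    findings = {"terminated_with_access": [], "role_mismatch": [], "orphaned": []}
    for g in grants:
        if not g.phi_access:
            continue  # only PHI-bearing grants are in scope
        worker = by_id.get(g.user_id)
        if worker is None:
            findings["orphaned"].append((g.user_id, g.system))
        elif worker.termination_date is not None and worker.termination_date <= as_of:
            findings["terminated_with_access"].append((g.user_id, g.system))
        elif worker.job_title.lower() not in PHI_ROLES:
            findings["role_mismatch"].append((g.user_id, g.system))
    return findings


def format_report(findings) -> List[str]:
    """One line per finding, in a form that can go straight into the audit workpaper."""
    lines = []
    for kind, rows in findings.items():
        for user_id, system in rows:
            lines.append(f"{kind}: user {user_id} holds PHI access on {system}")
    return lines


if __name__ == "__main__":
    for line in format_report(audit_phi_access(HR_ROSTER, ACCESS_EXPORT, AS_OF)):
        print(line)
```

A future termination date is deliberately not flagged, since the worker is still employed on the audit date; orphaned accounts are reported separately because they usually indicate a gap between HR and identity systems rather than a single missed offboarding.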

Page 18

Case Samples – Corrective Compliance Actions

• Radiologist practice submitted a worker’s compensation claim to the patient’s employer which included patient’s test results. Patient had not indicated workers comp coverage. Practice had relied on incorrect billing information from treating hospital.

• Private practice failed to honor patient’s request for copy of minor son’s medical record. State regs permitted summary of record, however, Privacy Rule is more restrictive by permitting summary only if individual agrees in advance.

• Physician’s office disclosed a patient’s HIV status in a misdirected fax. Written disciplinary warning, apologies to patient, addition of confidential communication language on fax cover sheet and additional training required.

Page 19

Resolution Agreements

What is a Resolution Agreement?

A contract between HHS and a covered entity in which the covered entity agrees to perform certain obligations (such as staff training) and make reports to HHS, generally for a 3 year period. During this period, HHS monitors the covered entity’s compliance with its obligations. Typically includes payment of a resolution amount. A resolution agreement is used to settle investigations with more serious outcomes.

Page 20

Recent Resolution Agreements: August 2013 – June 23, 2014

• $800,000 HIPAA Settlement in Medical Records Dumping Case

– Hospital took custody of medical records to assist in physician’s retirement

– Returned 71 boxes of medical records at the end of physician’s driveway (for an unknown reason)

– Complaint came from the retiring physician

• Data Breach Results in $4.8 Million HIPAA Settlements

– The New York Presbyterian Hospital and Columbia University operated a shared data network.

–  A physician employed by Columbia University attempted to deactivate a personally-owned computer server on the network, and the deactivation resulted in the ePHI of 6,800 individuals being accessible on general internet search engines.

– The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner on the internet.

– The Hospital and Columbia University self-reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights who initiated an investigation.

Page 21

Recent Resolution Agreements: August 2013 – June 23, 2014

• Concentra Settles HIPAA Case for $1,725,220

– Unencrypted laptop stolen from Concentra facility

• QCA Settles HIPAA Case for $250,000

– Unencrypted laptop stolen from employee’s car

• Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts

– Unencrypted thumb drive containing ePHI of 2,200 individuals was stolen from a vehicle of one of its workforce members

– Thumb drive was never recovered

– PC notified patients of the theft and provided media notice

– $150,000 resolution amount and corrective action plan

Page 22

Recent Resolution Agreements: August 2013 – June 23, 2014

• HHS Settles with Health Plan in Photocopier Breach Case

– Failure to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company

– Affinity Health Plan notified OCR regarding the breach

– $1,215,780 and entered into corrective action plan.

• County Government Settles Potential HIPAA Violations

– Skagit County inadvertently allowed public access to PHI on a public web server and failed to notify individuals of the breach

– $215,000 settlement and implementation of corrective action plan

Page 23

Trends and Predictions

• Today’s data breach report could lead to tomorrow’s compliance investigation.

• Resolution agreements signal that OCR is moving into a more aggressive enforcement phase, with the assessment of “resolution amounts” and, if it cannot reach agreement with the covered entity, civil money penalties.

• Second round of HIPAA audits to come sometime by the end of 2014

• Enforcement Actions against Business Associates to come

• According to a chief regional civil rights counsel at HHS, the past 12 months of HIPAA enforcement will likely pale in comparison to what OCR will do in the next year.

• OCR will share more information with other federal and state agencies, including the FTC, DOJ, OIG, State Attorneys’ General, to enforce HIPAA

• Covered entities need a robust compliance program in place and foster a culture of compliance within their organization.

Page 24

WWOCRD? (What Would OCR Do?)