TODAY'S ENFORCEMENT: HIPAA PRIVACY AND SECURITY STATUTES
Armin J. Moeller, Jr., Balch & Bingham LLP, 601-965-8156, amoeller@balch.com
MASI


Posted on 14-Dec-2015
Slide 2: TODAY'S ENFORCEMENT: HIPAA PRIVACY AND SECURITY STATUTES
Armin J. Moeller, Jr., Balch & Bingham LLP, 601-965-8156, amoeller@balch.com
MASI

Slide 3: TODAY'S HIPAA ENFORCEMENT - WHAT'S CHANGED?
• Increased Enforcement
• Substantial Civil Monetary Penalties (CMPs) and Corrective Action Plans (CAPs)

Slide 4: HIPAA PRIVACY RULES
• Limits Circumstances by Which Individuals' PHI May Be Used/Disclosed by Covered Entities (CEs)
• PHI Permitted Use/Disclosure without Patient Authorization for Treatment, Payment or Healthcare Operations
• Otherwise May Use/Disclose PHI Only With Patient Authorization
• Exceptions: Public Health, Judicial, Law Enforcement, Certain Specialized Purposes

Slide 5: HIPAA PRIVACY RULES - Continued
• Privacy Rule - Additional Obligations
  - Accounting for Certain Disclosures
  - Disclose Only Minimum Information Necessary
  - Provide Notice of Privacy Practices
  - Individuals' Rights to Review/Obtain Copies of PHI
  - Must Safeguard Protected Health Information from Inappropriate Use/Disclosure
  - Individuals Have Right to Request Changes to Inaccurate/Incomplete PHI
  - Maintain Administrative, Technical, Physical Safeguards to Prevent Improper Use/Disclosure of PHI

Slide 6: BUSINESS ASSOCIATES (BAs)
• Anyone that Performs, or Assists in the Performance of, an Activity Involving Use/Disclosure of PHI on Behalf of a CE
• Examples: Claims Processing, Data Analysis, Utilization Review, Quality Assurance, Billing, Benefit Management, Practice Management, Pricing
• Other BAs: Persons Performing Legal, Actuarial, Accounting, Consulting, Data Aggregation, Management, Administration, Accreditation or Financial Services if the Service Involves Disclosure of PHI from a Covered Entity
• Must Maintain PHI Confidentiality as Required by Service Agreement
• Violations: Covered Entity Must Terminate Relationship or Report Problem to HHS

Slide 7: SECURITY RULE (SR)
• Applies to PHI in Electronic Form (EPHI)
• Requires CE to Maintain Administrative, Technical and Physical Safeguards to Ensure Confidentiality/Integrity/Availability of All EPHI the CE Creates, Receives, Maintains or Transmits
• CEs Must Enter into an Agreement with BAs Who Create, Receive, Maintain or Transmit EPHI
• BA Must Provide Same Safeguards to Protect EPHI
• CE Not Liable for Violations of SR by BA Unless CE Knew BA Engaged in Activity that Violated HIPAA SR and CE Took No Action

Slide 8: ENFORCEMENT HISTORY
• DOJ Had Authority to Impose CMPs and Criminal Sanctions
• HHS Did Not Enforce Privacy or Security Rule Until 2008
• HHS OIG in 2008 Concluded CMS Had Not Provided Effective Oversight/Enforcement of SR by CEs
• Prevailing View: "All Bark and No Bite" - Does Not Justify Compliance Expenses

Slide 9: RECENT DEVELOPMENTS
• HHS Office of Civil Rights (OCR) Imposed CMPs Totaling $4.35MM on Cignet Health of Prince George's County, Maryland
• Settled with Massachusetts General Hospital (Mass General) for PR Violations: $1MM
• University of California Los Angeles Health System (UCLAHS), Potential PR and SR Violations: $865,000
• HHS OIG Began to Incorporate New Advanced Electronic/Data Mining Technologies to Uncover Waste, Fraud and Violations in Federal Healthcare Programs and Ensure Regulatory Compliance
  - Data Analytics to Conduct Risk Assessment and Pinpoint Oversight Efforts
  - Reduce Time/Resources Required for Audits, Investigations and Program Integrity Activities

Slide 10: HHS POLICY CHANGES
• HHS Secretary Delegates PR Enforcement to OCR
• April 14, 2003: PR Compliance Mandatory for Most Covered Entities
• Next 5 Years: No Penalties/Settlements for PR Violations
• 2003: HHS Secretary Delegates Authority to Enforce SR to CMS
• March 2006: HIPAA Enforcement Rules Implemented
• 2006-2009: No SR Compliance Actions
• 2009: Congress/HITECH Expands Enforcement/Penalties; HHS Reassigns Enforcement to OCR

Slide 11: HHS POLICY CHANGES - Continued
• 2008-2009 Enforcement/Settlement Activities
  - July 18, 2008 - HHS Resolution Agreement with Providence Health and Services (Providence) - PR/SR Violations, Loss of Electronic Backup Media/Laptop Computers Containing PHI - Providence Pays HHS $100,000 and Implements CAP
  - January 16, 2009 - $2.25 MM Resolution Agreement/CAP with CVS Pharmacy, Inc. (CVS) - Unsecured Disposal of Pharmacy Customers' PHI
  - July 27, 2009 - HHS Strips CMS of SR Enforcement and Delegates to OCR

Slide 12: HITECH LEGISLATIVE CHANGES
• Expands Certain Provisions in PR and SR Rules to Business Associates
• Subjects BAs to Civil/Criminal Liability for Violations
• Establishes New Limits on Use of PHI for Marketing/Fund Raising Purposes
• Provides New Enforcement Authority for State Attorneys General to Bring Suit in Federal District Court to Enforce HIPAA Violations
• Increases Civil/Criminal Penalties for HIPAA Violations

Slide 13: HITECH LEGISLATIVE CHANGES - Continued
• Requires CEs/BAs to Notify Public or HHS of Data Breaches
• Changes Use/Disclosure Rules for PHI
• Expands Certain Individual Rights
• Mandates CEs Report to OCR Breaches of Unsecured PHI
• Mandatory Notifications without Immunity/Reduced Penalties for Reporting

Slide 14: STATE ATTORNEYS GENERAL AUTHORITY
• Civil Actions Against HIPAA Privacy/Security Violators
• Damages Up to $100 per Violation, Up to $25,000 for All Violations of an Identical Requirement During a Calendar Year
• Compliance Audits: HITECH Requires HHS to Perform Periodic Audits to Ensure CE and BA Compliance with PR and SR

Slide 15: ENHANCED HIPAA PRIVACY/SECURITY ENFORCEMENT ACTIVITIES
• Cignet: Breached PR by Failing to Provide 41 Individuals Timely Access to Medical Records, Failing to Cooperate in Investigation, and Not Correcting Violations within 30 Days. Finding of Willful Neglect Not Corrected Within 30 Days
• Mass General: Removal/Loss of PHI on Subway by Mass General Employee; PHI for a Total of 258 Patients, Including Patients with HIV/AIDS; $1MM Penalty plus 3-Year CAP

Slide 16: CURRENT CAPs
• Similar to Corporate Integrity Agreements Entered Into by OIG
• Imposes Corrective Action Obligations That Reflect Federal Sentencing Guidelines/OIG Compliance Guidance Documents
• Mass General CAP
  - Develop, Distribute and Update Policies/Procedures Targeted at the Alleged Violation/Rate of Activities
  - Train Personnel on Policies/Procedures
  - Response to Violation
  - Monitor/Audit Performance of New Policies/Procedures
  - Provide Reports to OCR Regarding Performance

Slide 17: CURRENT CAPs - Continued
• UCLAHS CAP
  - Potential Violations of PR/SR: $865,500 CMP
  - CAP to Remedy Gap in Compliance; Arose From Incidents Involving Celebrity Patients and Complaints that Employees Accessed PHI
  - CAP Requires: Implement PR/SR Policies Approved by OCR; Conduct Regular Employee Training; Sanction Offending Employees; Independent Monitor to Assess Compliance for 3 Years

Slide 18: HHS OIG ENHANCED TECHNOLOGIES/ENFORCEMENT EFFORTS
• Fraud Information Technologies/Analytics to Uncover Fraud and Target Oversight Efforts
• Data Mining/Trend Evaluations/Modeling: Enterprise View of Questionable Activities/Suspected Fraud Trends
• New Data Storage/Computer Matching/Data Analytic Capabilities to Analyze Hospital Data for Multiple Compliance Risks
• Auditing Process Reduced from Weeks/Months to 20 Minutes per Hospital
• Healthcare Fraud Prevention and Enforcement Action Team (HEAT)
  - High-Level Law Enforcement from DOJ and HHS
  - Enforces Anti-Fraud and Other Compliance Obligations
  - Began in March 2007; Operates in 7 Major Cities

Slide 19: HHS OIG ENHANCED TECHNOLOGIES/ENFORCEMENT EFFORTS - Continued
• FY 2010
  - 140 Indictments Filed Against 284 Defendants that Billed Medicare $590 MM
  - 217 Guilty Pleas Negotiated
  - 29 Jury Trials with Guilty Verdicts Against 23 Defendants
  - 146 Defendants Sentenced; Average Sentence More than 40 Months
• Data-Driven/Data Analytics Approach Increasingly Effective

Slide 20: CONCLUSION
• It's Not the Passive HHS Enforcement Effort Any More!

Slide 21: THANK YOU
Armin J. Moeller, Jr.
Balch & Bingham, LLP
amoeller@balch.com
601-965-8156