Transcript of HIPAA Enforcement Under the HITECH Act; The Gloves Come Off
©2011 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
HIPAA Enforcement Under the HITECH Act; The Gloves Come Off
Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011
Topics Covered
Enforcement of HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH)
Overview of changes made by HITECH
What HITECH means for Business Associate relationships
Changes in the rules governing marketing, and other highlights and lowlights under HITECH
Enforcement Before and After HITECH
Prior to HITECH, focus was almost exclusively on achieving voluntary compliance
Now there is a significant punitive element
HITECH increased penalties
– For the most egregious violations (those caused by willful neglect which are not timely corrected), HITECH provides civil penalties of at least $50,000 per violation, up to a maximum of $1.5 million a year for the same violation
– Frequently the same incident involves violations of multiple provisions
Enforcement After HITECH
Requires OCR to investigate any complaint where there is a possible violation due to “willful neglect” and to levy fines for uncorrected violations due to “willful neglect”
Clarifies that directors, officers and employees can be individually liable
Creating Enforcement Incentives
Fines collected through enforcement go back to OCR to fund additional enforcement
GAO is required to conduct a study into mechanisms for returning a percentage of recoveries to persons injured by a violation
Enforcement Statistics
To date, OCR has received over 62,000 complaints. Over 91% have been resolved.
In about 63% of the cases, HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule.
– E.g., the complaint was filed more than 60 days after the alleged violation
In about 25% of the cases, OCR required changes in the organization’s privacy practices or other corrective action by the covered entity.
In about 12% of the cases, OCR found no violation.
Most Common Violations
Impermissible access to, or use or disclosure of, protected health information (PHI)
Lack of safeguards of PHI
Lack of patient access to their PHI
Uses or disclosures of more than the Minimum Necessary PHI
Complaints to the covered entity went unanswered
Mass General Hospital (Feb 2011)
Employee left PHI on a subway (a patient schedule and billing encounter forms containing names and medical record numbers for 192 infectious disease patients, including diagnoses for 66 of those patients, some of whom had HIV/AIDS).
Paid $1 million and entered into a Resolution Agreement
(1) Unauthorized disclosure caused by (2) inadequate safeguards, (3) compounded by failure to train and (4) absence of employee sanctions
Resolution Agreements
Corrective action plan typically requiring detailed policies and procedures
Appointment of independent monitor who makes semi-annual reports
Annual implementation reports
Self-reporting requirements
Training of work force
Three-year term
Cignet Health (Feb 2011)
Denied access to 41 patients seeking their medical records and then failed to respond to OCR subpoenas and letters
Paid $4.3 million and entered into a Resolution Agreement
UCLA (July 2011)
Employees repeatedly and without permissible reason looked at the electronic PHI of two celebrity patients
UCLA paid $865,500 in fines and entered into a Resolution Agreement
CVS/Caremark (Feb 2009)
CVS failed to implement adequate policies to appropriately safeguard PHI during the disposal process and did not maintain a sanctions policy for members of its workforce who failed to comply with its disposal policies
Paid $2,250,000 and entered into a Resolution Agreement
Rite Aid—similar allegations, paid $1 million (Feb 2010)
HIPAA’s Criminal Penalties
Knowingly obtaining and disclosing PHI
– $50,000 and imprisonment for one year
Same offense committed under false pretenses
– $100,000 fine and imprisonment for five years
Obtaining or disclosing PHI with the intent to sell, transfer or use for commercial advantage, personal gain or malicious harm
– $250,000 and ten years imprisonment
Criminal Enforcement
OCR has made approximately 500 referrals to the Department of Justice for criminal investigation
DOJ has brought 22 criminal prosecutions
– 19 convictions by plea bargain
– One convicted by jury
– Two pending
Often handled by local US Attorneys’ offices
Criminal Prosecutions
Most cases have been against persons accessing records for personal gain (e.g., identity theft, selling PHI to the media, filing false Medicare claims)
However, five prosecutions were brought against people who accessed PHI without a motive for personal gain
Examples of Criminal Violations
Employee at UCLA who accessed medical records of celebrities out of curiosity
– Paid $2,000 and spent 4 months in prison
Doctor in Arkansas pled guilty to a HIPAA violation after logging in to the medical record of a murdered news anchor
– Paid $5,000 and was sentenced to 50 hours of community service educating professionals on HIPAA
A nurse who accessed a patient’s records, without authorization, at the request of a psychologist evaluating the patient’s fitness to have custody,
State AG Enforcement Authority
State Attorneys General can bring civil actions on behalf of state residents for HIPAA violations (as well as state law claims)
– Can obtain damages in the amount of up to $25,000 per year for all violations of an identical requirement
– Can enjoin further violations
– Can recover attorneys’ fees
OCR has provided HIPAA Enforcement Training to SAGs and their staffs
SAG Actions by Conn. & Vermont
HealthNet lost a hard drive containing more than 500,000 individuals’ records, including clinical data and social security numbers
Paid $250,000, with the possibility of another $500,000 if it is determined that the information is accessed and used illegally
– Settlement noted that HealthNet had spent $7 million investigating and had not found evidence that the data had been accessed
OCR Compliance Audits
The HITECH Act requires compliance audits
OCR awarded a $9.2 million contract to KPMG to develop and implement the audits
– Developed audit protocols
– Will conduct 20 pilot audits and revise the protocols
– Will be followed by up to 130 on-site audits, likely to be completed by the end of 2012
OCR Compliance Audits
OCR is targeting a wide range of covered entities for initial audits (and later BAs)
Letters to be sent announcing the audit and requesting policies and compliance records
Site visits to last from 3 to 10 days
Audited entity will have an opportunity to comment on draft results before they are finalized
OCR will not make the audit results public in a way that will identify the audited entities
Additional Requirements Imposed by HITECH Act
Breach Notification
– Breach Notification Interim Final Rule (8/24/09)
– Guidance on Unsecured PHI (4/17/09)
Modifications to Security, Privacy, and Enforcement Rules
– Proposed Rule (7/14/10)
– Omnibus Final Rule pending (to include breach notification and security, privacy, and enforcement)
Accounting for Disclosures
– Proposed Rule (5/31/2011)
– Final Rule pending
Enforcement Final Rule (10/29/09)
Minimum Necessary rule/guidance pending
Additional HITECH Act Requirements
Breach notification requirements
Enforcement of HIPAA privacy and security compliance on downstream entities
– Business Associates (BAs) (including subcontractors), Health Information Organizations, E-Prescribing Gateways, other persons that provide data transmission services, and Personal Health Record vendors if the service is provided for a Covered Entity (CE)
– Expanded definition of “workforce member” to include volunteers, trainees, and others
Restrictions on uses of PHI
– Restrictions on marketing and fundraising; prohibitions on sale of PHI
– Minimum necessary requirements
Additional HITECH Act Requirements
Expansion of individual rights
– Access to and Accounting for Disclosures of PHI in Electronic Health Records (EHRs)
– Enhancements to Notice of Privacy Practices
– Health Plan disclosure restrictions
– Access to PHI of decedents
Research
– Compound authorizations
– Authorizations for future research
Liability for BAs Under HITECH
Pre-HITECH
– Requirements for Business Associate Agreement (BAA) defined in regulation
– BAAs imposed contractual liability on BAs for meeting the requirements set forth
– CE was liable for its own acts and for the acts of its BAs who met the federal common law definition of an “agent”, unless the requirements for a BAA were met, the CE did not know of a pattern or practice of the BA violating the agreement, and the CE did not fail to act as required by HIPAA in response to the violation
Liability for BAs Under HITECH
Post-HITECH: New Framework for Liability
– BAs are directly liable for violations of HIPAA and HITECH, even if the entities failed to enter into a BAA
Defines subcontractors of BAs as “Business Associates”
“Subcontractors” are those persons who perform functions for or provide services to a Business Associate other than in the capacity of a workforce member
Additional Privacy & Security Requirements for Business Associates
Directly subject to certain Privacy Rules
– Disclose PHI to HHS for compliance purposes
– Disclose PHI in electronic format for access to PHI
– Provide accounting for disclosures in Electronic Health Record (EHR)
– Comply with minimum necessary standard
– Take reasonable steps to cure a material breach of subcontractor
Directly subject to Security Rule
– Implement administrative, physical, and technical safeguards, and meet policy and documentation requirements
Expanded Requirements for Business Associate Agreements
Proposed Rule requires the following provisions for BAs be incorporated into the BAA
– Compliance with 45 C.F.R. 164.308, 164.310, 164.312, and 164.316 of the Security Rule with regard to e-PHI
– Report Breaches of Unsecured PHI to CEs
– Ensure that any subcontractors that create or receive PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA with respect to such information
Liability for Agents Under HITECH
Proposed Rule imputes liability to CEs for violations by BAs if an agency relationship exists
– Also imputes liability to BAs for violations by subcontractors
Agency relationship defined under federal common law of agency (fact-specific)
Removes any exception to vicarious liability for violations of an agent
Implications for Business Associate Agreements
Increased emphasis on issues relevant to indemnification
– Costs and expenses associated with breach notification and mitigation of harm
– Responsibility for/involvement with risk assessment and breach notification
– Limits on liability
– Determination of whether “agency relationship” exists that imputes liability to CE or BA
Implications for Business Associate Agreements
Related issues
– Damages arising from civil actions brought by State Attorneys General for HIPAA violations
– Costs and expenses associated with investigations of HIPAA violations, criminal conduct, etc.
– Other damages associated with breach
Compliance
Ambiguities Regarding Compliance
– HITECH changes (including requirements for BAs) in Subtitle D generally effective February 1, 2010
– Proposed Rule provides for a compliance date of 180 days after the effective date of the Final Rule
– Transition provision would grandfather existing BAAs for up to one year beyond the compliance date of the Final Rule, if the BAAs are not modified between the effective date and the compliance date of the Final Rule
– Final Rule still pending
Compliance
CEs
– Review of service agreements with third parties
– Negotiation of liability issues
BAs
– Implementation of BAAs with subcontractors
– Compliance with Security Rule
  Gap assessment
  Written HIPAA Security Plan that addresses the required and addressable implementation standards for administrative, technical, and physical safeguards
HIPAA Restrictions on Marketing
Previous HIPAA framework for marketing
– Authorization required to use or disclose Protected Health Information for marketing
– Marketing means
  A communication about a product or service that encourages recipients of the communication to purchase or use the product or service (with certain exceptions), or
  An arrangement whereby the Covered Entity discloses Protected Health Information to a third party for marketing in exchange for direct or indirect remuneration
Marketing communications allowed without authorization if
– Face-to-face communication
– Promotional gifts of nominal value to the individual
HIPAA Restrictions on Marketing
Pre-HITECH Did Not Include as Marketing
– Health care operations communications to describe a health-related product or service that is provided by, or included in a plan of benefits of, the CE making the communication; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits
– Communications for case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual
– Communications for the treatment of the individual
– Even if indirect or direct payment from a third party was involved
HITECH Revised Framework for Marketing
Limits Cross-promoting Products or Services of Other Entities Without Individual’s Authorization
– Certain health care operations communications permitted without authorization, but only if no financial remuneration is received in exchange for making the communication
Defines Financial Remuneration as
– Direct or indirect payment from or on behalf of a third party whose product or service is being described.
– Does not include any payment for treatment of an individual.
HITECH Revised Framework for Marketing
Permits individuals to opt out of treatment communications (including case management and care coordination) if remuneration is received in exchange for making the communication
– Requires that the Notice of Privacy Practices inform individuals about the remuneration and provide them the right to opt out of receiving further communications; and
– The treatment communication must also disclose the remuneration and provide a clear and conspicuous opportunity to opt out of further communications.
Permits communications to provide prescription refill reminders or about a currently prescribed drug, provided the amount of the remuneration to the CE is reasonably related to the CE’s cost in making the communication
HITECH Revised Framework for Marketing
HITECH clarifies prohibition on sale of PHI
– CE or BA may not receive “direct or indirect” remuneration in exchange for disclosure of PHI, unless a valid authorization is provided (with certain specified exceptions, e.g., treatment, payment, public health, research, sale/transfer/merger/consolidation of the CE, to or by a BA on behalf of the CE, to an individual, required by law, or for copies of PHI)
Proposed Rule requires that the individual authorization state that the disclosure will result in financial remuneration to the CE
HITECH Revisions to Fundraising
Individuals have right to opt out
– Proposed Rule requires that a CE provide, with each fundraising communication, a clear and conspicuous opportunity to opt out of receiving future fundraising communications
– No undue burden on individual
– CE cannot condition treatment or payment on an individual’s choice to receive or not to receive fundraising communications
– When an individual has opted out of receiving fundraising communications, CE may not send such information to them (reasonable efforts are insufficient)
– Must include information about fundraising communications in Notice of Privacy Practices
Compliance Issues
– Review of relationships involving potential marketing of products or services of third parties
– Determination of whether financial remuneration is involved in communications
– Revisions of Notice of Privacy Practices, to the extent that financial remuneration is received for communications or for fundraising communications
– Implementation of opt-out requirements
– Effective date of compliance, given that the final rule has not yet been issued
More to Come
Definition of “subcontractor” of Business Associate
Amount of payment allowable for communications about drugs, scope of exception to marketing
Scope of opt-out for treatment communications and fundraising
Exceptions to sale of PHI
Whether/how to allow targeted fundraising campaigns by CEs
Contact Information
Leeann Habte
[email protected] 213-972-4500
R. Michael Scarano, Jr.
[email protected] 858-847-6712