HIPAA © HIPAA Solutions, LC 2007 HIPAA Enforcement Risks Rising For Healthcare In 2007 Presented by Peter MacKoul, J.D.

Page 1:

HIPAA

© HIPAA Solutions, LC 2007

HIPAA Enforcement Risks Rising For Healthcare In 2007

Presented by

Peter MacKoul, J.D.

Page 2:

Agenda

Introduction

HIPAA Evolution

HIPAA Environment

Regulations

Misconceptions

Court Rulings

Current Enforcement Environment

OIG Audits At Piedmont Hospital - Federal Audits

Cleveland Clinic – Criminal Conviction

Herman v. Kratch – Civil Action

Sorensen v. Barbuto – Civil Action

Acosta v. Byrum – Civil Action

Northwestern Memorial Hospital v. John Ashcroft AG of US – Public Records

State AG’s Create Enforcement Departments

Legislative & Agency Environment

Page 3:

Introduction

Peter MacKoul, Esq. is an attorney and technical analyst with over 15 years of legal and technical consulting experience in both public and private sectors for major organizations including Blue Cross, IBM, Nextel, General Dynamics, educational institutions and local government. His legal background includes criminal and civil law.

His expertise includes the areas of HIPAA, IT development, Internet law, healthcare issues and handicapped access to technology involving law, technology, privacy, and security. He served as a subject matter expert on HIPAA Privacy and Security in Texas for the Governor’s Health Information Technology Advisory Committee (HITAC) which created recommendations on healthcare IT issues related to privacy and security, including Regional Health Information Organizations (RHIO’s).

Mr. MacKoul has published articles on HIPAA, created compliance training resources, and has been a featured speaker on issues of privacy and security for regional IT security conferences (TRISC), the Texas Healthcare Association (THA) and major technology events. He has also been referenced in technology publications such as ComputerWorld on HIPAA and privacy.

Page 4:

HIPAA Statutes Focused On Protection Of Patient Privacy

Chaos In Early Compliance Environment

Technology Advances Are Outstripping Business Processes

Healthcare Efficiency Pushing Technology / EMR’s

Identity Theft, Fraud, Homeland Security Raising Awareness of Security and Privacy Issues

In a report last year, the World Privacy Forum found that the number of Americans identifying themselves in government documents as victims of medical identity theft had nearly tripled in just four years, to more than a quarter-million in 2005. NBC News April 2007

HIPAA Evolution

Page 5:

Privacy Is At The Heart Of HIPAA

Security Compliance Cannot Be Achieved Without Addressing Privacy Issues First

HIPAA Environment - Regulations

Page 6:

HIPAA Compliance Is Voluntary

Only Class Action Litigation Is Allowed

Only Healthcare Providers Are Affected

State Laws Can Supersede HIPAA

HIPAA Will Ultimately Go Away

The Feds Are Not Enforcing HIPAA

It’s Not Necessary to Conduct Thorough Remediation

HIPAA Environment - Misconceptions

Page 7:

US Attorneys

District Courts

Appellate Courts

Federal Courts

Regulatory Agencies

HIPAA Environment – Court Rulings

Page 8:

March 8, 2007, issue of MEDICARE ADVANTAGE NEWS

In a surprise move, OIG on March 5 began the first audit of a provider's compliance with the HIPAA security regulation. The target: Piedmont Hospital in Atlanta.

Auditors are expected to stay at the hospital three to four weeks and then forward their findings to CMS, which enforces the security rule.

This is the government's first systematic hands-on examination of compliance with any HIPAA regulation.

Enforcement – OIG Audits

Page 9:

March 8, 2007, issue of MEDICARE ADVANTAGE NEWS

An OIG spokeswoman says, "We can't answer questions about ongoing work. The number of audits to do has yet to be determined."

OIG auditors plan to audit Piedmont's administrative, physical and technical safeguards — the core requirements under the security regulation.

This will include the hospital's policies and procedures relating to access to electronic protected health information (e-PHI); the risk assessment relative to e-PHI; electronically transmitting e-PHI; preventing, detecting, containing and correcting security violations; monitoring systems; remote access; wireless security; anti-virus mechanisms; firewalls; and other e-PHI security requirements.

Enforcement – OIG Audits

Page 10:

Former Hospital Employee and Co-Conspirator Sentenced to Prison for Medicare Fraud and Identity Theft In Ft. Lauderdale

. . . Machado was employed at the Cleveland Clinic when she and her cousin Ferrer stole the personal information of Cleveland Clinic and MHA patients. That information included, among other things, the patients' names, dates of birth, Social Security numbers, Medicare numbers and addresses.

Enforcement – Cleveland Clinic Criminal

Page 11:

Civil action against a clinic for the “unauthorized disclosure of medical information,” “invasion of privacy,” and the “intentional infliction of emotional distress after clinic sent patient's personal medical records to her employer.” - Herman v. Kratch, 2006 WL 3240680 (Ohio App. 8 Dist.)

Enforcement – Herman v. Kratch - Civil

Page 12:

The Appellate Court found in the “unauthorized disclosure action” that the “clinic was liable for its unauthorized disclosure of patient's medical records;” and with regard to the Invasion of Privacy tort, “triable fact existed as to whether clinic's unauthorized disclosure of patient's medical records was the type of act that would cause a person of ordinary sensibilities outrage, mental suffering, shame, or humiliation.” Herman v. Kratch, 2006 WL 3240680 (Ohio App. 8 Dist.)

Enforcement – Herman v. Kratch - Civil

Page 13:

The court stated: “while the document authorizes the Clinic to release plaintiff's medical information for purposes of payment, that is not what occurred here.

The Clinic does not dispute that plaintiff's bills should have been sent to United Healthcare for payment, not Nestle. There is nothing in the Clinic's [HIPAA] notice document that authorized the release of plaintiff's medical information to the wrong payor, whether accidentally or not.”

Enforcement – Herman v. Kratch - Civil

Page 14:

Many HIPAA cases are used by courts in other jurisdictions to decide cases in front of them. Good examples of this are Sorensen v. Barbuto and Acosta v. Byrum.

The Sorensen case (handed down from the Appellate Court in Utah) appears to be the first case enabling a plaintiff to use HIPAA as a standard of care to bring a private cause of action involving the “intentional infliction of emotional distress.”

Enforcement – Sorensen v. Barbuto - Civil

Page 15:

This case provides a legal method enabling plaintiffs’ attorneys to utilize HIPAA as a “standard of care” to bring an individual action using HIPAA privacy regulations and standards, instead of attempting to bring an individual lawsuit directly under HIPAA itself, which is not permitted.

“. . . This allegation does not state a cause of action under HIPAA. Rather, plaintiff cites to HIPAA as evidence of the appropriate standard of care, a necessary element of negligence. . .” Acosta v. Byrum, 638 S.E.2d 246, 2006

Enforcement – Acosta v. Byrum - Civil

Page 16:

Northwestern Memorial Hospital v. John Ashcroft, Attorney General of United States

The Northwestern case involved the potential of having de-identified medical records involving partial birth abortions “made a part of the trial record in New York,” thus available to “skillful Googlers,” as characterized by the court.

Enforcement – Northwest Case – Public Records

Page 17:

Northwestern Memorial Hospital v. John Ashcroft, Attorney General of United States

The court elaborated on this Internet issue, before ruling that the Attorney General of United States could not access and use these records, let alone have them available to web surfers. . . .

This ruling is highly significant in that it interprets the HIPAA Privacy rule covering de-identification as not sufficient to protect an organization that follows the rules in a partial birth abortion case. Northwestern Memorial Hospital v. Ashcroft, 362 F. 3d. 923 at 929.

Enforcement – Northwest Case – Public Records

Page 18:

HIPAA Enforcement Swings from Voluntary Compliance to Punishment for Violation of Privacy and Security Laws as States Join Federal Enforcement Under Federal Mandate

(PRWeb) November 28, 2006 -- Congress passed the 2006 False Claims Act. States are ordered to actively investigate and prosecute both providers as well as business associates effective January 1, 2007. States are required to create a False Claims Division and keep the overwhelming majority of fines recovered.

Enforcement – State AG’s Create Enforcement

Page 19:

Since voluntary compliance has been ignored by many providers for years, the Federal Government has examined how to make physical and electronic compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) a reality. Whistleblowers will be awarded 15% of fines.

Enforcement – State AG’s Create Enforcement

Page 20:

HHS Delegates HIPAA Subpoena Authority To OCR

. . . . Notice is hereby given that I have delegated to the Director of the Office for Civil Rights the following authority vested in the Secretary of Health and Human Services.

Subpoenas for the Health Insurance Portability and Accountability Act of 1996: Authority under Section 205(d) of the Social Security Act (42 U.S.C. 405(d)), with authority to redelegate, to issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence . . . . Michael O. Leavitt, Secretary. [FR Doc. 07–1872 Filed 4–13–07; 8:45 am] . . .

Legislative & Agencies

Page 21:

GAO blasts HHS on IT, privacy

January 2007

GAO recommends that HHS define and implement an overall privacy approach that identifies milestones for integrating the outcomes of its initiatives, ensures that key privacy principles are fully addressed, and addresses challenges associated with the nationwide exchange of health information.

Legislative & Agencies

Page 22:

Summary

Health Care Privacy & HIPAA Are Here To Stay

Courts & Prosecutors Are Using HIPAA

Privacy Compliance MUST Be A First Step In Security

Technology Is Not A Replacement For Sound Business Processes

Peter MacKoul, J.D.

HIPAA Solutions, [email protected] Free: 877-779-3004