The Final HIPAA Regulations are Now in Effect—Are You in Compliance?
Richard D. Dvorak, JD, Partner, Tomes & Dvorak, Chartered, Vice President of EMR Legal, Inc. and Veterans Press, Inc., Overland Park, KS
CE Credit in Five Easy Steps!
1. Scan your badge as you enter each session.
2. Carry your Evaluation Packet to every session so you can add session evaluation forms to it.
3. Track your hours on the “Statement of Session Attendance Form” as you go.
4. At your last session, total the hours and sign both pages of your Statement of Session Attendance Form. Keep the PINK copy for your records. Put the YELLOW and WHITE copies in your Evaluation Packet. Make sure a completed Session Evaluation Form is in your Evaluation Packet for each session you attended.
• Missing one? Extras are in a file near Registration.
5. Complete the General Attendance Evaluation Form located in this Evaluation Packet—and place it back in this envelope. Write your name on the outside of this Evaluation Packet envelope, seal it, and drop it in the box near Registration.
Applying for Pharmacy CPE? If you have not yet registered for an NABP e‐Profile ID, please visit www.MyCPEmonitor.net to do so before submitting your packet. You must enter your NABP e‐Profile ID in order to receive CE credit this year!
© 2014 Richard D. Dvorak & EMR Legal 2
Disclosure Slide
The speaker is an attorney specializing in health law. Conflict of interest was resolved by peer review of this presentation.
Clinical trials and off‐label/investigational uses will not be discussed during this presentation.
OBJECTIVES
1. Explain the most recent changes to HIPAA that came into effect in 2013, and the implications for organizations not in compliance.
2. Explain the Privacy Rule as it relates to refill reminder and other communications about drugs or biologics.
3. Review strategies for assessing gaps in your organization’s HIPAA compliance.
4. List and describe the areas that must be addressed in your corrective plan of action.
ROAD MAP
• Brief overview of the regulatory history
• Explain what it is these regulations really require of you.
• Explain how these regulations are being enforced.
• Explain how to be audit ready and how to avoid civil money punishments.
REGULATORY HISTORY
HIPAA 1996
HIPAA DEFINED
Health care providers including pharmacies must maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of protected health information (PHI).
• Administrative
• Technical
• Physical
HIPAA DEFINED
• Business Associates (B/A) – Now are effectively Covered Entities.
– Billing service, transcription service, copy service, medical marketing service, are but a few examples
• Covered Entity can now be liable for what your Business Associates do (or fail to do).
• Common Law Principles of Agency Law
• “Down-stream” Business Associates
B/A LIABILITY
• Department of Health and Human Services (DHHS), an analysis re: scope of agency –
– (1) time, place and purpose of a Business Associate agent’s conduct
– (2) whether a Business Associate agent engaged in a course of conduct subject to a Covered Entity’s control
– (3) whether a Business Associate agent’s conduct is commonly done by a business associate to accomplish the service performed on behalf of a Covered Entity
– (4) whether the Covered Entity reasonably expected that a Business Associate agent would engage in the conduct in question.
ENFORCEMENT
• Organizational commitment to privacy and security
• Ensure compliance by the organization’s officers and employees
CRIMINAL PENALTIES
HIPAA Violation
CRIMINAL PENALTIES
• Knowingly obtains or discloses:
– $50,000 fine and imprisonment for one year
• Same done under false pretenses:
– $100,000 fine and imprisonment for five years
• Same done with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm:
– A maximum fine of $250,000 and/or up to 10 years’ imprisonment
CONVICTIONS – BE ON GUARD!
• Gibson (identity theft): 14 months
• Ramirez (sale of medical records): 6 months
• Machado & Ferrer (identity theft): Machado: six months’ home confinement + three years’ probation. Ferrer: 87 months
• Howell, Meckenstock, Stevenson (identity theft) for $7mm of false Medicare claims:
– Howell: 14 months
– Meckenstock: 119 months
– Stevenson: 168 months
CONVICTIONS – BE ON GUARD!
• Smith (disclosure for personal gain): 2 years’ probation
• Miami Palmetto theft ring (identity theft):
– Medical records employee: 2 years; accomplice: 11 months
• Doctor + 2 hospital employees in AR (accessing murder victim’s chart):
– Each: 1 year of probation and community service
CONVICTIONS – BE ON GUARD!
• Insurance claims clerk and Johns Hopkins patient services worker (identity theft): 5 years’ confinement, plus $200,000 restitution
• Huping Zhou—UCLA Health System doctor (accessed celebrity charts): 4 months’ imprisonment
• Isaac Earl Smith (identity theft—accessed PHI of United Healthcare to obtain prescription drugs): 6 years plus 2 years supervised release
• Matthew Brown—fake doctor in Georgia who used health information to fraudulently treat patients: Pled guilty to 16 counts of health care fraud, as well as one count of wrongful disclosure of individually identifiable health information in criminal violation of HIPAA, sentenced to five years and 10 months in prison, to be followed by three years of supervised release, and ordered to pay restitution totaling $1,063,004
• Helene Michel—12 years for stealing long-term care records and using them to commit identity theft
CONVICTIONS – BE ON GUARD!
• U.S. v. Salko – Middle District of Pennsylvania – On June 30, 2009, made false representations of material facts in a July 17, 2005 progress note by falsely representing that he was authorized to obtain the medical records of another elderly Medicare patient.
• U.S. v. Pepala – Western District of PA – September 2010 – According to the indictment, in February 2008, Pepala, then employed at UPMC Shadyside Hospital, used information to file false tax returns in 2008. The law provides for a maximum total sentence of 80 years in prison, a fine of $4,730,000, or both.
• U.S. v. Cipolla – Buffalo, N.Y. – September 2011. Recovered medical records that were abandoned in a dumpster in Cheektowaga, NY on June 2, 2010. The records belonged to Avalon Centers Inc., a former eating disorder clinic, and Cipolla obtained the records in the hopes of re-opening the clinic.
CONVICTIONS – BE ON GUARD!
• U.S. v. Smith and Poole-Moore – Northern District of AL – accessed the information of individuals who had a FSA administered by United Healthcare Inc. and a prescription drug plan sponsored by the Federal Employees Health Benefit Plan (FEHBP) to create counterfeit prescriptions in order to illegally obtain controlled substances and then sell them to third parties.
• U.S. v. Charette – Las Vegas, NV – May 4, 2011 - Conspired with the manager of the trauma resuscitation department to obtain “facesheets” in order to solicit the patients for legal and medical referrals. Charette paid the trauma resuscitation department manager for each patient who retained a personal injury attorney or chiropractor chosen by Charette.
WHO CAN BE PROSECUTED?
• Department of Justice Memorandum:
– Depending on the facts certain Directors (i.e. Owners), Officers, and Key Employees may be criminally liable in accordance with the general principles of corporate criminal liability.
EXPANDED JURISDICTION
• CLARIFICATION OF PERSONAL JURISDICTION FOR CRIMINAL PENALTIES CREATED BY HITECH:
• § 1177(a) of 42 U.S.C. 1320d-6(a) Amended by adding –
– “For purposes of the previous sentence, a “person” now includes an employee or other individual if the information is maintained by a covered entity and the individual obtained or disclosed such information without authorization.”
EXPANDED JURISDICTION
• Application of Civil and Criminal Penalties
– In the case of a Business Associate that violates any provision specified in the regulation, those penalties shall apply to the Business Associate, with respect to such violation, in the same manner such sections apply to a covered entity that violates such provision.
CIVIL MONEY PUNISHMENTS (CMPs)
On the Rise
Office of the Inspector General (OIG) AUDITS
• HITECH Act requires DHHS to conduct periodic audits of both Covered Entities and Business Associates.
• Before the Act, OIG could audit Covered Entities, but now OIG must audit.
• DHHS, in its audit program, has discovered that approximately one-third of providers’ and insurers’ non-compliance problems stemmed from lack of awareness of requirements facing them.
AUDIT PROTOCOL LIST
• 171 Audit Protocols
• Not all Protocols will apply to everyone
• Need the help of an expert to walk you through them one by one
• A good start for your Gap Analysis
OFFICE OF CIVIL RIGHTS (OCR)
• 77,277 complaints since enforcement began in April 2003.
• HITECH Act requires DHHS to investigate formally any complaints that are preliminarily determined to involve potential willful neglect.
• Penalties collected will be used to support the enforcement activities of OCR.
• Individuals whose PHI was the subject of an OCR enforcement action will get a percentage of any penalties.
WHAT’S MY EXPOSURE?
• $1,000 per violation for a violation due to “reasonable cause and not to willful neglect” with a maximum penalty of $100,000 in a calendar year
• $10,000 for each violation that was due to willful neglect and is corrected timely, also subject to a $250,000 maximum penalty in a calendar year
WHAT’S MY EXPOSURE?
• $50,000 for each violation if the violation is not corrected properly to a maximum penalty of $1,500,000 during a calendar year
– Note that DHHS cannot waive a penalty imposed for willful neglect.
WHAT’S MY EXPOSURE?
• CVS: $2.25mm—improper disposal PHI
• Rite Aid: $1mm—improper disposal PHI
• Providence Health: $100k—loss of laptops and media (i.e. no media controls or mobile device management (MDM))
• Management Services Organization: $35k—improper disclosure for marketing
• Massachusetts General: $1mm—not protecting records during off-site transport
WHAT’S MY EXPOSURE?
• Cignet Health: $4.3mm—privacy rights violation (denied access to records)
• UCLA Health System: $865k—improper monitoring of system activity thus allowing improper celebrity chart access
• Phoenix Cardiac Surgery: $100k—no risk analysis and deficient policies and training
• Hospice of North Idaho: $50k—same as above
• Alaska Medicaid: $1.7mm—same violations
WHAT’S MY EXPOSURE?
• Massachusetts Eye and Ear Infirmary: $1.5 million for same violations
• Affinity Health Plan, Inc.: $1.2mm for improper handling of copy machines, no Risk Analysis and poor P&Ps
• Idaho State University: $400,000 for leaving a server firewall down
WHAT’S MY EXPOSURE?
• WellPoint, Inc.: $1.7mm for poor P&Ps, sharing passwords, & no periodic review
• Shasta Regional Medical Center: $275k—improper disclosure of PHI and failure to sanction workforce members
CRITERIA FOR FINE AMOUNTS
• In determining the amount or scope of any penalty, assessment, or exclusion to be imposed, the Secretary shall take into account—
– (1) the nature of claims and the circumstances under which they were presented
– (2) the degree of culpability, history of prior offenses, and financial condition
– (3) such other matters as justice may require
FEDERAL TRADE COMMISSION
• Unfair and Deceptive Trade Practices
– CVS: “Nothing is more central to operations than protecting your PHI. We take the responsibility very seriously.” 2009 WL 1892185 (F.T.C.)
– Rite Aid: “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. Rite Aid would like to assure you that we respect and protect your privacy.” 2010 WL 3053863 (F.T.C.)
STATE ATTORNEYS GENERAL
• Before the HITECH Act: No federal private right of action—that is, no federal lawsuit
• Under HITECH Act, state attorneys general—
– May bring a HIPAA violation case in federal court
– May recover damages, attorney’s fees, and costs
• Connecticut AG v. Health Net of Ct.: $250,000
• Indiana AG v. Wellpoint, parent of BCBS
• MN AG v. Accretive Health, Inc.: $2.5 million (stolen, unencrypted laptop)
TORT LIABILITY
• State courts have recognized the regulations as the “Standard of Care” or the legal duty that you owe your patients.
• Actual damages
• Including claims for punitive damages
– A New York case resulted in $300k in exemplary damages. Randi A.J. v. Long Is. Surgi-Center 46 A.D.3d 74 (2007)
HITECH ACT
Health Information Technology for Economic and Clinical Health Act
• Three main components:
– Electronic medical records
– A few new rights for patients
– Enhanced enforcement
OMNIBUS RULE CHANGE
• Update privacy notice NLT 9/23/2013
• Update BA agreements NLT 9/23/2014
HOW DO I PROTECT MY ORGANIZATION?
• Comply with Privacy Rule
• Comply with the Security Rule
• Take advantage of DHHS Safe Harbors
• Obtain assistance in conducting a gap analysis
HOW DO I PROTECT MY ORGANIZATION?
• Conduct a gap analysis that is reviewed by an experienced professional.
• The review should include, at a minimum, a detailed written report that identifies your compliance strengths and weaknesses
GAP ANALYSIS
– The report should suggest specific compliance strategies to strengthen your compliance weaknesses, if any.
– After you have had the opportunity to review the report, then the professional should meet with you and your compliance committee, either in person or by phone, to discuss the report, its contents and the professional’s assessment and suggested strategies.
GAP ANALYSIS
• After completing the gap analysis, you should perform a risk assessment – sometimes also called a risk analysis.
– The key to cost-effective compliance
– And even more important with the final Security Rule!
– Now essential with the dramatic effects of the HITECH Act on HIPAA
– If you haven’t done a formal written risk analysis, any breach would result from willful neglect!
RISK ANALYSIS-ASSESSMENT (R/A)
• Besides being a required implementation specification in the Security Management Process Standard, a R/A is how you decide whether you must implement an addressable implementation specification.
• §164.308 requires a R/A to reduce risks and vulnerabilities to a reasonable & appropriate level to comply with §164.306(a).
RISK ANALYSIS-ASSESSMENT
• §164.530(c)(1) of the Privacy Rule requires covered entities to have reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
• You cannot select “appropriate safeguards” without first having performed a good risk analysis.
RISK ANALYSIS-ASSESSMENT
• There are different methodologies that can be used when performing a risk assessment.
• Just as with the gap analysis, professional assistance is available.
RISK ANALYSIS-ASSESSMENT
• The risk analysis result will identify security measures that you either will have in place or that you will need to put in place.
• Most common types of safeguards are written policies and procedures, technical solutions and some physical improvements.
• Professional guidance can produce a better end result, cost savings, time savings, and will also provide evidence of good due diligence.
RISK ANALYSIS-ASSESSMENT
• A methodology
– Assemble a good team
– Identify assets
– Determine what risks exist
– Evaluate the likelihood of the risks occurring and the harm if they do
– Select security measures to guard against those risks
– Periodically review, test and revise as appropriate
BREACH NOTIFICATION RULE
• Must report to DHHS all breaches.
• Must notify all individuals of a breach.
• ≥ 500 must report immediately to DHHS.
– i.e. NLT 60 days after you became aware.
• ≥ 500 from same area, then also to prominent local media.
• < 500 must report NLT February 28.
BREACH NOTIFICATION RULE
Definition of Breach
• Generally, an impermissible use or disclosure that compromises the security or privacy of the PHI.
• An impermissible use or disclosure of PHI is presumed to be a breach unless you can demonstrate that there is a low probability that the protected health information has been compromised.
BREACH NOTIFICATION RULE
To demonstrate a low probability of compromise, you must do a risk assessment of at least the following factors:
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
BREACH NOTIFICATION EXCEPTIONS
• Unintentional acquisition, access, or use of PHI by a workforce member if such acquisition, access, or use was made in good faith and within the scope of authority
• Inadvertent disclosure of PHI to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates
• Good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information
MARKETING v REFILL REMINDERS
• With limited exceptions, the Rule requires an individual’s written authorization before his or her protected health information can be used or disclosed to make a marketing communication to the individual.
• In general, marketing means to make a communication to an individual about a product or service that encourages the individual to purchase or use that product or service.
MARKETING vs REFILL REMINDERS
• Often, the lines between a marketing communication and a communication for a treatment or health care purpose unavoidably overlap, because a necessary part of providing treatment and health care services and benefits is to encourage or advise individuals to purchase or use certain health-related products or services.
MARKETING vs REFILL REMINDERS
• For this reason, the Privacy Rule includes important exceptions to what is considered marketing to ensure essential healthcare communications are not impeded.
• One important exception concerns communications about refill reminders and other communications about a drug or biologic currently being prescribed to the individual (“refill reminder exception”).
MARKETING vs REFILL REMINDERS
• Financial remuneration means payment to a covered entity (or business associate, if applicable) from or on behalf of a third party whose product or service is being described.
• Financial remuneration does not include non-financial or in-kind benefits.
MARKETING vs REFILL REMINDERS
• Two components to determining whether a communication falls within the refill reminder exception to marketing.
– The first is whether the communication is about a currently prescribed drug or biologic.
– The second is whether the communication involves financial remuneration and if it does, whether the financial remuneration is reasonably related to the covered entity’s cost of making the communication.
MARKETING v REFILL REMINDERS
• WITHIN EXCEPTION
– Refill reminders
– Communications about generic equivalents of a drug being prescribed
– Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days)
– Adherence communications encouraging individuals to take prescribed medicines as directed
– Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system
MARKETING v REFILL REMINDERS
• NOT WITHIN EXCEPTION
– Communications about specific new formulations of a currently prescribed medicine
– Communications about specific adjunctive drugs related to the currently prescribed medicine
– Communications encouraging an individual to switch from a prescribed medicine to an alternative medicine
MARKETING v REFILL REMINDERS
• Examples of Permitted Communications
– A pharmacy administers a medication adherence program that involves mailing refill reminders and adherence communications to patients about their currently prescribed drugs even though the pharmacy receives financial remuneration from the pharmaceutical manufacturers, provided the financial remuneration covers only the pharmacy’s reasonable direct and indirect costs associated with the program.
MARKETING v REFILL REMINDERS
• Examples of Permitted Communication
– A pharmacy mails its diabetic patients information concerning the diabetic pumps used to administer their insulin even though the pharmacy is paid by the manufacturer of the pumps, provided the payment covers only the reasonable direct and indirect costs associated with the communications.
– A pharmacy hires a BA to assist in administering a medication adherence program that involves mailing adherence communications to patients about their currently prescribed drugs, even though the BA is paid by the pharmaceutical manufacturers, provided the payment does not exceed the fair market value of the BA’s services.
MARKETING vs REFILL REMINDERS
• For more details about how the refill reminders and communications about currently prescribed drugs or biologics work, look at your course materials or go to www.veteranspress.com for a series of DHHS FAQs & Answers.
• Financial remuneration means payment to a covered entity (or business associate, if applicable) from or on behalf of a third party whose product or service is being described.
ENFORCEMENT RECAP
• Civil Torts
• FTC – Federal Trade Commission
• OCR – Office of Civil Rights
• DOJ – Department of Justice
• OIG – Office of Inspector General
• AG – State Attorney General
• OMG – O – My – Gosh
UNAVOIDABLE EMPLOYEE MISCONDUCT
• Must show that the organization—
– Established work rules to prevent safety violations
– Adequately informed employees of the rules
– Effectively enforced the rules upon discovering a violation
• These elements of the defense are consistent with our guidance:
– Screen your employees before giving them access
– Train them and retain training records (adequately inform them)
– Conduct a risk analysis and implement reasonable and appropriate security measures, including policies and procedures (establish work rules)
– Enforce your security measures and policies (effectively enforce the rules)
– Conduct compliance audits (effectively enforce the rules)
COMPLIANCE RECAP
1) Implement policies and procedures
2) Train employees
3) Take reasonable measures to assess compliance with your established policies and procedures
4) Employ a reasonable process for discovering and remedying risks to PHI
WHAT DO I DO NEXT?
• Gap Analysis
• Risk Analysis
• Comprehensive P&Ps
• Workforce training on the P&Ps
• Enforce, supervise, discover, & remediate
• Conduct internal audits for Privacy & Security Rule
QUESTIONS
[email protected]: 913‐951‐5505
Phone: 913‐385‐7990, ext. 305
Roundtables
TABLE # 02 Assessing Your Organization’s HIPAA Risks and Challenges