The Final HIPAA Regulations are Now in Effect—Are You in Compliance? Richard D. Dvorak, JD, Partner, Tomes & Dvorak, Chartered, Vice President of EMR Legal, Inc. and Veterans Press, Inc., Overland Park, KS


CE Credit in Five Easy Steps!

1. Scan your badge as you enter each session.
2. Carry your Evaluation Packet to every session so you can add session evaluation forms to it.
3. Track your hours on the “Statement of Session Attendance Form” as you go.
4. At your last session, total the hours and sign both pages of your Statement of Session Attendance Form. Keep the PINK copy for your records. Put the YELLOW and WHITE copies in your Evaluation Packet. Make sure a completed Session Evaluation Form is in your Evaluation Packet for each session you attended.
   • Missing one? Extras are in a file near Registration.
5. Complete the General Attendance Evaluation Form located in this Evaluation Packet—and place it back in this envelope. Write your name on the outside of this Evaluation Packet envelope, seal it, and drop it in the box near Registration.

Applying for Pharmacy CPE? If you have not yet registered for an NABP e‐Profile ID, please visit www.MyCPEmonitor.net to do so before submitting your packet. You must enter your NABP e‐Profile ID in order to receive CE credit this year!

© 2014 Richard D. Dvorak & EMR Legal 2

Disclosure Slide

The speaker is an attorney specializing in health law. Conflict of interest was resolved by peer review of this presentation.

Clinical trials and off‐label/investigational uses will not be discussed during this presentation. 


OBJECTIVES

1. Explain the most recent changes to HIPAA that came into effect in 2013, and the implications for organizations not in compliance.

2. Explain the Privacy Rule as it relates to refill reminder and other communications about drugs or biologics.

3. Review strategies for assessing gaps in your organization’s HIPAA compliance.

4. List and describe the areas that must be addressed in your corrective plan of action.


ROAD MAP

• Brief overview of the regulatory history
• Explain what it is these regulations really require of you.
• Explain how these regulations are being enforced.
• Explain how to be audit ready and how to avoid civil money punishments.


REGULATORY HISTORY

HIPAA 1996

HIPAA DEFINED

Health care providers including pharmacies must maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of protected health information (PHI).
• Administrative
• Technical
• Physical


HIPAA DEFINED

• Business Associates (B/A) – Now are effectively Covered Entities.
  – Billing service, transcription service, copy service, medical marketing service, are but a few examples
• Covered Entity can now be liable for what your Business Associates do (or fail to do).
• Common Law Principles of Agency Law
• “Down-stream” Business Associates


B/A LIABILITY

• Department of Health and Human Services (DHHS), an analysis re: scope of agency
  – (1) time, place and purpose of a Business Associate agent’s conduct
  – (2) whether a Business Associate agent engaged in a course of conduct subject to a Covered Entity’s control
  – (3) whether a Business Associate agent’s conduct is commonly done by a business associate to accomplish the service performed on behalf of a Covered Entity
  – (4) whether the Covered Entity reasonably expected that a Business Associate agent would engage in the conduct in question.


ENFORCEMENT

• Organizational commitment to privacy and security

• Ensure compliance by the organization’s officers and employees


CRIMINAL PENALTIES

HIPAA Violation

CRIMINAL PENALTIES

• Knowingly obtains or discloses:
  – $50,000 fine and imprisonment for one year
• Same done under false pretenses:
  – $100,000 fine and imprisonment for five years
• Same done with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm:
  – A maximum fine of $250,000 and/or up to 10 years’ imprisonment


CONVICTIONS – BE ON GUARD!

• Gibson (identity theft): 14 months
• Ramirez (sale of medical records): 6 months
• Machado & Ferrer (identity theft): Machado: six months’ home confinement + three years’ probation. Ferrer: 87 months
• Howell, Meckenstock, Stevenson (identity theft) for $7mm of false Medicare claims:
  – Howell: 14 months
  – Meckenstock: 119 months
  – Stevenson: 168 months


CONVICTIONS – BE ON GUARD!

• Smith (disclosure for personal gain): 2 years’ probation

• Miami Palmetto theft ring (identity theft):
  – Medical records employee: 2 years; accomplice: 11 months
• Doctor + 2 hospital employees in AR (accessing murder victim’s chart):
  – Each: 1 year of probation and community service


CONVICTIONS – BE ON GUARD!

• Insurance claims clerk and Johns Hopkins patient services worker (identity theft): 5 years’ confinement, plus $200,000 restitution

• Huping Zhou—UCLA Health System doctor (accessed celebrity charts): 4 months’ imprisonment

• Isaac Earl Smith (identity theft—accessed PHI of United Healthcare to obtain prescription drugs): 6 years plus 2 years supervised release

• Matthew Brown—fake doctor in Georgia who used health information to fraudulently treat patients: Pled guilty to 16 counts of health care fraud, as well as one count of wrongful disclosure of individually identifiable health information in criminal violation of HIPAA, sentenced to five years and 10 months in prison, to be followed by three years of supervised release, and ordered to pay restitution totaling $1,063,004

• Helene Michel—12 years for stealing long-term care records and using them to commit identity theft


CONVICTIONS – BE ON GUARD!

• U.S. v. Salko – Middle District of Pennsylvania – On June 30, 2009, made false representations of material facts in a July 17, 2005 progress note by falsely representing that he was authorized to obtain the medical records of another elderly Medicare patient.

• U.S. v. Pepala – Western District of PA – September 2010 – According to the indictment, in February 2008, Pepala, then employed at UPMC Shadyside Hospital, used information to file false tax returns in 2008. The law provides for a maximum total sentence of 80 years in prison, a fine of $4,730,000, or both.

• U.S. v. Cipolla - Buffalo, N.Y. September 2011. Recovered medical records that were abandoned in a dumpster in Cheektowaga, NY on June 2, 2010. The records belonged to Avalon Centers Inc., a former eating disorder clinic and Cipolla obtained the records in the hopes of re-opening the clinic.


CONVICTIONS – BE ON GUARD!

• U.S. v. Smith and Poole-Moore – Northern District of AL – accessed the information of individuals who had a FSA administered by United Healthcare Inc. and a prescription drug plan sponsored by the Federal Employees Health Benefit Plan (FEHBP) to create counterfeit prescriptions in order to illegally obtain controlled substances and then sell them to third parties.

• U.S. v. Charette – Las Vegas, NV – May 4, 2011 - Conspired with the manager of the trauma resuscitation department to obtain “facesheets” in order to solicit the patients for legal and medical referrals. Charette paid the trauma resuscitation department manager for each patient who retained a personal injury attorney or chiropractor chosen by Charette.


WHO CAN BE PROSECUTED?

• Department of Justice Memorandum:
  – Depending on the facts, certain Directors (i.e. Owners), Officers, and Key Employees may be criminally liable in accordance with the general principles of corporate criminal liability.


EXPANDED JURISDICTION

• CLARIFICATION OF PERSONAL JURISDICTION FOR CRIMINAL PENALTIES CREATED BY HITECH:
• § 1177(a) of 42 U.S.C. 1320d-6(a) amended by adding:
  – “For purposes of the previous sentence, a ‘person’ now includes an employee or other individual if the information is maintained by a covered entity and the individual obtained or disclosed such information without authorization.”


EXPANDED JURISDICTION

• Application of Civil and Criminal Penalties
  – In the case of a Business Associate that violates any provision specified in the regulation, those penalties shall apply to the Business Associate, with respect to such violation, in the same manner such sections apply to a covered entity that violates such provision.


CIVIL MONEY PUNISHMENTS (CMPs)

On the Rise

Office of the Inspector General (OIG) AUDITS

• HITECH Act requires DHHS to conduct periodic audits of both Covered Entities and Business Associates.

• Before the Act, OIG could audit Covered Entities, but now OIG must audit.

• DHHS, in its audit program, has discovered that approximately one-third of providers’ and insurers’ non-compliance problems stemmed from lack of awareness of requirements facing them.


AUDIT PROTOCOL LIST

• 171 Audit Protocols
• Not all Protocols will apply to everyone
• Need the help of an expert to walk you through them one by one
• A good start for your Gap Analysis


OFFICE OF CIVIL RIGHTS (OCR)

• 77,277 complaints since enforcement began in April 2003.
• HITECH Act requires DHHS to investigate formally any complaints that are preliminarily determined to involve potential willful neglect.

• Penalties collected will be used to support the enforcement activities of OCR.

• Individuals whose PHI was the subject of an OCR enforcement action will get a percentage of any penalties.


WHAT’S MY EXPOSURE?

• $1,000 per violation for a violation due to “reasonable cause and not to willful neglect” with a maximum penalty of $100,000 in a calendar year

• $10,000 for each violation that was due to willful neglect and is corrected timely, also subject to a $250,000 maximum penalty in a calendar year


WHAT’S MY EXPOSURE?

• $50,000 for each violation if the violation is not corrected properly to a maximum penalty of $1,500,000 during a calendar year

– Note that DHHS cannot waive a penalty imposed for willful neglect.


WHAT’S MY EXPOSURE?

• CVS: $2.25mm—improper disposal of PHI
• Rite Aid: $1mm—improper disposal of PHI
• Providence Health: $100k—loss of laptops and media (i.e. no media controls or mobile device management (MDM))

• Management Services Organization: $35k—improper disclosure for marketing

• Massachusetts General: $1mm—not protecting records during off-site transport


WHAT’S MY EXPOSURE?

• Cignet Health: $4.3mm—privacy rights violation (denied access to records)
• UCLA Health System: $865k—improper monitoring of system activity, thus allowing improper celebrity chart access

• Phoenix Cardiac Surgery: $100k—no risk analysis and deficient policies and training

• Hospice of North Idaho: $50k—same as above

• Alaska Medicaid: $1.7mm—same violations


WHAT’S MY EXPOSURE?

• Massachusetts Eye and Ear Infirmary: $1.5 million for same violations

• Affinity Health Plan, Inc.: $1.2mm for improper handling of copy machines, no Risk Analysis and poor P&Ps

• Idaho State University: $400,000 for leaving a server firewall down


WHAT’S MY EXPOSURE?

• WellPoint, Inc.: $1.7mm for poor P&Ps, sharing passwords, & no periodic review

• Shasta Regional Medical Center: $275k—improper disclosure of PHI and failure to sanction workforce members


CRITERIA FOR FINE AMOUNTS

• In determining the amount or scope of any penalty, assessment, or exclusion to be imposed, the Secretary shall take into account—
  – (1) the nature of claims and the circumstances under which they were presented
  – (2) the degree of culpability, history of prior offenses, and financial condition
  – (3) such other matters as justice may require


FEDERAL TRADE COMMISSION

• Unfair and Deceptive Trade Practices
  – CVS: “Nothing is more central to operations than protecting your PHI. We take the responsibility very seriously.” 2009 WL 1892185 (F.T.C.)
  – Rite Aid: “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. Rite Aid would like to assure you that we respect and protect your privacy.” 2010 WL 3053863 (F.T.C.)


STATE ATTORNEYS GENERAL

• Before the HITECH Act: No federal private right of action—that is, no federal lawsuit
• Under HITECH Act, state attorneys general—
  – May bring a HIPAA violation case in federal court
  – May recover damages, attorney’s fees, and costs
• Connecticut AG v. Health Net of Ct.: $250,000
• Indiana AG v. Wellpoint, parent of BCBS
• MN AG v. Accretive Health, Inc.: $2.5 million (stolen, unencrypted laptop)


TORT LIABILITY

• State courts have recognized the regulations as the “Standard of Care” or the legal duty that you owe your patients.

• Actual damages
• Including claims for punitive damages
  – A New York case resulted in $300k in exemplary damages. Randi A.J. v. Long Is. Surgi-Center 46 A.D.3d 74 (2007)


HITECH ACT

Health Information Technology for Economic and Clinical Health Act

• Three main components:
  – Electronic medical records
  – A few new rights for patients
  – Enhanced enforcement


OMNIBUS RULE CHANGE

• Update privacy notice NLT 9/23/2013

• Update BA agreements NLT 9/23/2014


HOW DO I PROTECT MY ORGANIZATION?

• Comply with the Privacy Rule
• Comply with the Security Rule
• Take advantage of DHHS Safe Harbors
• Obtain assistance in conducting a gap analysis


HOW DO I PROTECT MY ORGANIZATION?

• Conduct a gap analysis that is reviewed by an experienced professional.

• The review should include, at a minimum, a detailed written report that identifies your compliance strengths and weaknesses


GAP ANALYSIS

– The report should suggest specific compliance strategies to strengthen your compliance weaknesses, if any.

– After you have had the opportunity to review the report, then the professional should meet with you and your compliance committee, either in person or by phone, to discuss the report, its contents and the professional’s assessment and suggested strategies.


GAP ANALYSIS

• After completing the gap analysis, you should perform a risk assessment – sometimes also called a risk analysis.
  – The key to cost-effective compliance
  – And even more important with the final Security Rule!
  – Now essential with the dramatic effects of the HITECH Act on HIPAA
  – If you haven’t done a formal written risk analysis, any breach would result from willful neglect!


RISK ANALYSIS-ASSESSMENT (R/A)

• Besides being a required implementation specification in the Security Management Process Standard, a R/A is how you decide whether you must implement an addressable implementation specification.

• §164.308 requires a R/A to reduce risks and vulnerabilities to a reasonable & appropriate level to comply with §164.306(a).


RISK ANALYSIS-ASSESSMENT

• §164.530(c)(1) of the Privacy Rule requires covered entities to have reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

• You cannot select “appropriate safeguards” without first having performed a good risk analysis.


RISK ANALYSIS-ASSESSMENT

• There are different methodologies that can be used when performing a risk assessment.

• Just as with the gap analysis, professional assistance is available.


RISK ANALYSIS-ASSESSMENT

• The risk analysis result will identify security measures that you either will have in place or that you will need to put in place.

• Most common types of safeguards are written policies and procedures, technical solutions and some physical improvements.

• Professional guidance can produce a better end result, cost savings, time savings, and will also provide evidence of good due diligence.


RISK ANALYSIS-ASSESSMENT

• A methodology
  – Assemble a good team
  – Identify assets
  – Determine what risks exist
  – Evaluate the likelihood of the risks occurring and the harm if they do
  – Select security measures to guard against those risks
  – Periodically review, test and revise as appropriate


BREACH NOTIFICATION RULE

• Must report to DHHS all breaches.
• Must notify all individuals of a breach.
• ≥ 500 must report immediately to DHHS.
  – i.e. NLT 60 days after you became aware.
• ≥ 500 from same area, then also to prominent local media.
• < 500 must report NLT February 28.


BREACH NOTIFICATION RULE

Definition of Breach
• Generally, an impermissible use or disclosure that compromises the security or privacy of the PHI.

• An impermissible use or disclosure of PHI is presumed to be a breach unless you can demonstrate that there is a low probability that the protected health information has been compromised.


BREACH NOTIFICATION RULE

To demonstrate a low probability of compromise, you must do a risk assessment of at least the following factors:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

2. The unauthorized person who used the PHI or to whom the disclosure was made

3. Whether the PHI was actually acquired or viewed

4. The extent to which the risk to the PHI has been mitigated


BREACH NOTIFICATION EXCEPTIONS

• Unintentional acquisition, access, or use of PHI by a workforce member if such acquisition, access, or use was made in good faith and within the scope of authority

• Inadvertent disclosure of PHI to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates

• Good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information


MARKETING v REFILL REMINDERS

• With limited exceptions, the Rule requires an individual’s written authorization before his or her protected health information can be used or disclosed to make a marketing communication to the individual.

• In general, marketing means to make a communication to an individual about a product or service that encourages the individual to purchase or use that product or service.


MARKETING vs REFILL REMINDERS

• Often, the lines between a marketing communication and a communication for a treatment or health care purpose unavoidably overlap, because a necessary part of providing treatment and health care services and benefits is to encourage or advise individuals to purchase or use certain health-related products or services.


MARKETING vs REFILL REMINDERS

• For this reason, the Privacy Rule includes important exceptions to what is considered marketing to ensure essential healthcare communications are not impeded.

• One important exception concerns communications about refill reminders and other communications about a drug or biologic currently being prescribed to the individual (“refill reminder exception”).


MARKETING vs REFILL REMINDERS

• Financial remuneration means payment to a covered entity (or business associate, if applicable) from or on behalf of a third party whose product or service is being described.

• Financial remuneration does not include non-financial or in-kind benefits.


MARKETING vs REFILL REMINDERS

• Two components to determining whether a communication falls within the refill reminder exception to marketing.
  – The first is whether the communication is about a currently prescribed drug or biologic.
  – The second is whether the communication involves financial remuneration and, if it does, whether the financial remuneration is reasonably related to the covered entity’s cost of making the communication.


MARKETING v REFILL REMINDERS

• WITHIN EXCEPTION
– Refill reminders
– Communications about generic equivalents of a drug being prescribed
– Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days)
– Adherence communications encouraging individuals to take prescribed medicines as directed
– Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system


MARKETING v REFILL REMINDERS

• NOT WITHIN EXCEPTION
– Communications about specific new formulations of a currently prescribed medicine
– Communications about specific adjunctive drugs related to the currently prescribed medicine
– Communications encouraging an individual to switch from a prescribed medicine to an alternative medicine


MARKETING v REFILL REMINDERS

• Examples of Permitted Communications
– A pharmacy administers a medication adherence program that involves mailing refill reminders and adherence communications to patients about their currently prescribed drugs, even though the pharmacy receives financial remuneration from the pharmaceutical manufacturers, provided the financial remuneration covers only the pharmacy’s reasonable direct and indirect costs associated with the program.


MARKETING v REFILL REMINDERS

• Examples of Permitted Communications
– A pharmacy mails its diabetic patients information concerning the diabetic pumps used to administer their insulin, even though the pharmacy is paid by the manufacturer of the pumps, provided the payment covers only the reasonable direct and indirect costs associated with the communications.
– A pharmacy hires a BA to assist in administering a medication adherence program that involves mailing adherence communications to patients about their currently prescribed drugs, even though the BA is paid by the pharmaceutical manufacturers, provided the payment does not exceed the fair market value of the BA’s services.


MARKETING vs REFILL REMINDERS

• For more details about how the refill reminders and communications about currently prescribed drugs or biologics work, look at your course materials or go to www.veteranspress.com for a series of DHHS FAQs & Answers.

• Financial remuneration means payment to a covered entity (or business associate, if applicable) from or on behalf of a third party whose product or service is being described.


ENFORCEMENT RECAP

• Civil Torts
• FTC – Federal Trade Commission
• OCR – Office of Civil Rights
• DOJ – Department of Justice
• OIG – Office of the Attorney General
• AG – State Attorney General
• OMG – O – My – Gosh


UNAVOIDABLE EMPLOYEE MISCONDUCT

• Must show that the organization:
– Established work rules to prevent safety violations
– Adequately informed employees of the rules
– Effectively enforced the rules upon discovering a violation

• These elements of the defense are consistent with our guidance:
– Screen your employees before giving them access
– Train them and retain training records (adequately inform them)
– Conduct a risk analysis and implement reasonable and appropriate security measures, including policies and procedures (establish work rules)
– Enforce your security measures and policies (effectively enforce the rules)
– Conduct compliance audits (effectively enforce the rules)


COMPLIANCE RECAP

1) Implement policies and procedures
2) Train employees
3) Take reasonable measures to assess compliance with your established policies and procedures
4) Employ a reasonable process for discovering and remedying risks to PHI


WHAT DO I DO NEXT?

• Gap Analysis
• Risk Analysis
• Comprehensive P&Ps
• Workforce training on the P&Ps
• Enforce, supervise, discover, & remediate
• Conduct internal audits for Privacy & Security Rule


QUESTIONS

[email protected]: 913‐951‐5505

Phone: 913‐385‐7990, ext. 305

Roundtables
TABLE # 02 Assessing Your Organization’s HIPAA Risks and Challenges
