Add to collection(s) Add to saved
  1. Science
  2. Health Science

2012 Christiansen IT Law

advertisement 
HIPAA and HITECH:
An Update on the
New Enforcement Rules
Washington State Bar Association
Critical Issues in Health Care
June 14, 2012
© 2012 Christiansen IT Law
Presenter CV
John R. Christiansen, J.D. - Christiansen IT Law
Information Technology Law: Privacy, Security, Compliance
Contracting, and Risk Management & Due Diligence
•
Chair, ABA HITECH Megarule Task Force (2012 – present); Business Associates Task Force
(2009 – 2012); Committees on Healthcare Privacy, Security and Information Technology (2004
– 06); on Healthcare Informatics (2000 – 04); and PKI Assessment Guidelines Health
Information Protection and Security Task Group (2000 – 2003)
•
Special Assistant to Washington State Health Care Authority/HITECH and HIPAA; USDHHS Office
of Coordinator for Health Information Technology; Technical Advisor, State Health Policy
Consortium (2010 – present) and Health Information Security and Privacy Collaboration
(2005 – 2009)
•
Publications include State and Federal Consent Laws Affecting Health Information Exchange
(Nat’l Governors Association 2011); Policy Solutions for Advancing Interstate Health
Information Exchange (Nat’l Governors Association 2009); Legal Speed Bumps on the Road to
Health Information Exchange, Journal of Health and Bioscience Law (2008); An Integrated
Standard of Care for Healthcare Information Security (2005); etc.
June 14, 2012
© 2012 Christiansen IT Law
2
Our Agenda
•
•
•
•
HITECH Update
Criminal Penalties
Civil Enforcement Procedures
Civil Monetary Penalties
June 14, 2012
© 2012 Christiansen IT Law
3
HITECH Update
• HIPAA – the Health Insurance Portability and Accountability Act of
1996
– Privacy Rule
– Security Rule
– Transactions Rule
– Enforcement and Civil Monetary Penalties Rules
• HITECH – the Health Information Technology for Economic and
Clinical Health Act; part of 2009 American Recovery and Relief Act
(ARRA) stimulus legislation; supplements and amends HIPAA
June 14, 2012
© 2012 Christiansen IT Law
4
HITECH Update
• Current status of HITECH Regulations
– HITECH Breach Notification Interim Final Rule [IFR], 74 Fed.Reg.
42740 (August 24, 2009)
– HITECH Enforcement Interim Final Rule, 74 Fed.Reg. 56123
(October 30, 2009)
– HITECH Notice of Proposed Rule Making [NPRM] re
Remuneration Disclosure, Minimum Necessary, Provision of
Electronic Records and Business Associates, 75 Fed.Reg. 40868
(July 14, 2010)
– HITECH Accounting of Disclosures NPRM, 76 Fed.Reg. 31426
(May 31, 2011)
June 14, 2012
© 2012 Christiansen IT Law
5
HITECH Update
• Coming HITECH Attractions
– “Modifications to the HIPAA Privacy, Security, Enforcement, and
Breach Notification Rules”
• Submitted to OMB March 24, 2012; technically due for publication
no later than June 22, 2012
– Publication “by the end of summer.” Farzad Mostashari, National
Coordinator for Health Information Technology (June 6, 2012)
June 14, 2012
© 2012 Christiansen IT Law
6
HITECH Update
• Coming HITECH Attractions
– Included:
• Business Associate (BA), Subcontractor Security Rule and limited
Privacy Rule compliance and liability
• New penalty levels
• Updated/revised breach notification
• Privacy Rule amendments per Genetic Information
Nondiscrimination Act of 2008 (GINA)
• Also guidance on business associate contracts, de-identification, and
conduct of risk assessments to determine security breach
June 14, 2012
© 2012 Christiansen IT Law
7
HIPAA Penalties
Two types of penalty: Civil and criminal
• A HIPAA violation which “constitutes an act punishable” as a HIPAA
criminal offense may not be grounds for civil penalties
• 42 USC § 1320d-5(b)(1)
• Criminal penalty enforcement by U.S. Dep’t of Justice (DOJ)
• Civil monetary penalty (CMP) enforcement by DHHS Office of Civil
Rights (OCR)
June 14, 2012
© 2012 Christiansen IT Law
8
Criminal Penalties
Expansion of Criminal/Civil Penalties to Business Associates (BAs)
• In the case of a business associate that violates any provision of
subsection (a) or (b), the provisions of sections 1176 and 1177 of
the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply
to the business associate with respect to such violation in the
same manner as such provisions apply to a person who violates
a provision of part C of title XI of such Act.
• HITECH § 13404(c)
• 42 USC § 1320d-6: HIPAA criminal penalties
• 42 USC § 1320d-5: HIPAA civil penalties
June 14, 2012
© 2012 Christiansen IT Law
9
Criminal Penalties
HIPAA criminal penalties
• Criminal penalties may be imposed only upon proof beyond a
reasonable doubt that a “person”:
• Knowingly and
• In violation of HIPAA or any of its regulations,
• Either:
• Uses “or causes to be used” a unique health identifier (as
required by regulation, e.g. plan or provider number);
• Obtains individually identifiable health information; or
• Discloses individually identifiable health information to
another person
• 42 USC 1320d-6(a)
June 14, 2012
© 2012 Christiansen IT Law
10
Criminal Penalties
HIPAA criminal penalties
• Three levels:
• “Simple” offense (proof of all elements)
• Fine of not more than $50,000, not more than one year
imprisonment, or both
• “False pretenses” offense (proof of all elements, plus proof
offense committed “under false pretenses”
• Fine of not more than $100,000, not more than five years
imprisonment, or both
• “Bad intent” offense (proof of all elements, plus proof of “intent
to sell, transfer, or use individually identifiable health information
for commercial advantage, personal gain, or malicious harm”)
• Fine of not more than $250,000, not more than ten years
imprisonment, or both
• 42 USC 1320d-6(b)
June 14, 2012
© 2012 Christiansen IT Law
11
Criminal Penalties
HIPAA criminal penalties
• Proving the elements of the offense
• “Knowingly:” Knowledge of facts indicating the existence of a
violation, including actual and circumstantial knowledge, and
failure to inquire where circumstances are suspicious
• “In violation of” HIPAA provision: Must be required to comply as
of time of offense
• “Obtains” information: Includes any exercise of control, direct or
indirect
• Example: Supervisor instructs subordinate to copy information
• “Disclose” information: Any “release, transfer, provision of access
to or divulging in any other manner”
June 14, 2012
© 2012 Christiansen IT Law
12
Criminal Penalties
Several Prosecutions to Date; A Few Cases of Interest
• U.S. v. Holland, Miller and Griffin (2011)
– Doctor and two hospital employees snooped in celebrity patient file
– Doctor sentenced to one year probation, $50,000 fine, 50 hours community
service educating professionals about HIPAA. Other employees sentenced to one
year probation, $1,500 and $2,500 fine respectively.
• U.S. v. Zhou (2010)
– Terminated physician snooped in co-workers’, other patients medical records
– Four months in prison
• U.S. v. Smith (2008)
– Clinic nurse gave PHI to husband who used it to threaten data subject
– Two years probation, community service
• U.S. v. Gibson (2004)
– Phlebotomist at Seattle Cancer Care Alliance used PHI to obtain credit cards in
patient’s name
June 14, 2012
© 2012 Christiansen IT Law
13
Civil Enforcement
HIPAA Administrative Simplification Enforcement Rule – “one HHS”
consolidation
• Codified at 45 CFR Part 160, General Administrative Requirements
• Subpart C: Compliance and Investigation
• Subpart D: Imposition of Civil Monetary Penalties
• Subpart E: Procedures for Hearings
• Applies to all regulatory requirements: Privacy, Security and
Transactional
• Effective date: March 16, 2006
June 14, 2012
© 2012 Christiansen IT Law
14
Civil Enforcement
Basic principles
• DHHS to “seek cooperation” in “obtaining compliance”
• DHHS “may” provide “technical assistance” to assist with voluntary
compliance
• 45 CFR § 160.304
• CEs must “keep such records” and submit “such compliance reports”
as DHHS determines necessary to determine compliance
• CEs must cooperate with DHHS investigations and permit access
(during “normal business hours”) books and records, etc.
• If requested information is in possession of another who refuses to
cooperate, certify efforts to DHHS
• 45 CFR § 160.310
June 14, 2012
© 2012 Christiansen IT Law
15
Civil Enforcement
Initiation of Compliance Investigation
• Any “person who believes a [CE] is not complying with the
administrative simplification regulations” may file a complaint with
HHS
• 45 CFR § 160.306
• Every complaint is reviewed and the allegations are analyzed for
compliance implications. – Susan McAndrew, OCR Deputy Director
• HHS may conduct “compliance reviews” on own initiative
• 45 CFR § 160.308
• May be triggered by security breach notification
• Every breach involving more than 500 individuals is reviewed for privacy
and security compliance. - Susan McAndrew
June 14, 2012
© 2012 Christiansen IT Law
16
Civil Enforcement
Initiation of Compliance Investigation
• HITECH requires DHHS to provide for “periodic audits” of
compliance by CEs and BAs
• HITECH § 13411
• HITECH requires DHHS to “formally investigate” a complaint if
“preliminary investigation of the facts . . . indicate[s] . . . a possible
violation due to willful neglect”
• HITECH § 13410(a)(2)
• State attorneys general granted civil penalties jurisdiction – and
attorneys fees for successful action
• Requires notice to DHHS and opportunity to assume jurisdiction
June 14, 2012
© 2012 Christiansen IT Law
17
Civil Enforcement
Investigation of complaints
• DHHS to “describe acts or omissions which are basis of complaint at
the time of initial written communication with the CE about the
complaint”
• Need not provide copy of the complaint
• Need not include complainant’s identity
• 45 CFR § 160.306(c)
• Investigations initiated by complaint need not be limited to issues
raised by complaint – and often are not
• OCR may issue subpoenas for witnesses, production of evidence
June 14, 2012
© 2012 Christiansen IT Law
18
Civil Enforcement
Investigations in general
• Target may not “threaten, intimidate, coerce, harass, discriminate
against, or take any other action” against witness or complainant
(may be penalized separately)
• Testimony to be recorded and transcribed
• 45 CFR §§ 160.314, 316
• May result in “resolution agreements,” including payment of
“resolution amount”
• Providence Health & Services, $100,000
• CVS, $2.25 million
June 14, 2012
© 2012 Christiansen IT Law
19
Civil Enforcement
Penalty proceedings
• If informal resolution not “satisfactory,” OCR to notify CE in writing.
Burden on CE to satisfy OCR. If not satisfied, OCR may issue notice
of proposed determination of civil monetary penalties
• Notice to include findings of fact which are penalty basis
• Target must pursue administrative appeal, through administrative
law judge and internal DHHS Board of Appeals, before lawsuit
June 14, 2012
© 2012 Christiansen IT Law
20
Civil Monetary Penalties
• Pre-HITECH
– Civil monetary penalty (CMP) maximum is $100/violation, to calendar
year (Jan. 1 – Dec. 31) $25,000 maximum for “all violations of an
identical requirement or prohibition”
• Core Concepts:
– Single acts/events can implicate multiple requirements or prohibitions
– Continuing violations – “a requirement or prohibition that is of an
ongoing nature” – are counted at one per day of continuation
June 14, 2012
© 2012 Christiansen IT Law
21
Civil Monetary Penalties
• HITECH requires CMPs and monetary settlements to be used by
OCR for enforcement or distribution to affected individuals
• Distributions to “individuals harmed” by a violation to be
determined by rule per methodology to be established by GAO
– GAO report due August 2010, status unknown
– Distribution rule due February 2012, status unknown (not included in
NPRMs or IFRs)
June 14, 2012
© 2012 Christiansen IT Law
22
Civil Monetary Penalties
HITECH Penalties
– Effective February 2009 per Enforcement IFR
– “Willful neglect” definition revisions expected in Megarule
Table 1 – Categories of Violations and Respective Penalty Amounts Available
Violation Category – Section 1167(a)(1)
Each violation
All such violations of an identical
provision in a calendar year
(A) Did Not Know
$100 - $50,000
$1,500,000
(B) Reasonable Cause
$1,000 - $50,000
$1,500,000
(C) Willful Neglect - Corrected
$10,000 - $50,000
$1,500,000
(D) Willful Neglect - Corrected
$50,000
$1,500,000
June 14, 2012
© 2012 Christiansen IT Law
23
Civil Monetary Penalties
Penalty determination
• Affirmative defenses: Violation due to “reasonable cause,” not
“willful neglect,” and under correction
• 45 CFR § 160.410
• Penalty aggravation/mitigation factors: Nature, harm caused by
violation; intentional violation vs. violation “beyond control;”
compliance history; financial factors
• 45 CFR § 164.408
June 14, 2012
© 2012 Christiansen IT Law
24
Civil Monetary Penalties
• Reasonable cause means circumstances that would make it
unreasonable for the covered entity, despite the exercise of ordinary
business care and prudence, to comply with the administrative
simplification provision violated.
• Reasonable diligence means the business care and prudence
expected from a person seeking to satisfy a legal requirement under
similar circumstances.
• Willful neglect means conscious, intentional failure or reckless
indifference to the obligation to comply with the administrative
simplification provision violated.
• 45 CFR § 160.401
June 14, 2012
© 2012 Christiansen IT Law
25
Civil Monetary Penalties
Example 1: Unauthorized access
•
CE allows unauthorized employee to access PHI on 20 individuals in
[single?] computer file
•
•
•
CE has separate obligation to each individual
Unauthorized access to PHI of 20 individuals = 20 violations
If CE could not have known about this violation in the exercise of due
diligence (unlikely?): $100/violation = $2,000 penalty
If CE permitted this due to reasonable cause (what would that be?):
$1,000/violation = $20,000 penalty
If CE permitted this due to willful neglect (attended this seminar but failed
to implement): $500,000/violation = $1.5 million penalty ($10 million,
capped)
•
•
June 14, 2012
© 2012 Christiansen IT Law
26
Civil Monetary Penalties
Example 1 continued: Unauthorized access constitutes security breach
•
Unauthorized access is discovered during OCR investigation of unrelated
complaint two years after event
•
CE failed to notify 20 affected individuals for two years
– One or 20 separate continuing violations? 730 violations (2 x 360) or
14,600 violations (2 x 365 x 20)
CE failed to notify OCR within 60 days of end of calendar year of breach
– One continuing violation for ten months: 300 violations
•
•
•
•
“Could not have known:” Probably not acceptable
“Reasonable cause:” Probably not acceptable
Willful neglect, not corrected: $500,000/violation
– $3 million penalty
• 730 x $500,00 = $3.65 billion, capped at $1.5 million
• 300 x $500,000 = $1.5 billion, capped at $1.5 million
June 14, 2012
© 2012 Christiansen IT Law
27
Civil Monetary Penalties
Example 2: Defective business associate contract
•
CE enters into five business associate contracts authorizing PHI uses not
permitted by Privacy Rule and not including required safeguards provision
•
•
5 violations each of 2 separate provisions = 10 violations
If CE could not have known about this violation in the exercise of due
diligence (probably not acceptable): $100/violation = $1,000 penalty
If CE permitted this due to reasonable cause (what would that be?):
$1,000/violation = $10,000 penalty
•
•
Probably would be held CE permitted this due to willful neglect:
$500,000/violation = $1.5 million penalty
– 10 x $500,000 = $5 million, capped at $1.5 million
June 14, 2012
© 2012 Christiansen IT Law
28
Civil Monetary Penalties
Example 3: Negligent disposal of media
•
CE re-sells 100 used computers without scrubbing hard drives containing
PHI on 1,000 individuals.
•
Potential violations:
– Security Rule media re-use specification (100 violations)
– Privacy Rule “little security rule” safeguards specification (1,000
violations)
– Security Rule information access management standard (100 or 1,000
violations?)
– Privacy Rule prohibited PHI use standard (1,000 violations)
– Assume/hope there’s no indication of unauthorized access, e.g. buyer
viewing, using, selling data – security breach violations
June 14, 2012
© 2012 Christiansen IT Law
29
Civil Monetary Penalties
Example 3 continued: Negligent disposal of media
•
•
•
Security Rule media re-use specification (100 violations)
•
Didn’t know:
$10,000
•
Reasonable cause:
$100,000
•
Willful neglect:
$1.5 million ($50 million, capped)
Privacy Rule “little security rule” specification (1,000 violations)
•
Didn’t know:
$25,000 ($100,000, capped)
•
Reasonable cause:
$100,000 ($1 million, capped)
•
Willful neglect:
$1.5 million ($500 million, capped)
Security Rule information access management standard (100 or 1,000
violations? – assume 100)
•
Didn’t know:
$10,000 ($100,000, capped)
•
Reasonable cause:
$100,000 ($1 million, capped)
•
Willful neglect:
$1.5 million ($50 million, capped)
June 14, 2012
© 2012 Christiansen IT Law
30
Civil Monetary Penalties
Example 3 continued: Negligent disposal of media
• Privacy Rule prohibited PHI use standard (1,000 violations)
•
Didn’t know:
$25,000 ($100,000, capped)
•
Reasonable cause:
$100,000 ($1 million, capped)
•
Willful neglect:
$1.5 million ($500 million, capped)
• Total
• Didn’t know:
• Reasonable cause:
• Willful neglect:
June 14, 2012
$70,000
$400,000
$6 million
© 2012 Christiansen IT Law
31
Civil Monetary Penalties
Privacy Rule enforcement from April 2003 (start of enforcement)
through April 30, 2012:
• Over 70,107 complaints
– 39,283 not eligible for enforcement (no jurisdiction, etc.)
– 16,105 resolved with corrective action plans
– 8,310 finding no violation
Security Rule enforcement from October 2009 (start of enforcement
reporting) through March 31, 2012:
• 559 complaints
– 377 resolved with corrective action plans
– 257 still pending
June 14, 2012
© 2012 Christiansen IT Law
32
CMP Cases of Interest
•
Phoenix Cardiac. Small physician practice permitted its physicians to use
unencrypted, standard commercial email and cloud-based online
calendaring for communications and scheduling including unencrypted PHI.
$100,000 fine and a corrective action plan
•
Blue Cross Blue Shield of Tennessee. Health insurer experienced theft of
57 hard drives, unencrypted information on over one million individuals.
$1.5 million settlement payment and corrective action plan
Cignet Health. 41 patients of this four clinic health care provider
complained to OCR Cignet would not grant access to their records. Cignet
ignored OCR investigative requests. OCR court order for production of the
records, to which Cignet responded by producing records on some 4,500
patients, rather than the relevant 41. CMPs of $4.3 million, largely based on
continuing violations for failing to provide individuals with record access
and failing to cooperate with DHHS
•
June 14, 2012
© 2012 Christiansen IT Law
33
State Attorney General Enforcement
•
•
•
State of Minnesota v. Accretive Health (filed January 2012): Action
against debt collection agency – i.e., Business Associate – based on loss of
laptop storing unencrypted PHI on 23,531 patients of two hospital systems.
HIPAA, state privacy law violations, state debt collection violations. Seeking
penalties and injunctive relief.
State of Vermont v. Health Net (settled January 2011): Action against
health insurer based on disappearance of hard drive storing unencrypted
PHI on 1.5 million individuals, “including 525 Vermonters,” and not notifying
affected individuals for six months. HIPAA, state law violations. $55,000 fine,
consent decree including mandatory audit and reporting to State for two
years.
State of Connecticut v. Health Net (settled July 2010): Action based on
same incident as Vermont, 500,000+ Connecticut residents affected. HIPAA,
state law violations. $250,000 fine, corrective action plan.
June 14, 2012
© 2012 Christiansen IT Law
34
Avoiding/Mitigating Penalties
•
•
•
•
•
•
•
•
Well-managed compliance program
Accountable program management
Policies and Procedures
Training and awareness
Internal auditing, testing and reporting
Services provider due diligence, tight contracting, oversight
Readiness to respond to security incidents and breaches
Readiness to respond to regulatory inquiries
June 14, 2012
© 2012 Christiansen IT Law
35
Avoiding/Mitigating Penalties
Document, Document, Document!
June 14, 2012
© 2012 Christiansen IT Law
36
Questions? Thanks!
June 14, 2012
© 2012 Christiansen IT Law
37
Related documents
December 19th, 2012
December 19th, 2012
City Of River Oaks Citizen Complaint Form
City Of River Oaks Citizen Complaint Form
1065 Engagement Letter
1065 Engagement Letter
(Oral Book Report revised_Reading Rainbow Assignment(Smith
(Oral Book Report revised_Reading Rainbow Assignment(Smith
Whistleblower Policy - Twin Lakes Literacy Council
Whistleblower Policy - Twin Lakes Literacy Council
job description iowa state association of counties compliance officer
job description iowa state association of counties compliance officer
The Formation of Fold Mountains
The Formation of Fold Mountains
Based on the Federal Sentencing Guidelines
Based on the Federal Sentencing Guidelines
Download
advertisement