HIPAA POST-“HITECH”: Health Information Privacy Enforcement American Osteopathic Association of Medical Informatics November 4, 2009 12:30 to 2:00 pm Ian.

Presentation transcript:

HIPAA POST-“HITECH”: Health Information Privacy Enforcement
American Osteopathic Association of Medical Informatics, November 4, 2009, 12:30 to 2:00 pm
Ian C. Smith DeWaal, Senior Counsel, Criminal Division, Fraud Section, United States Department of Justice*
* The views expressed during this presentation do not necessarily represent the views of the Department of Justice or of the United States.

I – INTRODUCTION
What I will Cover:
Protected Health Information Privacy Enforcement Pursuant to the Original HIPAA provisions
Statutory Changes enacted by the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (Pub. L )
Future Enforcement
Resources Available
WILL NOT cover all non-enforcement changes

II. Original HIPAA Enforcement
Civil Monetary Penalties Enforced by the Secretary of Health and Human Services
Federal criminal statute enforced by the Attorney General by prosecution through the United States Attorneys or Department of Justice criminal trial attorneys

III. Review: Civil Monetary Penalties: Pre-HITECH
Civil Monetary Penalties established by HIPAA – 42 U.S.C. 1320d-5
Enforced by the Secretary of Health and Human Services
Delegated to the HHS Office of Civil Rights. Website:
Enforced only against covered entities

III. Review: Civil Monetary Penalties: Pre-HITECH
Violations of HIPAA punished by $100 CMP – maximum of $25,000 per calendar year for violations of an identical provision
CMP may not be imposed if:
Reasonable cause and not willful neglect (in certain situations can be reduced, instead of waived); and
Corrected within 30 days of discovery or the date on which it should have been discovered with the exercise of due diligence. The Secretary could extend the 30 day period based on the nature and extent of the failure to comply
Under § (b)(2), if the covered entity establishes that it did not have knowledge of the violation, and by exercising reasonable diligence, would not have known that the violation occurred

III. Review: Civil Monetary Penalties: Pre-HITECH
Secretary prohibited from imposing CMP if “the act constituted an offense punishable under section 1320d-6 of this Title” (42 U.S.C. § 1320d-6 – the criminal statute)
Referral protocol adopted to permit DOJ to review matters that might “constitute an offense.”
Matters not opened as criminal investigations were returned to the Secretary for further administrative action.
As of 9/30/09, HHS-OCR made over 464 referrals to DOJ since the April 2003 enforcement date

III. Review: Civil Monetary Penalties: Pre-HITECH
HHS-OCR HIPAA Statistics Through 9/30/09
Since the compliance date in April 2003, HHS has received over 46,973 HIPAA Privacy complaints and resolved over eighty percent of complaints received (over 40,962):
Investigated and resolved over 9,318 cases by requiring changes in privacy practices and other corrective actions by the covered entities.
In 4,680 cases, HHS-OCR investigations found no violation had occurred.
In the remaining completed 26,964 cases, HHS-OCR determined that the complaint did not present an eligible case for enforcement of the Privacy Rule.

III. Review: Civil Monetary Penalties: Pre-HITECH
Resolution Agreements: A Resolution Agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a
Resolution Agreement with Providence Health and Services (7/16/2008)
Resolution Agreement with CVS Pharmacy (1/16/2009)
examples/index.html

IV. Review: Criminal Statute: Pre-HITECH
Violations of 42 U.S.C. § 1320d-6
A person who knowingly and in violation of this part:
Uses or causes to be used a unique health identifier
Obtains individually identifiable health information relating to an individual
Discloses individually identifiable information to another person

IV. Review: Criminal Statute: Pre-HITECH
Penalties:
General – Fine of not more than $50,000, not more than one year imprisonment, or both
Offense committed under false pretenses – Fine of not more than $100,000, not more than five years imprisonment, or both
Offense committed with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm – Fine of not more than $250,000, not more than ten years imprisonment, or both

IV. Review: Criminal Statute: Pre-HITECH
DOJ Office of Legal Counsel Opinion (6/1/05)
Construed the HIPAA criminal statute to be directly enforceable only against “covered entities”:
Health care providers
Health plans
Health care clearinghouses
Observed that legal doctrines of aiding and abetting, conspiracy and corporate criminal liability would also apply

IV. Review: Criminal Statute: Pre-HITECH
Approximately 10 HIPAA convictions since April 2003 enforcement date of HIPAA privacy regulations
Types of cases –
Patient credit identity theft
Sale of Medicare/Medicaid patient numbers
Identify law enforcement undercover agent
Defendants: Health care workers and outsiders

V. HITECH Universal Changes to HIPAA
Application of CMPs and HIPAA criminal statute expanded to include “business associates” ARRA § 13404(c) (eff. 2/17/2010)
New patient notification requirements ARRA § : Notification on the occurrence of certain breaches of protected health information not secured according to standards specified by the Secretary of Health and Human Services (“HHS”). Effective 30 days after publication of interim final regulations. Interim final rules on breach notification were published on August 24, 2009 (74 Fed. Reg ); eff. 9/23/2009.

V. HITECH Changes to CMPs
ARRA § Increased CMPs
NEW Tiered CMPs tied to egregiousness of violation, effective 2/18/09 (Note – rulemaking pending):
The person did not know, and by exercising reasonable diligence would not have known, that such person had violated a provision – At least $100, not to exceed the amount specified in paragraph D.
The violation was due to reasonable cause and not willful neglect – At least $1,000, not to exceed the amount specified in paragraph D.

V. HITECH Changes to CMPs
ARRA § Mandatory CMP for Willful Neglect: Section 1320d-5 is amended by adding new subsection (c), which mandates that the Secretary impose a CMP when a violation of HIPAA is due to willful neglect, though as described previously, the amount of the mandatory penalty for willful neglect can be mitigated by timely correction of the violation.
ARRA § Bar to Civil Monetary Penalties when action constitutes a criminal violation narrowed: Current section 1320d-5(b)(1), which precludes assessment of a civil monetary penalty if an act constitutes an offense under section 1320d-6, is amended to preclude a CMP only if a penalty has been imposed pursuant to section 1320d-6. (Eff. 2/17/2011).

V. HITECH Changes to CMPs
The violation was due to willful neglect, and WAS CORRECTED as provided, within 30 days of the date on which the person liable for the violation knew, or exercising reasonable diligence would have known, that the failure to comply occurred – At least $10,000, not to exceed the amount specified in paragraph D.
WAS NOT CORRECTED – At least $50,000, but the total amount imposed on a person for violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

V. HITECH Changes to CMPs
New enforcement power conferred on state Attorneys General (ARRA § 13410(e)): A State AG may bring a civil action in federal district court, parens patriae, for injunctive relief and to obtain statutory damages for one or more state residents whose interest has been threatened or adversely affected by any person who violates HIPAA.
This subsection caps the statutory damages at $100 maximum per violation, and $25,000 maximum for all violations of an identical requirement or prohibition during a calendar year.
The court may consider the identical factors enumerated in § 1320d-5(a), which may be considered by the Secretary in determining the amount of damages to be assessed, and may award costs and reasonable attorneys’ fees to the successful state Attorney General.

V. HITECH Changes to CMPs
Prior written notice of an action, or if not feasible, immediate notice on commencing an action, must be provided to the HHS Secretary, who will then have the right to intervene, be heard on all matters in the case, and have the right to appeal.
If the Secretary has instituted a HIPAA action against a person under subsection (a) with respect to a specific violation of this part, NO State attorney general may bring an action under this subsection against the person with respect to such violation during the pendency of that action.
State AG action not permitted if a criminal penalty already has been imposed (eff. 2/17/2011 – before this date, if the conduct was a violation of 42 U.S.C. § 1320d-6).

V. HITECH Changes: Criminal Statute
ARRA § Section Clarification of the definition of “person” added to criminal statute – 42 U.S.C. § 1320d-6(a) (eff. 2/17/2010):
“For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.”

V. HITECH Changes: Criminal Statute
Conference Report for ARRA (Pub. L ) (“the Report”), p. 500 stated that: “In July 2005 the Justice Department Office of Legal Counsel (OLC) addressed which persons may be prosecuted under HIPAA and concluded that only a covered entity could be criminally liable.” (sic, apparently referring to the June 1, 2005 OLC opinion)
The Report states the amendment to § 1320d-6 “clarifies that criminal penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by a covered entity, whether they are employees or not.”
As of 2/17/2010, a violation of HIPAA will be deemed to have occurred when a person, now defined to include an employee of a covered entity or another individual, obtains or discloses protected health information which was maintained by a covered entity, and the individual obtained or disclosed such information without authorization.

VI. Conclusion
Congress intended to step up enforcement of health information privacy violations
HHS will continue to work with covered entities and now, business associates, on training and correction of non-criminal violations
When HHS-OCR determines a violation arose from willful neglect, a CMP will be mandatory
Business associates will be subject to new administrative and criminal scrutiny.
Uncorrected, willful violations will invite administrative or criminal sanction
Some state Attorneys General may emerge as an additional enforcement resource with respect to CMPs.

VI. Conclusion
Resources:
Ian C. Smith DeWaal, Senior Counsel, Criminal Division, Fraud Section or (202)
HHS Office of Civil Rights: “If you don't find the information you were seeking, you may submit an e-mail to Unfortunately, we do not provide individual responses to all of the questions received. However, in some situations we may be able to forward your questions to an appropriate person or agency.”
Address inquiries to the OCR Regional Manager.
Contact the OCR regional office for your State or Territory, or the headquarters office for further information:

VII. Questions?