
Office of the Secretary Office for Civil Rights (OCR) Update: Enforcement of the HIPAA Privacy Rule HIPAA Summit August 19, 2008.


2 Topics
- Enforcement Program
- First Resolution Agreement
- Other Activities
  - Genetic non-discrimination
  - Patient Safety Act
  - Nationwide Health Information Network

3 Health Information Privacy Complaints Received by Calendar Year (chart; figures not included in the transcript)

4 Pie Chart: All Complaints (chart; figures not included in the transcript)

6 Pie Chart: Total Investigated (chart; figures not included in the transcript)

7 Resolution Agreement
- July 15, 2008: HHS entered into a Resolution Agreement (RA) with Providence Health & Services
- First RA reached for Security or Privacy Rule enforcement
- Agreement terms included:
  - Resolution amount of $100,000
  - Corrective Action Plan

8 Providence Health & Services
- Health care system based in Seattle, Washington
- The incidents giving rise to the agreement involved two entities within the system:
  - Providence Home and Community Services, and
  - Providence Hospice and Home Care

9 HIPAA Privacy Rule Complaint Process (flowchart)
- Complaint -> Intake & Review
- Resolution at intake (no investigation) when:
  - The violation did not occur after April 14, 2003
  - Entity is not covered by the Privacy Rule
  - Complaint was not filed within 180 days and an extension was not granted
  - The incident described in the complaint does not violate the Privacy Rule
- Investigation, routed by the type of possible violation:
  - Possible Criminal Violation -> DOJ (resolution accepted by DOJ; if DOJ declines the case it is referred back to OCR)
  - Possible Privacy Rule Violation -> OCR
  - Possible Security Rule Violation -> CMS (CMS & OCR coordinate investigation of overlap cases)
- Resolution of an OCR investigation:
  - OCR finds no violation
  - OCR obtains voluntary compliance, corrective action, or other agreement
  - OCR issues formal finding of violation

10 What is a Resolution Agreement?
- A contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years.
- During the period, HHS monitors the compliance of the covered entity with its obligations.
- An RA likely will include payment of a resolution amount.
- These agreements are reserved for investigations with more serious outcomes.
- The RA is the "other agreement" provided for at 45 CFR 160.312(a): "Informal means may include demonstrated compliance or a completed corrective action plan or other agreement."

11 Is it a CMP? No
- A negotiated agreement settled the investigation without having to impose a civil money penalty (CMP).
- Not an admission of liability by Providence nor a concession by HHS.
- CMPs arise only out of the formal resolution process, which provides the right to an Administrative Law Judge hearing and a Departmental Appeals Board appeal.
- The resolution amount & CAP are voluntary actions taken by Providence to resolve the matter to the satisfaction of HHS without having to move to a formal enforcement process. An RA is an informal resolution.

12 How does this differ from the usual resolution?
- Usually, Privacy Rule investigations that find indications of potential violations are concluded to the satisfaction of OCR
  - when the entity completes certain voluntary compliance actions, and
  - OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result.
- A Resolution Agreement with a Corrective Action Plan is the next level of the enforcement process.
- This written agreement is negotiated in those cases when we are not able to reach a satisfactory resolution through the covered entity's demonstrated compliance and/or corrective action through other informal means.

13 Why not impose a CMP?
- Cooperation by Providence throughout the investigation meant that HHS could satisfactorily resolve issues through informal resolution.
- Case resolved prior to the issuance of a Notice of Proposed Determination and the imposition of a CMP, which is formal enforcement.
- The Resolution Agreement is a settlement of the investigation and matter.

14 Investigation
- Triggered by 31 complaints submitted to OCR and CMS
- Complaints merged into joint compliance reviews by CMS and OCR
- Practices of the entities created vulnerabilities that led to massive impermissible disclosures through multiple thefts

15 Incidents
- Series of five incidents, September 2005 to March 2006
- Electronic information that was not encrypted or otherwise properly safeguarded was lost or stolen
- Backup tapes, optical disks, and laptops, all containing unencrypted electronic PHI, were removed from the Providence premises and left unattended
- Media & laptops were then lost or stolen, compromising the PHI of over 386,000 patients

16 Why an RA in this case?
- Management lapses:
  - On non-encryption, the entity had a policy that was not being followed
  - On loss of backup media, the practice of employees taking media home without reasonable safeguards was not consistent with policy, but was known by the information system managers and allowed to continue over a long period of time
- Affected a very large number of patients (386,000)

17 Corrective Action Plan
Requires Providence to:
- Revise its policies and procedures regarding physical & technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media (backup electronic media and portable devices) containing patient information, subject to HHS approval
- Train workforce members on safeguards
- Conduct audits and site visits of facilities
- Submit compliance reports to HHS for a period of three years

18 Lessons learned
- Effective compliance with the Privacy & Security Rules means more than just having written policies and procedures
- HHS is willing to work with cooperative entities to implement effective changes to ensure that consumers are protected
- Covered entities need to continuously monitor implementation
- Covered entities need to ensure that these efforts include effective privacy and security staffing, employee training, and physical and technical features

19 Part of the overall enforcement strategy
- The Resolution Agreement is one of several effective enforcement tools, to be used on a case-by-case basis
- Covered entities that are not in compliance with the Privacy and Security Rules may face similar action

20 Complaint Investigations
- Every complaint received by OCR is reviewed & its allegations analyzed
- An investigation is launched when warranted by the facts and circumstances presented by the complaint
- OCR investigations have resulted in changes in privacy practices and other corrective actions in over 6,xxx cases since April 2003
- Corrective action obtained by HHS from covered entities has resulted in systemic change that benefits all individuals they serve

21 Tips for CE Privacy Officers During an OCR Investigation
- When you receive the notification letter, contact the investigator.
- Respond within the stated time frames.
- If you are aware of a privacy incident, formulate & execute a corrective action plan, even if you have not yet received a notification letter.
- Be specific in your responses to requests for data & information.
- Be forthcoming and acknowledge errors.
- Be cooperative; ask for technical assistance if needed.
- Remember, the goal is resolution through voluntary compliance.

22 Our Mutual Goal
Ensuring the privacy of each individual's health information in accordance with the standards and requirements of the HIPAA Privacy Rule

23 Other Challenges (Office of the Secretary, Office for Civil Rights)

24 Genetic Information: GINA
- Genetic Information Non-Discrimination Act (signed into law May 21, 2008)
- To protect individuals from discrimination in health insurance and employment on the basis of genetic information
- Mandates modification of the Privacy Rule to incorporate provisions specific to genetic information:
  - Genetic information is protected health information
  - Disallow the use or disclosure of genetic information for underwriting
- Privacy Rule modifications anticipated in 2009

25 Genetic Information: HHS Personalized Health Care Initiative
- Creating privacy and nondiscrimination protections to advance genomic research for gene-based medicine and health care
- Through AHIC, looking at how to use HIT to advance personalized health care

26 Patient Safety and Quality Improvement Act
- Creates Patient Safety Organizations (PSOs), entities recognized by the Secretary to collect & analyze patient safety events reported by health care providers
- Provides Federal privilege & confidentiality protections for "patient safety work product"
- HHS' Agency for Healthcare Research and Quality (AHRQ) to administer rules for listing qualified PSOs
- OCR to enforce confidentiality provisions
- Establishes reporting systems for patient safety events; information can be aggregated and assessed to improve overall patient safety & quality of care
- Final rule expected by the end of 2008

27 Nationwide Health Information Network
- Privacy and Security Are Integral to NHIN
- Necessary for Public Trust
- Public Participation Is Engine for Adoption
- HIPAA Levels Playing Field
- Nationally Accepted Standards for Privacy and Security Already in Place
- Uniform National Baseline of Protection: More Is Still Good

28 NHIN & Privacy
- HIPAA Privacy Rule as Facilitator, Not Obstacle, to Health IT adoption
- Standards Reflect Many Hard Choices Balancing Privacy and Access in Healthcare Setting
- Narrows Privacy Debate to New Areas of Risk and Opportunity for Consumers
- Flexibility Allows Rules to Adapt to HIE Needs without Lowering Baseline for All

29 Gaps for Privacy & NHIN
- Uniformity: How Much Is Really Needed
  - Preemption
  - Harmonizing Federal and State Laws (example: consents)
- "Flexible and Scalable" Standards
  - Harmonizing Business Practices (example: minimum necessary)
- Privacy and Security Solutions for Interoperable Health Information Exchange
  - Looking for Answers

30 Gaps for Privacy & NHIN
- Accountability
  - New Players Typically Not Covered by HIPAA:
    - Certain Health Care Providers
    - Providers of Network Services
    - Providers of Data Management Services
    - Providers of PHR Services
  - Can Business Associate Contracts Work and Provide Adequate Accountability in the NHIN?
  - Will Proposed Legislation in Congress Make These Covered Entities Under HIPAA?

31 Want More Information?
The OCR website, http://www.hhs.gov/ocr/hipaa/, offers a wide range of helpful information about the Privacy Rule:
- The full text of the Privacy Rule
- A HIPAA Privacy Rule summary
- Frequently asked questions
- Fact sheets
- OCR enforcement program information
