Latest Legal Developments In HIPAA and Release of Information 2016 AAHIM Annual Meeting Jim Hoover • Partner Suite 3400 • 420 North 20th Street • Birmingham, Alabama 35203 direct 205-458-5111 • jhoover@burr.com • www.burr.com
Privacy Rule Refresher • Is the foundation of HIPAA. • Although the Privacy Rule has been amended over the years, its intent remains simple: to define and limit the circumstances under which PHI may be used or disclosed by covered entities, in whatever format. • The Privacy Rule imposes a long laundry list of requirements on a covered entity when dealing with PHI. • The covered entity needs to have established written policies and procedures that restrict access and use of PHI, both internally and externally. • The policies and procedures must be reviewed regularly. • A covered entity (“CE”) and business associate (“BA”) must train its workforce members on proper handling of PHI. • It is not scalable
Security Rule Refresher • The Security Rule requires administrative, physical and technical safeguards to ensure confidentiality and security of electronic PHI (“ePHI”). • The Security Rule thus only applies to ePHI, which is considered a subset of the more encompassing PHI addressed by the Privacy Rule. • A covered entity is expected to implement audit controls, access controls, integrity controls, and electronic transmission security measures - all designed to ensure that ePHI is not being improperly accessed or altered. • Under the Security Rule, a covered entity must adopt and conduct risk analysis of its EHR systems. • As with the Privacy Rule, a designated compliance officer (Security Officer) must be named. • Failure to reasonably identify weaknesses that invite data breach may be harshly scrutinized anyway, and much more so where the entity's own routine assessment policies have been ignored. • Is Scalable
Enforcement Authority • Civil Monetary Penalties (“CMP”) may now be levied by the Office of Civil Rights. • For violations occurring after February 18, 2009, monetary penalties of $100 to $50,000 per violation may be imposed, with a calendar year cap of $1.5M. • Penalties, per se, will generally be avoided if the failure was not the result of willful neglect, and was corrected after the entity knew or should have known about the failure, or if the Department of Justice, which is responsible for criminal prosecutions, has already imposed a penalty for knowing or willful violations. • The DOJ may seek fines of up to $250,000 and/or imprisonment of up to 10 years depending on the nature of the violation.
Historical Enforcement Actions • In 2004, the total number of investigations "resolved" by the OCR was 1,516 • In 2014, that number was 17,748 • Regardless of the number or the year, the majority of complaints were "resolved" after intake and review (generally about 50%), or required corrective action (ranging between about 20% and 30%) • Complaints dismissed with a finding of "no violation" after investigation are well in the minority (ranging from 4% in 2014 to a high of 17% in 2010) • Thus, the anecdotal assumption is an OCR investigation will generally (about 75% of the time) result in a finding that will require resolution or corrective action and a finding of "no violation" once an investigation ensues has been the historical exception, not the rule
Enforcement In Alabama From April 14, 2003 through December 31, 2014: • Investigated no violation = 10% • Resolved after intake and review = 62% • Investigated and corrective action = 27%
Non-Breach Compliance Review Results 2013 & 2014
Breach Compliance Reviews Results 2013 & 2014
Feinstein Institute for Medical Research – March 17, 2016 • f/k/a North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty one hospitals and over 450 patient facilities and physician practices • Agreed to pay $3.9 million and undertake a corrective action plan to settle potential violations of HIPAA. • OCR’s investigation began after Feinstein filed a breach report. • According to the report, on September 2, 2012, a laptop computer containing the ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study. • OCR concluded that: Feinstein’s security management process was limited in scope, incomplete, and insufficient; it lacked policies and procedures for authorizing access to ePHI by its workforce members; it failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. • Importantly, OCR also found that for electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.
North Memorial Health Care March 16, 2016 • North Memorial is a comprehensive, not-for-profit health care system in Minnesota. • The settlement includes a monetary payment of $1,550,000 and a “robust” corrective action plan. • OCR initiated its investigation following receipt of a breach report on September 27, 2011. The report indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle. • The loss allegedly impacted ePHI of 9,497 individuals. • Interestingly, OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial. • North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure -- including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.
Complete P.T. Physical Therapy, Inc. February 16, 2016 • Complete P.T. is a physical therapy practice located in the Los Angeles area. • Complete P.T. agreed to payment $25,000, implement a corrective action plan, and make annual reports of compliance efforts for a one year period. • OCR received a complaint on August 8, 2012, alleging that Complete P.T. had impermissibly disclosed numerous individuals’ PHI when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations. The specific violations were: – Failed to reasonably safeguard PHI; – Impermissibly disclosed PHI without an authorization; and – Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements with regard to authorization.
Lincare, Inc. ALJ Hearing and Decision • a/k/a “A husband scorned” – The ex-husband of a manager complained to OCR that his ex-wife left him in 2008 and left behind documents containing the PHI of 278 patients. • OCR investigated the case determined Lincare violated HIPAA’s Privacy Rule. • OCR issued a letter on January 28, 2014 to Lincare that it proposed imposing a CMP of $239,800. • Lincare appealed so the matter was set for hearing in front of a DHHS’ ALJ.
Lincare (cont’d) • Prior to hearing, OCR moved for a summary judgment. • OCR submitted several affidavits to which Lincare objected. Interestingly, one of the affidavits was from Laurie Rinehart-Thomas, Director of HIMS at Ohio State University who is certified by the AHIMA as a registered health information administrator. She offered expert testimony. • According to the ALJ, Lincare did not present any evidence suggesting that OCR’s evidence is unreliable and did not “even allege that it disputes the underlying facts established by these documents.” • The ALJ concluded that Lincare did not come forward with admissible evidence showing a dispute of material fact and imposed the OCR’s suggested fine of $239,800.
Recommend
More recommend
