HIPAA Enforcement Past, Present and Future - PowerPoint PPT Presentation


PPT – HIPAA Enforcement Past, Present and Future PowerPoint presentation | free to download - id: 76638d-OWNlN


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

HIPAA Enforcement Past, Present and Future


HIPAA Enforcement Past, Present and Future [Cyndi Moore] [Kevin Bernys] Rose Willis Dickinson Wright PLLC HIPAA Enforcement Past, Present and Future HIPAA Enforcement ... – PowerPoint PPT presentation

Number of Views:165
Avg rating:3.0/5.0
Slides: 25
Provided by: dickin2
Learn more at: http://www.dickinson-wright.com


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: HIPAA Enforcement Past, Present and Future

HIPAA EnforcementPast, Present and Future
  • Cyndi Moore Kevin Bernys
  • Rose Willis
  • Dickinson Wright PLLC

HIPAA EnforcementPast, Present and Future
  • HIPAA Enforcement Rule
  • The OCR Enforcement Process
  • Enforcement Data
  • Case Samples Corrective Actions
  • Resolution Agreements
  • Trends and Predictions

HIPAA Enforcement Rule
  • Enforcement of the Privacy Rule began April 14,
    2003 for most HIPAA covered entities
  • HIPAA covered entities were required to comply
    with the Security Rule beginning on April 20,
    2005. OCR became responsible for enforcing the
    Security Rule on July 27, 2009.
  • HITECH Act strengthened civil and criminal
    enforcement of HIPAA

Enforcement Penalties
  • The Omnibus Rule formally adopts the following
    penalty scheme for violations of the HITECH Act
    occurring on or after Feb. 18, 2009
  • For violations where a covered entity did not
    know and, by exercising reasonable diligence,
    would not have known that the covered entity
    violated a provision, a penalty of not less than
    100 or more than 50,000 for each violation
  • For a violation due to reasonable cause and not
    to willful neglect, a penalty of not less than
    1,000 or more than 50,000 for each violation
  • For a violation due to willful neglect that was
    timely corrected, a penalty of not less than
    10,000 or more than 50,000 for each violation
  • For a violation due to willful neglect that was
    not timely corrected, a penalty of not less than
    50,000 for each violation the penalty for
    violations of the same requirement or prohibition
    under any of these categories may not exceed 1.5
    million in a calendar year.

The OCR Enforcement Process
  • Right to file a complaint. A person who believes
    a covered entity or business associate is not
    complying may file a complaint with the
  • Disgruntled Employees
  • Patients
  • Investigation. The Secretary will investigate
    any complaint filed when a preliminary review
    indicates possible violation due to willful
  • Compliance Reviews. The Secretary will conduct a
    compliance review to determine whether a covered
    entity or business associate is complying when a
    preliminary review of the facts indicates a
    possible violation due to willful neglect or in
    any other circumstance.
  • Todays breach report could lead to tomorrows
    OCR Compliance Review

Enforcement Process (continued)
  • If the evidence indicates that the covered entity
    was not in compliance, OCR will attempt to
    resolve the case by obtaining
  • Voluntary compliance
  • Corrective action and/or
  • Resolution agreement.
  • Civil Money Penalties are also possible.
  • Possible referrals to the Department of Justice
    for criminal violations.
  • Michigan enforcement results from compliance
    reviews as of December 31, 2013
  • 12 (No Violation)
  • 64 (Resolved after Intake and Review)
  • 24 (Corrective Action)

The Top Fives
  • Top 5 Issues Investigated in 2013 that were
    Closed with Corrective Action
  • Impermissible uses and disclosures
  • Lack of safeguards of PHI
  • Lack of access by individuals to PHI
  • Use or disclosure of more than the minimum
    necessary PHI
  • Mitigation
  • The most common types of covered entities that
    have been required to take corrective action to
    achieve voluntary compliance are, in order of
  • Private Practices
  • General Hospitals
  • Outpatient Facilities
  • Health Plans (group health plans and health
    insurance issuers) and,
  • Pharmacies.

(No Transcript)
(No Transcript)
(No Transcript)
Enforcement by State Attorneys General
  • OCR developed HIPAA enforcement training in 2011
    to help State attorneys general use their new
    authority under the HITECH Act to enforce the
    HIPAA Privacy and Security Rules. Videos and
    slides are available on the OCR website.
  • 8 modules, including Module 6 Investigating
    and Prosecuting HIPAA Violations.
  • Includes examples of how OCR could impose civil
    money penalties to a given fact pattern.
  • State AGs have not made extensive use of their
    new enforcement power to date.
  • Minnesota AG filed complaint against Accretive
    Health, a business associate, in January 2012
    settled in July 2012 for 2.5 million.

OCR Audit Program
  • OCR Audits of covered entities and business
  • OCR will use the audit reports for the following
  • To determine what types of technical assistance
    should be developed
  • To share best practices
  • To identify what types of corrective action are
    most effective and
  • May use the report as the basis to initiate a
    compliance review that could lead to civil money

Phase 1 Audit Program
  • OCR audited 115 covered entities under the Phase
    1 Audit program, with the following aggregate
  • There were no findings or observations for only
    11 of the covered entities audited
  • Despite representing just more than half of the
    audited entities (53), health care providers
    were responsible for 65 of the total findings
    and observations
  • The smallest covered entities were found to
    struggle with compliance under all three of the
    HIPAA Standards
  • Greater than 60 of the findings or observations
    were Security Standard violations, and 58 of 59
    audited health care provider covered entities had
    at least one Security Standard finding or
    observation even though the Security Standards
    represented only 28 of the total audit items
  • Greater than 39 of the findings and observations
    related to the Privacy Standards were attributed
    to a lack of awareness of the applicable Privacy
    Standard requirement and
  • Only 10 of the findings and observations were
    attributable to a lack of compliance with the
    Breach Notification Standards

Phase 2 Audit Program
  • OCR has indicated that it plans to conduct the
    second round of audits sometime in the Fall of
    2014 (date TBD), involving 350 covered entities
    (232 healthcare providers, 109 health plans and 9
    health care clearinghouses) and 50 business
  • Entities who received an address verification
    letter in the spring were supposed to receive
    audit letters in the fall.
  • Desk reviews (not on-site visits)

Phase 2 Audit Program (continued)
  • Audits will focus on compliance with Security
    Standards and on those areas that involved high
    numbers of non-compliance in the Phase 1 audit,
  • risk analysis and risk management
  • content and timeliness of breach notifications
  • notice of privacy practices
  • individual access
  • Privacy Standards reasonable safeguards
  • training on policies and procedures
  • device and media controls and
  • transmission security. 
  • Breach reports and complaints,
  • Phase 2 Audits of business associates will focus
    on risk analysis and risk management and breach
    reporting to covered entities.

How to prepare for a Phase 2 Audit?
  • Conduct a risk assessment update your HIPAA
    Policies and Procedures
  • Update your Notice of Privacy Practices
  • Conduct a self-audit using the audit protocols at
  • Privacy Rule (81)
  • Security Rule (78)
  • Breach Notification Rule (10)
  • Have a current list of business associates and
    their contact information
  • Use encryption of ePHI to prevent breaches
  • 2 weeks to respond to an audit request No last
    minute cramming for this test!

Audit Protocol Sample Privacy Rule
  • Established performance criteria identify
    workforce members who need access to PHI
  • Key activity minimum necessary uses of PHI.
  • Audit procedure Inquire of management as to
    whether access to PHI is restricted. Obtain and
    review a sample of workforce members with access
    to PHI for their corresponding job title and
    description to determine appropriateness. Obtain
    and review policies and procedures and evaluate
    the content relative to the specified criteria
    for terminating access to PHI. Select a sample
    listing of former employees to confirm that
    access to PHI was terminated. NOTE The rule
    requires that the class/job functions that need
    to use or disclose PHI be determined, and the
    information be limited to what is needed for that
    job classification.

Case Samples Corrective Compliance Actions
  • Radiologist practice submitted a workers
    compensation claim to the patients employer
    which included patients test results. Patient
    had not indicated workers comp coverage.
    Practice had relied on incorrect billing
    information from treating hospital.
  • Private practice failed to honor patients
    request for copy of minor sons medical record.
    State regs permitted summary of record, however,
    Privacy Rule is more restrictive by permitting
    summary only if individual agrees in advance.
  • Physicians office disclosed a patients HIV
    status in a misdirected fax. Written
    disciplinary warning, apologies to patient,
    addition of confidential communication language
    on fax cover sheet and additional training

Resolution Agreements
  • What is a Resolution Agreement?
  • A contract between HHS and a covered entity in
    which the covered entity agrees to perform
    certain obligations (such as staff training) and
    make reports to HHS, generally for a 3 year
    period. During this period, HHS monitors the
    covered entitys compliance with its obligations.
    Typically includes payment of a resolution
    amount. A resolution agreement is used to settle
    investigations with more serious outcomes.

Recent Resolution AgreementsAugust 2013 June
23, 2014
  • 800,000 HIPAA Settlement in Medical Records
    Dumping Case
  • Hospital took custody of medical records to
    assist in physicians retirement
  • Returned 71 boxes of medical records at the end
    of physicians driveway (for an unknown reason)
  • Complaint came from the retiring physician
  • Data Breach Results in 4.8 Million HIPAA
  • The New York Presbyterian Hospital and Columbia
    University operated a shared data network.
  •  A physician employed by Columbia University
    attempted to deactivate a personally-owned
    computer server on the network, and the
    deactivation resulted in the ePHI of 6,800
    individuals being accessible on general internet
    search engines.
  • The entities learned of the breach after
    receiving a complaint by an individual who found
    the ePHI of the individuals deceased partner on
    the internet.
  • The Hospital and Columbia University
    self-reported the breach to the U.S. Department
    of Health and Human Services Office for Civil
    Rights who initiated an investigation.

Recent Resolution AgreementsAugust 2013 June
23, 2014
  • Concentra Settles HIPAA Case for 1,725,220
  • Unencrypted laptop stolen from Concentra facility
  • QCA Settles HIPAA Case for 250,000
  • Unencrypted laptop stolen from employees car
  • Resolution Agreement with Adult Pediatric
    Dermatology, P.C. of Massachusetts
  • Unencrypted thumb drive containing ePHI of 2,200
    individuals was stolen from a vehicle of one of
    its workforce members
  • Thumb drive was never recovered
  • PC notified patients of the theft and provided
    media notice
  • 150,000 resolution amount and corrective action

Recent Resolution AgreementsAugust 2013 June
23, 2014
  • HHS Settles with Health Plan in Photocopier
    Breach Case
  • Failure to properly erase photocopier hard drives
    prior to sending the photocopiers to a leasing
  • Affinity Health Plan notified OCR regarding the
  • 1,215,780 and entered into corrective action
  • County Government Settles Potential HIPAA
  • Skagit County inadvertently allowed public access
    to PHI on public web server and failred to notify
    individuals of the breach
  • 215,000 settlement and implementation of
    corrective action plan

Trends and Predictions
  • Todays data breach report could lead to
    tomorrows compliance investigation.
  • Resolution agreements signal that OCR is moving
    into a more aggressive enforcement phase, with
    the assessment of resolution amounts and, if it
    cannot reach agreement with the covered entity,
    civil money penalties.
  • Second round of HIPAA audits to come sometime by
    the end of 2014
  • Enforcement Actions against Business Associates
    to come
  • According to a chief regional civil rights
    counsel at HHS, the past 12 months of HIPAA
    enforcement will likely pale in comparison to
    what OCR will do in the next year.
  • OCR will share more information with other
    federal and state agencies, including the FTC,
    DOJ, OIG, State Attorneys General, to enforce
  • Covered entities need a robust compliance program
    in place and foster a culture of compliance
    within their organization.

WWOCRD?(What Would OCR Do?)
About PowerShow.com