At the American Bar Association's Physician Legal Issues Conference, Celeste Davis, Esq., of the Office for Civil Rights announced that, effective Monday, June 15, 2015, the Kansas City branch of the Office for Civil Rights will consolidate with the Chicago branch to form the new Department of Health and Human Services, Office for Civil Rights, Midwest Region. The new Midwest Region will still maintain offices in both Chicago and Kansas City. This will be the first consolidation in the history of the Office for Civil Rights. Ms. Davis stated that the consolidation will allow the agency to work more quickly and smartly and to be more available to covered entities to assist with compliance.
New York Presbyterian Hospital & Columbia University Pay $4.8 Million to Settle Alleged HIPAA Violations
On May 7, 2014, the Department of Health and Human Services ("HHS"), New York-Presbyterian Hospital ("NYP") and Columbia University ("CU") agreed to collectively pay $4.8 million to settle charges of alleged violations of the HIPAA Privacy and Security Rules, marking the largest HIPAA settlement to date.
OCR initiated an investigation of NYP and CU after receiving a joint breach report in September 2010 regarding the disclosure of the electronic protected health information ("ePHI") of 6,800 individuals. Due to a lack of technical safeguards, protected health information, including patient status, vital signs, medications, and laboratory results, was made publicly accessible through Internet search engines.
At the close of the investigation, OCR determined that neither NYP nor CU had conducted an accurate and thorough risk analysis or developed an adequate risk management plan. OCR further determined that NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
In addition to the $4.8 million settlement (NYP to pay $3.3 million and CU to pay $1.5 million), both parties will also be required to implement a substantive corrective action plan to correct deficiencies in their HIPAA compliance programs, including:
• Undertaking a thorough risk analysis;
• Developing and implementing a risk management plan;
• Reviewing and revising policies and procedures on information access management and device and media controls;
• Training staff that have access to ePHI; and
• Providing progress reports.
Notably, this settlement highlights the significance of conducting routine risk and vulnerability assessments, having adequate written policies in place, and conducting workforce training on HIPAA privacy and security policies. It is imperative that all covered entities and business associates proactively review the mandatory requirements under HIPAA and carefully evaluate and monitor their compliance.
On April 30, 2013, the Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR") announced the availability of new tools to educate health care providers and consumers about the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules. Specifically for health care providers, three HIPAA education modules (offering free CME credits) have been made available with a free account through Medscape. These include:
• Patient Privacy: A Guide for Providers
• HIPAA and You: Building a Culture of Compliance
• Examining Compliance with the HIPAA Privacy Rule
The OCR has also produced a video, entitled "HIPAA Security Rule", designed for providers in small practices. Additional videos and materials related to consumer education about HIPAA are available through the OCR's YouTube site and the OCR Consumer Guidance website.
Highlights From the Speech of Leon Rodriguez, Executive Director of OCR, at ABA's EMI Conference in Miami
Stay tuned for many further developments - The Health Law Partners will be providing numerous valuable educational resources for its clients.
The announcement and links are below.
January 17, 2013
The U.S. Department of Health and Human Services (HHS) has announced a new rule to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule greatly enhances a patient's privacy protections, provides individuals new rights to their health information, and strengthens the government's ability to enforce the law.
The changes in the final rulemaking provide the public with increased protection and control of personal health information. The changes announced today expand many of the privacy and security requirements to business associates that receive protected health information, such as contractors and subcontractors. Business associates may also be liable for the increased penalties for noncompliance based on the level of negligence up to a maximum penalty of $1.5 million. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes, and prohibits the sale of an individual's health information without their permission.
The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The Rulemaking announced today may be viewed in the Federal Register at https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf.
The HHS Press Release can be found on the HHS News page: http://www.hhs.gov/news/.
HHS Announces First Settlement for Breach of HIPAA Privacy Rule Involving Fewer Than 500 Individuals
A press release from the U.S. Department of Health and Human Services ("HHS") published on January 2, 2013 announced that the Department had reached its first settlement with a covered entity for a breach of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule affecting fewer than 500 individuals. The settlement agreement with the Hospice of North Idaho ("HONI") was the result of an investigation into HONI's privacy practices initiated after the entity self-reported to the HHS Office of Civil Rights ("OCR") that a laptop containing the unencrypted electronic protected health information ("ePHI") of 441 individuals was stolen in June of 2010.
During its investigation, OCR found that HONI had failed:
• To conduct an adequate risk analysis of the unencrypted ePHI on portable devices that HONI used for the entity's field work;
• To subsequently adopt, implement, and maintain appropriate security measures to ensure the confidentiality of the ePHI on the portable devices that it used to create, maintain, and transmit the ePHI; and
• To document the decisions it made with regards to security measures.
As a result of the settlement, HONI agreed to pay HHS $50,000 and enter into a Corrective Action Plan. While the settlement resolves the investigation under the privacy and security rules, it does not absolve HONI of liability under other provisions that may apply, such as section 1177 of the Social Security Act for knowing or intentional releases of PHI.
For breaches involving 500 or more individuals, the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report the breach within 60 days after the discovery. Smaller breaches under 500 individuals, such as the one involving the settlement with HONI, must be reported to the Secretary on an annual basis.
Given the increased enforcement activity in the HIPAA area, providers are well advised to ensure that they have appropriate HIPAA privacy and security measures in place.
The Massachusetts Attorney General's Office announced Thursday that it has settled, for $750,000, a data breach lawsuit filed against South Shore Hospital under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA).
The alleged HIPAA violation arose from unencrypted back-up tapes that South Shore sent offsite to a data archiving company to be erased and re-sold as blank media. However, the hospital did not inform the data company that the tapes contained protected health information (PHI), did not determine whether the data company had appropriate safeguards in place to protect the PHI, and did not enter into a business associate agreement with the company. In shipment, two of three boxes containing the PHI were lost and have not been recovered.
The lawsuit, brought by the Massachusetts Attorney General's Office, is only the third of its kind. Through the Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009, Congress: (i) dramatically increased the HIPAA monetary penalties that could be levied against providers; (ii) granted authority to state attorneys general to prosecute HIPAA privacy and security violations; and (iii) perhaps most importantly, allowed state attorneys general to share in any monetary penalties that they are able to collect (i.e., a "bounty sharing" provision). The changes were in response to a perceived lack of enforcement of the HIPAA regulations by the Office for Civil Rights of the Department of Health and Human Services (HHS).
While only the Vermont and Connecticut Attorneys General have initiated lawsuits under HITECH, the legislation is expected to add serious teeth to healthcare privacy laws. Under HITECH, an attorney general receiving a complaint from a resident may sue in federal district court for an injunction and monetary damages. In all three cases, the attorneys general have brought suit under both HIPAA and state privacy laws, and HHS has actively supported the initiative by offering in-person and computer-based training to state attorneys general nationwide, and even assisting the Connecticut Attorney General's Office in its prosecution.
South Shore Hospital, which settled for $750,000, was the largest of the three AG-initiated lawsuits. As the size of HIPAA violation settlements continues to grow, so too will the interest of states in exercising their new-found authority. Attorneys general may also be more inclined to initiate HIPAA lawsuits because of the positive impression such actions will make on constituents.
As the HITECH incentives catalyze the shift toward electronic health records, privacy issues will be at the forefront, attracting much greater attention than in the past. Hospitals, physicians, health care providers, Business Associates, and all other parties subject to HIPAA regulations are well advised to ensure that they have appropriate HIPAA policies, procedures, and safeguards in place to protect patient privacy, avoid violating HIPAA, and avoid attracting the attention of a much more aggressive, financially incentivized corps of state attorneys general.
On November 17, 2011, the Centers for Medicare and Medicaid Services ("CMS") announced that it will delay enforcement action until March 31, 2012 for those Health Insurance Portability and Accountability Act ("HIPAA") covered entities that are not in compliance with the ASC X12 Version 5010, NCPDP Telecom D.0 and NCPDP Medicaid Subrogation 3.0 standards. CMS stated, however, that the compliance date remains January 1, 2012, but that it will apply its enforcement authority at its discretion. In fact, according to an FAQ posted on the CMS website:
What will be the level of enforcement during the enforcement discretion period for X12 Version 5010 (Version 5010), NCPDP Telecom D.0 (NCPDP D.0) and NCPDP Medicaid Subrogation 3.0 (NCPDP 3.0) implementation?
The compliance date for implementation of these updated standards remains January 1, 2012. Because trading partner testing has not reached a threshold whereby a majority of covered entities may be able to comply by the compliance date, the Centers for Medicare & Medicaid Services' Office of E-Health Standards and Services (OESS), has announced that it would exercise its enforcement discretion with respect to any HIPAA covered entity that a complaint is filed against for violation of compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 standards. The enforcement discretionary period is for 90 days after the January 1, 2012 compliance date.
If a complaint is received by CMS after January 1, 2012, the entity against which the complaint has been filed will be evaluated to determine its level of compliance. An assessment will be made of the filed-against entity's efforts to test and become compliant. OESS will take appropriate actions as permitted under the authority of the HIPAA enforcement rule, but will not assess any penalties and/or civil monetary penalties during this 90-day period.
Please note: this requirement applies to everyone who is covered by HIPAA, not just those who submit Medicare or Medicaid claims.
In August, we posted an entry regarding the newly announced Health Insurance Portability and Accountability Act of 1996 ("HIPAA") audits that would be underway, pursuant to Section 13411 of the Health Information Technology for Economic and Clinical Health Act ("HITECH"). Section 13411 provides, in its entirety:
SEC. 13411. AUDITS.
The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.
In implementing this provision, the Office of Civil Rights ("OCR") is conducting a pilot program ("Pilot") in which it will "perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the Pilot will begin November 2011 and conclude by December 2012." Business associates will not be audited at this time.
The OCR has promulgated a 3-step process for the Pilot:
(1) Developing audit protocols,
(2) Conducting a limited number of audits (20) to test the protocols, which includes the following four steps:
a. Auditee selection
b. Auditee notification
c. Test of protocol
d. Period of review and adjustment of protocols
(3) Conducting a full range of audits using revised protocol materials
The OCR aims to audit a wide range of types and sizes of covered entities, including covered individual and organizational providers, health plans and health care clearinghouses.
Covered entities being audited by the OCR can generally expect the following:
- Written notification by OCR that the covered entity has been selected for an audit and a request to provide documentation of the covered entity's privacy and security compliance efforts (OCR provides this sample Initial Notification Letter on its website)
- The covered entity will have 10 business days to supply the requested information
- Within 30-90 days from the date of the initial written notification, the OCR will conduct a site visit (lasting between 3 and 10 business days) involving interviews of key personnel and observations of processes and operations to determine compliance
- The auditors will develop a draft audit report and share it with the covered entity
- The covered entity will have 10 business days to discuss the identified concerns and describe corrective actions it has implemented to address the identified concerns
- Within 30 business days after receipt of the covered entity's response, the OCR will submit a final audit report, which will incorporate the steps the covered entity has already taken to resolve compliance issues
According to the OCR, "[a]udits are primarily a compliance improvement activity. ... Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem."
On September 14, 2011, the Centers for Medicare and Medicaid Services ("CMS") published in the Federal Register a proposed rule amending the Clinical Laboratory Improvement Amendments of 1988 ("CLIA") and the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") to specify that, upon request, a patient may gain access to his/her completed test reports directly from a laboratory ("Proposed Rule").
Currently, CLIA provides that a laboratory may only disclose test results to three categories of individuals: (1) an "authorized person," (2) the person responsible for using the test results in the treatment context, and (3) the referring lab (42 CFR 493.1291(f)). "Authorized person" is defined as "the individual authorized under State law to order or receive test results, or both." Moreover, even though HIPAA requires that patients have access to their protected health information ("PHI"), this right of access does not extend to PHI maintained by a covered entity that is subject to CLIA or exempt from CLIA (this exception can be found at 45 CFR 164.524(a)(1)(iii)).
Under the Proposed Rule, CMS proposes to remove these restrictions from the patient-access rules by amending CLIA to allow patients, upon request, to obtain their laboratory test reports directly from the laboratory. In the preamble to the regulations, CMS stated that it would not dictate under CLIA how patients could request such access:
[T]he CLIA regulations would not spell out the mechanism by which patient requests for access would be submitted, processed, or responded to by the laboratories. In providing this latitude, we intend to allow patients and their personal representatives' access to patient test reports in accordance with the requirements of the HIPAA Privacy Rule.
CMS likewise proposes amending the HIPAA Privacy Rule to require covered entities that are laboratories subject to CLIA, and those that are CLIA-exempt, to have the same obligations as other covered entities with respect to providing individuals access to their PHI in accordance with the requirements of 45 CFR 164.524. In other words, CLIA laboratories and CLIA-exempt laboratories would no longer be excepted from the requirement to give patients access to their PHI upon request.
CMS also notes that even though there may be a number of state laws prohibiting laboratories from releasing test reports directly to patients, the new regulations, if adopted, would preempt such laws.
The Health Information Technology for Economic and Clinical Health Act ("HITECH") requires the Office of Civil Rights ("OCR") to conduct periodic audits of covered entities' compliance with the privacy and security requirements set forth in the Health Insurance Portability and Accountability Act ("HIPAA"). In June, the OCR awarded KPMG, LLP (the "Contractor") a $9.2 million contract to administer HIPAA audits. During the first phase of audits, the OCR plans to visit 150 covered entities.
According to the Federal Business Opportunities website, after developing the audit protocol, the Contractor must meet the entities and perform the following audit activities:
• Site Visits - Site visits include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management director, etc.), examining physical features and operations, evaluating the consistency of process to policy, and observing compliance with regulatory requirements;
• Audit Report - Submitting an audit report after each site visit consisting of the following:
    o A timeline and methodology of the audit, best practices, raw data collection materials (e.g., completed checklists and interview notes), and a certification indicating the audit is complete;
    o Specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan;
    o Recommendations to the contracting officer's technical representative ("COTR") regarding continued need for corrective action, if any, and a description of future oversight recommendations; and
    o A final report including, at a minimum:
        - Identification and description of the audited entity--full name, address, EIN and contact person;
        - Methods used to conduct the audit; and
        - For each finding:
            • Condition: The defect or non-compliant status observed, and evidence of each;
            • Criteria: A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules;
            • Cause: The reason that the condition exists, along with identification of the supporting documentation used;
            • Effect: The risk or non-compliant status that results from the finding;
            • Recommendations for addressing each finding;
            • Entity corrective actions taken, if any;
            • Acknowledgement of any best practice(s) or success(es); and
            • Overall conclusion paragraph.
In an August 1, 2011 letter to the U.S. Department of Health and Human Services Secretary, Kathleen Sebelius, the American Hospital Association ("AHA") urges the Centers for Medicare and Medicaid Services ("CMS") to reevaluate its HIPAA Privacy Rule Accounting of Disclosures Proposed Rulemaking ("Proposed Rule"). The AHA is the latest healthcare organization to urge the reconsideration of the Proposed Rule.
In its plea, AHA writes that the Proposed Rule is unable to "appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities, including hospitals." Further, AHA points out that the potential length of the reports required under the Proposed Rule would likely create a large burden for the covered entities without much benefit to the patients.
In conclusion, the AHA letter includes the organization's recommendations for improvements to the disclosure rule. The AHA requests that HHS:
• "clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement and maintain existing exclusions" and preserve "a 60-day response requirement and limit an accounting to three years,"
• "reissue a request for information aimed at better reflecting the statutory requirements, the technological realities, and better alignment of the regulation's effectiveness with the compliance burdens" instead of creating the "new individual right to an access report,"
• withdraw "the preamble discussion in order to reflect longstanding department guidance,"
• adopt other changes in the event that it does not abandon the access report.
On May 31, 2011, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking ("Proposed Rule") in relation to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule ("Privacy Rule"). The Proposed Rule concerns changes to the accounting disclosures requirement of the Privacy Rule.
The Proposed Rule intends to divide §164.528 of the Privacy Rule (the accounting of disclosures of protected health information provision) to provide two distinct, but complementary, rights for individuals. These rights would include an individual's expanded accounting of disclosures right and an individual's right to a report revealing who has accessed his or her protected health information contained in an electronic designated record set.
The revised accounting of disclosures right, to be modified by HHS under HIPAA authority, intends to improve the workability and effectiveness of the provision. This right would provide information about hardcopy and electronic disclosures made from a designated record set to outside persons and the covered entity's business associates for specific purposes (e.g., legal actions, workers' compensation). The full accounting of disclosures would provide more detailed information for certain disclosures that would most likely impact an individual. The information would be maintained for a three-year period (a reduction from the current six-year requirement). HHS proposes that all covered entities and business associates implement the modified requirements of the accounting of disclosures provision starting 180 days from the final date of the regulation (240 days after publication).
As part of its authority under the Health Information Technology for Economic and Clinical Health Act ("HITECH"), HHS is proposing to create the right to an access report. This right intends to give individuals information about others' access to the patients' protected health information contained in an electronic designated record set. The right would cover a three-year period as well, but it would only provide individuals with a report of who accessed the electronic record and would not include the reasons for the access. The date, time, and name of person accessing the information (or the entity if the individual's name is unavailable) would be included in the report; the description of the type of information disclosed and the user's action would also be included if available. No distinction would be made between "uses" and "disclosures" of the information in the report. HHS proposes that business associates and covered entities provide individuals with the access report right under the provision beginning January 1, 2013 (for electronic designated record set systems acquired after January 1, 2009) or January 1, 2014 (for electronic designated record set systems acquired as of January 1, 2009).
Since the rights within the provision are limited to protected health information within a designated record set, some business associates will not be affected by the requirement that covered entities include the applicable disclosures and uses of their business associates.
Public comments on the Proposed Rule will be accepted until August 1, 2011. Comments may be submitted online at http://www.regulations.gov/ (search for the Proposed Rule).
In its first civil monetary penalty issued for a covered entity's violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Department of Health and Human Services (HHS), through its Office of Civil Rights (OCR), imposed a $4.3 million penalty on Cignet Health of Prince George's County, Maryland (Cignet) in its Notice of Final Determination. In the October 20, 2010 Notice of Proposed Determination, the OCR found that Cignet denied 41 patients access to their medical records when requested. Subject to certain exceptions, 45 CFR 164.524 provides that an individual has a right of access to inspect and obtain a copy of his/her protected health information in a designated record set no later than 30 days (60 days for information that is not maintained or accessible to the covered entity on-site) after the covered entity's receipt of the request. Moreover, the OCR found that Cignet failed to cooperate with the OCR's investigations and that the failure to cooperate was due to Cignet's willful neglect to comply with the Privacy Rule.
Providers and entities that think HIPAA violations are no big deal, or that have yet to implement required policies and procedures, are well advised to review the Department of Health and Human Services' July 27, 2010 press release announcing a $1 million settlement related to allegations of HIPAA violations.
Rite Aid Corporation and its 40 affiliated entities (RAC) agreed to pay $1 million to settle violations under the HIPAA Privacy Rule. The Office of Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, opened its investigation of RAC after a television station reported on incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals' identifiable information in trash containers accessible to the public.
Disposing of individuals' health information in places accessible to unauthorized persons violates several requirements of the HIPAA Privacy Rule. The HIPAA Privacy Rule requires health plans, health care clearinghouses, and most health care providers, including pharmacies, to protect the privacy of patient information, including during its disposal.
As part of the settlement agreement, Rite Aid also agreed to take the following corrective action to improve its policies and procedures to safeguard the privacy of its customers: (1) revise and distribute policies and procedures regarding disposal of protected health information and sanction workers who do not follow them; (2) train employees on the new requirements; (3) conduct internal monitoring; and (4) engage a qualified and independent third party to conduct compliance reviews and render reports to HHS.