HIPAA Crimes: How the New Crime Wave Affects You. May 17, 2016

Transcription:

HIPAA Crimes: How the New Crime Wave Affects You May 17, 2016

Speakers

Michele L. Adelman, Partner, Foley Hoag LLP
White Collar Crime & Government Investigations Practice
Michele brings over a decade of federal and state prosecutorial experience to her counsel of corporations and individuals in a wide range of government investigations, including healthcare fraud cases that allege violations of the Anti-Kickback Statute, False Claims Act, and the HIPAA Statute. Her practice includes internal investigations and compliance advice that often focus on issues relating to computer crimes and information privacy and security. Michele has published an extensive number of articles and blog posts, and been a regular speaker on topics relating to healthcare fraud investigations and prosecutions.

Colin J. Zick, Partner, Foley Hoag LLP
Chair, Data Privacy & Security Practice; Co-chair, Healthcare Practice
Colin counsels clients ranging from the Fortune 1000 to start-ups on issues involving information privacy and security, including state, federal and international data privacy and security laws and government enforcement actions. He also frequently counsels technology and consumer-facing clients on issues involving information privacy and security, including the EU Privacy Shield, HIPAA and other U.S. federal and state data privacy and security laws, cloud security, cyber insurance, the Internet of Things, and data breach response. Colin is a regular contributor to the firm's "Security, Privacy and the Law" blog found at: www.securityprivacyandthelaw.com.

2015 2016 Foley Hoag LLP. All Rights Reserved.

What Will This Program Cover?
- The current environment for HIPAA enforcement
- Types of HIPAA incidents and enforcement actions
- Related data security issues affecting health care providers
- How these issues implicate law enforcement and the criminal law aspects of HIPAA
- Steps you can take to avoid getting dragged into a HIPAA enforcement action

Examples of Actions That Could Lead to HIPAA Liability
- Misdirected information
- Insider takes information
  - For personal reasons
  - For monetary/business reasons
- Hackers take information
  - For personal reasons
  - For monetary/business reasons
- Ransomware
- Invasion of System to Use Resources

Range of HIPAA Compliance and Enforcement Actions
- Government audits of covered entities and business associates
- Letter with Suggestions for Changing Practices
- Civil Penalty
  - More and bigger civil monetary settlements
  - Compliance Agreement/Reporting
- Criminal Penalty

HIPAA Statistics
From April 2003 to the present, the compliance issues most investigated are:
1. Impermissible use/disclosure of PHI
2. Lack of safeguards of PHI
3. Lack of patient access to their PHI
4. Use/disclosure of more than minimum necessary PHI
5. Lack of safeguards of electronic PHI

HIPAA Statistics
From April 2003 to the present, the most common type of Covered Entities subject to corrective action:
1. Private Practices
2. General Hospitals
3. Outpatient Facilities
4. Pharmacies
5. Health Plans

Violations of HIPAA?
- Who enforces the HIPAA rules?
- What happens if an individual violates HIPAA rules?
- What happens if a company violates HIPAA rules?

Civil vs. Criminal Enforcement
- Civil enforcement by:
  - U.S. Department of Health and Human Services Office of Civil Rights ("OCR"); or
  - State attorneys general
- Criminal enforcement by U.S. Department of Justice ("DOJ") through local U.S. Attorney's Offices

Civil vs. Criminal Enforcement
- Difference between civil and criminal enforcement is often dependent upon evidence of offender's intent
- Criminal enforcers often step in when violator sought to profit from the improper use or disclosure of PHI

Civil Enforcement Stats
HHS, Office of Civil Rights ("OCR"), reports as of March 31, 2016:
- Since April 2003, OCR has received over 130,748 HIPAA complaints and has initiated over 885 compliance reviews
- OCR has resolved 96% of those cases (125,472)
- In over 24,477 cases, OCR required changes in privacy practices and corrective actions
- OCR has settled 33 cases with civil monetary penalties totaling $33,689,200
- In 10,979 cases, OCR found no violation
- In 13,041 cases, OCR intervened early and provided technical assistance without the need for investigation

Criminal Cases
- Employee does not need to be an officer/director to face personal liability
- Fundamental issue: whether the employee was a rogue, dishonest employee acting for himself, or conduct was on behalf of corporation
- Focus on who benefited from the crime

Criminal Cases: Principles of Corporate Criminal Liability
- Corporation is criminally liable for acts of employee or agent who has been given authority to act on behalf of corp.
- There will be liability if employee was authorized to act and engaged in criminal activity in course/scope of his/her duties

The HIPAA Criminal Statute
A person who knowingly and in violation of this part:
- Uses or causes to be used a unique health identifier;
- Obtains individually identifiable health info relating to an individual; or
- Discloses individually identifiable health info to another person

Tiered Civil Financial Penalties
- Lowest level: did not know (and by exercising reasonable diligence would not have known)
- Second level: result of reasonable cause and not due to willful neglect
- Third level: due to willful neglect, but violation is corrected within the required time period
- Most severe level: due to willful neglect, and violation is not corrected

Levels of Penalties
- Lowest level: fined not more than $50K, imprisoned not more than 1 year, or both;
- False pretenses: fined not more than $100K, imprisoned not more than 5 years, or both;
- Intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm: fined not more than $250K, prison not more than 10 years

What is a Knowing Violation?
- Requires only knowledge that are engaging in actions that constitute the violation
- Does not require the Government to prove that offender knew that an action would violate a provision of HIPAA

Specific Types of Conduct That Have Been Prosecuted Under HIPAA
- Identity theft of patients' PHI (most common)
- Snooping on patients' records (usually famous patients)
- Failure to report breaches in a timely manner
- Lack of adequate safeguards to protect PHI

Criminal HIPAA Prosecution: Joshua Hippler, Feb. 2015
- Hospital employee accessed PHI for personal gain
- Guilty plea to criminal HIPAA violation
- Sentenced to 18 months

Florida Hospital Employees, 2011 and 2014
- Florida Hospital Registration Representative, Dale Munroe, obtained PHI of patients who were involved in motor vehicle accidents
- Provided the information to co-conspirators who paid Munroe
- Co-conspirators used the information to solicit patients for lawyers and chiropractors

Dale Munroe and Katrina Munroe
- Both Munroes pled guilty to criminal HIPAA charges and cooperated with the government
- Dale Munroe sentenced to one year and a day in prison
- Katrina Munroe sentenced to 2 years probation

Dale Munroe and Katrina Munroe
- Accessed records of over 700,000 patients between Jan. 2009 and July 2011
- Katrina Munroe, Dale's wife, also worked for Florida Hospital
- Between July and Aug. 2011 (one month), obtained PHI and caused the transfer of the PHI as part of the same scheme

Florida Hospital Round 2
- In May 2014, two other Florida Hospital employees illegally printed patient face sheets that contained PHI
- No evidence that these employees used the PHI for commercial gain
- Those employees were fired but not criminally prosecuted

Huping Zhou, April 2010
- Research assistant at UCLA Health Systems accessed PHI of co-workers and celebrities with no legitimate reason
- There was no subsequent leak or sale of PHI
- Charged with misdemeanor crime of knowingly obtaining PHI

Huping Zhou
- Conditional guilty plea to criminal HIPAA plea pending appellate review
- Appellate court upheld the conviction
- Knowing he was accessing health information was sufficient; did not have to know such access violated HIPAA
- Sentenced to 4 months

What's Missing? Criminal Actions Against the Real Bad Guys
- No prosecutions for
  - Ransomware
  - Actions of organized, state-sponsored hackers
  - Hacktivists
- Why not?
- Will this change in the future?

Helpful Hints in Dealing with Law Enforcement
Just because you don't think you did anything wrong, you still must be wary when dealing with law enforcement.
- Don't talk to law enforcement without first conferring with counsel.
- But you cannot tell others not to talk to the government.
- If you are going to refer a matter that you hope will be prosecuted, the facts must be as fully developed as possible and documented.

Policies & Procedures Are Still Important When You Are a Victim
- Permissible and impermissible uses and disclosures of PHI
- Standards for security awareness, information access, and workstation use
- Physical removal and transport limitations
- Standard business associate agreement regarding PHI limitations under HIPAA

How to Show Your Company in the Best Light? Conduct Regular Employee Training
- Training needs to be regular and ongoing
- Establish training protocols
- Document employee training sessions
- Address all limitations and conditions on removal of PHI from premises and remote access to PHI
- No access to PHI without training
- No sharing of passwords
- Measure the effectiveness of the training through self-audits and exit interviews

Key Steps to Achieving HIPAA Compliance
- Perform regular self-audits
- Perform occasional third-party audits
- Document audit findings, act on those findings, and document all corrective actions
- Consider using unannounced site visits, penetration testing, and other tests aimed at policies, procedures, and human factors
- Consider when self-disclosure of problems is needed and/or beneficial

Thank You!

Michele L. Adelman, Partner, Foley Hoag LLP
White Collar Crime & Government Investigations Practice
617.832.1278
madelman@foleyhoag.com

Colin J. Zick, Partner, Foley Hoag LLP
Chair, Data Privacy & Security Practice; Co-chair, Healthcare Practice
617.832.1275
czick@foleyhoag.com