HIPAA Privacy Rule Compliance Issues

HIPAA Privacy Rule Compliance Issues
Presentation for AAPM
Myra N. Moran, J.D., HHS/OCR
August 2, 2006

DISCLAIMER
My goal in speaking with you today is to explain Privacy Rule compliance issues. I can make factual statements, including pointing to formal interpretations of the Office for Civil Rights (OCR), but I am unable to provide official interpretations of the Rule. To the extent that I provide interpretations in this presentation, those interpretations are solely my individual opinion and do not represent official interpretations of the Department of Health and Human Services.

Office for Civil Rights
- Enforces Civil Rights laws and the Privacy Rule

Ten Regions
- Ten regional offices; each covers multiple states.
- Region IV: Georgia, Florida, Tennessee, Mississippi, Alabama, North Carolina, South Carolina, and Kentucky.
- Regional Manager and EOS staff
- HQ Compliance Advisor

Compliance and Enforcement
- Technical assistance for voluntary compliance
- Any person or organization can file complaints with OCR (generally within 180 days)
- OCR may investigate complaints and may conduct compliance reviews
- OCR shall attempt to resolve noncompliance by informal means

HIPAA Privacy Rule Complaints Received

Year (calendar)               Receipts
2003                          3,745
2004                          6,507
2005                          6,886
2006 (as of June 30, 2006)    3,709
Total                         20,847

Closed (April 14, 2003 to June 30, 2006): 75%

Most Complaints Are Filed Against These CEs
1. Private health care practices
2. General hospitals
3. Outpatient facilities
4. Group health plans and health insurance issuers
5. Pharmacies

Top Complaint Allegations
1. Impermissible use or disclosure of an individual's identifiable health information
2. The lack of adequate safeguards to protect identifiable health information
3. Refusal or failure to provide the individual with access to or a copy of his/her records
4. The disclosure of more information than is minimally necessary to satisfy a particular request for information
5. Failure to have the individual's valid authorization for a disclosure that requires one

Enforcement Rule Key Dates
- Proposed rule published April 18, 2005 (70 FR 20224)
- Final rule published February 16, 2006 (71 FR 8390)
- Effective March 16, 2006
- Applicable to all Administrative Simplification Rules: Privacy Rule (OCR); Security Rule (OESS/CMS)

What Does the Enforcement Rule Do?
- Establishes requirements for investigation and informal resolution of compliance issues
- Establishes procedures for imposition of a civil money penalty (CMP) when a compliance issue is not resolved informally
- Defines the basis for liability for a CMP; how CMPs are calculated; and the defenses that can be raised to the imposition of a CMP

What Does the Enforcement Rule Do? (cont'd)
- Strengthens OCR's authority to enforce the Privacy Rule
- Requires OCR to attempt to reach a resolution of the matter satisfactory to the Secretary by informal means, including demonstrated voluntary compliance or a completed corrective action plan (45 CFR 160.312)
- CMPs can be imposed by OCR in a Notice of Proposed Determination: $100 per violation; capped at $25,000 for each calendar year for each identical requirement or prohibition that is violated
- Covered entity has a right to notice and a hearing before a CMP becomes final

Why Informal Resolution of Complaints and Compliance Reviews?
- Most effective way to obtain industry compliance with the Privacy Rule
- Most prompt for all: complainants, covered entities, and OCR
- Most efficient use of enforcement resources
- Can help mitigate civil money penalties (CMPs) on irresolvable issues
- Resolution must be satisfactory to the Secretary

OCR Referrals to Department of Justice
- Section 1177 of HIPAA (42 USC 1320d-6) defines HIPAA criminal violations: a person who knowingly and in violation of the Privacy Rule discloses or obtains individually identifiable health information
- OCR refers complaints alleging actions that meet these requirements to DOJ for review: 332 as of June 30, 2006
- DOJ accepts or declines for prosecution
- OCR receives DOJ-declined cases for administrative enforcement

OCR Referrals to CMS/OESS
- OCR refers complaints alleging actions that would violate the Security Rule to the Office of E-health Standards and Services (OESS) of CMS
- There is a coordinated investigative and enforcement process for complaints that allege facts that may be potential violations of both the Privacy Rule and the Security Rule
- For example, the notification letter to the CE will mention both rules and indicate that OCR is the lead agency for communications (such as data requests) with the CE
- Each agency retains its own authority to investigate compliance with its rule and make its own determination (e.g., no violation, informal resolution, or CMP)

160.402(c) Liability for Acts of Workforce
- A workforce member is an agent of the covered entity, and the CE is liable for violations by its agents within the scope of their agency.
- Employees, volunteers, and trainees will always be workforce members.
- Independent contractors may be workforce members, but more likely are business associates; the issue is whether they are under the direct control of the CE.

Business Associates
- Agents, contractors, and others hired to do work of or for a covered entity that requires use or disclosure of protected health information
- Require satisfactory assurance (usually a contract) that a business associate will safeguard protected health information and limit use and disclosure

160.402(c) Liability for Acts of Business Associates
- Whether a business associate is an agent of the CE must be determined.
- A CE is liable for a violation by a business associate agent, unless it is in compliance with the business associate provisions of the Privacy Rule, i.e.:
  - It has a business associate contract or other arrangement in place that complies with 164.504(e); and
  - It did not know of the violation; or
  - If it knew of the violation, it has taken steps as required by 164.504(e)(1)(ii).

160.410 Affirmative Defenses
- An affirmative defense is a defense which, if shown, bars imposition of the CMP.
- Three statutory affirmative defenses:
  - The act is a criminal offense under HIPAA;
  - The CE lacked knowledge of the violation; or
  - The violation was due to reasonable cause and not willful neglect and is timely corrected.
- The second and third affirmative defenses are waived if not raised in the RFH (request for hearing); the first affirmative defense may be raised at any time.

Tips for CE Privacy Officers During an OCR Investigation
- Not all cases result in an investigation.
- First, a desk review of the complaint and contact with the complainant; the case may be closed at this point if the alleged facts would not be a violation.
- A notification letter to the CE signals a formal investigation.
- When the notification letter is received, contact the investigator named in the letter. Establish effective communication with the investigator. Contact the investigator for assistance with questions, such as "How does this work?"
- Respond within stated time frames. If the CE cannot make the due date, let the investigator know. Request a reasonable extension of time, enough so the CE can accomplish the requested task. Avoid multiple requests for time extensions.
- Return telephone calls from the OCR investigator promptly.

Tips for CE Privacy Officers During an OCR Investigation (cont'd)
- If the CE is aware of a Privacy Rule incident even before receiving the notification letter, start gathering relevant materials and facts. Formulate a corrective action plan (CAP) and execute it. An executed CAP will then be ready to deliver to the investigator when the notification letter is received.
- Be specific in your responses to requests for data and information. For example, if training was provided, provide all the facts: when, who was trained (sign-in sheet), topics covered; if a policy has been revised, send a copy of the old policy and the new policy.
- Do not send the entire privacy policies and procedures manual unless specifically requested.

Tips for CE Privacy Officers During an OCR Investigation (cont'd)
- Understand that investigations take place over an extended period of time. The OCR investigator will work hard to be timely, but some investigations take longer than others.
- Be cooperative with the OCR investigator. Facts need to be confirmed by OCR. If OCR requests to interview an employee or requests contact information for former employees, provide this information in a timely manner. If you cannot, explain why.
- Ask for technical assistance if you do not understand what is expected by a particular requirement of the Privacy Rule.

Tips for CE Privacy Officers During an OCR Investigation (cont'd)
- Be forthcoming and acknowledge errors if they occurred. Remember, the goal is informal resolution through voluntary compliance and completed corrective action.
- Respond. Ignoring the investigation will exacerbate the matter.

Our Mutual Goal
- Ensuring the privacy of each individual's health information in accordance with the standards and requirements of the HIPAA Privacy Rule

Additional Information
- www.hhs.gov/ocr/hipaa/