Slides: 32
Provided by: linda385
1
Update: Enforcement of the HIPAA Privacy Rule
HIPAA Summit, August 19, 2008
2
Topics
  • Enforcement Program
  • First Resolution Agreement
  • Other Activities
  • Genetic non-discrimination
  • Patient Safety Act
  • Nationwide Health Information Network

3
Chart: Health Information Privacy Complaints Received by Calendar Year

4
Pie Chart: All Complaints
5
(No Transcript)
6
Pie Chart: Total Investigated
7
Resolution Agreement
  • On July 15, 2008, HHS entered into a Resolution
    Agreement (RA) with Providence Health Services
  • First RA reached for Security or Privacy Rule
    enforcement
  • Agreement terms included:
    • Resolution amount of $100,000
    • Corrective Action Plan

8
Providence Health Services
  • Health care system based in Seattle, Washington
  • The incidents giving rise to the agreement
    involved two entities within the system:
    • Providence Home and Community Services, and
    • Providence Hospice and Home Care

9
HIPAA Privacy Rule Complaint Process
(Flowchart; the recoverable content is outlined below.)
  • Complaint received
  • Intake Review, which may close the complaint because:
    • The violation did not occur after April 14, 2003
    • Entity is not covered by the Privacy Rule
    • Complaint was not filed within 180 days and an
      extension was not granted
    • The incident described in the complaint does not
      violate the Privacy Rule
  • Possible Criminal Violation: referred to DOJ
    • Accepted by DOJ, or
    • DOJ declines the case and refers it back to OCR
  • Possible Privacy Rule Violation: Investigation, then
    Resolution
    • OCR finds no violation
    • OCR obtains voluntary compliance, corrective
      action, or other agreement
    • OCR issues formal finding of violation
  • Possible Security Rule Violation: referred to CMS;
    CMS and OCR coordinate investigation of overlap
    cases
10
What is a Resolution Agreement?
  • A contract signed by HHS and a covered entity in
    which the covered entity agrees to perform
    certain obligations (e.g., staff training) and
    make reports to HHS, generally for a period of
    three years.
  • During the period, HHS monitors the compliance of
    the covered entity with its obligations.
  • An RA likely will include payment of a resolution
    amount.
  • These agreements are reserved for investigations
    with more serious outcomes.
  • An RA is the "other agreement" provided for at 45
    CFR 160.312(a): "Informal means may include
    demonstrated compliance or a completed corrective
    action plan or other agreement."

11
Is it a CMP? No
  • CMPs arise only out of the formal resolution
    process, which provides right to an
    Administrative Law Judge hearing and a
    Departmental Appeals Board appeal.
  • The resolution amount and CAP are voluntary actions
    taken by Providence to resolve the matter to the
    satisfaction of HHS without having to move to a
    formal enforcement process. An RA is an informal
    resolution.
  • The negotiated agreement settled the investigation
    without having to impose a civil money penalty.
  • Not an admission of liability by Providence nor a
    concession by HHS.

12
How does this differ from usual resolution?
  • Usually, Privacy Rule investigations that find
    indications of potential violations are concluded
    to the satisfaction of OCR
    • when the entity completes certain voluntary
      compliance actions, and
    • OCR notifies the person who filed the complaint
      and the covered entity in writing of the
      resolution result.
  • A Resolution Agreement with a Corrective Action
    Plan is the next level of the enforcement process.
  • This written agreement is negotiated in those
    cases when we are not able to reach a
    satisfactory resolution through the covered
    entity's demonstrated compliance and/or
    corrective action through other informal means.

13
Why not impose a CMP?
  • Cooperation by Providence throughout the
    investigation meant that HHS could satisfactorily
    resolve the issues through informal resolution.
  • The case was resolved prior to the issuance of a
    Notice of Proposed Determination and the imposition
    of a CMP, which is formal enforcement.
  • The Resolution Agreement is a settlement of the
    investigation and the matter.

14
Investigation
  • Triggered by 31 complaints submitted to OCR and
    CMS
  • Complaints merged into joint compliance reviews
    by CMS and OCR
  • Practices of entities created vulnerabilities
    that led to massive impermissible disclosures
    through multiple thefts

15
Incidents
  • Series of five incidents, September 2005 to March
    2006
  • Electronic information that was not encrypted or
    otherwise properly safeguarded was lost or stolen
  • Backup tapes, optical disks, and laptops, all
    containing unencrypted electronic PHI, were
    removed from the Providence premises and left
    unattended
  • Media and laptops were then lost or stolen,
    compromising the PHI of over 386,000 patients

16
Why a RA in this case?
  • Management lapses
  • On non-encryption, the entity had a policy that
    was not being followed
  • On loss of backup media, the practice of employees
    taking media home without reasonable safeguards was
    not consistent with policy, but was known by the
    information system managers and allowed to continue
    over a long period of time
  • Affected a very large number of patients: 386,000

17
Corrective Action Plan
  • Requires Providence to:
    • Revise its policies and procedures regarding
      physical and technical safeguards (e.g.,
      encryption) governing off-site transport and
      storage of electronic media (backup electronic
      media and portable devices) containing patient
      information, subject to HHS approval
    • Train workforce members on safeguards
    • Conduct audits and site visits of facilities
    • Submit compliance reports to HHS for a period of
      three years

18
Lessons learned
  • Effective compliance with the Privacy and Security
    Rules means more than just having written
    policies and procedures
  • HHS is willing to work with cooperative entities to
    implement effective changes to ensure that
    consumers are protected.
  • Covered entities need to continuously monitor
    implementation
  • Covered entities need to ensure that these
    efforts include effective privacy and security
    staffing, employee training, and physical and
    technical features

19
Part of overall enforcement strategy
  • A Resolution Agreement is one of several effective
    enforcement tools, to be used on a case-by-case
    basis
  • Covered entities that are not in compliance with
    the Privacy and Security Rules may face similar
    action

20
Complaint Investigations
  • Every complaint received by OCR is reviewed and its
    allegations analyzed
  • An investigation is launched when warranted by
    the facts and circumstances presented by the
    complaint
  • OCR investigations have resulted in changes in
    privacy practices and other corrective actions in
    over 6,xxx cases since April 2003
  • Corrective action obtained by HHS from covered
    entities has resulted in systemic change that
    benefits all the individuals they serve

21
Tips for CE Privacy Officers During an OCR
Investigation
  • When you receive the notification letter, contact
    the investigator.
  • Respond within the stated time frames.
  • If you are aware of a privacy incident, formulate
    and execute a corrective action plan, even if you
    have not yet received a notification letter.
  • Be specific in your responses to requests for
    data and information.
  • Be forthcoming and acknowledge errors.
  • Be cooperative, and ask for technical assistance if
    needed.
  • Remember, the goal is resolution through
    voluntary compliance.

22
Our Mutual Goal
  • Ensuring the privacy of each individual's health
    information in accordance with the standards and
    requirements of the HIPAA Privacy Rule

23
Other Challenges
24
Genetic Information--GINA
  • Genetic Information Non-Discrimination Act
    (signed into law May 21, 2008)
  • To protect individuals from discrimination in
    health insurance and employment on the basis of
    genetic information
  • Mandates modification of the Privacy Rule to
    incorporate provisions specific to genetic
    information
  • Genetic information is protected health
    information
  • Disallow the use or disclosure of genetic
    information for underwriting
  • Privacy Rule Modifications anticipated in 2009

25
Genetic Information -- HHS Personalized Health
Care Initiative
  • Creating privacy and nondiscrimination
    protections to advance genomic research for gene
    based medicine and health care
  • Through AHIC, looking at how to use HIT to
    advance personalized health care

26
Patient Safety and Quality Improvement Act
Establishes reporting systems for patient safety
events; information can be aggregated and assessed
to improve overall patient safety and quality of
care. Final rule expected by the end of 2008.
  • Creates Patient Safety Organizations (PSOs),
    entities recognized by the Secretary to collect
    and analyze patient safety events reported by
    health care providers
  • Provides Federal privilege and confidentiality
    protections for "patient safety work product"
  • HHS Agency for Healthcare Research and Quality
    (AHRQ) to administer rules for listing qualified
    PSOs
  • OCR to enforce confidentiality provisions

27
Nationwide Health Information Network
  • Privacy and Security Are Integral to NHIN
  • Necessary for Public Trust
  • Public Participation Is Engine for Adoption
  • HIPAA Levels Playing Field
  • Nationally Accepted Standards for Privacy and
    Security Already in Place
  • Uniform National Baseline of Protection: More Is
    Still Good

28
NHIN Privacy
  • HIPAA Privacy Rule as Facilitator, Not Obstacle,
    to Health IT Adoption
  • Standards Reflect Many Hard Choices Balancing
    Privacy and Access in Healthcare Setting
  • Narrows Privacy Debate to New Areas of Risk and
    Opportunity for Consumers
  • Flexibility Allows Rules to Adapt to HIE Needs
    without Lowering Baseline for All

29
Gaps for Privacy NHIN
  • Uniformity: How Much Is Really Needed?
    • Preemption
    • Harmonizing Federal and State Laws
    • Example: Consents
  • Flexible and Scalable Standards
    • Harmonizing Business Practices
    • Example: Minimum Necessary
  • Privacy and Security Solutions for Interoperable
    Health Information Exchange
    • Looking for Answers

30
Gaps for Privacy NHIN
  • Accountability
    • New Players Typically Not Covered by HIPAA:
      • Certain Health Care Providers
      • Providers of Network Services
      • Providers of Data Management Services
      • Providers of PHR Services
    • Can Business Associate Contracts Work and Provide
      Adequate Accountability in the NHIN?
    • Will Proposed Legislation in Congress Make These
      Covered Entities Under HIPAA?

31
Want More Information?
The OCR website, http://www.hhs.gov/ocr/hipaa/,
offers a wide range of helpful information about
the Privacy Rule:
  • The full text of the Privacy Rule
  • A HIPAA Privacy Rule summary
  • Frequently asked questions
  • Fact sheets
  • OCR enforcement program information