Page 1: Enforcing HIPAA Lorman Education Service August 22, 2007 Tacoma, Washington

Enforcing HIPAA
Lorman Education Service
August 22, 2007
Tacoma, Washington

Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) 370-8126
[email protected]

Page 2

HIPAA Enforcement Rule — Overview

Original Enforcement Rule
Published: April 17, 2003
Expiration date: September 16, 2005

New Proposal
Comment period ended: June 17, 2005
70 Federal Register 20223
Final rules issued February 16, 2006
Final rules effective March 16, 2006

Page 3

HIPAA Enforcement Rule — Overview

DHHS adopts a “single enforcement policy,” i.e. the HIPAA Enforcement Rule applies to all aspects of HIPAA including the Privacy, Security, and Transactions and Code Sets Standards.

OCR will administer and enforce HIPAA Privacy Rule.

CMS will administer and enforce all HIPAA non-Privacy Rules.

Page 4

Subparts

Subpart A—“Person” redefined

Subpart C—Compliance and Investigations

Subpart D—Imposition of Monetary Penalties

Subpart E—Procedures for Hearings [Goodbye carrot, hello stick]

Page 5

Criminal HIPAA

Knowingly use or cause to be used

Unlawful use or disclosure—not accidental

$50,000 and/or 1 year in jail

Add false pretenses: $100,000 and/or 5 years in jail

Add intent to sell, use for commercial advantage, use for personal gain, or cause malicious harm: $250,000 and/or 10 years in jail

Page 6

“Person”

Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

Page 7

Person

The term “person” appears throughout the HIPAA rules, and the definition of the term we propose is a universal one that should work in each of the contexts in which the term “person” occurs. 70 FR 20227

Page 8

Person

Does “person” include or not include covered entities?

Page 9

The Gibson Case

PHI of a cancer patient was stolen by the employee (phlebotomist) of a covered entity.

Employee used this information to obtain credit cards which he used.

Gibson could have been prosecuted under numerous federal identity theft laws.

Page 10

The Gibson Case

Prosecutor opted to prosecute under HIPAA as the information collected was the PHI of a patient hospitalized in a covered entity.

Prosecuting attorney stated that whether Mr. Gibson was or was not a covered entity was not of great concern.

Page 11

The Gibson Case

Gibson entered into a plea agreement and is currently in jail.

DOJ unofficially indicated that prosecutions would be based on a broad definition of “person.”

DOJ issued a formal opinion that HIPAA only applies to covered entities. In the Gibson case he was not a covered entity so prosecution under HIPAA would not be possible today.

Page 12

Department of Justice

On June 1, 2005 the U.S. Department of Justice issued a Memorandum Opinion stating: “we do not read the term ‘person’ at the beginning [of this statute] to mean ‘covered entity.’” Opinion at p. 7.

Page 13

Department of Justice

As matters currently stand, based on the DOJ Memorandum, “person” does not include “covered entity” for purposes of criminal prosecution under HIPAA.

Page 14

Complaint Process

Complaints filed with the Secretary of HHS or its designee, OCR.

Can be filed by anyone who believes the CE is not complying with HIPAA:

Competitor

Disgruntled former (or current) employee

Patient or patient’s family

Page 15

Complaint

Must be in writing, but can be filed on paper or electronically.

Must be detailed: must name the person and the act or omission.

Must be filed within 180 days of when the complainant knew or should have known of the violation. DHHS may waive the 180-day requirement for “good cause shown.”

Page 16

Discretion to Investigate Complaints

Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the covered entity and of the circumstances regarding any alleged violation.

Page 17

Page 18

Complaints Remaining Open: 5,997 (22% of total)

Complaints Resolved: 21,801 (78% of total)

Total Complaints Received: 27,778

Page 19

Corrective Action Obtained (Change Achieved): 4,732 (68% of total)

No Violation: 2,282 (32% of total)

Total Complaints Investigated: 7,014

Page 20

Last revised: June 14, 2007

Page 21

Compliance Reviews

An additional route by which you can come to the Secretary’s attention is by way of a Compliance Review.

The Secretary may conduct compliance reviews to determine whether entities are complying with the applicable administrative simplification provisions.

Page 22

Compliance Reviews

“We cannot project the variety of circumstances under which compliance reviews might be undertaken. Therefore, we do not propose to limit the situations in which this authority could be exercised.” 70 FR 20244

Page 23

Compliance Reviews

While DHHS has the authority to conduct compliance reviews, DHHS recently stated that compliance and enforcement activities will remain primarily complaint-driven.

DHHS states that they still want to remain focused on promoting voluntary compliance.

Page 24

Compliance

New rule clarifies that the Enforcement Rule applies to both “acts” and “omissions.” “a violation occurs when a covered entity fails to take an action required by a HIPAA rule, as well as when a covered entity takes an action prohibited by a HIPAA rule.” 70 FR 20229

Page 25

Resolution of Complaint

The Secretary has two choices:

Resolution where non-compliance is indicated.

Resolution where no violation is found. Secretary notifies CE and complaining party that no violation has been found.

Page 26

Informal Resolution Where Non-Compliance is Indicated

The Secretary will attempt to reach a resolution of the matter satisfactory to the Secretary by informal means.

Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.

Inform complainant, if any, of resolution.

Vast majority of cases are settled under this section.

Page 27

Informal Resolution Where Non-Compliance is Indicated

If DHHS determines that the matter cannot be settled by informal means, DHHS must notify the covered entity and any complainant in writing.

Covered entity is then provided the opportunity to submit written evidence of mitigating factors or affirmative defenses.

Page 28

Resolution

Secretary may settle the matter at any time.

Secretary may compromise the penalty at any time.

Page 29

Mitigating Factors

If the matter is not resolved informally, the CE may submit written evidence of mitigating factors or affirmative defenses.

Secretary will issue a formal finding that the matter is not resolved and that imposition of a CMP is warranted.

Once this finding is issued you have 30 days to submit affirmative defenses or other mitigation.

Page 30

Mitigating Factors

The number of impermissible actions or failures to take required actions.

The number of persons involved.

The amount of time during which the violation occurred.

Whether violation caused physical harm.

Whether violation caused financial harm.

Page 31

Mitigating Factors

Whether action was intentional.

Whether action was beyond the direct control of the CE.

History of prior offenses.

Financial condition of the CE.

Size of the CE.

Other matters as justice may require.

Page 32

Mitigating Factors

“. . . As justice may require” includes:

CE’s trustworthiness

CE’s lack of veracity and remorse

Damages to the government

Effect of penalty on the CE’s rehabilitation

CE’s unprompted diligence in correcting the violations

Page 33

Mitigating Factors

This is a very subjective and very uncertain set of “standards.” The feds do not give any details of how this formula actually works, i.e. how the categories are weighted, if at all.

Page 34

Affirmative Defenses

Act is punishable criminally. [Don’t fine me, I’d rather go to jail?!?!]

Covered entity did not have knowledge.

Covered entity would not have known through the exercise of reasonable diligence. Might have to explain why your compliance plan did not catch the violation.

Page 35

Affirmative Defenses

Violation is due to reasonable cause and not willful neglect (or worse) and corrected within 30 days of knowledge (discovery) or such other time as Secretary determines.

Critical to address any reported (alleged) violations as quickly as possible.

Page 36

Affirmative Defenses

DHHS may waive CMPs if the party asserting the defense can show that failure to comply was due to reasonable cause even though the violation was not corrected within the 30-day time period required by that defense.

Demonstrate that payment of the penalty would be excessive relative to the compliance violation.

Page 37

Exit Quickly If You Can

Investigate quickly. Identify affirmative defenses, if any, and present them to the Secretary ASAP to try to end the inquiry.

Fix it—the sooner the better, especially if you take steps to fix it prior to the investigation.

Mitigate.

Page 38

Exit Quickly If You Can

If you cannot fix prior to investigation starting, try to demonstrate compliance since the filing of the complaint, develop a corrective action plan, or other agreement to settle via “informal means.”

Page 39

Exit Quickly If You Can

No formal record of proceedings

Limited notice to outside world

Avoid/mitigate penalties

Page 40

Formal Investigation

Secretary may issue subpoenas

Require attendance of witnesses and production of any other evidence

Page 41

Formal Investigation

Investigational inquiries are not public, but:

Testimony is taken under oath

Attendance of non-witnesses is discretionary

Objections stated on record

Record/transcript of proceedings

Information obtained may be used by HHS in any of its activities and may be offered into evidence in any proceeding

Page 42

Proposed Determination

If Secretary determines action is necessary, Secretary will issue a Notice of Proposed Determination, setting out:

Statutory basis for CMP.

Findings of fact (including statistical sampling if applicable).

Reason(s) why violation(s) subjected CE to a CMP.

Page 43

Proposed Determination

Amount of proposed penalty.

Factors considered in determining amount of the CMP.

Instructions for responding and/or requesting a hearing.

Page 44

Proposed Determination

If DHHS used statistical sampling to determine the number of violations, it must provide its sampling study with the notice.

Page 45

Requesting A Hearing

Must request within 90 days of issuance of Notice of Proposed Penalty/Determination.

DO NOT MISS THIS DEADLINE. Failure to request hearing in timely manner results in imposition of the CMP and loss of appeal rights.

Page 46

Request A Hearing

Request must be signed by respondent or respondent’s attorney.

Request must be mailed within 90 days of Notice of Proposed Determination.

Must clearly admit, deny, or explain findings of fact.

Restate affirmative defenses or arguments in mitigation.

Page 47

First Meeting

Parties are required to schedule a prehearing conference with at least 14 days’ advance notice to:

Define the issues to be addressed at the Hearing, and

Consider ways to protect the PHI during the Hearing.

Page 48

ALJ’s First Review

ALJ must dismiss request for hearing if:

Not mailed within 90 days of Notice of Proposed Penalty/Determination

Not properly filed

Upon withdrawal or abandonment

Failure of CE to raise issue that may be properly addressed

NOTE: Secretary may settle without ALJ consent.

Page 49

Conduct of Hearing

Fair and impartial.

Set date, place and time of hearing.

Conduct conferences, motion hearings, examination of witnesses, issue subpoenas, and regulate process.

Not bound by federal rules of evidence but may choose to follow them.

Hearing must be public unless good cause shown.

Post-hearing briefs may be filed, no later than 60 days following close of hearing.

Page 50

ALJ May NOT

Ignore or invalidate federal law or Secretarial delegations of authority. Secretary can identify someone to appear in his/her place.

Issue a directed verdict.

Compel settlement negotiations.

Enjoin the Secretary.

Review exercise of Secretary’s discretion.

Page 51

Rights of Parties

Representation by counsel.

Discovery.

Stipulate to facts or law.

Examine and cross-examine witnesses.

Present oral argument.

Submit written briefs.

Page 52

Burdens of Proof

Respondent has burden of proof as to:

Affirmative defenses

Challenges to amount of penalty

Claim for reduction or waiver of penalty

Page 53

Burdens of Proof

Secretary has burden of proof as to all other issues.

Burden of proof is preponderance of the evidence.

Page 54

Discovery

Request for production of documents. No other discovery is required by the regulations.

Work product is protected.

Discovery motions permitted.

Motions to compel discovery.

Page 55

Discovery

Parties must exchange witness lists, copies of prior statements, and copies of proposed exhibits not more than 60 days and not less than 15 days before the hearing.

ALJ may exclude evidence or witnesses not submitted in compliance with the above.

Page 56

ALJ Decision

Decision made solely on the record, containing findings of facts and conclusions of law.

Must issue decision within 60 days after hearing or post-hearing briefs. If not issued, ALJ must explain reason and establish a new due date.

Unless timely appealed, ALJ decision is final and binding 60 days from date of service of decision.

Page 57

Appeal of ALJ Decision

Notice of appeal must be filed with Appeal Board within 30 days of ALJ decision.

Notice of Appeal must be accompanied by brief specifying objections.

Opposition brief may be filed within 30 days of Notice of Appeal.

Page 58

Appeal of ALJ Decision

No right to personally appear before the Appeals Board.

Appeals Board may not consider any issue not raised in appellate brief or which could have been raised before the ALJ.

Board may remand back to the ALJ for additional evidence.

Page 59

Appeals Board Action

Board may:

decline review

affirm

increase penalty

decrease penalty

reverse

remand

Page 60

Standard of Review

Issue of fact: ALJ decision supported by substantial evidence.

Issue of law: ALJ decision is erroneous.

Page 61

Board Decision

Board must issue decision within 60 days of submission of all briefs.

Board’s decision becomes final within 60 days after service of decision.

Parties may file motion for reconsideration prior to date Board decision becomes final, i.e. within 60 days of the service of the Board’s decision.

Page 62

Petition for Judicial Review

Respondent must file within 60 days of the Board’s Final Decision.

Filed in the U.S. Court of Appeals. Copy of the appeal to be provided to the General Counsel for HHS.

Page 63

Petition for Judicial Review

Error in the admission or exclusion of evidence is not grounds for reversal unless error is “inconsistent with substantial justice.”

Page 64

Stay of Board’s Decision

Respondent may file request for stay pending judicial review.

Filing of request automatically stays penalty effective date.

Respondent must post bond or other security.

Page 65

IMPROVED HIPAA ENFORCEMENT WEB PAGE

Friday, April 20, 2007

HHS Launches New Web site on HIPAA Privacy Compliance and Enforcement

To coincide with the fourth anniversary of the enforcement of the HIPAA Privacy Rule, the Department of Health and Human Services (HHS) announced today the launch of an enhanced Web site that will make it easier for consumers, health care providers and others to get information about how the Department enforces health information privacy rights and standards. In launching the website, Winston Wilkinson, the Director of the HHS Office for Civil Rights, noted: "HHS has obtained significant change in the privacy practices of covered entities through its enforcement program. Corrective actions obtained by HHS from these entities have resulted in change that is systemic and affects all the individuals they serve."

Page 66

The Health Information Privacy Web site provides comprehensive information about the Privacy Rule, which creates important federal rights and requirements to protect the privacy of personal health information. The enhanced Web site, http://www.hhs.gov/ocr/privacy/enforcement, provides information for consumers, health care providers, health plans and others in the health care industry about HHS’s compliance and enforcement efforts. The new information describes HHS activities in enforcing the Privacy Rule, the results of those enforcement activities, and statistics showing which types of complaints are received most frequently and the types of entities most often required to take corrective action as a result of consumer complaints. The other information on the Web site covers consumers’ rights to access their health information and significantly control how their personal health information is used and disclosed, as well as guidance about how to submit complaints about possible violations of the law and extensive guidance for entities who must comply with the rule.

Page 67

HHS issued the patient privacy protections pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The first and only comprehensive federal privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers took effect on April 14, 2003. Developed by HHS, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. The regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., enrollment, billing and eligibility verification) electronically. HHS has conducted extensive outreach and provided guidance and technical assistance to providers and businesses to help them to implement the new privacy protections. These materials are available at http://www.hhs.gov/ocr/hipaa.

Revision date: April 20, 2007

Page 68

Disclaimer

These materials are provided for educational purposes only, and are not legal advice or intended to be substituted for legal advice. Parties affected by the issues discussed in these materials should consult with their legal counsel, as the specific facts of any given case will greatly influence the legal advice given.

It is important to note that these materials address an area of the law that is volatile and expected to have significant changes in the very near future which may completely alter the applicability of these materials to any situation.

Page 69

QUESTIONS

Stephen D. Rose, J.D., M.B.A.
K&L Gates
925 Fourth Avenue, Suite 2900
Seattle, Washington 98104
(206) 370-8126
[email protected]