Since the passage of the Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. §§ 17921-17954 (HITECH), in 2009, HIPAA-covered entities have been living in a new era of increased responsibility and enforcement by the Department of Health and Human Services Office for Civil Rights (OCR). Prior to the passage of the HITECH Act, the OCR learned about violations primarily through complaints by a third party (often patients) or from infrequent compliance reviews. HITECH gave the OCR new enforcement tools in the form of mandatory breach notification by covered entities, audit authority and increased Civil Monetary Penalties (CMPs). Since 2008, the OCR has entered into 10 settlement agreements and has assessed CMPs in one instance.
In 2012, OCR has so far entered into four settlement agreements with Corrective Action Plans (CAPs), more than in any year since HITECH went into effect; three of these arose from breach notifications, which had not happened before. Also in 2012, the OCR released the results of its first 20 audits, and its audit protocol for future audits.
Brief Background
HIPAA, among other things, protects the privacy and security of Protected Health Information (PHI). The latter is “individually identifiable health information … that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.” 45 C.F.R. § 160.103. Under HIPAA, covered entities, which include a health plan, a health care clearinghouse or a “health care provider who transmits any health information in electronic form” (id.), must comply with regulations known as the Administrative Simplification Rules, which are broken down into the Privacy Rule and the Security Rule. The Privacy Rule defines and limits the circumstances under which a covered entity can use or disclose PHI. It applies to both electronic and paper PHI. The Security Rule applies only to electronic PHI (ePHI). Under the Security Rule, covered entities must protect ePHI by maintaining administrative, physical and technical safeguards, beginning with a documented risk analysis of the threats to that ePHI and risk management measures responding to it. (The Privacy Rule is set forth at 45 C.F.R. §§ 160.102-312 and 164.500-534. The Security Rule is set forth at 45 C.F.R. §§ 164.302-318.)
Under the breach notification rule, a covered entity must notify affected individuals when their unsecured PHI is acquired, accessed, used or disclosed in a manner not permitted by the Privacy Rule. “Unsecured” PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a method specified in HHS guidance, in practice encryption or destruction. The practical consequence is that a lost laptop or portable drive whose ePHI was encrypted in accordance with that guidance does not trigger notification, while one holding unencrypted ePHI does. If the breach affects 500 or more individuals, the covered entity must also notify the OCR, and where more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area, without unreasonable delay and in no case later than 60 days after discovery. Breaches that affect fewer than 500 individuals may be logged and reported to the OCR together, within 60 days after the end of the calendar year in which they were discovered. Business associates must report breaches to the covered entity, which makes the appropriate notifications.
The OCR audit program has made compliance with the Privacy, Security and Breach Notification rules measurable by developing performance criteria used during the audit to assess covered entities' HIPAA compliance. The goal of the “pilot program” is to complete 115 audits by the end of 2012. The audits are intended to be a “compliance improvement tool” and not an investigation of any particular violations, but if an audit reveals serious noncompliance, it could trigger a separate enforcement investigation, which could result in a settlement agreement or the imposition of CMPs.
Settlement Agreements: 2012
According to OCR, settlement agreements are reserved for investigations “with more serious outcomes.” See www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html. A closer look at the 2012 settlements reveals the types of activities or omissions the OCR is focusing on, and what types of corrective actions the OCR may require of a covered entity. (This is particularly interesting with respect to the three settlement agreements resulting from breach reports because, since September 2011, there have been 184 breach reports and only three have resulted in settlement agreements.) Although in all the cases settled in 2012 the initial breach report or complaint was confined to the loss of portable devices containing ePHI, in each of the investigations the OCR found a systemic and ongoing lack of compliance with HIPAA, especially with respect to the Security Rule. Specifically, OCR found a lack of: 1) proper policies and procedures; 2) adequate risk analysis “of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI”; 3) adequate risk management measures in response to the risk analysis; and 4) workforce training. In other words, the lost device was the reportable event, but the absence of a risk analysis and of controls addressing the risks it would have identified (such as encryption of ePHI on portable devices) was what the OCR penalized. The CAPs all require development of new policies and procedures to address the violations found by the investigation, approval of the new policies and procedures by OCR, proof of workforce training on the new policies and procedures, and reporting of any future violation of the policies and procedures by any member of the workforce. In addition, in three of the four cases, the entities were required to submit to monitoring, with the monitor in some cases conducting unannounced on-site inspections and in all cases submitting reports to the OCR at specified intervals during the term of the CAP.
The agreements were entered into “in consideration of the Parties' interest in avoiding the uncertainty, burden and expense of further investigation and formal proceedings,” and the general terms of the settlements are the same. The covered entities admitted no wrongdoing or liability, but the agreements resolved any violations of the Privacy and Security Rules related to the conduct specified in the OCR complaint. The six-year statute of limitations for the OCR to assess CMPs is tolled during the term of the agreement, so that if the covered entity violates the terms of the CAP, CMPs can still be assessed.
Next month, we will review the details of the four OCR settlement agreements with Corrective Action Plans (CAPs) that have thus far been entered into in 2012.
Lacey E. Tucker is an associate at Garfunkel Wild, P.C. Barry B. Cepelewicz, MD, a member of this newsletter's Board of Editors, is a partner at the firm.