Presenting a live 90-minute webinar with interactive Q&A
HIPAA Privacy and Security: Surviving Heightened Enforcement
Crafting and Implementing Data Security Policies and Responding to Breaches
THURSDAY, MAY 5, 2011
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va.
Gina M. Kastel, Partner, Faegre & Benson, Minneapolis
Rebecca C. Fayed, Counsel, SNR Denton, Washington, D.C.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Conference Materials
If you have not printed the conference materials for this program, please complete the following steps:
• Click on the + sign next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.

Continuing Education Credits
FOR LIVE EVENT ONLY
For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:
• Close the notification box
• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the blue icon beside the box to send

Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-888-450-9970 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

HIPAA Enforcement: The Dawn of a New Era
Nathan A. Kottkamp
May 5, 2011
www.mcguirewoods.com

HIPAA Enforcement: Before HITECH
All Bark, and No Bite?
McGuireWoods LLP | 6

HIPAA Enforcement Pre-HITECH
• Pre-HITECH
  – Penalty limited to $100 per violation or $25K for all identical violations
• No Civil Money Penalties cases

Providence Health & Services-2008
la di da la di da . . .

Providence Health & Services-2008
• Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.
• The Resolution Agreement relates to Providence's loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.
• Providence agreed to perform certain obligations (e.g., staff training) and make reports to HHS for three years.
• During the period, HHS monitors the compliance of the covered entity with the obligations it has agreed to perform.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/providenceresolutionagreement.html

CVS-2009
Patient records?

CVS-2009
Under the Resolution Agreement, CVS agreed to pay a $2,250,000 resolution amount and implement a strong Corrective Action Plan that requires:
1. revising and distributing its policies and procedures regarding disposal of protected health information;
2. sanctioning workers who do not follow them;
3. training workforce members on these new requirements;
4. conducting internal monitoring;
5. engaging a qualified, independent third-party assessor to conduct assessments of CVS compliance with the requirements of the Corrective Action Plan and render reports to HHS;
6. new internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures; and
7. submitting compliance reports to HHS for a period of three years.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html

HIPAA Penalties Under HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act revised HIPAA’s enforcement regulations:
– New Penalty Tiers:
  • Unknowing ($100 per violation/$25K max)
  • Reasonable Cause ($1K per violation/$100K max)
  • Willful neglect ($10K per violation/$250K max)
  • Uncorrected willful neglect ($50K per violation/$1.5M max)
– Civil and criminal liability for HIPAA violations extended to business associates
– Mandatory investigations and civil penalties for violations due to willful neglect
– Increased emphasis and significant funding on enforcement

Rite Aid-2010

Rite Aid-2010
Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:
– Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
– Training workforce members on these new requirements;
– Conducting internal monitoring; and
– Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidresagr.html

2011

Enforcement
• To boost enforcement of the HIPAA security rule, OCR has added investigators in 10 regional offices.
• HHS is seeking $5.6 million increase in funding for Fiscal 2012 enforcement.
• In FY 2010, the office received approximately 9,400 complaints associated with HIPAA privacy and security rules

Cignet Health-Landmark HIPAA Civil Monetary Penalty, February 4, 2011
“Today the message is loud and clear: HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts.”
-OCR Director Georgina Verdugo
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html

Cignet Health of Prince George’s County

Cignet Health of Prince George’s County, MD-Landmark HIPAA Civil Monetary Penalty, February 4, 2011
• The first-ever civil money penalty of $4.3 million
• Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.
  – The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.
  – The CMP for these violations is $1.3 million.
• Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.
  – Covered entities are required under law to cooperate with the Department’s investigations.
  – The CMP for these violations is $3 million.

Cignet Health-Landmark HIPAA Civil Monetary Penalty, February 4, 2011
“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements . . . . The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”
-OCR Director Georgina Verdugo
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html