HITECH Enforcement Tips Prevent Detect and Quickly Correct

HITECH Enforcement Tips: Prevent, Detect and Quickly Correct
HIPAA COW 2010 Spring Conference
Privacy/Security Session 1: HIPAA Privacy Best Practices: A Panel Discussion
April 16, 2010
OCR

ARRA’s HITECH Act and Enforcement
Title 13: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
Subtitle D: Privacy (Privacy, Security & Breach Notification Rules)
Sections 13409, 13410 and 13411:
  – Criminal Penalties for Individuals (Employees)
  – Noncompliance Due to Willful Neglect
  – Distribution of Certain Civil Monetary Penalties
  – Tiered Increases in Civil Monetary Penalties
  – Enforcement by State Attorneys General
  – Audits

ARRA’s HITECH Act and Enforcement
• Enforcement Interim Final Rule (IFR)
  – Published Oct. 30, 2009; Effective November 30, 2009
  – Implemented section 13410(d) of the HITECH Act (statutorily effective February 18, 2009) to strengthen the CMP scheme:
    • Categories of Increasing Culpability
    • Corresponding Ranges of Penalty Amounts
    • Revised Affirmative Defenses
    • Nature and Extent of Violation; Nature and Extent of Harm
• Pending Notice of Proposed Rulemaking (NPRM)
  – Noncompliance Due to Willful Neglect
  – Other Proposed Modifications

Enforcement IFR: Ranges of CMP Amounts

Violation Category                Each Violation        All Identical Violations per Calendar Year
Did Not Know                      $100 – $50,000        $1,500,000
Reasonable Cause                  $1,000 – $50,000      $1,500,000
Willful Neglect – Corrected       $10,000 – $50,000     $1,500,000
Willful Neglect – Not Corrected   $50,000               $1,500,000

Enforcement IFR: Affirmative Defenses
• Violations Occurring Before the HITECH Act (before February 18, 2009):
  – Disclosure is punishable criminally under § 1177;
  – CE did not know and reasonably would not have known that violation occurred; or
  – Reasonable cause and not willful neglect, and corrected during 30-day time period.
• Violations Occurring After the HITECH Act (on or after February 18, 2009):
  – Disclosure is punishable criminally under § 1177 (until February 18, 2011);
  – Disclosure is punished criminally under § 1177 (on or after February 18, 2011); or
  – Not due to willful neglect and corrected during 30-day time period.

Enforcement IFR: Definitions – § 160.401
• Reasonable cause – circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.
• Reasonable diligence – the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
• Willful neglect – conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
See also 70 FR 20224, 20237-8 and 71 FR 8390, 8409-11

Enforcement IFR: Other Key Concepts
• Knowledge – that a violation has occurred, not just that of the facts underlying the violation. Cannot claim lack of knowledge if such is the result of failure to inform self about compliance obligations or to investigate received complaints or other information indicating likely noncompliance. See 70 FR 20224, 20237-8 and 71 FR 8390, 8410
• Correction – 30-day cure period triggered “on the first date the person liable . . . knew, or by exercising reasonable diligence would have known that the failure to comply occurred.” See 71 FR 8390, 8410 and 74 FR 56123, 56128-9

A Few HITECH Enforcement Tips
• Prevent
  – Become familiar with HIPAA’s compliance obligations
  – Develop and implement compliant policies and procedures
  – Train staff accordingly
  – Invoke Breach Notification safe harbor (properly secure PHI)
• Detect
  – Bolster complaints process to resolve cases prior to federal claim
  – Provide for, and respond to, internal indications of non-compliance
• Quickly Correct
  – Promptly address the source, discontinue violation
  – Bring noncompliant policies and procedures into compliance
  – Follow HIPAA’s relevant remediation requirements

Want More Information?
Enforcement IFR (74 FR 56123): http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
OCR website: http://www.hhs.gov/ocr/privacy/
Listserv notices of new postings, news, etc.: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/listserv.html