HIPAA Enforcement and Compliance: Report from HHS's Office of the General Counsel


1 HIPAA Enforcement and Compliance: Report from HHS's Office of the General Counsel
Midwest Regional HCCA Conference, September 23, 2011
Jerome B. Meites, Chief Regional Civil Rights Counsel, Region V (Chicago)
Roger Geer, Chief Regional Civil Rights Counsel, Region VI (Dallas)

2 Topics
- Brief introduction to OCR
- Recent enforcement statistics
- Discussion of publicly announced enforcement actions:
  1. Providence
  2. CVS Pharmacy
  3. Rite Aid Pharmacy
  4. Management Services Organization of Washington
  5. Massachusetts General Hospital
  6. Cignet
  7. UCLA Hospital Systems
- Overall lessons learned and suggestions going forward

3 What is OCR?
OCR is a federal administrative agency. It is part of the Office of the Secretary of the United States Department of Health and Human Services (HHS), as is the Office of the General Counsel. OCR was founded in 1967 to enforce Title VI of the newly enacted Civil Rights Act. Title VI prohibits discrimination in federally funded programs on account of race, color, or national origin.

4 What is OCR?
OCR's first national director was Leon Panetta, who is currently serving as Secretary of Defense. Over time, OCR received jurisdiction over a number of antidiscrimination statutes, including Section 504 of the Rehabilitation Act of 1973, Title II of the Americans with Disabilities Act, and the Age Discrimination Act. In 2000, OCR was designated as the agency within HHS that would administer and enforce the Privacy Rule. In 2009, OCR succeeded CMS as the agency that enforces the Security Rule. OCR also enforces the privilege and confidentiality protections of the Patient Safety Act.

5 Your Health. Your Rights.
OCR's Vision: Through investigations, voluntary dispute resolution, enforcement, technical assistance, policy development and information services, OCR will protect the civil rights of all individuals who are subject to discrimination in health and human services programs and protect the health information privacy rights of consumers.

6 Where is OCR?
Headquarters in Washington, D.C.:
- Policy
- Administration
- Case management and oversight
- External relations
10 HHS regional offices:
- Enforcement
- Investigation
- Compliance reviews
- Public education and outreach
- Technical assistance

7 Department of Health and Human Services, Office for Civil Rights (organization chart)
- Office of General Counsel, Civil Rights Division: Edwin Woo
- Director: Leon Rodriguez
- Deputy Director, Programs & Policy: Karen Walker-Bryce
- Deputy Director, Enforcement and Regional Operations: Valerie Morgan-Alston
- Deputy Director, Planning and Business Administration: Stephanie Danes Smith
- Civil Rights Division: Luis Wilmot
- Health Information Privacy Division: Susan McAndrew
Regional offices:
- Boston: Peter Chan, Regional Manager
- New York: Linda Colon, Acting Regional Manager
- Philadelphia: Marlene Rey, Acting Regional Manager
- Atlanta: Roosevelt Freeman, Regional Manager
- Chicago: Celeste Davis, Acting Regional Manager
- Dallas: Ralph Rouse, Regional Manager
- Kansas City: Frank Campbell, Regional Manager
- Denver: Velveta Howell, Regional Manager
- San Francisco: Michael Kruley, Regional Manager
- Seattle: Linda Connor, Regional Manager

8 Role of OGC
The Office of the General Counsel (OGC) both advises and represents OCR in its handling of Privacy and Security Rule cases. OGC assists OCR in fashioning case strategy. OGC also participates in negotiations with covered entities and in drafting both settlement documents and violation findings. OGC also has an important role in drafting relevant regulations. OGC tries cases on behalf of OCR that are heard by HHS Administrative Law Judges and the HHS Departmental Appeals Board.

9 Privacy Rule Complaints Received (chart; latest year partial)

10 Privacy Cases Investigated

11 Top Issues in Privacy Rule Complaints
- Impermissible uses and disclosures of PHI
- Safeguards to protect health information
- Access to health records
- Minimum necessary
- Notice of Privacy Practices

12 Security Complaints & Reviews Opened (chart)
* Partial year: the Security Rule was delegated to OCR on July 27, 2009.

13 Security Complaints & Reviews Resolved (chart; totals broken down into Corrective Action, Investigated and No Violation Found, and Closed Without Investigation)
Security Rule delegated to OCR July 27, 2009.

14 Security Closures by Type (chart: percentage of closures by Corrective Action, Closed w/o Investigation, and Investigated No Violation)

15 Most Frequent Security Rule Issues

Standard or Specification                    Type of Safeguard   Count
Response and Reporting (R), (a)(6)(ii)       Administrative      179
Awareness & Training, (a)(5)(i)              Administrative      144
Access Control, (a)(1)                       Technical           141
Information Access Management, (a)(4)(i)     Administrative      126
Workstation Security, (c)                    Physical             84

16 Breach Notification Highlights
- Reports received from September 2009 through December involving a breach of over 500 individuals
- Theft and loss account for 67% of large breaches
- Laptops and other portable storage devices account for 38% of large breaches
- Paper records are 21% of large breaches
- 14,000+ reports of breaches affecting under 500 individuals

17 Breach Notification: 500+ Breaches by Type of Breach (chart)

18 Breach Notification: 500+ Breaches by Location of Breach (chart)

19 Methods of Enforcement
When OCR determines, from its investigation of the allegations raised in a Privacy Rule complaint or through a compliance review, that a covered entity may well have violated the Privacy Rule and/or the Security Rule, OCR has various means of enforcement at its command. If feasible, OCR usually seeks voluntary compliance. Voluntary compliance often involves the covered entity changing its policies and procedures, retraining personnel, and sanctioning the members of its workforce who violated the Privacy or Security Rules.

20 Methods of Enforcement
If OCR determines that the conduct involved warrants some sort of penalty even if voluntary compliance is forthcoming, OCR may seek to have the covered entity enter into a Resolution Agreement and Corrective Action Plan and pay a resolution amount. This method is often used when the problems identified by OCR are systemic. If OCR determines that the conduct involved is sufficiently serious, or if the covered entity is adamant in its refusal to cooperate in the investigation or resolution of the problem, OCR will assess a Civil Money Penalty (CMP).

21 What is a Resolution Agreement?
- A settlement agreement between HHS and a covered entity
- It represents an "other agreement" under 45 C.F.R.
- It incorporates a Corrective Action Plan which:
  - generally lasts for three years;
  - requires the covered entity to prepare new policies and procedures, subject to HHS approval;
  - generally requires improved training; and
  - requires monitoring of implementation and compliance
- Includes payment of a resolution amount

22 What is a Resolution Agreement?
A Resolution Agreement and Corrective Action Plan do not constitute:
- a formal finding of facts;
- a formal finding of a violation; or
- an admission by the covered entity.
A resolution amount is not a civil monetary penalty, fine, or other formal penalty. Because a Resolution Agreement is an informal resolution into which the covered entity enters in lieu of administrative litigation, the covered entity has no right to formal process or an administrative hearing.

23 Elements of a Corrective Action Plan
Training:
- Recipients must certify receipt of training.
- Training must be reviewed annually by the covered entity and updated as necessary.
- Training must address the new policies and procedures.
- Training must be delivered in an accessible and comprehensible fashion.
- OCR must approve training materials before they are used.
External monitoring can include:
- unannounced site visits;
- interviews with workforce members;
- inspections of a sample of devices; and
- improvements to policies and procedures, where necessary.

24 Elements of a Corrective Action Plan
The external monitor assesses the covered entity's compliance with all operative provisions of the Corrective Action Plan. It also submits detailed semi-annual or annual reports to both the covered entity and OCR regarding its findings. The external monitor may issue violation findings during the course of the reporting term if it finds a particularly serious problem. A violation in this context is a violation of the Corrective Action Plan. It may also be a violation of the Privacy or Security Rule, but does not necessarily trigger new action by OCR.

25 Elements of a Corrective Action Plan
OCR has the right of approval of the external monitor after the covered entity has made a nomination. OCR can conduct due diligence on any nominee, which would include reviewing the nominee's brochures, reviewing the resumes of the management team that would oversee the nominee's monitoring efforts, interviewing each member of the management team, and requesting appropriate additional information.

26 Elements of a Corrective Action Plan
OCR can appear unannounced at any of the unannounced visits which the external monitor conducts. The external monitor must submit annual reports on compliance for each year that the Corrective Action Plan is in effect. OCR can go behind the annual report by reviewing the external monitor's work papers.

27 Elements of a Corrective Action Plan
Internal Monitoring: The covered entity develops its own internal monitoring plan, which must be approved by OCR. Internal monitoring usually involves the designation of an individual or group of individuals within the covered entity who are separate from the workforce members who use and create PHI. This is often an internal audit team.

28 Elements of a Corrective Action Plan
The internal monitoring team reports directly to the Privacy or Compliance Officer or someone else near the top of the corporate hierarchy, so that corporate leadership takes ownership of compliance. Normally, the internal monitoring team produces semiannual or annual reports based on its work. These reports are tendered to OCR during the time that the Corrective Action Plan is in effect.

29 Elements of a Corrective Action Plan
Reports to be submitted by the covered entity to OCR:
- Implementation report
- Annual reports
If the covered entity fails to implement the Corrective Action Plan:
- Opportunity to cure
- If no cure, imposition of CMPs for:
  - the original conduct that gave rise to the investigation; and
  - new conduct that breached the Plan, if it also violates HIPAA

30 How does an RA/CAP Differ from Other Types of Informal Resolution?
Usually, investigations in which there are indications of noncompliance are concluded when:
- the covered entity completes certain voluntary compliance actions to the satisfaction of OCR; and
- OCR notifies the complainant and the covered entity in writing of the resolution result.
The Resolution Agreement/Corrective Action Plan approach is generally designed for cases with systemic issues, where entity-wide change in policies and procedures, and in the internal emphasis placed on the issue, is needed to ensure compliance.

31 Facts of the Providence Health and Services Case
- Providence is a fairly extensive health care system based in Seattle, Washington.
- A series of five incidents occurred between September 2005 and March 2006.
- The incidents giving rise to the agreement involved two entities within the system: Providence Home and Community Services and Providence Hospice and Home Care.

32 Facts of the Providence Health and Services Case
On or about December 30, 2005, electronic protected health information ("ePHI") on four backup tapes and two optical disks was left unattended overnight in the personal vehicle of an employee and was stolen. The employee had taken the disks and tapes from Providence Home and Community Services ("HCS"), a division of PHS-Oregon, pursuant to a practice followed at the time by HCS information staff with the knowledge of some HCS managers. The ePHI on the tapes and disks was not encrypted.

33 Facts of the Providence Health and Services Case
Further, on the following dates, laptops containing ePHI were left unattended and were stolen from workforce members: September 29, 2005; December 7, 2005; February 27, 2006; and March 3, 2006. The ePHI on the stolen laptops was not encrypted.

34 Providence Investigation
The investigation was triggered by 31 complaints submitted to OCR and the Centers for Medicare and Medicaid Services (CMS). The complaints were merged into a joint compliance review by CMS and OCR. It was determined that the practices of the Providence entities created systemic vulnerabilities that led to massive losses of ePHI. Providence was cooperative throughout the investigation. Providence executed a Resolution Agreement and Corrective Action Plan in July 2008.

35 Indications of Noncompliance in the Providence Resolution Agreement
OCR cited the following indications of noncompliance in the Resolution Agreement:
- Electronic PHI was not encrypted or otherwise properly safeguarded by Providence.
- Backup tapes, optical disks, and laptops, all containing unencrypted ePHI, were removed from the Providence premises by members of the Providence workforce and left unattended in vehicles.
- Portable media and laptops were lost or stolen, compromising the ePHI of over 386,000 patients.
- Providence management knew of such practices but allowed them to continue.

36 Actions to Settle Providence Case
Providence paid a $100,000 resolution amount. Providence's Corrective Action Plan provided that:
1. Providence would revise its policies and procedures, subject to OCR approval, by:
   - adopting new risk assessment and risk management tools; and
   - improving physical and technical safeguards (e.g., encryption) for offsite transport and storage of electronic media containing PHI.
2. Providence would train its workforce members on electronic and other safeguards for PHI.
3. Providence would conduct internal audits and site visits of facilities to determine compliance with the Corrective Action Plan.
4. Providence would submit an implementation report and annual reports to HHS for a period of three years.

37 Lessons Learned
Effective compliance means more than just written policies and procedures. Corporate management of covered entities needs to continuously monitor implementation of privacy and security policies and practices. HHS is willing to work with cooperative entities to implement effective changes to ensure that consumers are protected. Covered entities need to ensure that these efforts include:
- effective privacy and security staffing;
- adequate employee training on privacy and security issues; and
- physical and technical implementation in an effective manner.
A practical corollary of this case: encrypting ePHI on laptops and portable media in a manner consistent with HHS's guidance on rendering PHI unusable, unreadable, or indecipherable means that a lost or stolen device does not expose the data and is not a reportable breach under the Breach Notification Rule.

38 Facts of the CVS and Rite Aid Cases
CVS and Rite Aid are two large United States pharmacy store chains. OCR investigations began in the fall of 2007 because of a series of television investigative reports, first in Indianapolis and then in a number of other cities, about incidents in which television reporters found that PHI, including pill bottles with patient labels and written prescriptions, had been disposed of in unsecured dumpsters outside of or in the alley behind a number of CVS and Rite Aid pharmacy stores.

39 CVS and Rite Aid Investigations
OCR conducted compliance reviews of all CVS and Rite Aid retail pharmacy policies and practices related to the safeguarding and disposal of PHI. OCR undertakes compliance reviews when it receives credible evidence that a covered entity may be violating a provision of the Privacy or Security Rule. OCR does not need to receive a complaint in order to undertake a compliance review. Indeed, compliance reviews are generally conducted in the absence of complaints. OCR uses the same methodology in conducting compliance reviews that it uses for complaint investigations.

40 CVS and Rite Aid Investigations
The compliance reviews of CVS and Rite Aid were conducted as part of a joint investigation with the Federal Trade Commission (FTC). The FTC was determining whether CVS and/or Rite Aid had violated Section 5 of the FTC Act by their handling and disposal of the PHI that ended up in the dumpsters. Both CVS and Rite Aid cooperated fully with OCR and the FTC during the investigations.

41 Resolution of CVS and Rite Aid Cases
Prior to issuing any formal findings in either the CVS or Rite Aid case, OCR and the FTC met with representatives of CVS and Rite Aid to discuss the evidence that had been adduced and the possibility of resolving the matters without the issuance of formal findings and hearings before an Administrative Law Judge. These meetings were conducted pursuant to the mandate in the Privacy Rule that OCR seek voluntary compliance with the Privacy Rule whenever feasible.

42 Resolution of CVS and Rite Aid Cases
The CVS case was resolved in January 2009 when CVS executed a Resolution Agreement and Corrective Action Plan with OCR. CVS also signed an Agreed Settlement Order with the FTC at the same time. The Rite Aid case was resolved similarly in June. The Resolution Agreements and Corrective Action Plans in both cases can be found on OCR's website.

43 Covered Conduct in the CVS and Rite Aid Resolution Agreements
Although OCR made no formal findings of Privacy Rule violations in either the CVS or Rite Aid case, the Resolution Agreements do reflect that OCR's compliance reviews "indicate[d]" that the following conduct occurred:
- The CVS and Rite Aid policies and procedures, which had been in place since April 2003 when the Privacy Rule took effect and were still in place when the media reports commenced, were not designed to establish physical and administrative safeguards for the disposal of non-electronic PHI and were not adequately designed to appropriately and reasonably safeguard PHI;

44 Covered Conduct in the CVS and Rite Aid Resolution Agreements
- CVS and Rite Aid each failed to maintain and appropriately apply a sanctions policy regarding members of their respective workforces when incidents pertaining to the improper disposal of PHI arose; and
- CVS and Rite Aid failed to provide and document training on their respective policies and procedures pertaining to the disposal of non-electronic PHI that was appropriate for the roles that members of their respective workforces played in the handling and disposal of PHI.

45 Actions to Settle CVS and Rite Aid Cases
CVS paid $2.25 million as a resolution amount. Rite Aid paid $1 million as a resolution amount. Both CVS and Rite Aid executed similar Corrective Action Plans. The Corrective Action Plans required CVS and Rite Aid, respectively, to create new policies and procedures, training materials, and methods of imposing sanctions.

46 Actions to Settle CVS and Rite Aid Cases
The Corrective Action Plans provided certain criteria or minimum lists of provisions that must be included in the policies, procedures and other materials, but the Plans did not set out with specificity what was to be contained in the policies and procedures. Instead, CVS and Rite Aid were required to prepare those documents within a set number of days after their Corrective Action Plans were executed and submit them for OCR's approval and later for the approval of their External Monitors.

47 Actions to Settle CVS and Rite Aid Cases: Internal Monitoring
Both HHS and the FTC have required CVS and Rite Aid to develop and implement plans to actively monitor their compliance with the Resolution Agreement and Consent Order. This is internal monitoring. The internal monitoring is conducted by individuals who are not engaged in the ordinary course of operating the stores, and it can be done in a variety of ways. From OCR's perspective, in these and other Privacy and Security Rule cases involving national or regional health care entities, it is essential that corporate leadership take ownership of the changes necessary for compliance to become part of the culture of the covered entity. The internal monitoring process is an important element in ensuring compliance.

48 Actions to Settle CVS and Rite Aid Cases: External Monitoring
In addition, both HHS and the FTC required CVS and Rite Aid to choose External Monitors or Assessors. The Assessors assess the compliance of CVS or Rite Aid with the operative provisions of the Corrective Action Plan and submit annual reports for three years. There is some overlap between the Assessor's responsibilities under the FTC Order and under the Corrective Action Plan, but there are also variances. The Assessor functions for 20 years under the FTC Order, but generally submits reports on a biennial basis. The same entity can serve as the Assessor under the FTC Order and under the Corrective Action Plan.

49 Summary of Actions Required to Settle CVS and Rite Aid Cases
The CVS and Rite Aid Corrective Action Plans provide, respectively, for:
1. Revising and then distributing policies and procedures regarding PHI disposal to all relevant members of each entity's workforce;
2. Sanctioning workers who do not follow the policies and procedures;
3. Training relevant members of the workforce;

50 Summary of Actions Required to Settle CVS and Rite Aid Cases
The Corrective Action Plans also provided for internal monitoring as well as:
- engaging a third-party independent assessor for three years;
- new internal reporting procedures requiring workers to report all violations of the new privacy policies and procedures; and
- submitting annual compliance reports to HHS for a period of three years.

51 Lessons Learned from CVS and Rite Aid Cases
Disposal of PHI in unsecured dumpsters or similar repositories is not compliant with the safeguards standard of the Privacy Rule. Personnel involved in disposal must be trained in how to implement disposal safeguards. Management must continuously supervise implementation of relevant privacy policies and must make safeguarding and proper disposal of PHI, as well as adherence to all other aspects of the Privacy and Security Rules, part of the ingrained culture of the covered entity.

52 Facts of the Management Services Organization of Washington Case
Management Services Organization of Washington (MSO) provided practice management services to individual health care providers in and around Washington State. MSO also owned an affiliated company, Washington Practice Management (WPM), which markets and sells Medicare Advantage plans to consumers and earns commissions on those sales. On December 8, 2009, HHS opened an investigation of MSO based on a referral from the HHS Office of Inspector General (OIG) and the Department of Justice, Civil Division (DOJ), which had been investigating MSO and its owner for violations of the federal False Claims Act.

53 Indications of Noncompliance by MSO
OCR's investigation indicated that:
- Between January 2007 and November 2010, MSO impermissibly disclosed to its affiliate, WPM, ePHI maintained by MSO for numerous individuals to aid WPM in its marketing of Medicare Advantage plans to those individuals. MSO did not have a valid authorization to disclose the ePHI; and
- MSO intentionally failed to have in place appropriate and reasonable administrative, technical, and physical safeguards to protect its ePHI.

54 Actions to Settle MSO Case
MSO paid a $35,000 resolution amount. MSO executed a Corrective Action Plan that provided for:
- development and implementation of policies and procedures compliant with the Privacy and Security Rules;
- training of MSO workforce members on the policies and procedures;
- internal monitoring for at least two years; and
- submission of periodic compliance reports to HHS for a period of two years.

55 Facts of the Massachusetts General Hospital Case
Massachusetts General Hospital (MGH) is a large multispecialty health care provider headquartered in Boston. In March 2009, an MGH employee removed documents containing PHI from MGH premises, planning to work with the documents at home. The documents consisted of billing encounter forms listing the names, dates of birth, medical record numbers, health insurer numbers, health insurance policy numbers, diagnoses, and names of the health care providers for 66 patients.

56 Facts of the Massachusetts General Hospital Case
The documents also included daily office schedules for three days, on which were listed the names and medical record numbers of 192 patients. This information included sensitive information about treatment for infectious diseases, including information about patients diagnosed with HIV infection and other sexually transmitted diseases.

57 OCR's Investigation of MGH
OCR conducted a complaint investigation after receiving a complaint and after media reports of the incident appeared in the Boston area. As a result of its investigation, OCR found that on March 9, 2009, an MGH employee left MGH records in an adjoining seat on the Boston subway while commuting to work. The documents were never recovered.

58 Covered Conduct Engaged in by MGH
As a result of its investigation, OCR determined that:
- the MGH employee had impermissibly disclosed the PHI of 258 patients;
- the PHI had not been properly safeguarded;
- MGH had an "open door" policy that allowed employees to take documents containing PHI off premises; and
- MGH had no mechanism for tracking PHI taken from its premises.

59 MGH Resolution Agreement/Corrective Action Plan
MGH entered into a Resolution Agreement and Corrective Action Plan in February 2011, which provided that:
- MGH is required to develop policies and procedures, subject to OCR's review and approval, governing (i) the physical removal and transport of PHI, (ii) laptop encryption, and (iii) USB drive encryption;
- the new policies and procedures were required to address paper records AND ePHI, because MGH's previous open door policy could have resulted in electronic records being disclosed;

60 MGH Resolution Agreement/Corrective Action Plan
- the new and revised policies and procedures must be distributed to all MGH employees who have access to and use PHI;
- MGH must provide specific training on the new policies and procedures for all of its workforce members who have access to and use PHI; and
- an internal monitor must be designated to oversee implementation of corrective action. The monitor is to conduct assessments of implementation of, and compliance by MGH with, the corrective action obligations set forth in the CAP.

61 MGH Resolution Amount
MGH paid OCR $1,000,000 as a resolution amount. The covered conduct in this case, i.e. the abandonment of the records on the Boston subway, occurred in March 2009, after the February 18, 2009 effective date of the HITECH Act. Section 13410(d) of the HITECH Act created tiers of increasing penalty amounts under the Privacy and Security Rules that correspond to categories of culpability. Violations due to willful neglect are subject to penalty amounts from $10,000 to $50,000 per violation (that range applies to willful neglect that is corrected within the required period; uncorrected willful neglect carries a $50,000 minimum per violation). In this case, OCR found willful neglect because MGH knew about the open door policy but allowed it to continue and did not instruct employees on safeguarding PHI. Although the employee's conduct was a mistake, it was a preventable mistake and an accident waiting to happen.

62 Lessons Learned
CEs should develop and implement a comprehensive set of physical, technical, and administrative safeguard policies and procedures, compliant with the Privacy Rule and Security Rule, governing the removal of PHI in any form from CE premises by workforce members when they are working from home or off-site, or when transporting or using PHI. CEs should develop and implement a comprehensive training program for staff who access or use PHI on what constitutes PHI.

63 Lessons Learned
CEs should obtain assurances from all departments that reasonable safeguards have been implemented with respect to removing PHI from premises. CEs should implement a periodic internal monitoring program to ensure that policies and procedures are followed. CEs should conduct an effective training program for all appropriate workforce members regarding the safeguard policies for the use of portable media on which electronic PHI is stored and for safeguarding paper PHI that workforce members remove from the CE's premises for proper work-related purposes.

64 Cignet Health Care
Cignet Health of Prince George's County, Maryland (Cignet) is a treatment provider and health plan issuer. Forty-one individuals who received physician services from Cignet sought access to their Cignet medical records pursuant to the Privacy Rule. Cignet failed and refused to provide copies of the medical records to any of the 41 patients. The patient requests to which Cignet failed to respond were made during the period from October 2008 through April.

65 OCR's Investigation of Cignet
OCR began receiving complaints from Cignet patients in the fall. OCR issued its usual notice letters and made many telephone calls to Cignet, to none of which it received a response. OCR imposed an initial deadline of March 2009 for Cignet to respond to the first eleven complaints. OCR eventually imposed similar deadlines for all 41 complaints.

66 OCR's Investigation of Cignet
Cignet did not respond to OCR's written notification of the investigations, to numerous follow-up attempts to contact Cignet by telephone, or to subsequent letters informing Cignet of its obligation under 45 C.F.R. to provide the individuals access to obtain a copy of the protected health information about them in the designated record sets (medical records) maintained by Cignet.

67 Cignet's Lack of Cooperation and OCR's Issuance of a Subpoena
After Cignet failed to produce the medical records as required by OCR, OCR issued an investigative subpoena duces tecum on June 26, 2009, advising Cignet that it must respond within ten days or OCR would commence formal enforcement action. On February 4, 2010, represented by the Department of Justice, Civil Division, Federal Programs Branch, OCR filed a petition to enforce its subpoena duces tecum in the United States District Court for the District of Maryland. The Court issued an order for Cignet to show cause why it should not be held in contempt and scheduled a hearing for March 29, 2010. Cignet did not appear at the hearing, did not respond to the petition, and did not defend the action.

68 Cignet's Lack of Cooperation and OCR's Issuance of a Subpoena
On March 30, 2010, the Court granted a judgment by default against Cignet in accordance with the petition and directed Cignet to produce a copy of all of the subject medical records for the individuals listed in the OCR subpoena by April 7, 2010. On April 7, 2010, Cignet delivered 59 boxes of original medical records to the Department of Justice. Included in those 59 boxes were the medical records of the individuals listed in the OCR subpoena. The 59 boxes also contained the medical records of approximately 4,500 individuals for whom OCR had made no request or demand and for whom Cignet had no basis for disclosing their protected health information to OCR.

69 Basis for OCR's Imposition of a CMP Against Cignet
- Cignet failed to provide 41 individuals with timely access to their medical records, which were maintained by Cignet.
- Cignet failed to cooperate with OCR's investigation of 27 complaints regarding Cignet's noncompliance with the HIPAA Privacy Rule.
- Cignet continued in its refusal to cooperate with OCR on a daily basis from March 17, 2009, to April 7, 2010.
- OCR determined that Cignet's failures to cooperate with the investigation constituted violations of 45 C.F.R. (b).

70 Amount of CMP Levied
OCR calculated the amount of the CMP that it levied on Cignet as follows:
- a CMP of $1,300,000 attributable to the failure to provide individuals access to their health records; and
- a penalty of $3,000,000 for Cignet's failure to respond to OCR's demands to produce records and failure to cooperate with the investigation;
for a total CMP of $4,300,000.

71 Amount of CMP Levied
The factors listed below were considered aggravating factors in determining the amount of the CMP:
(a) these violations hindered the individuals' ability to obtain continuing health care by delaying their receipt of the PHI about them when they sought care from physicians other than those at Cignet (45 C.F.R. (b)(3)); and
(b) OCR was forced by Cignet's inaction to issue a subpoena duces tecum and to file a petition with the U.S. District Court to obtain copies of the protected health information of these individuals, who are guaranteed by the Privacy Rule the right to receive a copy of the PHI about them in medical records maintained by a covered entity (45 C.F.R. (f)).

72 Facts of the UCLAHS Case
In 2008, OCR received two complaints against the University of California at Los Angeles Health System (UCLAHS). In both instances, the complaints were filed on behalf of celebrity patients of UCLAHS. The complaints alleged that employees of UCLAHS had used and disclosed PHI of the celebrity patients for personal reasons or curiosity and not for any permissible reason under the Privacy or Security Rules.

73 Facts of the UCLAHS Case
Generally, the employees obtained PHI about the celebrity patients by using UCLAHS electronic medical record databases. Both cases were referred by OCR to the United States Department of Justice (DOJ). DOJ opened a criminal investigation and asked OCR to defer its Privacy and Security Rule investigation until DOJ had concluded the criminal investigation.

74 Facts of the UCLAHS Case
The DOJ investigation led to the indictment of a UCLAHS employee and a guilty plea to one count of obtaining PHI for commercial advantage.

75 OCR Investigation of UCLAHS
OCR began its investigation of UCLAHS in March. OCR submitted several document and electronic data requests to UCLAHS. OCR also conducted an on-site visit during which it interviewed numerous UCLAHS employees. UCLAHS was cooperative with OCR throughout the investigation.

76 Covered Conduct by UCLAHS
OCR's investigation indicated that UCLAHS had engaged in the following covered conduct:
During the periods from August 31, 2005 to November 16, 2005 and again from January 31, 2008 through February 2, 2008, numerous UCLAHS employees examined electronic PHI of two celebrity patients without a reason that was permissible under the Privacy Rule;

77 Covered Conduct by UCLAHS
Throughout the period from , one member of UCLAHS's workforce repeatedly examined the electronic PHI of many patients;
Throughout the period from , UCLAHS failed to provide and/or document the necessary and appropriate Privacy and Security Rule training for all members of its workforce to carry out their functions within UCLAHS;

78 Covered Conduct by UCLAHS
During the period from 2005 through 2008, UCLAHS failed to apply appropriate sanctions to workforce members who impermissibly examined electronic PHI; and
During the period from 2005 through 2009, UCLAHS failed to implement security measures sufficient to reduce the risk of impermissible access to its patients' electronic PHI by unauthorized users to a reasonable and appropriate level.

79 Resolution of UCLAHS Case
Prior to issuing formal violation findings, OCR met with representatives of UCLAHS to discuss the evidence that had been adduced by OCR, as well as by DOJ. UCLAHS expressed a desire to resolve the issues that had arisen during OCR's investigation via settlement. Consequently, in July 2011, UCLAHS executed a Resolution Agreement and Corrective Action Plan with OCR. These documents are on OCR's website.

80 Actions Taken by UCLAHS to Settle Case
UCLAHS paid $865,000 as a resolution amount. The Corrective Action Plan that UCLAHS executed required it to create new or revised policies and procedures so as to prevent members of its workforce from being able to routinely obtain access to electronic PHI when there was no work-related reason for them to access that PHI.

81 Actions Taken by UCLAHS to Settle Case
Under the Corrective Action Plan, UCLAHS was also required to develop and implement policies and procedures that addressed all other aspects of the covered conduct. UCLAHS agreed to distribute its new and revised policies and procedures to all appropriate members of its workforce and to obtain either written or electronic certification from each workforce member that they had received and read the policies and procedures.

82 Actions Taken by UCLAHS to Settle Case
UCLAHS agreed to train all appropriate members of its workforce on the policies and procedures within 90 days of their implementation, or within 30 days of the commencement of employment for new workforce members. The Corrective Action Plan contains criteria for the types of acceptable policies and procedures but does not specify their content. UCLAHS must submit the policies and procedures to OCR for approval before they can be formally implemented pursuant to the Plan.

83 Actions Taken by UCLAHS to Settle Case
UCLAHS is required to nominate an Independent Monitor who will assess UCLAHS's compliance with the Corrective Action Plan for three years. OCR must approve UCLAHS's selection before the Independent Monitor can begin work. OCR will conduct standard due diligence in considering the nomination.

84 Actions Taken by UCLAHS to Settle Case
After OCR has approved an Independent Monitor, the next step is for the Independent Monitor to draft a work plan that sets forth in detail how the Independent Monitor will assess UCLAHS's compliance with its various obligations under the Corrective Action Plan. OCR carefully reviews proposed work plans and often requires revision before approving the plan.

85 Actions Taken by UCLAHS to Settle Case
After the work plan is approved, the Independent Monitor begins its work. The role of the Independent Monitor in this case will be similar to the role of the External Monitors in the CVS and Rite Aid cases. The Independent Monitor will submit annual reports to OCR and UCLAHS and will also submit interim reports as conditions require.

86 Lessons Learned from the UCLAHS Case
Management of health care providers that rely heavily on electronic medical records must take affirmative steps to secure those records internally. Management needs to adopt a need-to-know strategy for allowing access to electronic PHI and implement that strategy throughout its electronic data systems. That is, only workforce members with a bona fide work-related reason to access a particular patient's electronic records should be able to do so.

87 Lessons Learned from the UCLAHS Case
Management, especially the compliance department, must be vigilant in testing the reliability of its security systems for safeguarding electronic PHI. Management should also be proactive with respect to protecting the electronic PHI of celebrity patients. But similar problems can arise in many different scenarios; the problems identified in the UCLAHS case are not limited to celebrity patients.
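One way to put the need-to-know lesson into practice is to review EHR audit logs against a care-team roster, flagging chart accesses that have no documented work-related reason and users who open many unrelated patients' charts (the two access patterns in the covered conduct above). This is an added example, not code from the presentation or from UCLAHS; the audit-log format, the roster, and all user and patient identifiers are constructed.

```python
"""
Need-to-know review of an EHR chart-access audit log.

Added example, not from the presentation or from UCLAHS. It assumes a
hypothetical audit-log format (one CSV record per chart access) and a
hypothetical care-team roster recording which workforce members have a
work-related reason to open a given patient's chart.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed roster: patient id -> user ids with a documented treatment,
# payment or operations reason to access that patient's record.
CARE_TEAM = {
    "P1001": {"dr.alvarez", "rn.chen"},
    "P1002": {"dr.alvarez"},
    "P1003": {"dr.okafor", "rn.chen"},
    "P1004": {"dr.okafor"},
}

# Constructed audit records in the assumed format: timestamp,user,patient,action
AUDIT_LOG = """\
2008-01-31T09:02:11,dr.alvarez,P1001,view_chart
2008-01-31T09:05:43,rn.chen,P1001,view_chart
2008-01-31T12:14:00,clerk.doe,P1001,view_chart
2008-01-31T12:15:22,clerk.doe,P1002,view_chart
2008-01-31T12:16:05,clerk.doe,P1003,view_chart
2008-01-31T12:17:48,clerk.doe,P1004,view_chart
2008-02-01T08:30:00,dr.okafor,P1003,view_chart
2008-02-01T10:45:12,rn.chen,P1002,view_chart
2008-02-02T16:20:09,dr.alvarez,P1002,view_chart
"""


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    patient: str
    action: str


def parse_log(text: str) -> list[Access]:
    """Parse the hypothetical CSV audit format into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        records.append(Access(ts, user, patient, action))
    return records


def has_need_to_know(user: str, patient: str, roster=CARE_TEAM) -> bool:
    """Policy check: access is permissible only for listed care-team members.
    A patient with no roster entry yields an empty set, so access is denied
    by default rather than allowed."""
    return user in roster.get(patient, set())


def find_unjustified_access(records, roster=CARE_TEAM) -> list[Access]:
    """Every chart access with no documented care relationship."""
    return [r for r in records if not has_need_to_know(r.user, r.patient, roster)]


def find_browsing_users(records, roster=CARE_TEAM, threshold=3) -> dict[str, int]:
    """Users whose unjustified accesses span at least `threshold` distinct
    patients: the 'one workforce member examining many patients' pattern,
    which warrants escalation rather than a single-record review."""
    patients_by_user = defaultdict(set)
    for r in find_unjustified_access(records, roster):
        patients_by_user[r.user].add(r.patient)
    return {u: len(p) for u, p in patients_by_user.items() if len(p) >= threshold}


if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    for r in find_unjustified_access(recs):
        print(f"REVIEW   {r.ts} {r.user} opened {r.patient} with no care relationship")
    for user, n in find_browsing_users(recs).items():
        print(f"ESCALATE {user}: {n} distinct patients with no care relationship")
```

In a real deployment the roster would be derived from scheduling, admission and billing systems rather than a static table, and the same `has_need_to_know` check belongs in the application's access path, not only in after-the-fact log review.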

88 Lessons Learned
Do not neglect physical safeguards for areas where paper records are stored or used.
Reduce risk through network or enterprise storage as an alternative to local devices.
Encryption of data at rest on any desktop or portable device/media storing EPHI is essential.

89 Lessons Learned
Maintain clear and well-documented administrative and physical safeguards for the storage devices and removable media that handle EPHI.
Raise the security awareness of workforce members and managers to promote good data stewardship.

90 Items Available on the OCR Website
The OCR website can be very valuable for compliance officers and practitioners who often focus on the Privacy Rule, Security Rule, and Breach Notification. The website address is:
Items of interest on the website include:
The Privacy Rule, Security Rule, Breach Notification Rule and the relevant editions of the Federal Register that accompanied their release;
Several hundred frequently asked questions;

91 Items Available on the OCR Website
A description of each of the cases described here, along with copies of the Resolution Agreements, Corrective Action Plans, Cignet CMP documents, and the like;
Monthly statistics on dispositions of Privacy and Security Rule cases;
General information about the OCR enforcement program.

92 Our Contact Information
Jerome B. Meites
Chief Regional Civil Rights Counsel, Region V
Office of the General Counsel
United States Department of Health and Human Services
233 North Michigan Avenue, Suite 700
Chicago, Illinois
Jerome.Meites@hhs.gov

93 Our Contact Information
Roger Geer


More information

JOINT NOTICE OF PRIVACY PRACTICES Cumberland County Hospital System d/b/a Cape Fear Valley Health System

JOINT NOTICE OF PRIVACY PRACTICES Cumberland County Hospital System d/b/a Cape Fear Valley Health System JOINT NOTICE OF PRIVACY PRACTICES Cumberland County Hospital System d/b/a Cape Fear Valley Health System EFFECTIVE: September 23, 2013 THIS JOINT NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION ABOUT

More information

HIPAA Update Focus on Breach Prevention

HIPAA Update Focus on Breach Prevention HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process

More information

Harris County - Texas HIPAA Notice of Privacy Practices

Harris County - Texas HIPAA Notice of Privacy Practices Harris County - Texas HIPAA Notice of Privacy Practices Effective Date: September 23, 2013. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

B. For example, a health system could own a hospital, medical groups and DME supplier and designate them as an ACE.

B. For example, a health system could own a hospital, medical groups and DME supplier and designate them as an ACE. Kimberly Short Kirk and Brad Rostolsky I. HIPAA Implications of Physician-Hospital Integration As physicians and hospitals become increasing integrated, regulatory compliance is a key consideration. The

More information

UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION

UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION ) In the Matter of ) AGREEMENT CONTAINING ) CONSENT ORDER Snapchat, Inc., ) a corporation. ) ) FILE NO. 132 3078 ) The Federal Trade Commission ( Commission

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

2016 OCR AUDIT E-BOOK

2016 OCR AUDIT E-BOOK !! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that

More information

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA This Business Associate Addendum ("Addendum") supplements and is made a part of the service contract(s) ("Contract") by and between St. Joseph Health System

More information

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments Robin B. Campbell Ethan P. Schulman Jennifer S. Romano HIPAAPrivacy and Security Breach Overview of the Laws Developments Incident

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Philip L. Gordon, Esq. Littler Mendelson, P.C.

Philip L. Gordon, Esq. Littler Mendelson, P.C. Beyond The Legal Requirements: Key Practical Issues in Negotiating Business Associate Agreements, Responding to a Breach of Unsecured PHI, and Understanding HHS Enforcement Philip L. Gordon, Esq. Littler

More information

NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA)

NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA) NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA) THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule Reporting of HIPAA Privacy/Security Breaches The Breach Notification Rule Objectives What is the HITECH Act? An overview-what is Protected Health Information (PHI) and can I protect patient s PHI? What

More information

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION PLEASE REVIEW IT CAREFULLY. DEFINITIONS PROTECTED HEALTH INFORMATION (PHI):

More information

STATE LIQUOR AUTHORITY: DIVISION OF ALCOHOLIC BEVERAGE CONTROL OVERSIGHT OF WHOLESALERS COMPLIANCE WITH THE ALCOHOLIC BEVERAGE CONTROL LAW

STATE LIQUOR AUTHORITY: DIVISION OF ALCOHOLIC BEVERAGE CONTROL OVERSIGHT OF WHOLESALERS COMPLIANCE WITH THE ALCOHOLIC BEVERAGE CONTROL LAW Alan G. Hevesi COMPTROLLER OFFICE OF THE NEW YORK STATE COMPTROLLER DIVISION OF STATE SERVICES Audit Objectives... 2 Audit Results Summary... 2 Background... 3 Audit Findings and Recommendations... 3 Oversight

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Arizona Physicians Group To Pay $100,000 To Settle HIPAA Charges

Arizona Physicians Group To Pay $100,000 To Settle HIPAA Charges Cynthia Marcotte Stamer Board Certified Labor and Employment Law Texas Board of Legal Specialization Primary Telephone: (214) 452-8297 24-Hour Telephone (469) 767.8872 Addison Telephone (972) 588.1860

More information

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013 ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

The Family Counseling Center of Fulton County NOTICE OF PRIVACY PRACTICES

The Family Counseling Center of Fulton County NOTICE OF PRIVACY PRACTICES The Family Counseling Center of Fulton County NOTICE OF PRIVACY PRACTICES This notice describes the privacy practices of The Family Counseling Center of Fulton County and the privacy rights of the people

More information

HIPAA Privacy Keys to Success Updated January 2010

HIPAA Privacy Keys to Success Updated January 2010 HIPAA Privacy Keys to Success Updated January 2010 HIPAA Job Specific Education 1 HIPAA and Its Purpose What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Title II Administrative

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,

More information