SUMMARY OF CHANGES HIPAA AND OHIO PRIVACY LAWS


Franklin J. Hickman
Janet L. Lowder
David A. Myers
Elena A. Lidrbauch
Judith C. Saltzman
Mary B. McKee
Lisa Montoni Garvin
Andrea Aycinena

Penton Building, 1300 East Ninth Street, Suite 1020, Cleveland, OH
Telephone (216) Fax (216)

Waterford Dr., Sheffield Village, OH
Telephone (440) Fax (440)

SUMMARY OF CHANGES HIPAA AND OHIO PRIVACY LAWS

Franklin J. Hickman
Andrea Aycinena

This is a summary only and is not intended to provide legal advice. For individual issues, you should consult your attorney.

TABLE OF CONTENTS

I. GENERAL OVERVIEW
II. EFFECTIVE DATES
   A. General Rule
   B. Business Associate Agreements
   C. Data Use Agreements
III. NOTICE OF PRIVACY PRACTICES
IV. CHANGES TO PRIVACY RULES
   A. Business Associates
      1. Definition of Business Associate
      2. Security Rules
      3. Privacy Rules
      4. Notice of Breach
      5. When a Business Associate is an Agent of a Covered Entity
      6. Summary of Liability of Business Associates
   B. Sale of PHI
   C. Fundraising
      1. General Rules
      2. Opportunity to opt out
      3. Notice of Right to Opt Out
   D. Right to Receive Electronic Copies of Health Record
   E. Restriction on Disclosures
   F. Proof of Immunization
   G. Access to Decedent Information
V. Changes in Rules on Notice of Breach
   A. Basic Principles on Breach
      1. Definition of a Breach
      2. Definition of Unsecured PHI
      3. Risk Assessment for Breach
      4. Determining Time for Discovery of Breach
   B. Notice of Breach to Individuals
      1. Timeliness of Notice to Individuals
      2. Content of Notice to Individuals
      3. Method of Notice
      4. Additional notice in urgent situations
   C. Other Parties Required to Receive Notice
      1. Notification to the media
      2. Notification to the Secretary of HHS
VI. Enforcement
   A. Private Complaints to Secretary of HHS
   B. Investigations and Compliance Reviews
   C. Who Can Enforce HIPAA?
VII. Penalties
   A. Criminal Penalties
      1. General
      2. Scope of Criminal Penalties
   B. Civil Penalties
      1. General Principles
      2. Waiver of Penalty
      3. Factors in determining amount of Civil Penalty
      4. Affirmative Defenses
      5. Table of Civil Penalties
VIII. Posting Changes in Privacy Notice

I. GENERAL OVERVIEW

SUMMARY OF HIPAA PRIVACY CHANGES

The original HIPAA statutes, enacted in 1996, are codified at 42 USC 1320d to 1320d-8. The Privacy and Security Rules are at 45 CFR Parts 160 and 164. This summary incorporates changes from the following sources:

- the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009 (ARRA), enacted on February 17, 2009;
- the Genetic Information Nondiscrimination Act (GINA), enacted in 2008;
- the final rules amending 45 CFR Parts 160 and 164, which were issued at 78 Federal Register 5566 (January 25, 2013) (referred to as "Fed. Reg.").

Changes in the 2013 rules accomplish the following:

- Establish that Business Associates of covered entities are now directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
- Adopt enhancements to the Enforcement Rule, including the definition of levels of violation and stricter enforcement of noncompliance with the HIPAA Rules due to willful neglect.
- Incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.
- Alter the standards for Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's harm threshold with a more objective standard.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.

- Incorporate privacy provisions of the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.

This summary does not cover some areas, e.g. Research and Marketing, which do not generally affect DD Boards.

II. EFFECTIVE DATES

A. General Rule

The final rules published at 78 Fed. Reg. were effective on March 26, 2013. Covered entities and Business Associates will have until September 22, 2013 (180 days after March 26, 2013) to come into compliance with most provisions. Major exceptions most likely to be applicable to DD Boards are summarized below.

B. Business Associate Agreements

Business Associate agreements may remain in effect if the Business Associate agreement:
- Was in effect prior to January 25, 2013, and
- Was compliant with rules in effect on January 25, 2013, and
- Is not renewed or modified from March 26, 2013, until September 23, 2013.

A prior contract or other arrangement that meets these qualification requirements in paragraph (e) of this section shall be deemed compliant until the earlier of:
- The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or
- September 22,

Business Associate agreements entered into after January 25, 2013 must conform to the regulations in effect on that date. (e).[1]

C. Data Use Agreements

A Covered Entity may continue to disclose a limited data set pursuant to a Data Use Agreement in exchange for remuneration from or on behalf of the recipient of the protected health information until the earlier of:

[1] References to rules are to 45 CFR unless otherwise noted.

- the date of modification of such agreement on or after September 23, 2013; or
- September 22, (f).

III. NOTICE OF PRIVACY PRACTICES

Certain changes in the legislation and recent rules must be included in the Notice of Privacy Practices. These changes are considered material by HHS (78 Fed. Reg. 5624).

IV. CHANGES TO PRIVACY RULES

A. Business Associates

Business Associates, by action of the recent changes in rule, are separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their Business Associate contracts. The duties and liability of a Business Associate attach even if there is no formal Business Associate agreement. 78 Fed. Reg.

1. Definition of Business Associate

HIPAA Rules define a Business Associate as "a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information"; 78 Fed. Reg. The latest rules have clarified certain aspects of the definition, including the addition of subcontractors: those who perform functions for or provide services to a Business Associate, other than in the capacity of a member of the Business Associate's workforce, are also Business Associates to the extent that they require access to protected health information. 78 Fed. Reg.

2. Security Rules

Business Associates are required to conform to all Security Rules (45 CFR Part 160 and Subparts A and C of Part 164). The Security Rule's administrative, physical, and technical safeguards requirements in (administrative safeguards), (physical safeguards) and (technical safeguards), as well as the Rule's policies and procedures and documentation requirements in , apply to Business Associates in the same manner as these requirements apply to covered entities, and Business Associates are civilly and criminally liable for violations of these provisions. While the method of compliance may be adapted to the particular circumstances of the Business Associate, the Business Associate must meet the minimum standards. 78 Fed. Reg. The Business Associate must ensure that the security requirements apply in the same manner to contracts or other arrangements between Business Associates and subcontractors. 78 Fed. Reg.

Subcontractors are required to comply with the Security Rule to the same extent as Business Associates with a direct relationship with a Covered Entity. 78 Fed. Reg. The definition of subcontractor has been added to . A subcontractor acting on behalf of a Business Associate can be liable for compliance even if there is no formal contract. 78 Fed. Reg.

3. Privacy Rules

Business Associates are also bound by those Privacy Rules which apply to uses and disclosures of Protected Health Information (PHI) which the Business Associate makes on behalf of a Covered Entity. Any Privacy Rule limitation on how a Covered Entity may use or disclose protected health information automatically extends to a business associate. 78 Fed. Reg. Business Associates are not required to comply with other provisions of the Privacy Rule, such as providing a notice of privacy practices or designating a privacy official, unless the Covered Entity has chosen to delegate such a responsibility to the Business Associate by contract. 78 Fed. Reg. If a Business Associate subcontracts duties under the Business Associate's agreement with a Covered Entity, the Business Associate must ensure that the subcontractor is subject to the same privacy requirements applicable to the Business Associate. 78 Fed. Reg.

4. Notice of Breach

A Business Associate is required to report to the Covered Entity any breach of unsecured PHI which occurs at or by the Business Associate. (a); 78 Fed. Reg. 5639. Discussion of the determination of whether a breach occurred is at V.A.1 below. The Business Associate must give notice to the Covered Entity without unreasonable delay and in no case later than 60 days from discovery of the breach. 78 Fed. Reg. Business Associates must provide Covered Entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, affected by the breach. 78 Fed. Reg. Once the Business Associate has given notice of a breach to the Covered Entity, the Covered Entity has a duty to provide further notice as summarized below.

5. When a Business Associate is an Agent of a Covered Entity

A Covered Entity is liable for the actions or omissions of a Business Associate when the Business Associate is acting as an agent for the Covered Entity. HHS has adopted the Federal Common Law of agency to determine when an agency relationship exists. 78 Fed. Reg. The analysis of whether a Business Associate is an agent for the Covered Entity is fact specific and must consider the totality of the circumstances involved in the ongoing relationship between

the parties. The essential factor in determining whether an agency relationship exists between a Covered Entity and its Business Associate (or a Business Associate and its subcontractor) is the right or authority of a Covered Entity to control the business associate's conduct in the course of performing a service on behalf of the Covered Entity. The analysis focuses on the right to control the actions of the Business Associate in the course of performing a service on behalf of the Covered Entity, even if the Covered Entity cannot control all aspects of the Business Associate and even if the Covered Entity has not actually exercised any control. 78 Fed. Reg. If the only avenue of control is for a Covered Entity to amend the terms of the agreement or sue for breach of contract, this generally indicates that a Business Associate is not acting as an agent. 78 Fed. Reg. The right or authority to control the business associate's conduct also is the essential factor in determining whether an agency relationship exists between a Business Associate and its business associate subcontractor. 78 Fed. Reg. The Business Associate/subcontractor relationship is governed by the same principles applicable to the Covered Entity/Business Associate relationship.

6. Summary of Liability of Business Associates

Business Associates are directly liable under the HIPAA Rules for:
- impermissible uses and disclosures ( (a)(3), (5));
- failure to provide breach notification to the Covered Entity ( );
- failure to provide access to a copy of electronic protected health information to either the Covered Entity, the individual, or the individual's designee (whichever is specified in the Business Associate agreement) ( (a)(4)(ii));
- failure to disclose protected health information where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules ( (a)(4)(i));
- failure to provide an accounting of disclosures (76 Fed. Reg. (May 31, 2011)); and
- failure to comply with the requirements of the Security Rule (Subpart C of Part 164).

Business Associates remain contractually liable for other requirements of the Business Associate agreement. 78 Fed. Reg.

B. Sale of PHI

A Covered Entity must obtain an authorization for any disclosure of PHI which is a sale of PHI. The authorization must state that the disclosure will result in remuneration to the covered entity.

(a)(5)(ii)(A).

A sale is defined as "a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information." (a)(5)(ii)(B)(1).

The following disclosures are not considered a sale of PHI:
a. For public health purposes;
b. For research purposes, if the remuneration is limited to a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes;
c. For treatment and payment purposes;
d. As part of due diligence for sale, transfer, merger or consolidation of all or part of the Covered Entity;
e. To a Business Associate for activities on behalf of the Covered Entity where the remuneration is for performance of such activities; the same principles apply to payment by a Business Associate for activities of a subcontractor acting for the Business Associate;
f. To an individual;
g. When required by law;
h. For any other purpose permitted by HIPAA rules, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.
(a)(5)(ii)(B)(2).

Payments under grants, contracts or for related activity are not prohibited under this section. 78 Fed. Reg. Health Information Exchanges may charge a reasonable fee for the service without violating the prohibition on sale of PHI. 78 Fed. Reg.

C. Fundraising

1. General Rules

A covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization:
(i) Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth;
(ii) Dates of health care provided to an individual;
(iii) Department of service information;
(iv) Treating physician;

(v) Outcome information; and
(vi) Health insurance status.
(f)(1).

An Institutionally Related Foundation is a nonprofit charitable foundation qualified under section 501(c)(3) of the Internal Revenue Code that has an explicit linkage to the covered entity in the foundation's charter statement of charitable purposes.

2. Opportunity to opt out

With each fundraising communication made to an individual, a Covered Entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. (f)(2). Covered Entities have flexibility in implementing this requirement, but the method of opting out cannot unduly burden an individual. Requiring individuals to opt out by letter is considered unduly burdensome. 78 Fed. Reg.

3. Notice of Right to Opt Out

The Notice of Privacy Practices must include statements that the Covered Entity may contact the individual to raise funds for the Covered Entity and that the individual has a right to opt out of receiving such communications. (f)(2)(ii).

D. Right to Receive Electronic Copies of Health Record

If an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the Covered Entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual, with the expectation that there would be at least a machine readable form of the record. (c)(2)(ii); 78 Fed. Reg. The Department of HHS considers "machine readable data" to mean digital information stored in a standard format enabling the information to be processed and analyzed by computer. For example, this would include providing the individual with an electronic copy of the protected health information in the format of MS Word or Excel, text, HTML, or text-based PDF, among other formats. 78 Fed. Reg. A hard copy may be provided if the individual decides not to accept any of the electronic formats offered by the covered entity. 78 Fed. Reg. An individual may instruct the Covered Entity to convey electronic versions of PHI to third parties. (c)(3)(ii). The request must be made in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the protected health information. (c)(3)(ii).

Requested records must be provided within 30 days of the date of request, with provision for a single extension of an additional 30 days. (b)(2). If an extension of not more than 30 days is required, the Covered Entity must notify the individual of the reasons for the delay and the likely date of delivery. (b)(2)(ii).

The Covered Entity may charge a reasonable cost-based fee for complying with the individual's request for records. Permissible costs include:
(i) Labor for copying the protected health information requested by the individual, whether in paper or electronic form;
(ii) Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;
(iii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
(iv) Preparing an explanation or summary of the protected health information, if agreed to by the individual.
(c)(4).

E. Restriction on Disclosures

A Covered Entity is required to agree to a request to restrict disclosure of PHI to a health plan if the disclosure is for payment or health care operations and pertains to a health care item or service for which the individual has paid out of pocket in full. (a)(1)(vi). The Notice of Privacy Practices must include such a statement. (b)(1)(iv)(A).

F. Proof of Immunization

Recent changes in (b)(1) permit a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. RC imposes such a requirement in Ohio. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor. (b)(1)(vi); 78 Fed. Reg.

G. Access to Decedent Information

In general, PHI of deceased individuals is protected to the same extent as that of living individuals. This protection now expires 50 years after the death of the individual. (f); 78 Fed. Reg. In the meantime, PHI may be disclosed to authorized representatives of the decedent, such as an executor or administrator, or to a family member involved in the individual's care or payment for health care prior to the individual's death, if the PHI is relevant

to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the Covered Entity. (b)(5).

V. Changes in Rules on Notice of Breach

All HIPAA Covered Entities and their Business Associates are required to provide notice in the event of a breach of unsecured protected health information (PHI). 78 Fed. Reg. Covered Entities must notify the affected individual, the Secretary of HHS and, under some circumstances, even the media. Business Associates must provide notice of a breach to the Covered Entity. Failure to comply may lead to substantial civil penalties. Business Associates are independently liable for civil penalties under HIPAA, as well as for violations of subcontractors carrying out functions on behalf of the Business Associate. See section IV.A.6 above. Recent changes to the rule have defined a more objective standard to define a breach.

A. Basic Principles on Breach

Notification requirements apply to breaches of unsecured PHI. To determine whether notification is required, the Covered Entity or Business Associate must first determine (1) whether there is a breach, and (2) whether the breach includes unsecured PHI. Any impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates by a risk assessment that there is a low probability that the protected health information has been compromised. 78 Fed. Reg. 5641. The rules remove the earlier standard relating to risk of harm to the individual. 78 Fed. Reg.

1. Definition of a Breach

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under HIPAA rules which compromises the security or privacy of the protected health information. The definition of Breach excludes:
a. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under HIPAA Privacy Rules.
b. Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care

arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under HIPAA Privacy Rules.
c. A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
(1)(i)-(iii).

2. Definition of Unsecured PHI

Unsecured PHI means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued and made available at [2] The Secretary has, in summary, specified that only encryption and destruction, consistent with National Institute of Standards and Technology (NIST) guidelines, renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that notification is not required in the event of a breach of such information. 78 Fed. Reg.

3. Risk Assessment for Breach

A Covered Entity or Business Associate must conduct a risk assessment to determine whether there is a low probability that data has been compromised. (2). A risk assessment must document that the following areas have been considered:
(a) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(b) The unauthorized person who used the protected health information or to whom the disclosure was made;
(c) Whether the protected health information was actually acquired or viewed; and

[2] The commentary to the 2009 interim final rule notes that unsecured PHI can include information in any form or medium, including electronic, paper, or oral form. 74 Fed. Reg.

(d) The extent to which the risk to the protected health information has been mitigated.
(2)(i)-(iv).

4. Determining Time for Discovery of Breach

A breach shall be treated as discovered by a Covered Entity or Business Associate as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence, would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency), including a Business Associate acting as an agent. (a)(2); (a)(2); 78 Fed. Reg. For the definition of when a Business Associate is deemed an agent, see section IV.A.5. When a Business Associate who is not acting as an agent discovers a breach, the date of discovery for the Covered Entity is the date when the Business Associate notified the Covered Entity of the breach. 78 Fed. Reg. An agent that fails to notify a covered entity or business associate may be acting outside its scope of authority as an agent. In such a circumstance, the agent's knowledge is not considered to have been available to the covered entity or business associate under the Federal Common Law of Agency. 78 Fed. Reg.

B. Notice of Breach to Individuals

A covered entity shall, following the discovery of a breach of unsecured PHI, notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. (a). All individuals affected by a breach must be notified, regardless of the number of individuals involved. 78 Fed. Reg.

1. Timeliness of Notice to Individuals

Covered entities are required to notify individuals of a breach without unreasonable delay but in no case later than 60 calendar days from the discovery of the breach, except in certain circumstances where law enforcement has requested a delay. (b).

2. Content of Notice to Individuals

The notice must be written in plain language and, to the extent possible, must include all of the following:
a. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
b. A description of the types of unsecured PHI involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
c. Any steps individuals should take to protect themselves from potential harm resulting from the breach;
d. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
e. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an address, Web site, or postal address.
(c).

3. Method of Notice

The Covered Entity must provide notice in one of the following three formats, depending on circumstances ( (d)):
a. Written notice. Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. (d)(1)(i). If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first class mail to either the next of kin or personal representative of the individual. (d)(1)(ii).
b. Substitute notice. In the case that contact information is not available, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case where the individual is deceased.

(i) In the case in which contact information is not available for fewer than 10 individuals, such substitute notice may be provided by an alternative form of written notice, telephone, or other means.
(ii) In the case in which contact information is not available for 10 or more individuals, such substitute notice shall:
(A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
(B) Include a toll-free phone number that remains active for at least 90 days that an individual can call to learn whether the individual's unsecured PHI may be included in the breach.
(d)(2).

4. Additional notice in urgent situations

In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured PHI, the covered entity may, in addition to providing written notice, contact individuals by telephone or other means, as appropriate. (d)(3).

C. Other Parties Required to Receive Notice

In addition to providing notice to the individual, the Covered Entity must notify the following entities:

1. Notification to the media

For a breach of unsecured PHI involving more than 500 residents, a covered entity shall notify prominent media outlets serving the State or jurisdiction. The content of the notice shall be the same as the notice provided to the individual. Notice to the media must occur without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

2. Notification to the Secretary of HHS

For a breach of unsecured PHI involving more than 500 residents, a covered entity shall notify the Secretary of HHS in the manner specified on the HHS Web site. Notice involving more than 500 residents must be made to the Secretary of HHS at the same time as notice is given to the individuals involved.

For breaches of unsecured PHI involving fewer than 500 individuals, the covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide notice to the Secretary of HHS of breaches discovered during the preceding calendar year, in the manner specified on the HHS Web site. (c).

VI. Enforcement

A. Private Complaints to Secretary of HHS

Any person may file a complaint with HHS raising issues of non-compliance, whether or not the person is the subject of the violation. (a). The complaint must be in writing and filed with the Secretary within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown. (b).

B. Investigations and Compliance Reviews

When a preliminary review of the facts indicates a possible violation due to willful neglect, the Secretary of HHS will conduct an investigation or compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions. (c)(1); (a). The Secretary may conduct compliance reviews in any other circumstance. (b). Hearing procedures are set forth in ff.

C. Who Can Enforce HIPAA?

There is no private right of action under the HIPAA laws. 65 Fed. Reg. (12/28/2000). Enforcement may be through the HHS Office of Civil Rights, 65 Fed. Reg. (12/28/2000), or through the State Attorney General. 42 USCS 1320d-5(d). The scope of relief available through an Attorney General is substantially lower than what is available from HHS: $100 per violation with a maximum of $25,000 per year for identical violations.

VII. Penalties

A. Criminal Penalties

1. General

Page 15

Criminal penalties may be imposed on any person who knowingly, and in violation of HIPAA requirements:

a. uses or causes to be used a unique health identifier;
b. obtains individually identifiable health information relating to an individual; or
c. discloses individually identifiable health information to another person.

42 U.S.C. 1320d-6(a).

2. Scope of Criminal Penalties

The penalties for persons who knowingly violate HIPAA requirements are as follows:

a. a fine of not more than $50,000, imprisonment of not more than 1 year, or both;
b. if the offense is committed under false pretenses, a fine of not more than $100,000, imprisonment of not more than 5 years, or both; and
c. if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000, imprisonment of not more than 10 years, or both.

42 U.S.C. 1320d-6(b).

Page 16

B. Civil Penalties

1. General Principles

Rules promulgated in January 2013 implement the strengthened civil sanctions that apply to violations of HIPAA. ARRA. The sanctions apply to any violation of the HIPAA Privacy or Security Rules.

There are provisions for individuals to receive a portion of the penalties collected by HHS, once the Government Accountability Office conducts a study and HHS adopts rules for such distributions. ARRA 13410(c).

Covered Entities are responsible for the acts of their agents, including a Business Associate acting as agent, if the violations occurred while the agent was acting within the scope of the agency. (c)(1). A Business Associate is likewise liable for civil penalties arising from violations of a subcontractor acting as agent for the Business Associate which occurred while the agent was acting within the scope of the agency. (c)(2). For the test of when a Business Associate is deemed an agent, see section IV.A.5.

Penalties for identical violations in a calendar year are capped at $1.5M. If there are several groups of different violations, the Secretary may impose the $1.5M limit for each group of violations. 78 Fed. Reg.

2. Waiver of Penalty

The Secretary may waive penalties, except for violations showing willful neglect.

3. Factors in Determining Amount of Civil Penalty

The regulation lists the factors to be considered in determining the amount of a civil penalty. In summary, the factors include:

a. the nature and extent of the violation;
b. the nature and extent of the harm resulting from the violation;
c. the history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate;
d. the financial condition of the covered entity or business associate; and
e. such other matters as justice may require.

4. Affirmative Defenses

Civil penalties may not be imposed on or after February 18, 2011, if a criminal penalty has been imposed on the Covered Entity or Business Associate for the same act. (b). Civil penalties could not be imposed prior to February 18, 2011, if the Covered Entity or Business

Page 17

Associate established that the violation was punishable under the criminal provisions. (a).

The Secretary may not impose a civil money penalty on a covered entity or business associate for a violation occurring on or after February 18, 2009, if the covered entity or business associate establishes to the satisfaction of the Secretary that the violation is:

(1) not due to willful neglect; and
(2) corrected during either:
(i) the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known, that the violation occurred; or
(ii) such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply. (c).

The definitions of reasonable cause, reasonable diligence and willful neglect are set out in the definitions section of the rule. There are separate affirmative defenses for violations occurring prior to February 18, 2009. (b).

5. Table of Civil Penalties

The following table shows the categories of violations and the respective penalty amounts:

Violation category (Section 1176(a)(1))     Each violation         All such violations of an identical provision in a calendar year
(A) Did Not Know                            $100 to $50,000        $1,500,000
(B) Reasonable Cause                        $1,000 to $50,000      $1,500,000
(C)(i) Willful Neglect, Corrected           $10,000 to $50,000     $1,500,000
(C)(ii) Willful Neglect, Not Corrected      at least $50,000       $1,500,000

Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

For violations occurring on or after February 18, 2009, the following affirmative defenses are available:

Page 18

1. The violation is subject to criminal penalties; or

2. The covered entity establishes that the violation is:
(a) not due to willful neglect; and
(b) corrected during either:
(i) the 30-day period beginning on the date the covered entity knew, or reasonably should have known, that the violation occurred; or
(ii) such additional time as the Secretary of HHS determines to be appropriate.

The Secretary has authority to waive imposition of civil penalties if a penalty would be excessive relative to the violation.

VIII. Posting Changes in Privacy Notice

DD Boards are required to amend their Notice of Privacy Practices to incorporate the changes in the rules. Since DD Boards operate as Health Plans, DD Boards must (1) prominently post the material change, or the revised notice, on their web site by the effective date of the material change to the notice (e.g., the compliance date of the final rule), and (2) provide the revised notice, or information about the material change and how to obtain the revised notice, in the next annual mailing to individuals then covered by the plan. (c)(1); 78 Fed. Reg.

DD Boards as providers are not required to print and hand out a revised Notice of Privacy Practices to every individual seeking treatment. DD Boards must post the revised Notice, or a summary of it, in a clear and prominent location and have copies of the Notice available at the service delivery site for individuals to take with them. Providers are only required to give a copy of the Notice to, and obtain a good-faith acknowledgment of receipt from, new persons receiving DD Board services. 78 Fed. Reg.


More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

HIPAA for Business Associates

HIPAA for Business Associates HIPAA for Business Associates February 11, 2015 Teresa D. Locke This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act International Life Sciences Arbitration Health Industry Alert If you have questions or would like additional information on the material covered in this Alert, please contact the author: Brad M. Rostolsky

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

Identity Theft Prevention and Security Breach Notification Policy. Purpose:

Identity Theft Prevention and Security Breach Notification Policy. Purpose: Identity Theft Prevention and Security Breach Notification Policy Purpose: Lahey Clinic is committed to protecting the privacy of the Personal Health Information ( PHI ) of our patients and the Personal

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

Department of Health and Human Services. No. 17 January 25, 2013. Part II

Department of Health and Human Services. No. 17 January 25, 2013. Part II Vol. 78 Friday, No. 17 January 25, 2013 Part II Department of Health and Human Services Office of the Secretary 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT COLUMBIA AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered into as of ( Effective Date ) by and between The Trustees of Columbia University in the City of

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 Federal and Texas Privacy & Security Requirements Minimizing Your Risk of Violations DISCLAIMER The information contained in this document

More information