Module 6: Investigating and Prosecuting Potential HIPAA Violations

Louis Altarescu
Length: 101:54 | Format: Video with PowerPoint
Related Content: Module 6 Investigating and Prosecuting Potential HIPAA Violations.pdf


Okay, why don’t we try to get started now if we can. I’m, as Sue McAndrew pointed out yesterday, the dinosaur who’s been at the Office for Civil Rights since the beginning of HIPAA, and actually I’ve been there twenty-two years. It’s actually my dentist who’s hoping that I would retire. I’ll explain.
When I started working at OCR, one of the first issues that we were working on was AIDS and universal precautions, and I went to my dentist’s office and told him he and his staff should really be using gloves when treating all patients, that you need to use universal precautions because you never know who has HIV and who doesn’t, and you really shouldn’t be asking about that. So, he did that, and then I worked on the first Americans with Disabilities Act regulations and told my dentist when he was renovating his office that he needs to make the bathroom accessible, and he did that. And then when HIPAA hit, you could just imagine what we went into. I mean, he had been talking to me and others about all the famous patients that he was treating, and I said to him, “You really can’t be talking about this anymore.” And so, he’s convinced I’m his most expensive patient. Just hope that I don’t move on from HIPAA into something else, because he can’t imagine what that would be. But I haven’t seen any Medicare fraud that I’ve suspected. I probably shouldn’t bring it up if I wanna keep my teeth. Prior to my OCR work, I worked for the Maryland Attorney General’s Office, and that was a great experience, so I have some feel for what it means to be doing the jobs that you’re doing. I actually worked on privacy issues. I represented the state mental health facilities and substance abuse facilities around the state of Maryland. And I remember going out to Kent County, a rural county in Maryland, and telling the judge that because of federal substance abuse regulations certain information can’t be disclosed, and he said, “This is Kent County, I don’t want to hear about federal laws.” So, I know some of the frustrations in trying to argue federal law before local magistrates. The one thing I wanted to…if I could do the overhead for a second…this is not working. Okay, good.
The one thing that I wanted to make sure to address, if you could remind me of this at the end, because a couple of people brought up the question about state attorneys general as BAs of covered entities. So, a lot of state agencies are themselves covered entities, and sometimes people in a state AG’s office are attorneys for those agencies, and how that could work or does work in practice. So I want to get to that, but I need to move ahead with Module 6. So, we’re going to be talking about investigating HIPAA violations by state AGs and the enforcement process as provided under HITECH. What I particularly wanted to talk about is the way that you could maximize the amount of money that you get, because a hundred dollars per violation sounds very small, but there are ways you can maximize it, and I’ll be getting into that. And then we will have some exercises, as you had with the previous groups. So, there are a number of situations where OCR, as you’ve heard over the last two days, has brought actions, and some of the major areas are areas that you may find you want to focus on. So if you get a complaint from somebody, as Verne indicated, sometimes there are other things going on. And while OCR uses the term “compliance reviews”, that’s not a term that you necessarily need to use or that really applies to you. But if you get a complaint about an improper disclosure, you could also look at whether there are safeguards, whether the individuals have been provided access to their records, and some of these other things. So these are the major areas where OCR has achieved corrective action against covered entities, and as was indicated, very often it starts with one issue, but then OCR looks into it and there are other issues. These are some of the other major areas where OCR has brought action. And then in the Security Rule, these are the most frequently dealt-with issues that have come up there.
So, in your Appendix, you have a copy of the entire Privacy Rule and the Security Rule, and you should use that as a guide in terms of how many violations you could possibly find, what kind of problems exist with this covered entity or this business associate, where we might be able to seek penalties. This slide talks about when investigating violations. Again, reiterating a little bit what was presented previously: looking at to whom the information was given, why it was given, was it permitted by the rule, required by the rule, was there an authorization. So, if you could take a couple of minutes. This is a case study that we have, and if each table could look at 1 and 2 and answer the questions here. The questions, as indicated here, are what violations do you think apply in each of these cases? And what corrective action do you think should be taken? Okay, so why don’t we start with Case Study #1? This is the employee of a major health insurer who impermissibly disclosed the PHI of one of its members, members meaning one of the beneficiaries or enrollees in the health plan, based on an invalid authorization. Disclosure was made without following the insurer’s authorization and verification procedures. So, any thoughts about what violations were here? Want to start at this table here? (from the audience): (long pause followed by inaudible speech) “Um, well, in terms of violations, I guess the first ones that we thought of was obviously the invalid authorizations…” I’m sorry. It’s… (from the audience): “I’m sorry. The invalid authorization and then without following the proper procedures, obviously, you know, certain training, sanctions and proper policies to have in place. And we also had a question whether this may be a breach or not, which obviously would be its own violation.” So, there could be a breach of PHI here along with just the regular disclosure, and whether they violated the breach requirements.
(from the audience): “Yeah, that’s what we were thinking. I mean obviously there’s not enough facts in here right now to tell, but, yeah, that’s what we were thinking.” Mm hmm. And, you were mentioning the training, is that what you said? (from the audience): “Uh, yes.” Right. (from the audience): “Towards employee training on only disclosing pursuant to a proper authorization. You know, what to look for and making sure the authorization’s proper, and also the minimum necessary in terms of what information’s actually disclosed.” Right. Yeah, we don’t know. Minimum necessary was mentioned, and it was an invalid authorization, and we don’t know what about the authorization was invalid and whether the authorization did not specify the PHI to be disclosed and whether more information was disclosed than was provided for by the authorization. The authorization has to identify the PHI to be disclosed, so an authorization may just say only disclose information regarding my knee injury, you know, yesterday’s scenario, and the person may disclose something that’s way beyond that. Any other thoughts on Case Study 1? (from the audience): “We were suggesting also that there be a risk analysis...well, I’m sorry, well, not in terms of violations, but we’re talking about corrective actions…” Right. (from the audience): “that there be a risk analysis done and to create safeguards. And, also someone suggested, perhaps have a supervisor verify that the authorization is valid, so that would, you know, go to the proper policies and procedures to have in place, so that you make sure this doesn’t happen again.” Right. Yes. All that sounds good. Risk analysis, as you know, comes into play when there’s electronic PHI. So, we don’t know in this scenario whether there’s electronic PHI involved or not.
If there’s electronic PHI, then the Security Rule applies, and the Security Rule requires that there be a risk analysis to determine what risks exist, what vulnerabilities there are within the covered entity structure, and where PHI might be properly disclosed. And they may have an electronic authorization online, or they may have a system to verify whether an authorization is valid, or some electronic system, and maybe there’s something wrong with that and that could lead to a use of an improper disclosure along these lines. Any other thoughts on Case Study #1? So, we have an employee here that did something wrong, so what is a covered entity required to do if, in fact, there’s some wrongful act by an employee? (from the audience): “Sanctions.” Thanks. Sanctions. That’s right. Exactly. So, there would need to be some sanctions imposed against the employee. So, a corrective action plan may involve a requirement for sanctions, or if you’re seeking damages and sanctions were not imposed, then you could impose a penalty for the failure to institute sanctions against an employee who violated the rule by making an improper disclosure. We also don’t know if somebody might have been harmed, that maybe the disclosure said that the information should go to a particular doctor and it was sent to somebody else, and as a result of that, there was some harm. So, there may be some harm that somebody experienced, and then there may be a requirement to mitigate that harm. So, moving on to Case Study #2. An employee of a large health plan impermissibly accessed a co-worker’s health plan member records. Witness accounts and records audits confirmed the use. So, any thoughts about what violation might be involved here? The one in the middle table. You wanna take that on? (long pause) Thank you. (from the audience): “Well, we thought that this was a willful violation, at least on behalf of the co-worker. So, there may be some criminal probability here.
And, also, there would be issues with safeguards, both physical safeguards, and there may be some training, and the fact that the witnesses saw what happened may mean that they were having access to information that they shouldn’t have to start with. So, there may be some (unintelligible) necessary issues as well.” Okay, those are all very good points. On the first point, in terms of criminal liability, under HIPAA, section 1177 of the Social Security Act, the Department of Justice has jurisdiction where there’s an improper disclosure or improper obtaining of information. Now, as was indicated, a use is defined differently than a disclosure. A use is a sharing of information within a covered entity, so this is where an employee of a covered entity accessed information. So, we conceptualize that and define that as a use, because they’re using information, as opposed to information going outside the covered entity. The Department of Justice can bring action where there’s an improper disclosure, meaning that somebody within the covered entity shares the information with someone outside the covered entity, so that would be a disclosure. The statute says that the Department of Justice could also bring action for illegally, in violation of the Privacy Rule, obtaining protected health information, which is a very odd turn, because none of the provisions in the Privacy Rule really talk about obtaining information. But the Department of Justice has brought actions under HIPAA, but also under aiding and abetting statutes, and has interpreted this somewhat broadly to bring action against individuals, not only covered entities. And, as was pointed out yesterday, in HITECH, Congress clarified that and said yes, the Department of Justice has jurisdiction to bring action against individuals, employees of covered entities or private individuals who disclose or obtain PHI improperly.
So, they could; we and you all are limited to going after covered entities and business associates. The Department of Justice could go after individuals, and a woman was sent to jail in Florida last month for taking somebody’s medical records and trying to sell them. So, there have been a number of criminal actions brought, and they’ve all been brought against individuals, often employees, but sometimes people acting in conspiracy with employees to do identity theft or otherwise misuse information. So, it is theoretically possible for the Department of Justice to go after this employee for obtaining information in violation of the Privacy Rule, but generally they deal with disclosures. Any other thoughts? In Case Study 2, it’s not clear whether this is electronic PHI or not. So, if it’s electronic PHI, then there could be information regarding information accessed, management controls, or other types of controls with the system. You know, whether they had proper password protection, whether they had a system where the computer shut off in a certain amount of time. There are all different things that could be explored here. Any other thoughts on… (interruption from the audience) “One other thing we had at our table was that there should be, perhaps, role-based access. Was this employee one that needed to have access to this particular type of information?” That’s an excellent point. As you know, under the minimum necessary, in terms of uses, the covered entity is required to identify who has access to what information, so that if you’re a nurse, the example yesterday, in a cardiac unit, you just don’t need to have access to information in other people’s records. So, this is an unfortunately frequent occurrence, where people at health facilities somehow can’t resist the temptation to look at friends’ and neighbors’ medical records.
And, hopefully, with publicity to these cases and actions taken by you all and by us, you know, the atmosphere and culture is changing. These problems still exist. So, moving on here. Let me talk about actions that can be brought. So, as has been indicated numerous times, HITECH has given authority to Feds to bring action, and it occurs wherever an incident could affect a state resident. And we interpret that very broadly to mean that wherever you believe that there’s a violation that occurs and somebody within your state was affected, then that’s covered, even though the statute uses language of the resident being threatened or adversely affected by any person who committed a violation. And so, we view it as very broad. I suppose there could be a situation where a covered entity challenges that, where somehow they look for something in particular. The statute also says that your authority is as parens patriae, which is actually a very odd concept to have in a statute, because as you know that term is usually used where you or somebody is stepping in where somebody cannot act for themselves. So, where you’re stepping in for a child who cannot exercise their authority and cannot legally protect themselves. So, it’s odd that Congress used that terminology, but the way that it could be made applicable is that since there is no private right of action, these residents of your state really have nowhere else to go. You’re stepping in to legally protect them where they don’t have authority to seek their own HIPAA protection. So, the action you can seek is an injunction or obtaining damages on behalf of residents. And, I wanted to turn to the exact language in HITECH so that you see where all these provisions are, because I’m going to be going through them. So, in your book, if you turn to Appendix E on page 34. If you notice on page 34, it starts off with 1176.
When HIPAA was written, it amended the Social Security Act by adding a new provision called 1176, and 1176 gave authority to OCR to bring HIPAA penalties. And 1177 gives authority to the Department of Justice to bring criminal penalties. So, when HITECH came into play, they amended 1176 and included provisions that relate to State Attorneys General. So, those provisions begin on page 36. So, you see there’s a new provision, D as in David, (1) Civil Action, and this is the exact statutory language, and there’s no regulatory language, so this is all we have and all you have in terms of your enforcement authority. And this goes through all the provisions, and these are in bold. Some of these provisions refer back to other provisions in 1176, and I’ve put in bold those provisions that they refer back to, and I’ll be going through this as I work on these slides. Up here, you see what you’ve seen before in terms of the penalties that are available. The maximum penalty that you could seek for a violation is one hundred dollars per violation. And again, we’ll talk about how that could be expanded so that you can recover more than a hundred dollars. So, if you look on the screen, in counting penalties, you deal with how many provisions are violated. So, if there’s lack of training, clearly it would be very hard to equate that to an individual being damaged; however, that’s clearly a violation. So, it seems clear to me that the statute gives you the authority to seek up to a hundred dollars for the covered entity’s failure to provide training of its staff, and that’s based upon a violation of the regulation, not a damage to the individual. So, in computing penalties, we look at how many provisions were violated and how many times each provision is violated. So, going back to this slide here…I’m keeping them jumping back there. Let’s see.
So, you can obtain damages as high as a hundred dollars per violation and up to $25,000 for the year. So, if there’s a violation that occurs a hundred times, then rather than a hundred dollars, the penalty would be $10,000. If it’s a violation that occurs two hundred and fifty times, then the penalty would be $25,000. So, what I have here…going back to this chart if we can. Sorry. So, if a covered entity for 250 days did not have policies and procedures. So you do an investigation and go back, and there was an improper disclosure or another action in violation of the rule, and you find out they have not had HIPAA policies and procedures in place for the last 250 days, then that’s a $25,000 violation. Because each day, we call that a continuing violation, and each day that they are in violation, there’s a penalty available. And, if you go back and they didn’t do training for 250 days, then at a hundred dollars a day, you could impose this type of penalty. And the same thing if we’re required to impose sanctions. And this is the kind of scenario that came up with Rite Aid and CVS, because as you recall, in the Rite Aid case, we were able to recover a million dollars. In CVS’s case, $2.25 million. We, at that point, were under the same restrictions that you’re under. We could only impose a penalty of a hundred dollars per violation, up to $25,000 per year. And despite that, we were able to get a million dollars and up. Now, the uniqueness in that situation was that those were multiple covered entities. So, if you go against a particular entity and you find out, in the case of Rite Aid or CVS, that you’re really dealing with hundreds of covered entities, and none of those covered entities have provided training, or have sanctioned their employees, or have had policies in place. And in those cases, we were going back two and three and more years.
So, each year, there may be a max of $25,000 for each violation, but if you multiply each of those violations and you’re looking at multiple years, multiple violations, and multiple covered entities, you can reach a million dollars. That’s going to be extremely unusual, because hopefully there aren’t many entities out there that have been out of compliance for years, and you’re not going to find many entities where there are actually multiple covered entities involved, but that could happen. And if you don’t reach a million, you know, maybe you could reach 100,000 by using this multiplier effect and looking for the maximum number of violations. Let me move on here. And I’ll talk a little more about this multiplier effect as we move on. So, civil actions that you bring are filed in District Court and the Rules of Venue apply; generally it is where any defendant resides or does business, or where the violation occurred. It parallels personal jurisdiction. It would really be state law that applies in terms of bringing cases. Our view is that action could also be brought in state court, and in our review of court decisions, we found that state courts can generally assume subject matter jurisdiction over a federal cause of action, unless Congress has determined otherwise. And in this case, there’s no Congressional determination that you can only bring a case in federal court, so you may find that it’s to your advantage to bring a HIPAA action in state court. What was mentioned yesterday was bringing a federal action, as was done in Connecticut, along with state actions, whether it’s state breach notification rules or other rules, but that’s an option you could consider. The statute of limitations that applies to us also applies to you, in terms of six years to bring an action. Now, the provision that mentions the statute of limitations is in 1176, and that’s why I said it doesn’t apply to the Department of Justice.
Now, they may have their own statutes of limitations that would apply to their actions, but the limitation that Congress provided is only for HIPAA actions provided either by you or us. If I could put the projector on. Thanks, Jim. Something’s wrong with my handwriting, or the way this is coming in, but it’s not that clear. Anyway, what we’ve included in our resolution agreements, which you may want to consider, and covered entities have signed onto this. We don’t know if it’s legally vulnerable, but what we have included is a tolling provision. So, for instance, if a violation occurs in January 2010, normally, you have six years to bring an action. For us, that means six years to do a notice of proposed determination. For you, it’s six years to bring a civil action. The six years run from the time the violation occurred. Let’s say you sign a resolution agreement before you bring that civil action, and we sign a resolution agreement before we do a notice of proposed determination. What we put into these agreements is an agreement to stop the clock, to say that even though in January 2014, when we sign the resolution agreement in this scenario, the clock had run for four years, there are two more years left to bring this notice of proposed determination, and we don’t want to lose that opportunity. So, in the agreement, we say we are stopping the clock, they agree to that, and so it stops. In January 2016, let’s say the covered entity breaches the resolution agreement. At that point, we still have two years to bring an action because we had stopped the clock. If we didn’t put that provision in, at January 2016, the six years would have been up and we would have had no opportunity to bring an action. So, that’s why we include this provision, and we’ve never had to use it in terms of bringing an action because someone breached a resolution agreement, but it’s something you may want to consider.
And, our resolution agreements are posted on the OCR website, and at the end of the session today, you’ll hear about the resources we have and you’ll be able to see where we’ve done that. So, let’s see. The statute also provides for recovering attorney fees and the cost of the action brought if you bring a civil action. So, again, you could bring a civil action in federal court or state court. You have six years, and you could seek an injunction or you could seek damages and costs and attorney fees. So, I am going to spend this time talking about the process. Collaboration was mentioned previously, and what was mentioned in particular was our work with the Connecticut Attorney General’s Office. It was John Benevelli from our office who worked with Steve Courtney, who’s here today, and others in his office in the Connecticut AG’s Office. And the collaboration is important for a number of reasons. One is that the sooner you bring an issue to us regarding HIPAA, the more help we could be in ensuring that your interpretation and our interpretation are consistent, so that somehow a covered entity or business associate doesn’t come at some stage in the process and say, “Wait a minute. OCR, in another case, interpreted it this way.” So, anything we could do to help bolster your case, we’d be interested in doing. And we’re also, of course, interested in strongly enforcing the rules, so there may be actions that you bring, and it’s in our interest to make sure those actions are as effective as possible. And there are certain requirements under the HITECH Act for your notifying the Office for Civil Rights, and I’ll be getting into that. So, let’s see. So, we may be able to provide case-specific information or HIPAA Privacy and Security experience.
So, as someone raised the question earlier, there may be a case that we have pending against the same covered entity for the same action, or we may have resolved a case against that covered entity for that same action, and the sooner you know about that, the better. So, you can contact our regional offices, and Iliana will be talking about contact information there. There’s a regional manager in every office, there are the investigators, there are regional civil rights attorneys, and the civil rights attorneys for Regions 1, 2, 3 and 4…1, 2, and 3 are here today. So, I think you’ve all met them, and they are resources for you, and you could also contact any of us in headquarters. So, the statute provides that you have to serve HHS prior to bringing an action, that you have to provide us a copy of your complaint, and we’d like to get that as soon as possible, hopefully within 48 hours before you bring the complaint. And, what we have on the slide here is the address where it should be sent. In addition to sending it by mail to the General Counsel’s Office, which is the process we have where there’s any legal action involving HHS (and while we’re not a party to it, since legally we have to be notified, we use the General Counsel as the contact person), we would also hope that you would e-mail the complaint to the OCR Regional Office, or us in headquarters, or anybody else who, hopefully, you’ve been working along with in terms of developing this case. The statute also provides that where it’s not feasible to give us notice prior to filing, you should provide notice as soon as possible. And I suppose there could be a case where you need to bring immediate injunctive relief and there’s not time to give prior notice, although, certainly, in terms of e-mail notice, you should be able to do that.
Again, providing prior written notice: the pending federal action takes priority, and I’ll be discussing that more in terms of, if we already have an action pending, the statute has prohibitions on your bringing actions, and I’ll get into that. And we also have rights to intervene, which I’ll get into. Okay, so, under this. Ignore that (referring to slide) “OCR Intervention” at the top there. If we’ve issued a Notice of Determination but have not yet imposed a CMP, there’s a requirement that you provide prior notification to us. So, if you look in the statute, this is what I was showing you on Page 36 under D4, “Notice to the Secretary”. So, this is the requirement that prior notice be provided to the Secretary. And what you’ll also note here is that we have the authority to intervene in any action that you’ve brought. There have been two actions brought, one in Connecticut and one in Vermont, and we have not intervened in those actions, and we haven’t established criteria for when we will intervene or when we won’t intervene; we’ll handle that on a case-by-case basis. And, as you see under 4B, upon so intervening, we have the right to be heard on all matters and the right to file petitions for appeal. So, that may come up where we intervene in an action, and that’s something you should know about. If you look further on Page 37, there’s a Rule of Construction there, and this makes clear that nothing in here impedes the state from exercising their own powers under their own laws that attorneys general have to bring actions. So, I don’t know if that would ever come up where somebody would argue that because you’re bringing a HIPAA action, somehow this restricts you from bringing other actions. Venue, which I discussed. Service of process, and then, most importantly, the limitation on state action where an OCR action is pending.
So, the way that we interpret that…(long pause)…the way that we interpret that is that once you notify us that you intend to bring a civil action, which will hopefully be before you write up the complaint. Because, in order to save time, if we have something pending, you may not want to waste time developing a case. So, the sooner you notify us, the better. So, if there is an action pending, then you cannot bring your own action while OCR has an action pending. Now, we interpret that in a very, very limited way. So if we’ve already started an investigation, that doesn’t mean an action is pending. By “action is pending”, we mean that we’ve issued a Notice of Proposed Determination, and that is very rare. We’ve only done it in one case, the Cignet case. The resolution agreements that we’ve reached, both the more informal agreements and the ones that we’ve put in writing and put up on the web, in all of those cases, those were reached before we did the Notice of Proposed Determination. So, even if OCR has begun an investigation, even if we’ve signed a resolution agreement, you could still bring action. It’s only if we’ve done this formal finding and issued this Notice of Proposed Determination. And if we’ve done that, then you could not bring action as long as that action is pending. The action is no longer pending if we’ve already imposed the CMP. So, let’s say we issue this Notice of Proposed Determination and the court rules in our favor, or there’s a subsequent agreement and we receive the CMP, our case is closed, it’s no longer pending, then you can bring an action. Or, arguably, the case is no longer pending if we lose the case. It goes to an ALJ, we lose there, the matter is resolved, it’s over, it’s no longer pending, then you can bring your action. There is a narrow window in which you, by the HITECH statute, cannot bring an action. Are there questions about that? Sure.
(from the audience): “If we, um, have…uh an action, but we end up resolving it by an assurance and we don’t need to end up having to file a complaint in court, are there any requirements or requests that we provide the same type of notice?” No. So, to repeat the question, if you’ve contacted a covered entity or, when you have authority over business associates, a business associate, and told them that you think they’re violating HIPAA and you think that they should resolve this case and you reach resolution with them and you do everything short of filing a case in court, there’s no requirement to notify OCR. There’s no restriction on your reaching these resolution agreements or settlements. The restriction only comes when you’re actually gonna file in court. Again, you may wanna contact OCR just so that we could work collaboratively and we could know…you could find out whether we have anything going on, and when we do issue a Notice of Proposed Determination and we know that you’re involved in an action against that covered entity, then we will provide you a copy of that Notice of Proposed Determination and that certainly may help any case that you’re working out with them and help any resolution that you want there. Other questions on that? We had also looked at issues of res judicata. If a case is resolved that we bring, whether that would limit you, or whether, if you bring a case and it’s resolved in a particular way, either to the covered entity’s satisfaction or your satisfaction, that would somehow restrict our bringing an action. 
And, our review of res judicata and collateral estoppel, what we have found or concluded is that unless we’re parties to each other’s cases, that’s not going to restrict us from moving forward, unless somehow we control the litigation, and certainly, we’re not going to control your litigation and you’re not going to control ours, so we don’t see courts as somehow stopping either one of us from proceeding just because there was a resolution in one way or the other by the other party. (from the audience): (inaudible) I’m sorry. (from the audience): “What about from a…um...a penalties perspective?” From a what? (from the audience): “You issue penalties, I mean, I know it’s a penalty scheme versus a damages scheme, but the damages is really a penalties…would it…can both parties issue penalties for the identical conduct?” Yes. (from the audience): “…for the identical…” Right. We don’t see any restriction in a covered entity being penalized by you and by us. Congress gave you authority and it’s overlapping authority with ours, and Congress didn’t put any restriction on saying that because they faced a financial penalty for the same action brought by you and brought by us, that somehow that’s a defense, that we’ve already paid a penalty for that violation. It is a penalty for both cases…violations of the same statute, but Congress granted us each authority in that regard. So, not that that might not be litigated, and if it is, then that would be something that we’d all be interested in resolving. Okay. So, we have another exercise here in terms of counting violations. And the slides talk about counting violations for CMPs by OCR and let’s just leave that out because that’s really not important for you all. But in terms of damages, let’s see what there are. 
So, I’ll get into the assumptions, but Scenario 1 here is: a covered entity pharmacy disclosed the PHI of fifteen-hundred customers to a business associate, which the pharmacy paid to make a treatment communication on its behalf. So, it is not infrequent that a covered entity uses a BA to send out treatment communications to the people that use their services. However, the concern here is the pharmacy did not limit the PHI it disclosed to the minimum necessary and did not include the required information about this practice in its notice of privacy practices that the pharmacy distributed to fifteen-hundred customers. So, I don’t think we got into the specifics of what needs to be required in the notice of privacy practices, but there’s a specific provision that says that if you’re going to share information to send out treatment communications to your patients, then you as a covered entity must include that specifically in your notice. So, in this case, this was not included. So, what this is asking for is the maximum possible damages, and we’re not going to get into CMP amounts. In 2 and 3, there’s enough to deal with in maximum possible damages. And then going back here, there’s an assumption that’s being made, so the assumption is that this is after the effective date of HITECH, so that you have authority. Informal resolution has failed, or is otherwise not an option. So, in doing your investigation, while you might discover other violations, for purposes of this activity, just look at the provisions that are relevant here, that arise strictly from the facts in this case. Let me see what else here. There are some other assumptions that are given on this slide. Other than the deficient notice, the pharmacy had compliance policies and procedures, but did not adhere to them. 
The pharmacy’s actions violated minimum necessary and the requirements for the content of the notice, so that’s giving away some things, but we still have to think about the damages and what they’d amount to. And, then there’s a third assumption about reducing or (unintelligible 56:25) the penalty and the act has been determined to be willful. Please don’t get into that now, because we haven’t discussed that yet, about the affirmative defenses that are available there, but I will get into that afterwards. So, let’s just look at this and if you could take ten minutes and try to add up possible damages. And, as you recall, I discussed…let me just show you one more overhead here. So, if I could turn on the overhead projector, Jeff. Thanks. (long pause) They should write in larger letters, I think. But as I’d mentioned previously, in computing the penalties, you look at how many provisions were violated and how many times each provision is violated. So, in looking at how many times each provision has been violated, there’s basically two ways you do that. Jim’s going to help with trying to get this (referring to projector) a little clearer. Okay. Great. Thanks. Perfect. Okay. So, the failure to act when required. If you’re required to train employees, let’s say, and the training is required to be done as of April 2003 and you never do any training, every day that you fail to do training, then you’re in violation of the Rule because that’s a basic requirement of the Rule, to do training for individuals. Or, other provisions: you’re supposed to have policies and procedures. If you have no HIPAA policies and procedures, every day that you do not have those policies and procedures, you’re in violation. That’s a continuing violation. The other major way that you look at how many times the provision has been violated is the inaction or failure to act in regard to a particular individual. 
So, let’s say somebody requests access to their records and you have 30 days and you can get an extension, so it’s 60 days. You have 60 days to give it. So, if it’s 60 days after that period that they requested and they don’t have it, that’s one violation. But every individual who requests access and you deny access to, that’s another violation. So, if you find that there’s two hundred people…in the Cignet Case, there were multiple numbers of people who did not get access to their records, and so, the number of indiv…Number 2 deals with the number of individuals. So, if the obligation is owed to a particular individual, such as an obligation to provide access or amendment or accounting, then you look at the number of individuals affected. If it’s a provision regarding a general rule that applies to pretty much all individuals, but that applies if the covered entity has an obligation to do and has an obligation to do as of a certain date, there’s an obligation to sanction employees. So after a violation occurs, the covered entity is supposed to proceed to sanction employees. If they don’t sanction those employees when they’re required to do so and then still don’t do it 30 days later, those are 30 days of being out of compliance. So, are there any questions about this? (from the audience): “I just have one question.” Sure. (from the audience): “…in terms of the second one…” Right. (from the audience): “..if it’s the number of individuals…um, and you had your example of the 60 days, then on the 61st day, they don’t give the…um…the records, but another 30 days…um…you know, after that, they still haven’t given the records, is it 30 days times the number of people?” Right. (from the audience): “Or, is it just times the number of people for that one violation?” Yeah, the way that we’ve been interpreting it is that it’s one or the other. You know, if this is actually in the Rule, is it 164-04? I’m looking to my colleagues…back there. 
In 164-06 of the Rule, which is in the Appendix, it says the number of violations is based on the nature of the covered entity’s obligation to act or not act under the provision violated, such as its obligation to act in a certain manner, or within a certain time, or to act with respect to certain persons. In the case of a continuing violation of a provision, a separate violation occurs each day the covered entity is in violation of the provision. So, when it talks about acting in a certain manner, or within a certain time, or with respect to certain persons, because the term “or” is used, we’ve been interpreting that it’s either 1 or 2. This provision, 164-06, in the Privacy Rule is what we’ve been using. It doesn’t mean that you cannot creatively try to pursue something more than that. And, that’s a good point in that regard, but we’ve been keeping these as separate ways, separate alternative ways of counting how many times a provision has been violated. Verne, did you want to add something there? Verne: “Is this on?” (from the audience): Yeah. Verne: “Um. Just very quickly. It gets into a lot of minutiae, but you very quickly run into the cap amounts, so, um…” You run into what? Verne: “You run into the cap amounts…very quickly. So, you keep that in the background when you’re looking at multiple violations and counting because you may very well run into the $25,000 cap…um, which may very well obviate the issue of what you’re going to count as an individual violation.” That’s a good point. So, this all has to do with how many times a provision has been violated. So for each provision violated, there’s a cap per year of $25,000, so you use all of this to try to get up to that $25,000. And as Verne pointed out, using one method or the other method, you may, for a particular violation, reach that $25,000. 
Of course, for individuals, at a hundred dollars, you would need two hundred-fifty individuals who were denied access to get up to that cap. And then you multiply what you have here by the number of violations that you have. So, if you have violations of six different provisions, then the $25,000 would be per violation, for each provision that’s been found to be in violation. Okay, so let’s…so there were fifteen hundred customers on the minimum necessary case. What kind of damages? Anybody? Wanna jump in? (from the audience): “Well, you’d have fifteen hundred individual violations...” Okay, so…um… (from the audience): “…times a hundred dollars each.” So, fifteen…(from the audience): “capped out”…hundred times a hundred dollars is what? (from the audience): “Well, it’s 115,000.” Okay. (from the audience): “But you cap out at 25…max out at 25, right there.” Right. Well, yeah, see that’s the thing is that, as you know, we could only do 25,000. Any other thoughts about minimum necessary? Okay. And then there was a deficient notice. Any thoughts about that? Want to? At the back table, you want to jump in there? If you could? (from the audience): “It would be the same thing, wouldn’t it? Fifteen hundred times a hundred?” So, what is the fifteen hundred for? (from the audience): “Fifteen hundred individuals who did not have adequate notice.” Okay. (from the audience): “A hundred dollars per violation.” Alright. (from the audience): “With a maximum of 25,000.” Okay. Is there an alternative way to look at the notice? (from the audience): “Well, couldn’t you do that as a per day violation? If every day that the notice was deficient...I mean, you’re still going to cap out at 25,000, but you could do it on a per day basis.” Well, uh, that’s a good point. What if they didn’t have a sufficient notice for three years? (from the audience): “Well, then you could get $25,000 per year.” Right. 
So, something like a deficient notice, I think there’s an argument that you could look at it either way. That a person has a right to receive a notice and every person who does not get a valid, sufficient notice, that person’s rights have been violated. But you might be able to look at it another way, and say that a notice, for instance if you are a doctor, you have to give a patient a notice at first service delivery, the first time that they come in for treatment. And let’s say you’ve never given anybody a notice, or a health plan has to give a notice at the time of enrollment and they never do that. I mean, is there an argument that for every day that you have failed to give a notice, let’s say, since 2003, you know, that you are in violation? So, there may be an argument there. Of course, we can’t go back to 2003 because we have the six-year statute of limitations. But, you know, if somebody’s a really bad actor and for six years they didn’t give out notices, you may have a good case there in terms of multiple years of violations. And, so, that’s that exercise. And as you recall, there was a…does anybody else have anything else to add?...On this exercise? Going back…sorry…Jim? So, there was a…let’s see if I can find it here…there was an assumption here, the third one, about reducing or (unintelligible 01:09:30) penalties or willful act and as you saw, with OCR, there are different penalty amounts depending upon whether it’s reasonable cause or willful neglect, and most of that’s irrelevant to you, except, unfortunately, there is a defense that’s available that could be very problematic. So, going back to…Tab…Page 30…36, in terms of enforcement by the state AGs. Page 36 in the Appendix in the back of the book has a reprint of the HITECH Statutory Provisions. So, if you look on Page 36 starting with D, “Enforcement By State Attorneys General”, 1: Civil Action. 
So this generally provides that you can bring a civil action, but it says except as provided in Subsection B. So, if you look on Page 35, the facing page. Um…in caps, B: Limitations. So, the first limitation is one that we discussed…Department of Justice, so if the Department of Justice has jurisdiction over the matter, you can’t bring it; however, after February 2011, that has changed. OCR, as Verne pointed out, takes that to mean when our final rule gets published, that the affirmative defense that’s here will change, such that OCR could bring an action even if DOJ has authority, if DOJ decides not to impose a penalty, which we take to mean not only do we know that they did not impose a penalty, but if they tell us they have no intentions of pursuing a penalty we feel that we will have authority to take it, which is very good because we’ve referred over four-hundred-and-fifty cases of improper disclosures to the Department of Justice and they have taken very very very few of those. So, there are cases that are now in a vacuum, where we don’t have authority and Justice is not taking it. So, we’ll be able to pursue those cases, where Justice doesn’t take it. So, this will allow you to also pursue those cases. But relevant here, except as provided in Subsection B, so that’s B-1 and B-2, it generally provides that a penalty can’t be imposed. And, oddly enough, they didn’t say damages, so there’s some ambiguity as to what applies. But…I’m sorry…in this case, they did say…I’m sorry…they did say damages, so, no penalty may be imposed under Subsection A and no damages under D, which is State AGs, if the failure to comply is corrected during the 30 day period beginning on the first day the person is liable…that it’s occurred. So…and then it says, except as provided in Subsection B. So, the way this plays out is if this failure is due to reasonable cause, so if you see the headline under B-2, “Failure Due To Reasonable Cause”. 
And, so, then you have to go to the definition of “reasonable cause”. And there’s a definition in the rule now that is going to be modified, but right now what’s in the rule at 160-410, it’s defined as a situation where a covered entity could show that it was impossible for them to comply. So…impossible and reasonable for the covered entity to comply despite exercising reasonable diligence. So, there’s a fire in the facility and they’re unable to get access to the records within 60 days; it’s unreasonable to expect them to comply. So if there’s reasonable cause and they exercise reasonable diligence, and they corrected the matter within 30 days, then there’s this defense available. So, there’s that defense that’s available, where the covered entity could show that failure was due to reasonable cause. So, you know, look at that technically as that plays out in terms of your cases. But also under D-1, “Civil Action: Statutory Damages”, if you go down, there’s also, in B, a limitation to $25,000 and then there’s a reduction of damages, so this allows for the court reducing damages. And, this could play out in situations where the covered entity argues that it would be a financial hardship for them to pay this fine, or, as Verne pointed out, it would put them out of business. So, they do have that defense there. So…there are circumstances where the definitions, you know, the reasonable cause definition, come into play in terms of this defense that may be available to a covered entity. I know that’s rather complicated, but there are different defenses that are available in CMPs, and this is what’s available here. So, are there any questions about that right now? Let me move on here. (long pause) So…again, there’s intervention, which I mentioned, there’s coordination, notification…whoop…I was going the wrong way. 
And we’ll end up at Day 1 before we get there. Sorry about that. Okay, so these are the violations that you found here, and we then are limited to $50,000, unless we come up with some creative theory that every day someone does not get a notice, that’s a violation. And then there’s OCR. And then we have the last activity. I think other than questions at the end in terms of general overall learning, this is the actual last activity. So, this is another scenario and again, we talk about maximum possible damages. In this one, a cashier of a covered entity pharmacy looked up the PHI of two-hundred fifty patients, so this is a use of PHI, while trying to find contact information for a health plan. So this employee may have thought that what he or she was doing was perfectly innocent. They’re trying to find the address for a health plan, but meanwhile they’re looking up the records of two-hundred and fifty patients, and it says e-PHI, electronic PHI, and printouts of the remaining fifty individuals. So, two hundred of the records are e-PHI, so if it’s e-PHI, which Rule applies? (from the audience): “Security Rule.” Security Rule. Right. So, and if they’re looking at the written records, the printout, does the Privacy Rule apply or the Security Rule? (from the audience): “Privacy Rule.” So, the Privacy Rule would be the only Rule that applies here. The investigation determined that there was no willful neglect and that although the cashier had been inadequately trained by the pharmacy, she was unaware that her actions violated the Rule. The incident occurred in May 2009; they did not terminate or otherwise penalize, otherwise take action against, the employee. Assume that the investigation determined that the cashier failed to comply with the security procedure of the pharmacy in order to gain access to the PHI. And, there are a couple of assumptions here. 
So, the Privacy Rule and Security Rule both have sanction requirements, and this violation lasted for twenty-nine days after the pharmacy knew about the incident. Now, the interesting thing about sanction violations is that there’s a requirement to sanction, but I’m not sure we’d all say that the requirement of sanction starts on the day that the employee/employer knows. Sometimes it takes time to investigate it and determine what the appropriate sanctions are. But assuming that sanctions should have been applied and were not applied for twenty-nine days, that’s an issue here, and there was an impermissible use and the covered entity is liable for that impermissible use by the employee, and there was not evidence of circumstances that would reduce or bar a penalty, and that doesn’t apply to your actions; that may apply to OCR actions. So, this is the case and if you would take ten minutes and see…not Question 2 and 3, but just 1, what are the maximum possible damages? Okay, guys, why don’t we stop here. I’m sure you’re getting hungry. It’s running a little later than I expected and after this we’ll break for lunch. So…Jim, if I could have the overhead? Okay. Okay. So, in this case, there were no sanctions applied. Any thoughts about violations here? Suzanne, at your table, any thoughts about this? (from the audience): (inaudible) I’m sorry. (from the audience): (long pause) “I thought we were supposed to be doing damages.” Damages? (from the audience): “Yeah. Yeah. Well, we used your two alternate methods and so we…” Well. I’m sorry. (from the audience): “We used your two alternate methods and…” Okay. (from the audience): “So, the first way we decided…um…one option to…in order to calculate the damages would be take twenty-nine days…um…at…uh a hundred…” So, um, so there were twenty-nine days that there were no sanctions applied? (from the audience): “Right, and…” Okay. (from the audience): “and multiply that by a hundred…Um…” Okay. 
And that’s twenty-nine hundred dollars and…. (from the audience): “Correct…..and then the other way to calculate it would be take the number of individuals affected, which would be two hundred and fifty, and multiply it by a hundred.” So, um…two-fifty? (from the audience): “Um hmm.” And where’s the two-fifty come from? (from the audience): “Uh…there were two-hundred and fifty individuals affected, so two-hundred…um…involved in the e-PHI and fifty involved in the…” Two-hundred and fifty people affected? (from the audience): “Correct.” Yeah, and um…I guess our thinking would be that even though two-hundred fifty people were affected…um…theoretically, because sanctions were not applied…I mean, is that what your thinking is? (from the audience): “Correct.” Yeah, I think the view OCR would take would be that the sanctions are not related to particular individuals, so that whether it was one individual, fifty or two-hundred fifty individuals, there’s still the requirement to apply sanctions. Now, maybe the type of sanctions applied would be different, but OCR would not look at the failure to provide sanctions the same way as a failure to provide an individual with access, because the sanctions are not specific to a particular individual, so, um…OCR would not take that view. If a state AG wants to try to make that case…um, they can, but generally, as OCR has discussed how this would be applied, they were not thinking of sanctions that way. Are there any other theories for…um…how money can be achieved in damages for…um…failure to provide sanctions? And there’s a hint up there on the chart. (from the audience): “Well, you’re violating two rules, so you have…damages under both of the rules.” Exactly. (from the audience): “Twenty-nine times a hundred…times two.” Right. 
Because…um…what you…here, we’re talking about the…um…failure to sanction employees for violating the Privacy Rule, which is one provision, the 530 E, because some of these were paper records and some of these were electronic records, so there’s another separate Security Rule violation because in terms of the electronic PHI, um…there were twenty-nine days that there was a failure to provide sanctions. So, um…it seems like there’s a good argument that you can…um…proceed for violations of both of those provisions. Now, while everything in the Secur…the Privacy Rule applies everything to the Security Rule, if all of this information under the Security Rule was electronic PHI, we wouldn’t say that you could violate 530 E and 38 A13B because they’re really a duplicate of each other. So, but because some of the information is electronic and some of it is paper, um…you could pursue action, we’re thinking, under both of these. What about for the impermissible use of information? (long pause) Any thoughts there?...You wanna go for that? (from the audience): “On the failure to sanction, I think we were thinking because it was the twenty-nine days from when they found out that it was within the thirty, so we’re not even sure that you could get the penalty…” I’m sorry. (from the audience): “I said, we’re not even sure that you would even be able to get the penalty anyway because it was corrected within the thirty days…” Um…that’s a good point. That’s a good point. So, if it’s corrected within thirty days and um…there’s um…reasonable cause, then you may not be able to get it. Again, look at the technical definition of reasonable cause, and that definition is going to change with the final HIPAA Privacy Rule, but there may be a limitation on your being able to get it. 
Um, there’s…if it’s willful neglect, you may be able to get it, and willful neglect is really a situation where there’s absolutely no good faith, where there’s some deliberate, conscious violation and the covered entity did not show any good faith at all. And I guess the Cignet Case is the best example of that. So on the…um…impermissible use violation, any ideas about damages there? Anybody wanna take it? Wanna take it from that table there? Any thoughts on impermissible use? (from the audience): (inaudible) And…um…why perhaps not? Perhaps? (from the audience): (inaudible) Right. But an impermissible use…I mean, there’s a particular individual’s PHI involved. (from the audience): “Right. That’s right.” Right. So two-hundred fifty would apply there, as opposed to sanctions, where there’s nothing particular to an individual. (from the audience): “Sure.” But here you have two-hundred fifty individuals whose information was impermissibly used. So, um…how much per violation? (from the audience): (inaudible) Okay. So, even though you have the right to do less than a hundred…I think everybody’s going to try to go for the max…there’s no reason why not. And um, so that’s um…$25,000. Okay…um…so that’s where we come up there…um…any other ideas in regards to this exercise? The um…let me…scoop ahead here. (long pause) So, um…so this is what um…this resulted in. Um…total damages of $30,800. You know, which may be worth your pursuing in a case like that. Um…and um…So again, we talked about your authority, filing actions, notifying HHS…um…injunction and damages being available and um…that um…you know, as a result of that, as I’m sure you understand, the enforcement action you can take and um…under HITECH. So, um…we’re gonna break for lunch. How? I’m sorry. (from the audience): “I know people are ready for lunch, but could you briefly touch on that question of…uh…the business associate agreement before lunch?” Oh. Sure. (from the audience): “We have to leave early…and, uh…” Sure. No problem. 
So, um, as you know, in fact, let me…um…let me draw this out for you here. So, um, (long pause) so, um…Jim, if we could switch again…this is the last time…promise you. So…um…so, if you have a um…a state health department…um, that’s a covered entity and they may…they’re likely to be a hybrid entity because they may have a TB clinic that bills Medicare and that’s the covered functions, but they have other functions that aren’t…um…and um…so they may uh…um, you know…this may be their hybrid function here. I’m…I’m sorry…their healthcare component, this is the entity that provides healthcare services and bills Medicaid, but they have so many other functions, they don’t want those to have to be subject to HIPAA. And then you have the state AG, which is a separate agency from the health department. But let’s say…uh…an attorney from the state AG’s office is providing ongoing legal advice to the state health department and needs protected health information to do that, which is not unusual. So, um…they’re going to be considered a business associate of the state health department and so there are two ways that could be done. You could have a…um…an MOU with the state…um attorney general’s office and those people could be consid…still be outside of the healthcare component or…um…you could have an agreement with the state attorney general where those attorneys are considered part of the healthcare component. Now, that doesn’t mean that they physically move or it doesn’t mean that they’re considered employees of the state health department, but it does mean that they could share information as a use within the state health department in that role. 
Now, you get into potential conflicts there because you’re also prosecuting HIPAA actions and, you know, can you prosecute an action against the state health department, and what about this attorney, you know, who is actually being considered part of the healthcare component of the state health department. And OC…uh HHS has been faced with a similar situation. HHS is a massive organization. We have three healthcare components, the Medicare Program, covered entity, Indian Health Service, covered entity, Commissioned Corps, which is a health plan, and we have three healthcare components. We also have parts of HHS that get individually identifiable health information. In fact, we have the NIH…uh…Clinical Center that does treatment. Now they do not bill health plans, so they are not a covered entity. So, we set it up and we have a designation of healthcare components, which um…um…I don’t know if it’s on our website, but we can make it available. Um, it’s public and this designation says that if Indian Health Service, Commissioned Corps, CMS, Medicare are our healthcare components, the rest of HHS is not. And, there are…um…agreements between Indian Health Service and the General Counsel’s Office, whereby General Counsel attorneys…um…work with…as…consultants to Indian Health Service as business associates and receive PHI. Now, I deal with those attorneys all the time, but they would always be wearing the hat of an attorney for the covered entity and they would…uh…talk to me knowing that they’re wearing that hat. And, they may ask me for advice about how HIPAA works just as any covered entity’s attorney calls and asks me about how HIPAA works and I would talk to them that way and there’d be an arm’s length discussion in that regard. Um…they know that um…the attorney for OCR and OCR may end up dealing with a complaint against Medicare or against Indian Health Service and I’ll be consulting with OCR in that way. 
And, this has…um…worked out well since 2003, where this has been going on. Now, we have…may have a lot more flexibility because we have a lot of attorneys, so we could have an attorney that works with the Indian Health Service and an attorney that works for OCR. The regional attorneys that are here today face similar situations because they have attorneys in their office, who work for Medicare and for Indian Health Service and may be giving them advice…um…in their capacity as the attorney for the covered entity and they may be talking to the…um…to Fernando or Suzanne or Tierney about how HIPAA works and we encourage those discussions and it makes sense on the state level to have those discussions because people should be of the same mind regarding how HIPAA works. But, I never want to see the particulars of a particular case, I never want to see a complaint that was filed against CMS in a HIPAA action, but they can call me and talk to me about HIPAA, how HIPAA works…and…and…hopefully, we come up to the same interpretation how HIPAA works. This certainly could be a scenario where…um…the Indian Health Service is taking a different position than OCR and these things may may…um…escalate at some point, but…um…so,…that’s kind of how the two-hats situation works, as we look at it. I don’t know, does that answer your question? 

(from the audience): “Yeah, I mean, uh…my state does have…uh…business associate agreements with various departments that are…for the most part, hybrid entities. I didn’t know whether I…in discussing with the folks here, I got…got the impression that not all states have that…”

Right. 

(from the audience): “And, so I didn’t know, if indeed, we had gone down a road we didn’t need to go down, or whether…uh…there were some other factor involved.”

Right. Yeah, the um…the requirement of the rule…um, is a little different for government entities, so it does say it wouldn’t be a business associate contract, it would be a memorandum of understanding. 
But it…it also provides an exception…um…actually, there’s two exceptions. One is, um…where another rule applies, so if there’s a Privacy Act that applies to the federal government, so if the BA, um…which is another government entity, is subject to comparable privacy protections, then you do not need to have an MOU that has the HIPAA language in there. Now that has pros and cons…you…I could see where, in order to protect the state health department, you would wanna make sure all their BAs are compliant with HIPAA because, you know, you wanna make sure that you’re not going to be liable for their actions, but there is that provision which, um…you should look at. There’s another provision, where the BA is legally obligated to provide certain services to you. So, the Department of Justice is legally obligated to represent federal agencies in court, and the exception was put in there for that type of situation. That, we can’t really bind them to a BA agreement, they are legally obligated to represent us and we could share information in that regard, as long as we make a good faith effort to seek a BA agreement with them, which means that we send them an agreement, we try to negotiate it. If something’s not signed, we’re still protected because this provision…um…only requires a good faith effort, so you might want to look at those provisions because as State AGs, you may be legally obligated…um, I think you are…um, to provide legal representation to…um, other state agencies, so…um, those provisions might apply. Um, does anybody have any experiences dealing with this? 

(from the audience): (inaudible)

Sure. 

(from the audience): “I understand what you are, and I know…we fall into that category…by statute…”

Right. 
(from the audience): “…we’re legally obligated and it seems like the covered entity…this…the department has…uh…checked…tried to give us the…MOU, as opposed to we don’t have to reach out to them, they have to make the good faith effort…”

Well, if the obligation is on the covered entity, but…

(from the audience): “Right.”

Um…um…coming with the implementation of the HITECH Rules, BAs will be directly liable, so if you fit under the definition of BAs, then you may wanna make sure that all of that is done. So….
  • Module 6: Introduction, Objectives and Overview
  • Lesson 1: Investigating Potential HIPAA Violations
  • Activity 1: Case Studies
  • Lesson 2: SAG Enforcement of HIPAA Privacy and Security Rule Violations
  • Lesson 2: Recap
  • Lesson 3: HIPAA Enforcement Process Under HITECH
  • Lesson 3: Recap
  • Module 6 Activity: Imposition of Damages and CMPs
  • Module 6: Recap and Summary