Hipaa final enforcement rule


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Hipaa final enforcement rule

  1. 1. HIPAA Final Enforcement Rule<br />Chapter 5<br />
  2. 2. Who’s In CharGe HERE?<br /><ul><li>Office of Civil Rights (OCR),
  3. 3. Center for Medicare/Medicaid Services (CMS),
  4. 4. Office of Inspector General (OIG),
  5. 5. U.S. Department of Justice (DOJ). .
  6. 6. U.S. Health & Human Services (HHS),</li></li></ul><li>Answer: <br />“IT Depends on the nature of the alleged violation.”<br />
  7. 7. A Brief Review. . . <br /><ul><li>When Congress Passed Title II of HIPAA of 1996, The U.S. Department of Health & Human Services (HHS) was given the responsibility (and the authority) to
  8. 8. Make Standards for Electronic PHI Txns;
  9. 9. Make Rules for CE’s and Time Tables;
  10. 10. Recommend PHI Privacy Standards to Congress;
  11. 11. Determine Pre-Emption scenarios for State Laws; and
  12. 12. Provide for Penalties when HIPAA violations occur. </li></li></ul><li>The HHS “Family”<br />The Following are Agencies of the U.S. Dept. of Health & Human Services:<br /><ul><li>Office for Civil Rights (OCR)
  13. 13. Centers for Medicare/Medicaid Services (CMS)
  14. 14. Office of Inspector General (OIG)</li></li></ul><li>What Other Federal Department IS Involved in HIPAA?<br />The U.S. Department of Justice (DOJ) - AKA, “America’s Law Office”<br />The F.B.I. may, at times get involved in fraud schemes.<br />
  15. 15. Let’s Look at the Nature of the Alleged HIPAA Violation. . . <br />Employee has an unencrypted laptop with the PHI of 5,000 veterans. Laptop is stolen from employee’s car.<br />Which Rule has been violated. . . <br />HIPAA Privacy Rule or <br />HIPAA Security Rule<br />
  16. 16. Answer:<br />The HIPAA Privacy Rule. . . Because there has been an unauthorized “disclosure”, as the PHI of thousands of people has been made available to people outside the CE and its associates.<br />
  17. 17. Remember, Privacy is Considered a Civil Right in the U.S.<br />Which Agency is Responsible to Ensure that the Civil Rights of U.S. Citizens are Protected?<br /><ul><li>Office of Inspector General; or
  18. 18. Center for Medicare & Medicaid Services. . . or
  19. 19. Office of Civil Rights </li></li></ul><li>YES, It’s the OCR, Office of Civil Rights.<br />
  20. 20. BTW, Remember the many Privacy Rule Violations we heard about in class. . <br />
  21. 21. Privacy Violations from the OCR Website. . . .<br /><ul><li> Like, the situation where the CE donated an “empty” storage cabinet to a non-profit company and it was loaded with unencrypted tapes of PHI,
  22. 22. And the multiple cases of laptop theft from employees who had disabled password security or did not have encryption on their devices.</li></li></ul><li>Think About What Happened. <br />The follow-up was consistent. . .<br /><ul><li>The CE’s reported the violations to the OCR,
  23. 23. Published the losses in the media;
  24. 24. Notified citizens whose PHI was in danger;
  25. 25. Made New Policies
  26. 26. Educated Employees
  27. 27. No Mention of Civil Money Penalties. . . .</li></ul>Bearing this in mind, answer the following. . . .<br />
  28. 28. Most complaints regarding violations of the HIPAA Privacy Standard have been resolved without. . . <br />Legal Action<br />Civil Money Penalties<br />Audit Reports<br />Upcoding<br />
  29. 29. YES, The answer that makes the most sense is. . . <br />B. Civil Money Penalties.<br />Not A. Legal Action b/c, remember, violations of the Privacy Rule are generally CIVIL violations. . . (true but not best answer)<br />Not C. Audit Reports b/c the CE’s have to do some kind of follow-up audit to determine the extent of the violation.<br />Answer D is just plain dumb. <br />
  30. 30. Alleged Privacy Rule Violations that abuse a patient’s privacy rights (and do not violate state or federal laws) are CIVIL VIOLATIONS and are investigated by the O.C.R.<br />
  31. 31. Another Scenario. . . <br />Employee of a CE gives her ID and Password to a reporter friend, who uses it to look at PHI of a famous individual with the intent to exploit the information for financial gain. What HIPAA Rule has been violated by the giving of the password. . . The Privacy Rule or the Security Rule?<br />
  32. 32. YEP, It’s the Security Rule.<br />All HIPAA Non-Privacy Rule violations are investigated by the Center for Medicare/Medicaid Services (CMS).<br />So, this issue will be investigated by CMS.<br />CMS has a great deal of responsibility and authority when it comes to HIPAA. . . <br />
  33. 33. HHS has also authorized CMS to enforce these HIPAA Standards:<br /><ul><li> The Electronic Health Care Transaction and Code Set Rule (TCS);
  34. 34. The National Employer Identifier Number (EIN) Rule;
  35. 35. The Security Rule;
  36. 36. The National Provider Identifier Rule; and
  37. 37. the National Plan Identifier Rule.</li></li></ul><li>Why aren’t these Rules Familiar?<br />These are covered in Chapter 4 of your Newby Book, which we didn’t cover in this class.<br />
  38. 38. What does the Office of Inspector General (OIG) do, in terms of HIPAA Enforcement?<br /><ul><li>The OIG was established in 1976 to fight waste, fraud, and abuse in the Nation’s Medicare, Medicaid, and 300 other HHS Programs.
  39. 39. In terms of HIPAA, the OIG investigates alleged incidents of fraud and abuse.</li></li></ul><li>What’s the Difference Between “Fraud” and “Abuse”?<br />
  40. 40. Fraud is “an act of deception to take financial advantage of another person.”Fraud is an INTENTIONAL act.<br />
  41. 41. ABUSE<br />In federal law, “abuse” means actions that are not sound medical, business, or fiscal practices AND that misuse U.S. Government money, such as Medicare funds.<br />
  42. 42. “ABUSE”<br /><ul><li>Becomes a CRIMINAL matter, because is a misuse of taxpayer money. . . Not a mere violation of an individual’s rights (which would be a CIVIL matter).
  43. 43. Example: Billing for services that, although provided, were not medically necessary.
  44. 44. Abuse may be committed without intent.</li></li></ul><li>More about the OIG. . .<br />The OIG has the power to assign Civil Money Penalties (CMP) AND <br />Exclude CE’s and licensed individuals from participating in ALL FEDERAL Health Care Programs. . Making them Excluded Parties.<br />. . . It’s virtually impossible to operate in health care in the U.S. when one is an excluded party.<br />
  45. 45. Civil Money Penalties (CMP)<br />NOTE: CMP’s cannot exceed $25,000 for all violations of an identical type in a single year. (exam.)<br />
  46. 46. The GREATEST Criminal Penalty can be imposed when the crime is:<br />Using PHI for profit, gain, or harm;<br />Offenses done under false pretenses;<br />Knowingly obtaining PHI in violation of HIPAA; or<br />None of the Above<br />
  47. 47. Answer:<br />A. Using PHI for profit, gain, or harm.<br />
  48. 48. What Happens when a HIPAA violation becomes a criminal matter?<br />The Agency investigating the alleged violation refers it to the U.S. Department of Justice (DOJ)for criminal investigation and follow-up.<br />Example: The OIG or the OCR may refer criminal matters to the DOJ.<br />(See the nice chart, page 127 of Newby)<br />
  49. 49. And MORE About the OIG. . . <br />The Deficit Reduction Act (DRA) of 2005 gave the OIG authority to review and evaluate:<br />1. State false claim laws,<br />2. The compliance plans of prescription drug plan sponsors,<br /> 3.Reported deaths of patients in restraint or seclusion, and<br />4. The responses of public health personnel to emergencies created by Hurricanes Katrina and Rita.<br />
  50. 50. THE OIG Issues Fraud Alerts to Covered Entities<br />And, in so doing, advises CE’s about compliance problems that the OIG is finding in its investigations.<br />
  51. 51. Acts AND Omissions. . . <br />Remember, HIPAA standards apply to both wrongful acts as well as failure to act when an act is called for (omissions). This is provided for in the HIPAA Final Enforcement Rule.<br />
  52. 52. Who Can be Charged with a HIPAA Violation?<br />Covered Entities.<br />-Individual Employees do not get charged with HIPAA Violations. . . <br />-Business Associates (BA’s) do not get charged with HIPAA violations. . . <br /> -UNLESS. . . .<br />
  53. 53. When do CE Employees or BA’s get charged for a HIPAA violation?<br />
  54. 54. Answer:<br />When the act in question also violates other laws. . <br />Example:<br /> Jack, employee of a CE, provides Jill (his girlfriend) with names, d.o.b.’s, and SS# and together they set up a credit card number selling operation.<br />(violation of Credit Card Fraud Laws)<br />
  55. 55. Is Health Care Fraud a REAL Problem in the U.S.?<br />YES. . . The National Health Care Anti-Fraud Association estimates that about 3% of our country’s health care expenses is lost due to fraud.<br />That’s about $60,000,000,000 a year. (or, 60 Billion dollars. ) Wow.<br />
  56. 56. More U.S Laws to Protect Us from Fraud and Abuse<br />
  57. 57. The Health Care Fraud and Abuse Control Program<br /><ul><li> created by HIPAA legislation
  58. 58. Gives the OIG the task of detecting health care fraud and abuse and enforcing all laws relating to them
  59. 59. Provides a collaborative context for the OIG and the U.S. Attorney General to prosecute offenders in a criminal procedure</li></li></ul><li>The Antikickback Law of 1986<br /><ul><li> Makes it illegal to knowingly offer incentives to encourage other businesses to give you referrals for services paid for by the U.S. Government.
  60. 60. Example: X-ray company pays nursing home administrator $$ to use portable x-ray services from said company.</li></li></ul><li>“Whistleblower Law”<br />The Federal False Claims Act <br />(FCA, 31 U.S.C. § 3729)<br /><ul><li>Prohibits submitting a fraudulent claim OR making a false statement or representation in connection with a claim
  61. 61. Encourages reporting suspected fraud and abuse by protecting and rewarding people involved in whistleblowing cases</li></li></ul><li>Qui Tam Case<br />= the Legal Term for a Whistleblower Case<br /><ul><li>“Relator” is the individual who reports suspected fraud and abuse committed by a CE.
  62. 62. The law protects the relator against employer retaliation.
  63. 63. If the lawsuit results in a fine, then the relator may be entitled to 15 to 25% of the amount paid.</li></li></ul><li>Stark Laws, I and II<br /><ul><li>A federal law governing self-referrals
  64. 64. A physician may NOT
  65. 65. Refer patients to an entity
  66. 66. For the furnishing of designated health services
  67. 67. If there is a financial r-ship between the physician Or his/her immediate family member and said entity
  68. 68. Unless the law makes an exception.</li></li></ul><li>Stark Law I and II<br />What kind of “entities” are we talking about here?<br /><ul><li>clinical laboratory services, P.T., O.T., S.L.P. services, Radiology services & supplies, Durable Medical Equipment (DME) and supplies, Parenteral (IV), Enteral (tube-feeding) equipment and supplies, Prosthetic services, Orthotics,. . .</li></li></ul><li>Stark I and II “Entities” cont’d<br /><ul><li>Home Health Services,
  69. 69. Outpatient Prescription Drugs,
  70. 70. Hospital Services—Inpatient and Outpatient.</li></ul>WHEW! <br />
  71. 71. Stark Law II<br />Expanded the “entities” list from Stark I and provides for civil money penalties up to $100,000 for each “arrangement or scheme” that a person knows or should know would violate the statute.<br />
  72. 72. What if a physician violates the Stark Laws?<br />In addition to CMP’s<br />The government may withhold payments for the illegal referrals and seek to make the violator pay back past payments made under the illegal “arrangements or schemes.”<br />Bottom line: Doctors have to be careful when they invest in other businesses!<br />
  73. 73. Stories about Fraud, Kickbacks, and Theft<br />There are some good examples of each on page 130 of your book in the orange “FYI” box. <br />Take a Look! <br />
  74. 74. ONE MORE LAW. . . .Sarbanes-Oxley Act of 2002<br />Bottom Line for Health Care: If a health care corporation operates for profit and publicly traded, then it must attest to the soundness of its financial management.<br />(Gives another opportunity for the whistleblowers as well.)<br />
  75. 75. What is the PURPOSE of Sarbanes-Oxley?<br />After a few Fortune 500 companies defrauded investors and the American public by lying about their worth, there was an alleged “public outcry” for the SEC to have the authority to examine records of publicly traded companies for transparency in their valuation techniques. People lost a lot of money because of the past fraudulent conduct.<br />
  76. 76. Besides Whistleblowers, How are Fraudulent and Abusive Acts Discovered?<br /><ul><li>Every year, the OIG establishes and publishes a work plan, defining areas of focus for government investigations.
  77. 77. The Focus could be on ANY type of health care billing and finance.
  78. 78. They proceed accordingly and publish findings.</li></li></ul><li>HIPAA COMPLIANCE PLANNING<br />Let’s Get It Right!<br />
  79. 79. CE Compliance Plan<br /><ul><li> “A written document prepared by a compliance officer and committee to prepare a plan to:
  80. 80. Audit and monitor compliance w/government regulations;
  81. 81. Have consistent policies & procedures;
  82. 82. Provide for ongoing staff training & education; AND
  83. 83. Respond to and correct errors”</li></li></ul><li>Are Compliance Plans All About HIPAA?<br />No. There are compliance plans for all areas of government regulations.<br />Examples: <br /><ul><li> Equal Employment Opportunity Commission (EEOC),
  84. 84. Occupational Safety & Health Administration</li></ul>(OSHA)<br />
  85. 85. Parts of a Compliance Plan(Required by the OIG)<br /><ul><li>Written Policies and Procedures,
  86. 86. Appointment of a Compliance Officer and Committee,
  87. 87. Training,
  88. 88. Communication,
  89. 89. Auditing and Monitoring,
  90. 90. Disciplinary Systems
  91. 91. Responding to and Correcting Erorrs</li></li></ul><li>Question: A Compliance Plan Often Includes:<br />Work plans, codes of conduct, and advisory opinions<br />Codes of conduct, ongoing training programs, and corrective actions<br />Previous years’ code reference manuals, encounter forms and black box edits<br />Fraud alerts, regulations, and bulletins<br />
  92. 92. B is the Correct Answer<br />
  93. 93. Oh My Goodness!We’re Done with Chapter 5 Already!<br />
  94. 94. Any Questions?<br />