CCH® BENEFITS — 9/22/08

HIPAA Privacy Rule Enforcement Leans Toward Voluntary Compliance And Correction: CRS

From Spencer's Benefits Reports: Criminal convictions for violations of the Health Insurance Portability and Accountability Act’s privacy rules have been obtained only in three cases involving employees of covered entities who improperly obtained protected health information, the Congressional Research Service (CRS) reported to members of Congress in Enforcement of the HIPAA Privacy and Security Rules, issued on August 11.

HIPAA requires the Department of Health and Human Services (HHS) to adopt standards to facilitate the electronic exchange of health information for certain financial and administrative transactions. In response, the HHS adopted the HIPAA privacy rules as the national standard for the protection of individually identifiable health information and began enforcing the rules in 2003.

The privacy rules regulate the use and disclosure of protected health information by health care plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically; establish a set of basic consumer protections; permit any person to file an administrative complaint for violations; and authorize imposition of civil or criminal penalties. The HHS also may conduct privacy rule compliance reviews, but the agency’s Office of Civil Rights (OCR) states that it is conducting the reviews only where “compelling and unusual circumstances demand.”

The HHS notifies both the covered entity and a complainant of its findings with regard to compliance. If the agency finds noncompliance with the requirements, it attempts to resolve the issue informally. If the issue cannot be resolved informally, the HHS may issue a written notice of noncompliance to the covered entity, and the entity has 30 days to respond with any evidence of mitigating factors or compliance efforts. The HHS must bring any legal actions against a covered entity within six years of the violation and must provide the covered entity notice of a proposed penalty, including the entity’s right to request within 90 days a hearing before an administrative law judge. Once a penalty has been finalized, the HHS must provide a notice of the penalty to the public; state and local medical and professional organizations; state agencies administering health care programs; utilization and quality peer review organizations; and state and local licensing agencies and organizations.

Referred To Justice Department

The HHS refers to the Department of Justice (DOJ) any required criminal investigations for violations of the privacy rules.

In the first case prosecuted under the HIPAA criminal statute, a Seattle phlebotomist employed at a cancer center was sentenced to 16 months in prison and three years of supervised release in 2004 for stealing credit card information from a cancer patient and using that information to charge purchases and to apply for other credit cards. The phlebotomist also was ordered to pay the patient $15,000 in restitution (United States v. Gibson, No. CR04-374 RSM, decided by the U.S. District Court for the Western District of Washington).

In the second case, in 2006, an employee in the office of a doctor who had a contract to provide physicals and medical treatment to FBI agents was convicted of selling an FBI agent’s medical records for $500. The employee, Ms. Ramirez, was sentenced to six months in jail and four months of home confinement, to be followed by a two-year term of supervised release. Ms. Ramirez also was ordered to pay a criminal money penalty of $100. The court found two aggravating factors: first, Ms. Ramirez had sold the confidential medical record; and second, the record belonged to a federal agent (United States v. Ramirez, No. 7:05CR00708, decided by the U.S. District Court for the Southern District of Texas).

In United States v. Ferrer and Machado, an employee (Ms. Machado) of a medical clinic improperly obtained Medicare information and other patient information for more than 1,100 clinic patients and sold that information to the owner of a medical claims business for $5 to $10 each. Medical providers then used the stolen information to bill Medicare for services not rendered and equipment not supplied, resulting in a $7 million fraud to Medicare and approximately $2.5 million in payments to providers and suppliers. Because she testified against her codefendant, Ms. Machado’s sentence was reduced to three years of probation, including six months of home confinement, and she also was ordered to pay more than $2.5 million in restitution.

In 2007, a jury in Naples, Fla., convicted Mr. Ferrer, the owner of the medical claims business, on all eight counts as charged (one count each of conspiring to defraud the United States, computer fraud, wrongful disclosure of individually identifiable health information, and five counts of aggravated identity theft). Mr. Ferrer was sentenced to 87 months in prison, three years of supervised release, and ordered to pay more than $2.5 million in restitution. The Ferrer and Machado case was the first HIPAA violation case to go to trial, whereas in the Gibson and Ramirez cases, the defendants entered guilty pleas (United States v. Ferrer and Machado, No. 06-60261 CR-COHN, decided by the U.S. District Court for the Southern District of Florida).

Other Enforcement Activity

In July 2008, for the first time since the privacy rules went into effect in 2003, the HHS entered into a resolution agreement with Providence Health & Services requiring the organization to pay $100,000 and to implement a corrective action plan to safeguard identifiable electronic patient information to settle potential violations of the privacy and security rules. In the Providence Health & Services case, the violations arose from the loss of backup tapes and theft of laptops containing individually identifiable health information. The resolution agreement is available at http://www.hhs.gov/ocr/privacy/enforcement/agreement.pdf.

From April 2003, when enforcement of the privacy rules began, until May 31, 2008, the HHS received approximately 36,374 health information privacy complaints. The HHS dismissed nearly 55% of these cases, but found authority to investigate and resolve 6,392 cases. In the resolved cases, the investigated entity changed its privacy practices or took other corrective actions. In 3,156 cases, the HHS found no violation of the privacy rules, while nearly 6,800 cases remain unresolved. The agency did not assess any civil penalties during the five-year period studied, but more than 435 cases were referred to the DOJ for criminal investigation of knowing disclosure or access to protected health information; and another 247 cases were referred to the CMS for investigation of cases of potential violations of the HIPAA security rules.

In response to concerns that the HHS and the DOJ have been lax in enforcing the HIPAA privacy rules, the HHS provided the following reasons for the perception: that the agency focuses on covered entity voluntary compliance and correction; that the rules cover a limited type of entity and types of health care transactions and that the rules do not apply to many other entities (including employers and workers’ compensation insurers) that maintain personal health information; that there is no private right of action under the law but only HHS and DOJ enforcement; and, finally, that a complaint may not involve a violation.

The covered entities most commonly required to take corrective action with respect to the privacy rules, in order of frequency, include private practices, general hospitals, outpatient facilities, health care plans, and pharmacies.
