<?xml version="1.0" encoding="utf-8"?>
	<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
	<title>An RSS Feed from ushealthcarelaws.com</title>
<description>ushealthcarelaws.com Blog</description>
<link>http://ushealthcarelaws.com/programs/weblog.cgi</link>
<category>e-commerce</category>
<copyright>Copyright ushealthcarelaws.com </copyright>
<language>en-us</language>
<lastBuildDate>Wed, 08 Apr 2026 11:59:15 EST</lastBuildDate>
<managingEditor>webmaster@ushealthcarelaws.com (Web Master)</managingEditor>
<pubDate>Wed, 08 Apr 2026 11:59:15 EST</pubDate>
<webMaster>webmaster@ushealthcarelaws.com (Web Master)</webMaster>
<generator>e-commerce-inc.com sitebuilder blog press</generator>
<atom:link href="http://ushealthcarelaws.com/programs/blogrss.cgi" rel="self" type="application/rss+xml" />

			
<item>
<title><![CDATA[OCR Settles Case Concerning Improper Disposal of Protected Health Information]]></title>
<description><![CDATA[
 
 
 
 <div align="left"><font face="Arial">
     
     
 
       
                     
           
 
             </font></div><p align="left"><font face="Arial"><em>Investigation Leads to $300,640 HIPAA Settlement and Corrective Action Plan</em></font></p><div align="left"><font face="Arial">
 
 </font></div><p align="left"><font face="Arial">Today, the Office for Civil Rights (OCR) at the Department of Health 
 and Human Services announced a settlement with New England Dermatology 
 P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”), over the
  improper disposal of protected health information, a potential 
 violation of the Health Insurance Portability and Accountability Act 
 (HIPAA) Privacy Rule. As a result, NEDLC paid $300,640 to OCR and agreed
  to implement a corrective action plan to resolve this investigation. 
 NEDLC is located in Massachusetts and provides dermatology services.</font></p><div align="left"><font face="Arial">
 
 </font></div><p align="left"><font face="Arial">On May 11, 2021, NEDLC filed a breach report with OCR stating that 
 empty specimen containers with protected health information on the 
 labels were placed in a garbage bin in their parking lot. The 
 containers’ labels included patient names and dates of birth, dates of 
 sample collection, and name of the provider who took the specimen. OCR’s
  investigation, conducted by OCR’s New England Regional Office, found 
 potential violations of the HIPAA Privacy Rule including the 
 impermissible use and disclosure of PHI and failure to maintain 
 appropriate safeguards to protect the privacy of PHI.</font></p><div align="left"><font face="Arial">
 
 </font></div><p align="left"><font face="Arial">“Improper disposal of protected health information creates an 
 unnecessary risk to patient privacy,” said Acting OCR Director Melanie 
 Fontes Rainer. “HIPAA regulated entities should take every step to 
 ensure that safeguards are in place when disposing of patient 
 information to keep it from being accessible by the public.”</font></p><div align="left"><font face="Arial">
 
 </font></div><p align="left"><font face="Arial">In addition to the monetary settlement, NEDLC will undertake a robust
  corrective action plan that includes two years of monitoring. A copy of
  the resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/nedlc-ra-cap/index.html</font></p>
   
 
 
 
 
 
 ]]></description>
<link>http://ushealthcarelaws.com/weblog/1668621660_HIPAA.html</link>
<guid>http://ushealthcarelaws.com/weblog/1668621660_HIPAA.html</guid>
<pubDate>Wed, 16 Nov 2022 13:01:00 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[DOJ Health Care Fraud and Abuse Control Program Annual Report for Fiscal Year 2011]]></title>
<description><![CDATA[
 
 
 
 
   <div align="left"><font face="Arial"><br><u><b>HHS and DOJ Annual Report 2011 About the Fraud and Abuse Program</b></u><br><br>In February of this year, Health and Human Services and the Department of Justice released the Annual Report for the Health Care Fraud and Abuse Control Program for year 2011.</font><br><br><font face="Arial"><u><b>Some notable highlights from the Report:</b></u></font><br><ul><li><font face="Arial">During Fiscal Year (FY) 2011, the Federal government won or negotiated approximately $2.4 billion in health care fraud judgments and settlements.</font></li><li><font face="Arial">In FY 2011</font></li><ul><li><font face="Arial">the DOJ opened 1,110 new criminal health care fraud investigations involving 2,561 potential defendants</font></li><li><font face="Arial">Federal prosecutors had 1,873 health care fraud criminal investigations pending, involving 3,118 potential defendants, and filed criminal charges in 489 cases involving 1,430 defendants. <br></font></li><li><font face="Arial">743 defendants were convicted of health care fraud-related crimes during the year</font></li><li><font face="Arial">the DOJ opened 977 new civil health care fraud investigations and had 1,069 civil health care fraud matters pending at the end of the fiscal year</font></li><li><font face="Arial">the FBI's health care fraud investigations resulted in the operational disruption of 238 criminal fraud organizations, and the dismantlement of the criminal hierarchy of more than 67 criminal enterprises engaged in health care fraud</font></li><li><font face="Arial">HHS’ Office of Inspector General (HHS/OIG) excluded 2,662 individuals and entities<br></font></li></ul></ul><font face="Arial"><u><b><br>Where do these enforcement powers come from?</b></u></font><br><br><font face="Arial">The Social Security Act Section 1128C(a), as established by the Health Insurance Portability and Accountability Act of 1996 (P.L. 
104-191, HIPAA), created the Health Care Fraud and Abuse Control Program, a far-reaching program to combat fraud and abuse in health care, including both public and private health plans.</font><br><br><font face="Arial">As was the case before HIPAA, amounts paid to Medicare in restitution or for compensatory damages must be deposited in the Medicare Trust Funds. HIPAA requires that an amount equaling recoveries from health care investigations – including criminal fines, forfeitures, civil settlements and judgments, and administrative penalties – also be deposited in the Trust Funds. All funds deposited in the Trust Funds as a result of HIPAA are available for the operations of the Trust Funds.</font><br><br><font face="Arial">HIPAA appropriates monies from the Medicare Hospital Insurance Trust Fund to an expenditure account, called the Health Care Fraud and Abuse Control Account (the Account), in amounts that the Secretary and Attorney General jointly certify as necessary to finance anti-fraud activities. The maximum amounts available for certification are specified in HIPAA. Certain of these sums are to be used only for activities of the HHS/OIG, with respect to the Medicare and Medicaid programs. In FY 2006, the Tax Relief and Health Care Act (TRHCA) (P.L. 109-432, §303) amended the Act so that funds allotted from the Account are “available until expended.” TRHCA also allowed for yearly increases to the Account based on the change in the consumer price index for all urban consumers (all items; United States city average) (CPI-U) over the previous fiscal year for fiscal years 2007 through 2010. In FY 2010, the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act, collectively referred to as the Affordable Care Act (P.L. 
111-148, ACA) extended permanently the yearly increases to the Account based upon the change in the consumer price index for all urban consumers or CPI-U.</font><br><br><font face="Arial">In FY 2011, the Secretary and the Attorney General certified $297.7 million in mandatory funding for appropriation to the Account. Additionally, Congress appropriated $310.4 million in discretionary funding. HCFAC appropriations generally supplement the direct appropriations of HHS and DOJ that are devoted to health care fraud enforcement and funded approximately three-fourths of HHS/OIG’s appropriated budget in FY 2011. (Separately, the FBI received $128.4 million from HIPAA.)</font><br><br><font face="Arial">Resources:</font><br><ul><li><font face="Arial"><a href="http://oig.hhs.gov/publications/docs/hcfac/hcfacreport2011.pdf">Report - http://oig.hhs.gov/publications/docs/hcfac/hcfacreport2011.pdf</a></font></li></ul></div>    
 
 
 
 
 
 ]]></description>
<link>http://ushealthcarelaws.com/weblog/1376665394_Fraud-and-Abuse.html</link>
<guid>http://ushealthcarelaws.com/weblog/1376665394_Fraud-and-Abuse.html</guid>
<pubDate>Fri, 16 Aug 2013 11:03:14 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[Who is a Business Associate under HIPAA?]]></title>
<description><![CDATA[
 
 
 
 
  <div align="left">  <font face="Arial"><u><b>When </b></u></font><u><b><font face="Arial">is a Person or Entity a Business Associate Under HIPAA?</font></b></u><br><br><font face="Arial">After languishing for more than two years, the HIPAA Omnibus Rule was finally released on January 17, 2013. The Final Rule updates the HIPAA Privacy and Security Rules to comply with the changes made to the Rules by the HITECH Act.</font><br><br><font face="Arial">The HITECH Act made clear that Business Associates would be directly liable for data breaches. But, based on the comments HHS received, there appeared to be some confusion about who is a business associate for the purposes of HIPAA. In addressing a comment regarding human research, HHS provided the following helpful response:</font><br><blockquote><b><font face="Arial">A person or entity is a business associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of 'business associate,' and in the performance of such duties the person or entity has access to protected health information.</font></b><font face="Arial"> <br><br>87 F.R. 5575 (Jan. 25, 2013) (emphasis added).</font> <br></blockquote><font face="Arial">As such, whether an individual or entity is a business associate is a fact-specific inquiry and all circumstances must be considered. Moreover, a person or entity can be a business associate when engaging in one activity but not a business associate when engaging in another. Consider the following example provided by HHS:</font><br><blockquote><font face="Arial">[A]n external researcher is not a business associate of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research. 
...<br><br><b>However, a researcher may be a business associate if</b> the researcher performs a function, activity, or service for a covered entity that does fall within the definition of business associate, such as the health care operations function of creating a de-identified or limited data set for the covered entity. See paragraph (6)(v) of the definition of ‘‘health care operations.’’ Where the researcher is also the intended recipient of the de-identified data or limited data set, the researcher must return or destroy the identifiers at the time the business associate relationship to create the data set terminates and the researcher now wishes to use the deidentified data or limited data set (subject to a data use agreement) for a research purpose.</font><br><br><font face="Arial">87 F.R. 5575 (Jan. 25, 2013) (emphasis added).</font> <br></blockquote><font face="Arial">To determine whether an individual or entity is a business associate, the tasks the individual or entity is undertaking must be reviewed carefully.</font><br><br><font face="Arial"><u><b>Resources</b></u>:</font><br><ul><li><font face="Arial"><a href="http://www.hhs.gov/news/press/2013pres/01/20130117b.html">HHS Press Release Announcing Release of the Omnibus Rule<br></a></font></li><li><font face="Arial"><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf">HIPAA Omnibus Rule in the Federal Register</a> (PDF)</font><br></li></ul></div><font face="Arial"><br></font><br><br>    
 
 
 
 
 
 ]]></description>
<link>http://ushealthcarelaws.com/weblog/1375475737_HIPAA.html</link>
<guid>http://ushealthcarelaws.com/weblog/1375475737_HIPAA.html</guid>
<pubDate>Fri, 02 Aug 2013 16:35:37 EST</pubDate>
</item>
			
			
</channel>
</rss>