Managed Healthcare Executive - November 2008 - (Page 10) { LETTER OF THE LAW } HIPAA compliance must address organization oversight rst seek the approval of the HHS Secretary. The enforcement trend and the settlement sends a signal to the industry of the need to elevate privacy and security as a focus area of compliance. Five years later, HHS is giving HIPAA The settlement demonstrates several enforcement more teeth with fees and take-away points: corrective action plans No single egregious violation, such as hackers breaching an entity’s central IT BY JOHN ERIKSEN, ESQ. system, need be involved. Most healthcare organization have focused their HIPAA compliance primarily on propproximately ve years after the tecting centralized IT departments. Yet promulgation of the nal privacy the settlement makes clear that everyday and security regulations under business activities of employees create HIPAA, and two and a half years after compliance vulnerability. the promulgation of a nal rule adAn entity’s response to a secudressing the implementation of civil rity/privacy breach must be immediate money penalties, the rst-ever monetary and comprehensive to prevent similar settlement paid, and Resolution Agreebreaches from occurring again, to report ment/CAP, to resolve a potential violabreaches promptly and accurately, and to tion of the HIPAA privacy and security take prompt measures to preserve patient standards was entered into between con dence. Such actions will help mitiDepartment of Health and Human Sergate fears by enforcement agencies as well vices, O ce of Civil Rights (OCR) and as patients. the Centers for Medicare and MedicHHS may hold entities responsible aid (CMS) and Providence Health and even if the inappropriate disclosures are Services, Providence Health System, and a result of third-party actions, includJohn Eriksen is a senior Providence Hospice and Home Care. ing outright theft by an unknown third associate at Epstein, Providence agreed, without any party. This has even greater rami caBecker and Green, P.C. in its Health Care and Life admission of liability, to pay the govtions for covered entity relationships with Sciences practice group ernment $100,000 and implement a third-party “business associates” who and focuses primarily on comprehensive, three-year Corrective have access to protected health and other health regulatory, compliAction Plan (CAP). OCR and CMS had patient-identi able information. ance, managed care and launched their investigation after ProviNow that HHS likely believes that transactional matters. dence noti ed the state of Oregon, and covered entities have had su cient time a ected patients, of the data breach, some (approximately ve years) to come into of whom then led complaints with the compliance with HIPAA privacy and federal government. security rules, HHS may be concludThis settlement appears to be a part of ing that the time has come to add some a trend of increased complaints of viola“teeth” to its enforcement. tions and enforcement by the OCR. Also, As such, the action taken against Proviin March 2007, the OIG began auditing dence is probably not an isolated measure, covered entities’ compliance with the and is more likely the harbinger of a more privacy and security regulations as well aggressive approach to enforcement. MHE as OCR regulators being granted the authority to issue subpoenas in its civil This column is written for informational purposes privacy investigations without having to only and should not be construed as legal advice. A 10 NOVEMBER 2008
Table of Contents Feed for the Digital Edition of Managed Healthcare Executive - November 2008 Managed Healthcare Executive - November 2008 For Your Benefit Editorial Advisors Contents News Analysis State Report Politics &Policy Letter of the Law Affordable Access Economic Ripple Effect Hospitals &Providers Technology Managed Care Outlook Desktop Resource Ad/Edit Index Managed Healthcare Executive - November 2008 Managed Healthcare Executive - November 2008 - Managed Healthcare Executive - November 2008 (Page Cover1) Managed Healthcare Executive - November 2008 - Managed Healthcare Executive - November 2008 (Page Cover2) Managed Healthcare Executive - November 2008 - For Your Benefit (Page 1) Managed Healthcare Executive - November 2008 - Editorial Advisors (Page 2) Managed Healthcare Executive - November 2008 - Contents (Page 3) Managed Healthcare Executive - November 2008 - News Analysis (Page 4) Managed Healthcare Executive - November 2008 - News Analysis (Page 5) Managed Healthcare Executive - November 2008 - News Analysis (Page 6) Managed Healthcare Executive - November 2008 - News Analysis (Page 7) Managed Healthcare Executive - November 2008 - State Report (Page 8) Managed Healthcare Executive - November 2008 - Politics &Policy (Page 9) Managed Healthcare Executive - November 2008 - Letter of the Law (Page 10) Managed Healthcare Executive - November 2008 - Letter of the Law (Page 11) Managed Healthcare Executive - November 2008 - Affordable Access (Page 12) Managed Healthcare Executive - November 2008 - Affordable Access (Page 13) Managed Healthcare Executive - November 2008 - Affordable Access (Page 14) Managed Healthcare Executive - November 2008 - Affordable Access (Page 15) Managed Healthcare Executive - November 2008 - Affordable Access (Page 16) Managed Healthcare Executive - November 2008 - Affordable Access (Page 17) Managed Healthcare Executive - November 2008 - Affordable Access (Page 18) Managed Healthcare Executive - November 2008 - Economic Ripple Effect (Page 19) Managed Healthcare Executive - November 2008 - Economic Ripple Effect (Page 20) Managed Healthcare Executive - November 2008 - Economic Ripple Effect (Page 21) Managed Healthcare Executive - November 2008 - Economic Ripple Effect (Page 22) Managed Healthcare Executive - November 2008 - Hospitals &Providers (Page 23) Managed Healthcare Executive - November 2008 - Hospitals &Providers (Page 24) Managed Healthcare Executive - November 2008 - Hospitals &Providers (Page 25) Managed Healthcare Executive - November 2008 - Technology (Page 26) Managed Healthcare Executive - November 2008 - Technology (Page 27) Managed Healthcare Executive - November 2008 - Technology (Page 28) Managed Healthcare Executive - November 2008 - Managed Care Outlook (Page 29) Managed Healthcare Executive - November 2008 - Desktop Resource (Page 30) Managed Healthcare Executive - November 2008 - Ad/Edit Index (Page 31) Managed Healthcare Executive - November 2008 - Ad/Edit Index (Page 32) Managed Healthcare Executive - November 2008 - Ad/Edit Index (Page Cover3) Managed Healthcare Executive - November 2008 - Ad/Edit Index (Page Cover4)
For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.