Following reports of improper disposal of personal health information (PHI) the OCR launched an investigation into the information practices of CVS Entities in September 2007. Their review found the following:

• Between July 2006 and May 2007 some retail CVS stores placed paper records containing personal health information in open dumpsters where they could be accessed by unauthorized individuals.
• The policies and procedures of CVS Entities prior to November 2006 were not adequate to ensure the security of PHI
• CVS did not have the appropriate administrative safeguards in place, such as disciplinary action or sanctions policies for members violating privacy and security policies
• Between April 2003 and November 2006, the training given to employees regarding compliance with the Privacy Rule of HIPAA was insufficient to ensure proper destruction of PHI

In January 2009 a resolution agreement was reached with the following terms:

• Each CVS entity must designate a Compliance Representative that is familiar with the Privacy Rule in order to ensure compliance with HIPAA and the Corrective Action Plan required by the agreement. The Compliance Representative is in charge of designing or improving policies, procedures, training and internal controls.
• CVS must pay the Department of Health and Human Services $2,250,000 in penalties
• CVS Entities must agree to implement the Corrective Action Plan outlined in the Resolution Agreement

The Corrective Action Plan (CAP) for CVS entities involved a number of changes in oversight, policy and training to ensure the adequate protection of PHI. Oversight of implementation of the CAP lasts three years from the effective date of the agreement.

The CAP required the following:

Policies

• Development, Improvement and maintenance of privacy policies and procedures that comply with the Privacy Rule of HIPAA and any other relevant privacy regulations
• CVS Entities must submit revised policies within 90 days of the agreement and implement the policies within 60 days of OCR approval
• Policies and procedures must be reviewed annually by the Compliance Representative
• Physical and Administrative safeguards to allow the proper disposal of PHI must be implemented

Employee Policies and Training

• All employees accessing personal health information must receive a copy of the new policies and sign a written agreement saying they understand and agree to abide by the Privacy Rule
• Employees that fail to comply with the Privacy Rule must receive disciplinary action
• Employees that have access to PHI must receive training appropriate to their level of access regarding proper handling of PHI, including its disposal, as well as the sanctions policies for non-compliance. Training should take place within 30 days of employment. Employees are prohibited from handling PHI before completing their privacy training
• A written or electronic account of employee training must be made available to the Office of Civil Right for inspection
• Employees must verify in writing that they have received training and certification must be submitted to the relevant CVS entity within 10 days of certification
• Training material must be reviewed annually by the Compliance Representative

Enforcement

• CVS Entities must develop procedures for internal monitoring of compliance to be approved by the OCR
• CVS Entities will use a third party assessor to conduct evaluations of compliance with the Privacy Rule and the CAP. The Assessor must file reports with the OCR and Compliance Representative periodically
• The Assessor, Compliance Representative and all CVS Entities must maintain all paper’s related to the Assessor’s reports for inspection upon request by the OCR
• CVS entities must develop and internal reporting procedure for approval by the OCR which requires employees to report violations of the CAP to the Compliance Representative as soon as they become aware of the problem
• Upon receiving an internal report, the Compliance Representative must investigate the problem immediately
• If the investigation determines that a violation has occurred a written report describing the violation and the actions taken by the CVS entity must be submitted to the Assessor and the OCR

Reporting

Within 150 days of OCR approval of the policies and procedures, the Compliance Representative will file an Implementation Report that includes the following information:

• A written attestation from the Compliance Representative stating that CVS is in full compliance with the Privacy Rule and the CAP to the best of their knowledge
• A written attestation from the Compliance Representative stating that the workforce with access to PHI have received their initial privacy training certification
• A copy of all training materials and a summary of the training program including length, topics and schedules
• A written attestation from the Compliance Representative with the contact information for all locations and retail pharmacies stating that all locations are compliant with the CAP within the best of their knowledge
• A written attestation from the Compliance Representative stating they have reviewed the Implementation Report and believe the evaluation to be accurate

Periodic reports must also be filed once a year to allow ongoing oversight. The periodic reports require similar information regarding training materials and compliance officer attestations. They also require a summary of all engagement between CVS Entities and the Assessor (ie: financial audits, compliance program engagements) and a summary of   any compliance violations committed by a workforce employee. Furthermore, CVS is responsible for maintaining all documents related to the CAP for six years.

Significance of the CVS Enforcement Case

The CVS enforcement case reinforced several important privacy issues:

• All employees handling PHI must receive the proper training in their privacy obligations under HIPAA and other privacy laws. Furthermore they must be held accountable for any violations that occur
• Data destruction requires as much attention to privacy concerns as data in other parts of the data life cycle.
• Though most individuals PHI was not compromised through CVS’s improper disposal of data, it is the potential for such unauthorized use, access, or disclosure which is the real problem being addressed in the Corrective Action Plan.

In Conclusion:

The U.S. Government is serious about HIPAA enforcement. Entities handling PII must take the necessary steps to ensure compliance or be faced with much stronger requirements, oversight and costs.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• HIPAA (I.B.a.i)

HIPAA legislation is divided between two rules: the Privacy Rule and the Security Rule. The Privacy Rule of HIPAA involves the privacy of protected health information (PHI). Among the protections it provides are the right to access and amend medical records, the right to consent to PHI disclosure, the right to notice of a covered entity’s privacy practices, as well as the safeguarding and limited disclosure of PHI. Enforcement of the Privacy Rule ensures that such rights are protected.

How Does the OCR Enforce the Privacy Rule?

The Office of Civil Rights enforces the Privacy Rule through several methods:

• Investigating complaints filed with the OCR
• Conducting compliance reviews of covered entities
• Creating programs for education and outreach

The most common method of enforcement is the investigation of complaints.

How Does the OCR Investigate Complaints?

All complaints filed with the OCR go through an Intake and Review process. If the complaint meet the following criteria, the complaint moves on to the investigation stage:

• The alleged violation occurred after the effective dates of the Privacy or Security Rule.
• The entity against whom the complaint is filed must be considered a covered entity
• The alleged complaint must be an activity that would violate the Privacy or Security Rule.
• The Complaint must be filed within 180 days of when then person submitting the complaint became aware of the violation.

If the complaint does not meet all of the above criteria, than no violation of HIPAA is considered to have occurred. If the complaint does meet all of the above criteria, an investigation is launched to determine the veracity of the complaint.

If the complaint involves a possible criminal violation, the investigation is handled by the Department of Justice. If the complaint only involves Privacy or Security Rule violations, it is investigated by the OCR. Depending on the results of the OCR investigation:

• No violation may be found
• A violation may be found and voluntary compliance, or corrective action is taken
• A formal finding of violation from the OCR is issued

Enforcement Statistics

The Number of HIPAA complaints has increased each year since its institution. In 2008, the OCR received almost 10,000 complaints. On average, around two-thirds of alleged complaints are determined to be violations and resolution action is taken. One-third of alleged complaints either do not meet the criteria to warrant an investigation or the investigation determined that no violation had occurred.

On average the top five complaints filed every year involve:

1. Impermissible uses and disclosures
2. Safeguards
3. Access
4. More PHI is collected or used than the minimum necessary
5. Improper authorization for disclosure

On average, the top five covered entities that have been found to be in violation of the Privacy Rule include:

1. Private Practices
2. General Hospitals
3. Outpatient Facilities
4. Health Plans
5. Pharmacies

Summary:

The OCR is committed to HIPAA enforcement. All complaints filed with the OCR are reviewed and may be subject to investigation if a violation is suspected. Depending on the severity of the violation, the OCR may need to take enforcement action against an entity to ensure compliance. Such enforcement is costly to both the entity, the U.S. Government and its citizens, so covered entities should review their practices and policies to correct any potential compliance violations.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• HIPAA (I.B.a.i)

What is Protected Health Information?

Protected Health Information is any personally identifiable health information communicated in any form–oral, paper or electronic–that is maintained by a covered entity as defined by HIPAA (see below.) Personally identifiable health information may include a person’s age, gender and other demographic information as well as information about their diagnosis; prognosis; their past, present or future medical health or conditions; and payment for the provision of past, present or future medical care. Any information that may potentially identify an individual personally is considered to be protected health information (PHI.)

Who Must Comply With HIPAA?

In general any entity that handles protected health information must comply with HIPAA regulations. However, the law specifically mentions the following all of which are considered “covered entities” :

• Health Care Providers – All hospitals, doctors, nurses, health care workers and any other healthcare service providers
• Health Plans– Medicare and Medicaid; private insurance companies; group health plans
• Business Associates– Any third part that may handle protected health information as a service, such as billing, data analysis, data aggregation, etc.

The Privacy Rule

The HIPAA Privacy rule attempts to strike a balance between the need for disclosure among health care professionals to ensure quality care, payment and  maintain public security, while still protecting the identity and personal health information of the patient.

Under the Privacy Rule a patient has the right to:

• Notice of a covered entity’s privacy practices which include the type of information collected and its intended use.
• Consent or object to the disclosure of protected health information to third parties other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information.
• Access and amend their protected health information that an entity has on record about them. A minimal charge may be assessed to cover expenses associated providing access or changes to the their records.
• Limited disclosure of protected health information. Disclosure must be limited to that which is minimally necessary. When a heath care provider or plan shares personal health information with a business associate for the purposes of rendering a service, (ie: billing, data analysis, research, etc) the covered entity must ensure that the business associate or third party will maintain the same standards of privacy.
• Safeguarding of their protected health information. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient’s information.

Exceptions to the Privacy Rule

The Privacy Rule makes provisions for the disclosure of protected health information without the limitations outlined above for the following situations:

• Information needed for public health activities and safety
• In coordination with law enforcement of judicial activities and proceedings
• Certain research purposes
• Special Government functions

The Security Rule

HIPAA’s Security Rule deals specifically with the protection of personal health information in its electronic form, which includes data stored on computer hard drives and magnetic or digital storage devices.

The Security Rule requires that covered entities take reasonable measures to:

• Ensure the confidentiality, integrity, and availability of electronic health information
• Protect against the unauthorized access, use or disclosure of protected health information.
• Enforce HIPAA compliance in the work force.

Further more the Security Rule requires:

• The creation of an individual entity to be responsible for implementing and enforcing the Security Rule
• Initial and periodic risk assessments to determine the efficacy of current safeguards, evaluate new threats and implement the necessary protections to maintain the confidentiality and integrity of the data.
• The creation of an ongoing training program to educate the workforce on complying with the Security Rule
• The Covered entity to incorporate the Security Rule into Business Associate Contracts to ensure that all business associates maintain an equivalent level of protection.

Summary:

The Health Care Portability and Accountability Act plays a significant role in the protection of the privacy of health information. HIPAA is a complex and far reaching law which pertains all professionals involved in the health care field. Education in HIPAA compliance must be ongoing, and compliance closely monitored to ensure the protection of health information.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• U.S. Public and Private Sector General Laws including HIPAA (I.A.b.i.)