I.G. Subpoenas and the HIPAA Privacy Rule The views and opinions expressed in the presentation are those of the presenter, and not necessarily official positions of the Office of Inspector General, Department of Health and Human Services
The Inspector General’s Authority Inspector General Act of U.S.C. App 3 Inspector General Subpoenas 5 U.S.C. App 3 §6(a)(4) “to require by subpoena the production of all [documents] necessary in the performance of the functions assigned by this Act.”
HIPAA Privacy Rule 45 C.F.R. § permits covered entities to disclose protected health information (PHI) without patient consent for the 12 “national priorities” listed in this section. Most disclosures to the HHS IG will come under 45 C.F.R. §§ (a) and (d)
The Inspector General as Health Oversight Agency Definition of a health oversight agency 45 C.F.R. § Regulation preamble 65 Fed. Reg (Dec 28, 2000)
The Health Oversight Exception 45 C.F.R. § (d) Permits covered entities to disclose protected health information to a health oversight agency for oversight activities authorized by law.
The Health Oversight Exception Examples of health oversight activities: audits; civil, administrative or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative or criminal proceedings or actions
The Health Oversight Exception More health oversight activities: Health fraud investigations conducted with the FBI/DoJ. Both IG subpoenas and DoJ’s administrative subpoenas (18 U.S.C. §3486) are used. The HIPAA Privacy Rule permits covered entities to disclose to both types of subpoena under the health oversight exception.
The Health Oversight Exception More health oversight activities Joint investigations with other agencies: health oversight investigation conducted in conjunction with an investigation related to a claim for public benefits not related to health. Example: social security number fraud involving Medicaid and other public benefits such as food stamps, housing vouchers.
The Required by Law Exception 45 C.F.R. § (a) Permits covered entities to “disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.”
Required by Law Definition of required by law 45 C.F.R. § Includes subpoenas issued by a governmental inspector general. Also includes the “Medicare conditions of participation with respect to health care providers participating in the program.”
Overlap of Health Oversight and Law Enforcement Some requests for disclosure of PHI could fit under more than one exception in 45 C.F.R. § Regulation Preamble 65 F.R : Covered entity may disclose PHI as permitted by one paragraph of § regardless of whether the disclosure fails to meet the requirements under a different paragraph of § or elsewhere in the rule.
Health Care Fraud as Health Oversight Regulation Preamble 65 Fed. Reg explains that health care fraud was moved from law enforcement in the notice of proposed rule making to health oversight in the final rule.
Informing the Covered Entity Subpoena cover letter: OIG will cite applicable section of the HIPAA Privacy Rule that permits disclosure; OIG may demand a suspension of accounting of disclosures per 45 C.F.R. § Verification of Identity 45 C.F.R. § (h)(2)(ii)
Conclusion The HIPAA Privacy Rule permits covered entities to disclose PHI in response to IG subpoenas. The OIG will work with covered entities to allay concerns about an IG subpoena; however, when necessary, we will take action to enforce the subpoena. If a covered entity has questions about disclosure of PHI related to an IG subpoena from the HHS OIG, it should contact the Office of Counsel to the Inspector General at (202)