Caution
- This is an overview of fairly complex statutes and regulations. It is no substitute for reading the rules.
- New proposed HIPAA rules are pending.
- In addition to HIPAA, you may be subject to more restrictive state laws. HIPAA establishes a floor for patient privacy; you must comply with more restrictive state law.

HIPAA (not HIPPA)
- HIPAA = Health Insurance Portability and Accountability Act
- Privacy Rules, 45 CFR et seq. Apply to protected health info (“PHI”).
- Security Rules, 45 CFR et seq. Apply to electronic PHI.
- HITECH Act modified HIPAA.
HIPAA
- Covered entities cannot use, access or disclose protected health info without the patient’s written authorization unless the use, access or disclosure fits within a HIPAA exception. (45 CFR )

HIPAA: Covered Entities
- Health care providers
- Health plans, including group health plans if 50+ participants, or administered by a third party
- Business associates who use PHI to perform a function for a covered entity. E.g., lawyers who represent covered entities.

HIPAA: Covered Info
- Protected health info (“PHI”):
  - Individually identifiable info
  - Created or maintained by a covered entity
  - Concerning an individual’s past, present, or future health, health care, or payment
  - In any form or medium
- Not:
  - “De-identified” info
  - Info not created or maintained in the covered entity’s role as a health care provider, e.g., employment records
HIPAA Civil Penalties
- Did not know and should not have known of violation: $100 to $50,000 per violation
  - Up to $1.5 mil for all identical violations per year
  - No penalty if corrected within 30 days
  - OCR may waive or reduce penalty if excessive
- Violation due to reasonable cause: $1,000 to $50,000 per violation
- Willful neglect, but corrected problem w/in 30 days: $10,000 to $50,000 per violation*
- Willful neglect, but did not correct problem w/in 30 days: at least $50,000 per violation*
* OCR must impose penalty

HIPAA Civil Penalties
- In February 2011, Mass General Hospital agreed to pay $1,000,000 for HIPAA violations.
- Employee left medical records of 162 patients on subway while commuting to work.
- Inadequate safeguards to protect info.

HIPAA Civil Penalties
"We hope the healthcare industry will take a close look at [this case] and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information."
– OCR Director Georgina Verdugo

HIPAA Criminal Penalties
Criminal penalties apply to employees or other individuals who obtain or disclose protected health info (“PHI”) without authorization.
- Knowingly obtaining PHI in violation of law: $50,000 fine, 1 year in prison
- Committed under false pretenses: $100,000 fine, 5 years in prison
- Intent to sell, transfer, or use for commercial gain, personal gain, or malicious harm: $250,000 fine, 10 years in prison
(42 USC 1320d-6(a))
Recent HIPAA Convictions
- Arkansas physician and two hospital employees improperly accessed a murdered newscaster’s medical information.
- Convictions:
  - Physician: $5,000 fine + 1 year probation
  - Employee 1: $2,500 fine + 1 year probation
  - Employee 2: $1,500 fine + 1 year probation

Self-Reporting
Covered entities:
- Must self-report a breach of unsecured PHI to:
  - Affected patient or next of kin
  - Department of Health and Human Services
  - Local media if breach involves > 500 persons
- Must log improper disclosures and provide an accounting if requested by the patient.

Additional Reasons to Comply with HIPAA
- HHS must conduct audits.
- State Attorney General can bring a lawsuit for a HIPAA violation.
- Effective 2012, patients receive a percentage of HIPAA fines.
- Covered entity must impose sanctions against workforce members who violate HIPAA.
- No private cause of action under HIPAA, but patients can bring a lawsuit under a common law theory.
- Professional disciplinary actions.
Properly Obtaining PHI from Healthcare Provider or Business Associate

Obtaining PHI
Ways to properly obtain PHI from a healthcare provider or business associate:
- Patient obtains info and gives it to you
- Written authorization from patient
- Subpoena + satisfactory written assurances
- Subpoena + provider notifies patient
- Court order
- Fit within a different HIPAA exception
May need to educate health care providers.

1. Get Info from Patient or Personal Rep
- Patients and personal representatives have the right to access and obtain copies of PHI maintained in the designated record set. (45 CFR )
- Personal rep = person with authority to make health care decisions for the patient, e.g.:
  - Guardian
  - Spouse
  - Parent
  - Other appropriate relative
  (45 CFR (g); see I.C )

Get Info from Patient or Personal Rep
- Covered entity must allow access or provide copies in the format in which records are maintained: electronic or paper.
- Covered entity must respond within 30 days.
- May require a written request for the records.
- May charge a reasonable cost-based fee, e.g., cost of materials, labor and postage, but not retrieval.
(45 CFR )

Get Info from Patient or Personal Rep
Covered entity may deny the request if:
- Info is outside the designated record set
- Psychotherapy notes
- Info compiled in anticipation of litigation
- Info obtained under a promise of confidentiality and disclosure would identify the informant
- Licensed health care provider determines that access would cause substantial harm; decision subject to review
(45 CFR )
HIPAA Civil Penalties
- In February, Cignet Health Center was fined $4,300,000 for HIPAA violations.
- Failed to respond to 41 patients’ requests to access info.
- Failed to cooperate with OCR’s investigation.

2. Patient Authorization
- Covered entity may disclose PHI to third parties per a valid authorization.
- Authorization cannot be combined with any other release or document.
- Must contain required elements.
- Must contain required statements.
- Covered entity is not required to disclose the info per the authorization.
- Covered entity may charge a fee. Need not be reasonable.
(See 45 CFR )

Patient Authorization
Required elements:
- Describe info to be disclosed
- Identify persons who may make the disclosure
- Identify persons who may receive the info
- Describe purpose of disclosure; “at request of patient” is sufficient if the patient originates the request
- Expiration date or event, e.g., “at conclusion of litigation”
- Date and signature of patient or personal representative
- Describe authority of personal representative
(45 CFR )

Patient Authorization
Required statements:
- Patient may revoke the authorization at any time.
- Provider may not condition treatment on the authorization.
- Info disclosed may be re-disclosed and is no longer protected.
(45 CFR )

Patient Authorization
Specify the info desired:
- Oral information, recordings, images, etc.
- Treatment, payment, other.
- Documents created or maintained by the health care entity.
- Time frame.
(45 CFR )
3. Subpoena Signed by Attorney or Clerk
Covered entity cannot disclose PHI pursuant to a subpoena signed by an attorney in a criminal or civil proceeding unless:
- Accompanied by written assurances that
  - Patient was given notice and there were no objections or objections were overruled, or
  - Protective order is in place; or
- Covered entity notifies the patient of the subpoena and the patient fails to take action to protect the PHI.
(45 CFR (e))
HIPAA does not nullify the subpoena, but precludes disclosure unless the conditions are satisfied.

Subpoena Signed by Attorney or Clerk
Subpoena itself may contain satisfactory written assurances if:
- Patient is a party to the proceedings;
- Subpoena is accompanied by a certificate of service confirming the patient or their attorney was served and had time to object; and
- Time for objection has passed.
(OCR Frequently Asked Question)

Subpoena Signed by Attorney or Clerk
Provider should strictly comply with the terms of the subpoena.
- Ensure you subpoena the proper entity, e.g., custodian of records v. employee.
- Provider may only disclose info specified in the subpoena.
- Provider may not disclose info prior to the time specified in the subpoena.
- Patient may be able to object to the subpoena until the time specified in the subpoena.
- No informal, prehearing discussions.

Subpoena Signed by Attorney or Clerk
- HIPAA does not address charges for records produced in response to a subpoena.
- Most court rules entitle the recipient to
  - Reasonable mileage and witness fees
  - Reasonable cost of copies
- May want to tender fees with the subpoena.
4. Subpoena, Order or Warrant Signed by Judicial Officer
- Provider may disclose info if the subpoena, order or warrant is signed by a judicial officer or administrative tribunal. (45 CFR (e)(1), (f))
- “Judicial officer” is not defined.
  - Judge or magistrate
  - Not prosecutor or clerk of court
- Remember to specify the info sought.

5. Grand Jury Subpoena
- Covered entity may disclose info per a grand jury subpoena. (45 CFR (e))

6. Administrative Request
Covered entity may disclose info per an administrative request or civil investigative demand upon confirmation that:
- Info sought is relevant and material to a law enforcement inquiry,
- Request is specific and limited to the extent possible, and
- De-identified info is insufficient.
(45 CFR (f))

7. Hospital May Deliver Records to Court in Response to Subpoena
- In Idaho, a hospital may comply with a subpoena by giving notice and filing the records with the court under seal.
- Provider may require payment for the records before filing them with the court.
- Party issuing the subpoena may state that filing the records with the court is not sufficient.
(I.C )
Other Situations in Which Providers May Disclose PHI

1. Treatment, Payment or Health Care Operations
- Providers may disclose PHI for purposes of
  - Treatment
  - Payment
  - Health care operations, including litigation
- Patient may request restrictions, but the provider need not agree.
(45 CFR )

2. Family Members and Others Involved in Care
Providers may disclose PHI to family and others involved in health care or payment for health care if:
- Patient agrees, or
- Patient does not object and the provider believes it is in the best interest of the patient.
Disclosure is limited to the scope of the person’s involvement.
(45 CFR )

3. Facility Directory
Provider may disclose limited info for purposes of locating a patient if the person asks for the patient by name:
- Patient’s name
- Location in facility
- General condition
Patient may restrict disclosure.
(45 CFR )

4. To Avert Serious Threat
- Covered entity may disclose info to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
- Disclose info to an entity able to respond to the threat.
(45 CFR (j))

5. Other Law Requires Disclosure
Provider may disclose PHI if and to the extent that another law requires disclosure, e.g., to report:
- Child or vulnerable adult abuse
- Treatment of a victim of crime
- Injury by firearm
- Credible threat by patient against another person
- Certain communicable diseases
(45 CFR (a))

6. Law Enforcement Purposes
HIPAA allows providers to disclose info to law enforcement in limited circumstances:
- Disclosure of limited info to identify or locate a suspect, fugitive, witness or missing person.
- Disclosures re a victim of crime if:
  - Victim agrees, or
  - If the victim is incapacitated or it is an emergency, law enforcement represents that the info is not to be used against the victim and cannot wait for the info.
- Reporting a death involving crime.
- Reporting a crime on the premises.
- Reporting a crime if the provider is a victim.
(45 CFR (f))

7. Prisoner
- Covered entity may disclose info to a correctional institution or law enforcement having custody of an individual if the info is necessary for the health or safety of the individual or others.
(45 CFR (k))
Patient Rights
- Request additional restrictions on use or disclosure of PHI
- Access PHI
- Amend PHI
- Obtain an accounting of disclosures of PHI
(45 CFR )

If You Represent Health Care Provider and Receive PHI…

Business Associates
- Business associates = entities that receive PHI from a covered entity to perform a function on behalf of the covered entity, including lawyers.
- Business associates are subject to HIPAA:
  - Must not access, use or disclose PHI unless permitted by HIPAA.
  - Must safeguard PHI.
  - Must have a business associate agreement.
  - May be subject to HIPAA penalties if they violate HIPAA.
(45 CFR , -.514)

Contacting Represented or Employed Providers for Info

Contacting Represented or Employed Providers
- Cannot contact a represented party ex parte, including persons “whose act or omission in connection with the matter may be imputed to the organization for purposes of civil or criminal liability.” (Ethical Rule 4.2, Comment 7)
- Prohibits ex parte contacts with employed providers given HIPAA penalties?

HIPAA Resources
- 45 CFR part 164
- OCR website: www.hhs.gov/ocr/hipaa
  - Summary of regulations
  - Frequently asked questions
  - Guidance re key aspects of privacy and security rules
  - Sample business associate agreement