Robert M. Portman, J.D.
(202) 639-6880
email@example.com
Jenner & Block
601 13th Street, NW
Washington, DC 20005
HIPAA Patient Privacy Rules
Overview of the Privacy Rule
Nuts & Bolts of Patient Protections
Compliance & Enforcement
Preemption
Legal Challenges

Overview: Key Issues
History, Breadth & Focus
What information is and is not covered
Who is subject to rules
Business Associate (“BA”) rules
Rules on uses and disclosures of PHI
“Minimum Necessary Rule” & Verification
Privacy Notice/Patient Rights

History/Background
HIPAA ’96—where it all started.
Required Secretary of HHS to issue rules to protect privacy of patient health information if Congress did not act by August 21, 1999.
Congress did not act. (Quelle surprise!)
HHS issued final privacy rules—Dec. 2000.
HHS Guidance Document—July 2001.
Proposed Modification of Rule—March 2002.

Breadth
Privacy rule is part of a “suite” of regulations arising out of HIPAA:
–Standards for electronic transactions (final)
–Unique identifiers for employers/providers for use in electronic transactions (proposed)
–Several rules to be proposed re electronic transactions involving health plans
–Proposed Security Rule
Focus here is on Privacy Rule.

What is Required of the “Average Provider?”
For the “average provider,” the Privacy Rule requires:
–Providing patients information about their privacy rights and how their PHI may be used.
–Obtaining authorization for certain uses/disclosures.
–Adopting clear privacy practices and procedures.
–Designating a privacy officer responsible for adoption/compliance with these practices.
–Training employees so that they understand these practices.

What Information is Covered?
All individually identifiable information that is transmitted or maintained in ANY form, not just electronic.
Major change from original proposed rule.
Referred to as protected health information or PHI.

Individually Identifiable Info
Created or received by a covered entity or employer;
Relates to health or condition, provision of health care, or payment for health care with respect to an individual; and
Can identify or can be used to identify an individual.
Note broad definition of payment activities.

Info Not Covered
Information that cannot be used to identify an individual is not protected.
How to de-identify information:
–Hire an expert to determine that information to be used or disclosed contains no identifying information.
–Remove all specified identifying information.

Covered Entities and “Friends”
Health Care Providers
Health Plans
Healthcare Clearinghouses
Business Associates (indirect)

Health Care Providers
Providers of medical or health services that transmit health information in electronic form, for billing or transferring funds for payment.
–Physicians
–Hospitals
–Home Health Agencies

Health Plans
Plans that provide or pay for the cost of medical care.
–Group health plans
–Health insurance issuers
–HMOs
–Issuers of LTC policies
–Employee welfare benefit plans
Health Care Clearinghouses
Entities that process health information from a covered entity.
–Billing services
–Repricing companies
–Community health information systems
–Value-added networks or switches
Business Associates
Individuals or entities that receive PHI from covered entities and provide services for or perform functions on behalf of covered entities.
Employees and volunteers, no; independent contractors, yes.
May include board members.
A covered entity may be a business associate of another covered entity.

Business Associates
Functions on behalf of a covered entity:
–claims processing
–data analysis
–processing or administration
–utilization review
–quality assurance
–billing
–benefit management
–practice management
–repricing

Business Associates
Services performed for covered entity:
–legal
–actuarial
–accounting
–consulting
–data aggregation
–management
–administrative
–accreditation
–financial

Business Associate’s Duties
Must abide by restrictions on PHI in contract.
Use appropriate safeguards to protect PHI.
Ensure that agents or subcontractors agree to same restrictions. (“Chain of Trust” partners)
Other requirements
–(e.g., make internal practices, books, and records relating to use and disclosure of PHI available to HHS Secretary for purposes of determining covered entity’s compliance with HIPAA.)

Business Associate Contract
Can be an addendum to current contract.
Establish required and permitted uses and disclosures of PHI by BA.
State that BA may not use or further disclose PHI in violation of HIPAA rules if done by covered entity.
Note: BA may use PHI for internal management and administration of BA, legal responsibilities, and data aggregation for covered entity.
Model contract provisions provided by HHS as part of proposed rule modification.

Uses and Disclosures of PHI
Basic rule: NO USE OR DISCLOSURE EXCEPT AS PERMITTED OR REQUIRED BY RULE.

Permitted Uses and Disclosures
To the individual (without request).
With authorization or agreement of the individual.
Other circumstances specified in rules where authorization not required (e.g., disclosure to business associates).
Transfer of records upon sale, transfer, consolidation, or merger.

Required Disclosures
To the individual when requested per rule.
When required by HHS for investigation or compliance purposes.

Minimum Necessary Rule
General Rule
–Covered entity must make reasonable efforts to limit permitted uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
–Same requirement applies to requests for PHI from one covered entity to another.

Minimum Necessary Rule
Minimum necessary usage requires, among other things, identifying:
–employees with need for access to PHI
–categories/types of PHI needed
–conditions for access
Must also comply with any applicable restrictions (e.g., per patient agreement).

Minimum Necessary Rule
Okay to rely on requesting party’s judgment in some cases (if reliance is reasonable):
–another covered entity
–public officials or agencies
–business associates or workforce member
–researchers acting per IRB/Privacy Board

Minimum Necessary Rule
Exceptions
–disclosures to or requests by health care provider for treatment
–uses or disclosures to individuals by law or authorization
–disclosures to HHS
–uses or disclosures pursuant to law or compliance requirements

Minimum Necessary Rule
Modified proposed rule clarifies that conversations between physicians about patient do not violate rule even if they are overheard.
Modified rule also clarifies that incidental disclosures generally do not violate the rule as long as minimum necessary rule satisfied and other reasonable safeguards adopted.

Verification Requirement
Covered entity generally must verify the identity of a person requesting PHI and the authority of the requesting party to have access to the PHI (unless known).
Requirement met if covered entity exercises professional judgment and acts in good faith in making disclosures under the rule.

The Nuts & Bolts of Patient Protections
Consent
Authorization
Exceptions
Notice of Privacy Practices
The Rights of Individuals
Consent
Final Rule would have required physicians and other health care providers to obtain consent from patient for use and disclosure of PHI for treatment, payment, or health care operations (TPO).
Modified rule eliminates consent requirement and simply requires notice of provider’s privacy policies and practices be provided to patient.
Patients should be asked to acknowledge receipt of privacy policies and practices.
Authorization
An authorization generally allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations.
Covered entities must obtain an authorization to make uses and disclosures not otherwise permitted or required under the Privacy Rule.
An authorization must be written in specific terms, and may allow use and disclosure of PHI by the covered entity seeking the authorization, or by a third party.

Authorization
Document and retain signed authorizations.
Provide patient with copy.
May not condition treatment, payment, or enrollment in health plan or eligibility for benefits on authorization except for research-related treatment and other circumstances specified in rule.

Single Authorization Form
Final Rule required different types of forms for different types of disclosures.
Modified Rule requires only one form regardless of type of disclosure.

Authorization Requirements
Must be written in plain language.
A copy must be provided to individual if provider seeks authorization.

Authorization Requirements
A description of the information to be used or disclosed that identifies the PHI in a specific and meaningful fashion.
The name of those authorized to request disclosure of PHI.
The name of persons to whom provider may make the requested disclosure.

Authorization Requirements
A description of each purpose of the requested use or disclosure.
“At the request of the individual” is sufficient description of purpose when an individual initiates the authorization and does not provide a statement of the purpose.
Statement whether provider can condition treatment on authorization.

Authorization Requirements
An expiration date or event relating to individual or purpose of use or disclosure.
Signature of individual (or personal representative) and date.
Statement re individual’s right to revoke authorization.
Statement concerning possibility of redisclosure.
Authorization for Marketing
Under proposed modification, covered entity must obtain authorization from individual before sending them any marketing materials or selling patient lists.
But covered entities may communicate freely with patients about treatment options and other health-related information, including disease-management programs.
No Authorization Required
With individual’s agreement in limited circumstances
Public health activities
Health oversight programs
FDA-regulated activities (e.g., adverse incidents)
Judicial and administrative hearings
Certain law enforcement purposes
Concerning decedents to coroners/funeral directors
Research in certain circumstances

Prior Consents/Authorizations
Covered entity may continue to use or disclose PHI pursuant to a prior consent, authorization, or other form of legal permission with some restrictions.
But usually will need to obtain new consent or authorization for data collected after compliance date, except for research studies based on individual’s consent.

Privacy Notice
HIPAA generally provides individuals the right to “adequate notice” of:
–the uses and disclosures of PHI that may be made by the covered entity.
–the individual’s rights and the covered entity’s legal duties with respect to PHI.
The Notice describes the covered entity’s PHI-related privacy practices.
Specific and detailed requirements for the Notice are set forth in the Privacy Rule.

Privacy Notice
Must provide on first date of service delivery or as soon as reasonably practicable after an emergency.
Must make good faith effort to obtain a written acknowledgement of receipt of notice from patient or document reasons why acknowledgement not obtained—substitute for consent.

Privacy Notice
Must be prominently displayed at site of service and/or posted on web site.
Must be available upon request.
Must issue new notice when material changes.
Must keep copies of all notices and acknowledgements of receipt.

Rights of Individuals
To receive privacy notice at time of first delivery of service.
To request restrictions on uses and disclosures of PHI
–Covered entity not required to agree.
–But if it does so agree, it must comply with restrictions, except for emergencies or other circumstances specified in rules.
–Must document agreement.
–May terminate with individual’s agreement or without agreement prospectively only.

Rights of Individuals
To receive PHI communicated to them by alternative means and at alternative locations to protect confidentiality.
To inspect and obtain copies of their PHI from covered entity, except for psychotherapy notes and other exceptions, subject to procedures in rules.

Rights of Individuals
To amend or correct PHI.
To request an accounting of disclosures in six years prior to request, not including disclosures re treatment, payment, and health care operations, or individuals’ requests for PHI, except for disclosures pursuant to written authorization (see proposed modification).
Rights apply to individual and personal representatives.
Parents of Minors
For the most part, parents have right to access and control PHI of their minor children.
Exceptions to this rule track circumstances in which state law precludes such parental access or control (e.g., permitting HIV testing of minors without parental permission, cases of abuse, etc.) or where parents have agreed to give up access and control.
Research
Proposed modification clarifies that researchers may combine authorization with informed consent to participate in clinical trial.
Proposal also conforms requirements of research exception to “Common Rule” used for federally-funded research.

Compliance
Covered entities must comply by April 14, 2003.
One-year extension for BA contract compliance per proposed modification.

Compliance
Designate privacy official and contact person;
Train workforce in policies and procedures required to safeguard PHI (different requirements for small and large physician practices);
Procedures and safeguards to protect PHI and limit incidental uses or disclosures of PHI;
Institute complaints process; and
Other requirements set forth in rules.

Compliance: Bus. Assoc.
Covered entity not responsible for overseeing BA’s compliance with terms of agreement.
But, covered entity violates rule if it knew of a pattern of activity or practice of BA that breached contract, unless covered entity took steps to end the violation and/or terminate the contract, if feasible, or report problem to HHS.
If BA is also covered entity and it violates its obligations under the BA Agreement, then it will be directly liable under HIPAA.

Compliance: Bus. Assoc.
Contract must have appropriate termination provisions, including return or destruction of PHI upon material breach, if feasible.
Proposed rule would give covered entities up to an additional year to modify their contracts with BA’s to comply with the privacy rule.

Enforcement
Individual complaints with Secretary within 180 days of act or omission.
HHS investigation authority.
Informal resolution authority.
Civil Penalties.
Criminal Penalties.

The Enforcement Provisions: 42 U.S.C. §§ 1320d-5 & 1320d-6
42 U.S.C. § 1320d-5 covers civil violations
42 U.S.C. § 1320d-6 covers criminal violations
These sections are not found in the HHS Regulations; rather, they come from HIPAA itself.
General Penalty for Failure To Comply With Requirements And Standards: 42 U.S.C. § 1320d-5 (Civil Violations)
Punishes any violation of regulations
Maximum penalty of $100 per violation
Cap of $25,000 per calendar year for each provision of the regulations that is violated

Wrongful Disclosure of Individually Identifiable Health Information: 42 U.S.C. § 1320d-6(a) (Criminal Violations)
Violation of federal law
Violations must be committed “knowingly”
MENS REA And Use Of The Word “Knowingly”
A person commits an act “knowingly” when it is done purposefully; that is, the act is a product of a conscious design, intent or plan that it be done. Horne v. State of Indiana, 445 N.E.2d 976 (1983).

Three Ways To Violate 42 U.S.C. § 1320d-6
Knowingly and in violation of the regulations using or causing to be used a unique health identifier;
Knowingly and in violation of the regulations obtaining individually identifiable health information relating to an individual; and
Knowingly and in violation of the regulations disclosing individually identifiable health information to another person.

Potential Bases For Criminal Liability
Employee liability for employee’s own conduct
Liability of privacy officers
Corporate liability for acts of employees
Concurrent liability of employees and corporation
Business Associate Liability

Criminal Penalties For Violating § 1320d-6
Maximum penalties are set forth in § 1320d-6(b).
Actual sentencing is determined according to the Federal Sentencing Guidelines.

Maximum Penalties (42 U.S.C. § 1320d-6(b)(1))
Any violation:
–$50,000 fine, one year imprisonment, or both.
Maximum Penalties (42 U.S.C. § 1320d-6(b)(2))
If offense is committed under false pretenses:
–$100,000 fine, 5 years imprisonment, or both.
Maximum Penalties (42 U.S.C. § 1320d-6(b)(3))
If the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm:
–$500,000 fine, 10 years imprisonment, or both.
Preemption
State law requirements contrary to the federal rule are preempted.
Exceptions
–more stringent state laws
–others
Requests for preemption to be resolved by Secretary of HHS.
Legal Challenges
South Carolina Medical Association v. HHS
Association of American Physicians v. HHS