1.  Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability” part); and 2.Ensure the security and confidentiality of patient information and mandate uniform standards for electronic data transmission (the “accountability” part). ◦ Act required the Department of Health & Human Services (DHHS) to implement regulations on the specific areas of HIPAA.  Rules of Primary Concern Here - Privacy & Security Rules: ◦ Privacy Rule: Sets limits and conditions on the uses and disclosures of protected health information without patient authorization; gives patients rights over their health information (e.g., rights to examine and obtain a copy of their health records, to request corrections).  Compliance Deadline: April 2003 ◦ Security Rule: The ability to control access to and prevent information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.  Compliance Deadline: April 2005 4/28/20151PRIVILEGED ATTORNEY-CLIENT COMMUNICATION

2.  Entities subject to HIPAA (“covered entities”): ◦ Health plans, health care clearinghouses or health care providers (e.g., hospitals, physicians, etc.) that:  transmit health information electronically  in connection with “covered transactions” (e.g., billing, transmission of health plan enrollment information). ◦ For example, the UC Student Health & Counseling Centers (SHCs and SCCs)  Operational Consequences of Being a Covered Entity ◦ Comply with the HIPAA rules for transactions and code sets (i.e., use certain standardized forms of transmitting electronic data) ◦ IF the covered entity is using or disclosing Protected Health Information (PHI)  THEN it is required to comply with the HIPAA Privacy Rule (e.g., issue a notice of privacy practices, execute business associate agreements, follow the HIPAA Privacy Rule’s restrictions on the use and disclosure of PHI)  What is PHI? ◦ Individually identifiable health information except for  “Education records” or “treatment records” of students under FERPA ◦ Even though the SHCs and SCCs are HIPAA covered entities, they are not required to comply with the HIPAA Privacy Rule with respect to student records. 4/28/20152PRIVILEGED ATTORNEY-CLIENT COMMUNICATION

3.  Enacted in 1974  Protects the privacy rights of students ◦ General Rule: The University may not disclose a student’s education records without the student’s written consent. ◦ Several exceptions to general rule (e.g., to University officials who have a legitimate educational interest, health or safety emergency). 34 CFR 99.31.  What are “Education Records”? ◦ Directly related to a student; and ◦ Maintained by the University or by a party acting for the University.  Exception: “Treatment Records” are excluded from the definition of “Education Records.”  Treatment Records:  Records created/maintained by a health care professional/paraprofessional;  Used, created or maintained only in the provision of treatment; and  Not disclosed to anyone other than individuals providing treatment. 4/28/20153PRIVILEGED ATTORNEY-CLIENT COMMUNICATION

4.  Post-November 2008 Analysis  Joint Guidance from the Dept of Education & the Dept of Health & Human Services on the Application of HIPAA and FERPA ◦ The definition of PHI under HIPAA excludes both education & treatment records. ◦ Significance:  A HIPAA covered entity is not required to comply with the HIPAA Privacy and Security Rules with respect to both “education records” and “treatment records” (i.e., student medical information). ◦ The catch – HIPAA still applies to non-student medical information. Joint Guidance: http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf 4/28/20154PRIVILEGED ATTORNEY-CLIENT COMMUNICATION

5.  Rule of Thumb: If the information relates to a student and is ◦ Maintained by the University (education records); OR ◦ Made, maintained by a health care professional or paraprofessional and used only in connection with the provision of treatment (treatment records) FERPA applies 4/28/20155PRIVILEGED ATTORNEY-CLIENT COMMUNICATION

6.  Background ◦ Enacted in 1979 ◦ Enforcement Agency: CA Department of Public Health (CDPH)  Applies to: ◦ Most health care providers (e.g., hospitals, doctors, nurses, SHCs/SCCs), plans, contractors ◦ Exceptions: Substance abuse programs and certain mental health care providers (e.g., inpatient psychiatric facilities, county-designated psychiatric facilities)  What Information is Protected Under CMIA? ◦ Medical Information:  individually identifiable information,  in electronic or physical form,  in possession of or derived from a provider, plan, pharmaceutical company, or contractor  regarding a patient's medical history, mental or physical condition, or treatment. ◦ Bottom Line: Generally captures treatment records and education records maintained by the SHC/SCC. 4/28/20156PRIVILEGED ATTORNEY-CLIENT COMMUNICATION

7.  Rules on Disclosure: ◦ Generally patient authorization is required for providers, plans and contractors to make a disclosure. (Cal Civ 56.10) ◦ Exceptions to General Rule:  Must Disclose: List of required disclosures, e.g., if the information is compelled by  Search warrant  Administrative agency  Court order  Subpoena  When otherwise specifically required by law Cal Civ 56.10(b)  May Disclose: List of permitted disclosures, e.g.,  For treatment and diagnosis  If psychotherapist believes disclosure is necessary to prevent serious and imminent threat  For payment purposes  For licensure and accreditation purposes  When otherwise specifically authorized by law (e.g., when authorized by FERPA) Cal Civ 56.10(c) ◦ Different rules apply to outpatient psychotherapy treatment information 4/28/20157PRIVILEGED ATTORNEY-CLIENT COMMUNICATION

8.  Medical Information vs. Outpatient Psychotherapy Treatment Information: (1) Standard medical information (e.g., results of physical, broken bone x-ray)  See Cal Civ 56.10 (2) Medical information that specifically relates to a patient’s treatment with an outpatient psychotherapist (“Outpatient Psychotherapy Treatment Information”)  See Cal Civ 56.104  Rules on Disclosure of Outpatient Psychotherapy Treatment Information Under CMIA ◦ The “Must Disclose” provisions still apply to these records; no authorization required. ◦ Specific “May Disclose” provisions apply:  Treatment/Diagnosis: Disclosure for treatment or diagnosis  Threat: Disclosure by psychotherapist to prevent serious and imminent threat to health/safety  Threat & Law Enforcement/Target Request Information: Per request by law enforcement or target of threat after an initial disclosure has been made by the psychotherapist  Requestor: If a requestor notifies the provider and the patient of a request  The “otherwise specifically authorized by law” exception does not apply 4/28/2015PRIVILEGED ATTORNEY-CLIENT COMMUNICATION8

9.  CMIA & FERPA: ◦ CMIA’s “otherwise specifically authorized by law” clause  Permits providers to disclose medical information (without an authorization) if the disclosure is “otherwise specifically authorized by law” (Cal Civ 56.10(c)(14))  CMIA & HIPAA: ◦ HIPAA Preemption Rule: Providers must comply with whichever state or federal law is more stringent, and with whichever provision is more stringent.  In SHC/SCC context, preemption rule only applies with regard to non- student records. 4/28/20159PRIVILEGED ATTORNEY-CLIENT COMMUNICATION

10. Questions? 4/28/201510PRIVILEGED ATTORNEY-CLIENT COMMUNICATION