
1 Privacy in the Real World
Stephen A. Serfass, Stephen.Serfass@dbr.com

2 Introduction
- Legal Landscape
- Key HIPAA Terminology
- Real World Case Studies

3 Legal Landscape

4 Legal Overview: Federal Law
- HIPAA (amended by HITECH)
  - Governs covered entities' use and disclosure of "Protected Health Information" (PHI)
  - Financial consequences for violations are significant
  - Establishes a breach notification obligation
  - No private right of action, but HIPAA may be used to inform the standard of care in a state-law cause of action (e.g., a negligence claim): Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 2014 WL 5507439 (Conn. Nov. 11, 2014)

5 Legal Overview: Federal Law (cont.)
- Breach victims have had success holding employers accountable for HIPAA violations by employees
  - A pharmacist looked up and exposed the information of a customer (suspected of having an STD) to the pharmacist's now-husband
  - Claims of negligence/professional malpractice attached to the employer through respondeat superior liability
  - The Indiana Court of Appeals upheld a $1.4 million verdict against Walgreens (the employer). See Walgreen Co. v. Hinchy, No. 49A02-1311-CT-950 (Ind. Ct. App. Nov. 14, 2014)

6 Legal Overview: Federal Law (cont.)
- Gramm-Leach-Bliley Act (GLBA)
  - Governs Nonpublic Personal Information (NPI) held by financial institutions, including insurers
  - No private right of action
  - For insurers, enforced by state insurance regulators; GLBA does not preempt a state statute that provides greater protection, so such a state law applies alongside it

7 Legal Overview: Federal Law (cont.)
- Other federal privacy statutes under which private parties bring claims: Electronic Communications Privacy Act; Stored Communications Act; Video Privacy Protection Act; Driver's Privacy Protection Act; Family Educational Rights and Privacy Act (note that FERPA itself provides no private right of action, Gonzaga Univ. v. Doe, 536 U.S. 273 (2002))

8 Legal Overview: State Law
- Breach Notification Statutes
  - 47 states require prompt notification (some as fast as 15 days)
  - 28 states require reporting to government and media if the breach has substantial impact (e.g., more than 500 people affected)
  - Some states set a harm threshold for the notice requirement (e.g., a reasonable basis to believe the breach will result in harm)

9 Legal Overview: State Law (cont.)
- Breach Notification Statutes
  - Apply to data in paper format in at least 3 states
  - 36 states establish penalties and 11 provide a private right of action
  - Statutes typically define the data breach, the types of protected information, and the type of notice required

10 Legal Overview: State Law (cont.)
- State Insurance Privacy Laws
  - Some go beyond breach notification and require implementation of active security measures to prevent data breaches (AR, CA, MD, MA, RI, OR, TX, UT)
  - Unfair and Deceptive Trade Practices Acts: a variation on the Consumer Protection Act, enforced by the state attorney general

11 HIPAA/HITECH

12 What is HIPAA?
- The Health Insurance Portability and Accountability Act ("HIPAA"), enacted in 1996
  - Title I protects health insurance coverage for workers and their families when they change or lose their jobs
  - Title II, also known as the Administrative Simplification provisions, established standards for the privacy and security of health information, later codified in the Privacy Rule and the Security Rule

13 What is HITECH?
- The Health Information Technology for Economic and Clinical Health Act ("HITECH") was enacted as part of the American Recovery and Reinvestment Act of 2009
  - HITECH updated and extended the Privacy Rule and the Security Rule
  - Created a tiered civil penalty structure for non-compliance

14 Why HIPAA Matters
- HIPAA is enforceable by federal and state authorities
  - Federal: the Department of Health and Human Services' Office for Civil Rights (OCR)
  - Each state's Attorney General (enforcement authority added by HITECH)
  - There is no private right of action by individuals

15 Why HIPAA Matters (cont.)
- HIPAA carries both civil and criminal penalties for non-compliance
  - Civil penalties range from $100 to $50,000 per violation, with an annual cap of $1.5 million for identical violations (45 CFR § 160.404)
  - Criminal penalties apply to individuals, Covered Entities or Business Associates who "knowingly" obtain or disclose PHI in violation of the Privacy Rule (42 U.S.C. § 1320d-6)
  - Criminal penalties can include fines and prison time

16 Recent OCR Enforcement Actions
- New York and Presbyterian Hospital / Columbia University: $4.8M combined (May 2014)
- Concentra: $1.7M (April 2014)
- Affinity Health Plan: $1.2M (August 2013)
- WellPoint: $1.7M (July 2013)

17 Who is Covered by HIPAA?
- HIPAA applies to "Covered Entities" and their "Business Associates"
- Covered Entities include health plans, health care clearinghouses, and health care providers
  - "Health Plan" includes issuers of health insurance and long-term care insurance
  - "Health Plan" sweeps within its scope issuers of certain combination products (e.g., life/long-term care insurance)
45 CFR § 160.103.

18 Who is Covered by HIPAA? (cont.)
- A Covered Entity can designate itself a "hybrid" entity and govern only part of its operations under HIPAA: the health care components, i.e., those that include the "health plan"
45 CFR § 164.103 (definition of hybrid entity); § 164.105 (organizational requirements).

19 Who is Covered by HIPAA? (cont.)
- A "Business Associate" performs functions or activities that involve the use or disclosure of Protected Health Information on behalf of a Covered Entity
- Every Business Associate must enter into a HIPAA-compliant Business Associate Agreement with the entity it is serving (a Covered Entity or an "upstream" Business Associate)
- Since HITECH and the 2013 Omnibus Rule, Business Associates are also regulated directly by HIPAA
45 CFR § 160.103 (definition); § 164.104(a),(b).

20 What is Protected Health Information?
- Protected Health Information, or "PHI", is individually identifiable health information, i.e., health information that can be linked to a particular person
- Electronic PHI, or "EPHI", is PHI that is stored or transmitted electronically (as opposed to on paper)
- PHI is not limited to written records: it includes spoken information
45 CFR § 160.103 (Protected Health Information).

21 What is Protected Health Information? (cont.)
- Individually identifiable information is PHI if it relates to:
  - The individual's past, present or future physical or mental health or condition
  - The provision of health care to the individual
  - The past, present, or future payment for the provision of health care to the individual
45 CFR § 160.103 (Health Information).

22 What is Protected Health Information? (cont.)
- Common Mistake: "PHI is just the medical records we get from doctors about our insureds"
- Reality: the fact that an individual has an insurance policy at all is PHI, because that fact relates to the past, present, or future payment for health care

23 What is Protected Health Information? (cont.)
- Examples of PHI:
  - A list of policyholders' names and enrollment status
  - An underwriter's notes assessing the medical history of an applicant
  - An EOB (explanation of benefits) and the check issued to a policyholder
  - A premium bill

24 Uses and Disclosures Under HIPAA
When can a Covered Entity or Business Associate use or disclose PHI?
- For purposes of "treatment, payment and health care operations"
- Pursuant to a valid Authorization
- For other narrow purposes where no Authorization is required
- To the individual, or their designated representative, regarding their own PHI
45 CFR § 164.502(a).

25 Uses and Disclosures Under HIPAA (cont.)
- Common Mistake: "HIPAA only covers me disclosing information improperly to third parties"
- Reality: HIPAA limits disclosures of PHI, but it also limits internal use

26 Uses and Disclosures Under HIPAA (cont.)
Common examples of use that violates HIPAA:
- Looking up PHI about individuals in company systems without a permissible business purpose
- Using PHI in a manner other than what is authorized (e.g., an "intended purpose" authorization specific to underwriting does not allow that PHI to be used for marketing)

27 Minimum Necessary Rule
- HIPAA also requires that uses, disclosures and requests be limited to the minimum PHI necessary to accomplish the task
- Before looking at information, ask yourself: "Do I need to know this information to do my job?"
- Before disclosing information, ask yourself: "Does this person need the information to do his work?"
- The standard does not apply to disclosures to, or requests by, a health care provider for treatment, to disclosures to the individual, or to uses and disclosures made pursuant to an authorization
45 CFR § 164.502(b).

28 Real World Examples

29 Claims Scenarios: Part I – Third-Party Involvement
- A captive agent calls on behalf of an insured who has dementia, to facilitate filing a claim:
  - No known power of attorney; the third-party designee is deceased
  - The agent wants to be present during the on-site Functional Assessment, wants to do the legwork of obtaining medical records, and wants to act as primary contact for the insured going forward

30 Claims Scenarios: Part I – Third-Party Involvement (cont.)
- How much information should the claims administration team divulge? To what extent may this agent be involved in the process?

31 Business Associate Agreements
- Establish the permitted and required uses and disclosures of PHI by the business associate
- Must provide:
  - That the BA will use appropriate safeguards to prevent use and disclosure of PHI other than as provided for by the BAA
45 CFR § 164.504(e) (BAA requirements).

32 Business Associate Agreements (cont.)
- Must provide:
  - That any subcontractors ("downstream business associates") agree to the same restrictions and conditions
  - That the BA will comply with the requirements that apply to covered entities when performing any obligation of the covered entity it has assumed
45 CFR § 164.504(e) (BAA requirements).

33 The Security Rule and Appropriate Safeguards
The Covered Entity or Business Associate must:
- Reasonably safeguard PHI from incidental uses or disclosures made pursuant to an otherwise permitted use or disclosure
- Assure that data and systems are protected from misuse, unauthorized access, damage, alteration or disclosure
45 CFR § 164.530(c)(1) (Privacy Rule safeguards).

34 The Security Rule and Appropriate Safeguards (cont.)
The Covered Entity or Business Associate must:
- Have in place appropriate administrative, technical and physical safeguards to protect the confidentiality, integrity and availability of PHI (for EPHI, the Security Rule's standards at 45 CFR §§ 164.302-164.318)
- Reasonably safeguard PHI from use or disclosure in violation of the Privacy Rule
45 CFR § 164.530(c)(1) (safeguards); § 164.306(a) (Security Rule general requirements).

35 Claims Scenarios: Part I – Third-Party Involvement (scenario from slide 29 repeated)

36 Uses and Disclosures Under HIPAA (slide 24 repeated)

37 Uses and Disclosures Under HIPAA: Health Care Operations
- The definition is broad and includes:
  - Underwriting, enrollment, premium rating and other activities related to the creation, renewal, or replacement of a contract of insurance or benefits
  - Conducting or arranging for medical review, legal services, and auditing functions
  - Business management and general administrative activities
- It does not include sales or marketing
45 CFR § 164.501.

38 Claims Scenarios: Part I – Third-Party Involvement (cont.)
- Same scenario as before, but now the daughter calls on behalf of her mother to facilitate filing a claim:
  - The daughter is not the power of attorney
  - The daughter is the only one of three siblings available to act as intermediary and provide information

39 Claims Scenarios: Part I – Third-Party Involvement (cont.)
- How much information should the claims administration team divulge? To what extent may the daughter be involved in the process?

40 Uses and Disclosures for Third-Party Involvement
- A covered entity may "disclose to a family member, other relative, close personal friend, or any other person identified by the individual ... PHI that is directly relevant to such person's involvement with the individual's health care, or payment related to the same"
45 CFR § 164.510(b)(1)(i).

41 Uses and Disclosures for Third-Party Involvement (cont.)
- If the individual is present and has capacity, the covered entity must (1) obtain the individual's agreement, (2) provide an opportunity to object, or (3) reasonably infer from the circumstances that the individual does not object
- If the individual is not present or lacks capacity, disclosure is permitted only if the covered entity determines, in the exercise of professional judgment, that it is in the best interests of the individual
45 CFR § 164.510(b)(2),(3).

42 Claims Scenarios: Part I – Third-Party Involvement (cont.)
- Same scenario as above, except now it is the insured's neighbor who calls:
  - The neighbor is not the power of attorney
  - There is no known power of attorney or immediate family member
- How much information does the claims administration team divulge? To what extent may the neighbor be involved in the process?

43 Claims Scenarios: Part II – Claim Status Updates
- The insured is considering home care services
  - The home care provider would like to prepare a Plan of Care within the insured's benefit limits
  - The provider calls to obtain coverage information
- How much information does the claims administration team divulge? To what extent may the care provider be involved in the process?

44 Treatment, Payment, or Health Care Operations
- "A covered entity may use or disclose [PHI] for its own treatment, payment, or health care operations"
- "A covered entity may disclose [PHI] to another covered entity or a health care provider for the payment activities of the entity that receives the information"
- "A covered entity may disclose [PHI] for treatment activities of a health care provider"
45 CFR § 164.506(c)(1)-(3).

45 Underwriting Scenarios: HIPAA Authorizations
- A broker submits a generic HIPAA authorization form to the underwriter requesting the release of the client's PHI from a list of companies
- The underwriter has the following concerns:
  - Is the form HIPAA compliant?
  - Under HIPAA, does it matter that the form is generic rather than specific to each company?

46 Underwriting Scenarios: HIPAA Authorizations (cont.)
Core elements of a valid authorization:
- A specific and meaningful description of the information to be used or disclosed
- The name of the "person(s), or class of persons" authorized to make the use or disclosure
- The name of the "person(s), or class of persons" to whom the covered entity may disclose
- A description of each purpose of the use or disclosure
- An expiration date or expiration event that relates to the individual or the purpose
- The individual's signature and the date
45 CFR § 164.508(c)(1).

47 Underwriting Scenarios: HIPAA Authorizations (cont.)
- Required statements in a valid authorization:
  - A warning that information disclosed may be redisclosed by the recipient and no longer protected by the Privacy Rule
  - A statement of the individual's right to revoke the authorization
  - An explanation of the covered entity's inability (or, in limited cases, ability) to condition treatment, payment, enrollment or eligibility for benefits on the authorization
45 CFR § 164.508(c)(2).

48 Underwriting Scenarios: Adverse Underwriting Decision
- The underwriter declines based on information found in the medical records, but the condition was not previously disclosed to the producer
- How much information should the underwriter disclose to the producer?

49 Minimum Necessary Rule (slide 27 repeated)

50 Underwriting Scenarios: Privacy Notice and Right to PHI
- A 55-year-old attorney (female) applies together with her husband:
  - She admits on her application to high blood pressure only
  - Her medical records, prescription profile and MIB report reflect high blood pressure only
  - The husband's medical records document that his wife drinks alcohol daily (almost one bottle of wine per night)

51 Underwriting Scenarios: Privacy Notice and Right to PHI (cont.)
- Same applicant:
  - The underwriter declines the wife's application based on the information in the husband's medical record
  - The wife submits a request for the reason and for a copy of her file

52 Requests for Access and Timely Action
- Under HIPAA, "a covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set"
45 CFR § 164.524(b)(1).

53 Requests for Access and Timely Action (cont.)
- The covered entity must act on the request within 30 days or, in limited circumstances, extend that period by up to 30 additional days with a written statement of the reasons for the delay
- A covered entity is also required to document and retain "the designated record sets that are subject to access by individuals"
45 CFR § 164.524(b)(2), (e)(1).

54 Designated Record Set
- "(1) A group of records maintained by or for a covered entity that is: ... (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals"
45 CFR § 164.501.

55 Underwriting Scenarios: Use of Public Information
- The underwriter is concerned because the billing address and current residence do not match
- The underwriter googles the applicant's name and discovers the client is in a rehabilitation house for alcohol abusers
- The underwriter takes adverse action and declines coverage
- Any issue with using internet searches without an authorization?

56 Uses and Disclosures Under HIPAA (slide 24 repeated)

57 Uses and Disclosures Under HIPAA: Health Care Operations (slide 37 repeated)

58 Underwriting Scenarios: Prequalification
- An agent sends the underwriter an e-mail requesting a prequalifying "yes"/"no" and discloses the client's name and health history
  - No HIPAA authorization form has been received
  - A BAA is in place with the agent
- Is it a problem to give the agent a response like "based on the information, the client looks Preferred"?
  - Is this a permitted use?

59 Questions?

60 Thank You
Stephen A. Serfass, Stephen.Serfass@dbr.com

