Presentation on theme: "HIPAA In Relation to Other Federal Laws Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Glasser LegalWorks/HIPAA Conference."— Presentation transcript:
HIPAA In Relation to Other Federal Laws Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Glasser LegalWorks/HIPAA Conference October 23, 2002
Overview n Basics of HIPAA and other laws n Other federal laws: – FERPA, Privacy Act, etc. n HIPAA and Financial Services n Conclusion
I. Basics of HIPAA and Other Laws n When are you required to disclose medical data? n Much confusion on this during drafting period n Basic HIPAA approach -- HIPAA itself never requires disclosure n Exactly two exceptions – Access to patient records, Sec – HHS enforcement of the rule, Sec (c)
Required by Law n Many situations where other law requires you to disclose medical data – Most clearly for a court order – Not a HIPAA violation to comply n Sec (a): A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
Basics on required disclosures n HIPAA (almost) never requires disclosure n HIPAA generally creates new legal limitations on using and disclosing PHI n HIPAA says you may disclose where required by other law n Its your call what you are required to do -- HIPAA doesnt give the answer n Both HIPAA and other law apply
The Privacy Act as Example n Law applies to federal agencies, with fair information practices limiting disclosure and providing access n As of April, 2003 federal agencies will comply with both laws, where applicable n HIPAA enforcement for HIPAA violations n Privacy Act enforcement for Privacy Act violations
EMTALA as Example n Requires treatment on site where patient arrives in emergency situation n HIPAA applies -- must protect PHI but can use & disclose it more broadly for treatment, payment & health care operations n EMTALA applies -- a separate, ongoing legal requirement
Public Health & Health Oversight n Public health, Sec (b) n Health oversight, Sec (d) n Both say covered entity may disclose n No new compulsion from HIPAA to require the disclosure n If a covered entity believes disclosure is not appropriate, and disclosure is permitted by HIPAA, then the other law governs
II. HIPAA Provisions about Other Law n Some provisions in HIPAA specifically point to other statutes as supplying the applicable law n Workers Comp, Sec (l) – May disclose as authorized by and to the extent necessary to comply with laws relating to workers compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault – Required vs. permissive disclosure the key
FERPA -- Educational Records n In HIPAA: – Definition of protected health information excludes – educational records covered by – the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g n Therefore, if records covered by FERPA, no HIPAA obligations
FERPA n Educational records are: – those records, files, documents, and other materials which – contain information directly related to a student; and – are maintained by an educational agency or institution or by a person acting for such agency or institution
What Does this Mean for Schools n K-12 nurses -- clearly only have FERPA and not HIPAA n Universities and schools serving over 18 years old -- right to the student instead n What if student health services also serve non-students? Spouses, employees? – Legally, HIPAA applies to those – Practically, keep separate?
HIPAA and the End of College Athletics! n Will we learn that the quarterback is hurt? Will sports gamblers be able to pursue their chosen profession? n FERPA -- governs school athletes, authorizations required as today n Pro sports -- authorization can be required by the employer – Will union contracts limit that?
III. HIPAA & Financial Services n Gramm-Leach-Bliley & HIPAA n 2 statutes, comply with both n Does that mean 2 notices for covered entities? n GLB came first – GLB agencies contemplated that compliance with HIPAA would count for GLB notice – I am not aware of any follow-up clarification by GLB agencies
GLB & HIPAA n HHS comments, Dec – agencies consult to avoid duplication – insurers covered by GLB would be subject to states, not FTC n The upshot: – Health insurers or other dual covered entities likely can give only HIPAA notice – No definitive word from GLB agencies, though
HIPAA and Financial Services n The payment exception in HIPAA Sec n Easy case – Check, credit card and the basic routing information – Name, account numbers, what is needed to process the payment itself – That data entirely outside of HIPAA
Payments and HIPAA n Back office – As financial institution goes deeper, and does back office for a covered entity, HIPAA risk grows – At some point, become business associate n Clearinghouse – Convert standard/nonstandard transactions – Specialized financial services entity, can become a covered entity
Conclusion on Other Fed. Laws n Disclosure required by other law, then at least may disclose PHI n Disclosure permitted by other law, then HIPAA limits apply n Disclosure forbidden by other law, then HIPAA does not authorize the disclosure (with tiny possible exceptions)