New School Violence Law; HIPAA Privacy Training Presented by: Tracey K. Jaensch, Esq.
What We Will Cover New Personnel and Privacy Issues Arising from Marjory Stoneman HS Public Safety Act Overview of HIPAA Privacy Requirements Exceptions Related to Law Enforcement Take Aways
HIPAA Privacy and Security Rule Overview Health Insurance Portability and Accountability Act (HIPAA) Amendment – Health Information Technology for Economic and Clinical Health (HITECH) Act Purpose of Mandates properly protect individuals’ health information while allowing the flow of health information needed to provide and promote high quality health care
HIPAA Privacy Rule Applicable only to Covered Entities and Business Associates Requires implementation of standards to safeguard protected health information (PHI)
HIPAA Privacy Rule Covered Entities Business Associates health plans (fully insured or self-funded) health care providers (e.g. Crossroads) healthcare clearinghouses Business Associates person or organization that performs, or assists in performing, a service or function on behalf of a covered entity that involves use or disclosure of PHI
Entities Specifically NOT Covered HIPAA Privacy Rule Entities Specifically NOT Covered Employers Life, Disability, and Workers’ Compensation Insurers Law Enforcement Agency School? What services provided and who pays for services
HIPAA Privacy Rule PHI is: individually identifiable health information in any form Electronic Written Oral that is created or received by a covered entity or business associate
Examples of PHI Names and Addresses Premiums and coverage amounts Account numbers Geographic subdivisions smaller than a State, including street address, city, county, zip Certificate/license numbers All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, or date of death Internet Protocol (IP) address Telephone and Fax numbers, E-mail Addresses Biometric identifiers, including finger and voice prints, full face photographic images, etc. Social Security Numbers Medical record numbers and Health Plan Beneficiary Numbers Any other unique identifying number, characteristic, etc.
HIPAA Privacy Rule Defines when PHI is: required to be disclosed permitted to be used or disclosed without consent permitted to be used or disclosed only with authorization from the individual
HIPAA Security Rule contains requirements for the storage, transmission and access to electronic PHI applies to covered entities and business associates
HIPAA Privacy and Security Rule Overview Enforcement of Privacy and Security Rule Privacy and Security Officer Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) States Attorney General
HIPAA Privacy and Security Rule Overview Civil Penalties States Attorney General max recovery of $25K OCR 4 tiers up to $1.5M for willful violations Individuals may share in civil penalties recovered
Privacy Rule Compliance Permitted Uses and Disclosures To the individual involved; For routine disclosures for health purposes with or without the individual’s consent; OR With the individual’s authorization, to make non-routine disclosures.
Privacy Rule Compliance Routine Disclosures Health care Treatment; Health care Payment; OR Health care Operations -Disclosures generally permitted with or without individual’s consent
Privacy Rule Compliance Non-Routine Disclosures (Non-TPO) Those disclosures relating to: Marketing Employment decisions; or Non-health purposes. - Must Get Written Authorization
Privacy Rule Compliance Minimum Necessary Standard Any disclosure of PHI must be in a limited data set or, if more information is needed, the minimum necessary Incidental disclosures not a violation
Communications with Family Members Compliance with Privacy Rules Communications with Family Members HIPAA allows communication of PHI to the individual A parent of a minor child and the executor or administrator of a deceased individual’s estate are treated under HIPAA as if they are the individual To disclose PHI to other family members (for example, a spouse) you must obtain the written consent of the individual
A law enforcement organization is not a covered entity. LAW ENFORCMENT AND HIPPA 45 CFR Chapters 160 and 164. 45 CFR §164.512(f) A law enforcement organization is not a covered entity. A covered entity may disclose protected health information (PHI) for a law enforcement purpose, to a law enforcement official, only under several sets of circumstances.
LAW ENFORCMENT AND HIPPA 45 CFR Chapters 160 and 164. 45 CFR §164 LAW ENFORCMENT AND HIPPA 45 CFR Chapters 160 and 164. 45 CFR §164.512(f) A law enforcement official is defined as "an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe," who is: empowered by law to investigate or conduct an official inquiry into a potential violation of law; or, prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
Permitted Disclosures As required by specific reporting laws In compliance with (and limited by relevancy requirements) of: Court order or court-ordered warrant Subpoena or summons issued by judicial officer A grand jury subpoena An administrative request
1. Relevant and material to a legitimate law enforcement inquiry Specific and limited in scope to the extent reasonably practicable in light of the purpose for which info sought For a purpose for which de-identified information could not be used
IDENTIFICATION AND LOCATION PURPOSES PHI may be disclosed for "identification and location" purposes, in response to a law enforcement officer's official request. Purposes would include identifying or locating a suspect, fugitive, material witness, or missing person.
COVERED ENTITY MAY ONLY DISCLOSE THE FOLLOWING FOR ID AND LOCATION: name and address; date and place of birth; social security number; ABO blood type and rh factor; type of injury; date and time of treatment; date and time of death, if applicable; and, a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos. The regulations specifically exclude any PHI related to the individual’s DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue (unless it is one of the items listed above).
Law Enforcement Official’s Request Victim PHI Dead Individual PHI On Premises Criminal Activity Provider providing emergency health care in response to medical emergency off-premises
http://www.hhs.gov/ocr/privacy/
IMPACT ON NEW PERSONNEL AND THREAT ASSESSMENT TEAMS Act requires Resource Officer who is a certified officer MOU with Sheriff or law enforcement Additional training of school personnel (who is a law enforcement officer?) Privacy Rules and training
Thank You