0 Jumping through Two Hoops: the HIPAA Privacy Rule and State Law Compliance Issues Bruce Merlin Fried, Esq. The fifth National HIPAA Summit November 1,

Slides:



Advertisements
Similar presentations
1
Advertisements

NIXON PEABODY LLP 1 Understanding the Marketing Restrictions of HIPAA Leigh-Ann M. Patterson Nixon Peabody LLP 101 Federal Street Boston, MA (617)
JCAHO –A HIPAA Business Associate National HIPAA Summit
Jumping through Two Hoops HIPAA and State Law Compliance Bruce Merlin Fried, Esq. HIPAA State Law and Preemption Audio Summit July 10, 2002.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.
RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment ( )
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
Foreign Air Operator Validation & Surveillance
Create an Application Title 1A - Adult Chapter 3.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
1 Targeted Case Management (TCM) Changes Iowa Medicaid Enterprise October 14, 2008.
HIPAA AWARENESS TRAINING
The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
PP Test Review Sections 6-1 to 6-6
Responding to Subpoenas and Law Enforcement Demands for PHI: An Overview Janet A. Newberg Chair, Health Law Section Felhaber Larson Fenlon & Vogt, P.A.
Jumping through Two Hoops HIPAA and State Law Compliance: the Problem of the Failure of Federal Preemption Bruce Merlin Fried, Esq. HIPAA Summit West II.
Pennsylvania Bureau of Workers’ Compensation Conference December 4, 2003 Beth L. Rubin  2003 Dechert LLP HIPAA Privacy Rule Basics.
Copyright © 2012, Elsevier Inc. All rights Reserved. 1 Chapter 7 Modeling Structure with Blocks.
I.G. Subpoenas and the HIPAA Privacy Rule The views and opinions expressed in the presentation are those of the presenter, and not necessarily official.
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
1..
CONTROL VISION Set-up. Step 1 Step 2 Step 3 Step 5 Step 4.
Adding Up In Chunks.
Minimum Necessary Standard Version 1.0
7/16/08 1 New Mexico’s Indicator-based Information System for Public Health Data (NM-IBIS) Community Health Assessment Training July 16, 2008.
Analyzing Genes and Genomes
Speak Up for Safety Dr. Susan Strauss Harassment & Bullying Consultant November 9, 2012.
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
Essential Cell Biology
1 Phase III: Planning Action Developing Improvement Plans.
PSSA Preparation.
Essential Cell Biology
Immunobiology: The Immune System in Health & Disease Sixth Edition
Energy Generation in Mitochondria and Chlorplasts
An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.
 What is the Privacy Rule? The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) governs the use and disclosure of.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Rule Training
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
Health Insurance Portability and Accountability Act (HIPAA)
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.
Medical Records in Court: Life after HIPAA North Carolina Conference of Superior Court Judges, October 2003 Presented by Jill Moore, UNC School of Government.
HIPAA The Privacy Rule Health Insurance Portability and Accountability Act of 1996 (HIPAA) The 104 th Congress passed the Act, Public Law ,
1 Disclosures © HIPAA Pros 2002 All rights reserved.
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
Michael R. Costa, Esq., M.P.H. Greenberg Traurig, LLP One International Place, 3 rd Floor Boston, MA (fax)
Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees.
Davis Wright Tremaine LLP The Seventh National HIPAA Summit HIPAA Privacy: Privacy Rule Compliance on Public Health Activities and Research Thomas E. Jeffry,
Federal Preemption, and State Healthcare Privacy and Data Security Law and Regulation Fifth National HIPAA Summit October 30 – November 1, 2002 Mark Barnes.
Table of Contents. Lessons 1. Introduction to HIPAA Go Go 2. The Privacy Rule Go Go.
Health Insurance Portability and Accountability Act (HIPAA) © 2013 Project Lead The Way, Inc.Principles of Biomedical Science.
COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
Health Insurance Portability and Accountability Act
HIPAA CONFIDENTIALITY
HIPAA Administrative Simplification
Health Insurance Portability and Accountability Act
HIPAA Summit West The Hidden Trap: Compliance with State Law
HIPAA Summit VII The Hidden Trap: Compliance with State Law
2003 Immunization Registry Conference
National Congress on Health Care Compliance
HIPAA, The Next Level: HIPAA Preemption of State Laws
Presentation transcript:

0 Jumping through Two Hoops: the HIPAA Privacy Rule and State Law Compliance Issues Bruce Merlin Fried, Esq. The fifth National HIPAA Summit November 1, 2002

1 Introduction n Topic 1: The Legal Framework Governing Preemption under the Privacy Rule n Topic 2: How to Conduct a Preemption Analysis n Topic 3: The ShawPittman HIPAA Privacy Preemption Extranet

2 Topic 1: The Legal Framework Governing Preemption

3 HIPAA: The Law of the Land? n HIPAA § 261 created part C of Title XI of the Social Security Act (the Administrative Simplification Provisions) – Our focus: Privacy n One national standard vs. state experimentation? One national standard would: –be easier to administer –create uniform privacy protection for all But,…

4 The Statute n § Effect of State Law (1) General Rule -- Except as provided in paragraph (2), a provision or requirement under this Part, or a standard or implementation specification... shall supercede any contrary provisions of State law, including a provision of State law that requires medical or health plan records... to be maintained or transmitted in written rather than electronic form.

5 The Exceptions n (2) Exceptions -- A provision or requirement... or a standard or implementation provision... shall not supercede a contrary provision of State law [if one of four situations apply].

6 The Exceptions 1. The Secretary of HHS determines the provision, is necessary –to prevent fraud and abuse; –to ensure appropriate State regulation of insurance and health plans; –for State reporting of health care delivery or costs; or –for other purposes; or addresses controlled substances.

7 The Exceptions 2. The provision of State law relates to the privacy of health information and is more stringent than a standard, requirement, or implementation specification adopted under the Privacy Rule. 3. The provision of State law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention.

8 The Exceptions 4. The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.

9 The Privacy Rule n The Privacy Rule does not preempt State law where the provision of State law relates to the privacy of health information and is contrary to and more stringent than a provision of the Privacy Rule.

10 n The Privacy Rule also does not preempt: –State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance investigation or intervention; –State laws that require a health plan to report, or to provide access to information, for the purpose of management or financial audits, program monitoring and evaluation, licensing, and related issues; –Laws that the Secretary of HHS has determined should not be preempted. 45 C.F.R. §

11 Whats Contrary? Contrary means: A covered entity would find it impossible to comply with both the State and federal requirements; or The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of the Administrative Simplification regulations. 45 C.F.R. §

12 Whats More Stringent? A State law is more stringent when it meets one or more of the following criteria: 1.The State law prohibits or restricts a use or disclosure that would be permitted by HIPAA, except if the disclosure is: –Required by the Secretary to determine HIPAA compliance; or –To the individual who is the subject of the individually identifiable health information;

13 More Stringent means… 2.The State law permits greater rights of access or amendment, provided that nothing in the Privacy Rule may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian or person acting in loco parentis; 3.The State law provides a greater amount of information to the individual about a use, disclosure, right or remedy;

14 More Stringent means… 4.The State law narrows the scope or duration of an authorization or consent for use or disclosure of individually identifiable health information or reduces the coercive effect of the circumstances surrounding the authorization or consent; 5.With respect to record keeping or accounting disclosures, the State law provides for the retention or reporting of more detailed information or for a longer duration; or 6.The State law generally provides greater privacy protection for the individual. 45 C.F.R. §

15 Topic 2: How To Conduct A Preemption Analysis

16 The Effect n In general, the Privacy Rule creates a federal floor of privacy, upon which states may still place stricter standards.

17 Step 1: Identifying Relevant State Law n What State laws are at issue? – State constitutions – Statutes – Regulations – Rules – Common law – Other state action having the force of law. 45 C.F.R. §

18 n Does the State law relate to the privacy of health information (e.g., does the State law have the specific purpose of protecting the privacy of health information or affect the privacy of health information in a direct, clear, and substantial way)? 45 C.F.R. §

19 Step 2: Analyzing State law on a provision- by-provision basis. Is State law contrary to the Privacy Rule (i.e., is it impossible to comply with both)? Is State law more stringent than the Privacy Rule?

No Yes No Is the provision of state law contrary to the Privacy Rule (i.e., is it impossible to comply with both the Privacy Rule and the provision of state law)? Does the provision of state law relate to the privacy of health information and fall within the scope of the project? This provision is wholly preempted. Contrary and Less Stringent; Preempted. This provision is wholly preempted. Contrary and Less Stringent; Preempted. As a matter of law, the provision is not preempted by the Privacy Rule. Therefore, covered entities must comply with both state law and the Privacy Rule. Conduct a practical analysis, comparing the provision to the Privacy Rule. Where there are no analogous provisions in the Privacy Rule, state law will supplement the Privacy Rule. Not Contrary, Not Preempted, Both Apply; State Law Supplements Privacy Rule. Where analogous provisions in the Privacy Rule, determine which controls as a practical matter. Use the Rules definition of more stringent to guide analysis. Not Contrary, Not Preempted, Both Apply, But, as a Practical Matter, Either State Law or the Privacy Rule Will Control. As a matter of law, the provision is not preempted by the Privacy Rule. Therefore, covered entities must comply with both state law and the Privacy Rule. Conduct a practical analysis, comparing the provision to the Privacy Rule. Where there are no analogous provisions in the Privacy Rule, state law will supplement the Privacy Rule. Not Contrary, Not Preempted, Both Apply; State Law Supplements Privacy Rule. Where analogous provisions in the Privacy Rule, determine which controls as a practical matter. Use the Rules definition of more stringent to guide analysis. Not Contrary, Not Preempted, Both Apply, But, as a Practical Matter, Either State Law or the Privacy Rule Will Control. Not included in the analysis. Is the provision of state law more stringent than the Privacy Rule? State law controls over the Privacy Rule. Contrary and More Stringent. NOT CONTRARY, NOT PREEMPTED Is it merely a general provision providing for the confidentiality or privacy of information (e.g., physician must keep patient records confidential)? Yes No Yes 20

21 Preemption Example 1 n State law provides that HIV-related information may only be disclosed with the authorization of the individual. n The Privacy Rule permits a health plan to disclose PHI for T, P, & HCO without the consent or authorization of the individual. n Contrary? No. You can comply with both by complying with the more restrictive State law. n Practical Impact: The more restrictive State law will control.

22 Preemption Example 2 n State law provides that a health plan may use and disclose health information received or created for fundraising activities. n The Privacy Rule provides that only a narrow subset of PHI may be used for fundraising (demographic data and dates that health care was provided), without an authorization, and that certain other requirements be met. 45 C.F.R. § (f). n Contrary? No, it is possible to comply with both by complying with the more stringent provisions of the Privacy Rule. n Practical Impact: Follow the Privacy Rule.

23 Preemption Example 3 n State law precludes, without exception, a provider from giving an individual access to his or her medical records to the extent that they are mental health records. n The Privacy Rule requires a health care provider to grant an individual access to his or her PHI, with limited exceptions.

24 Preemption Example 3 n Contrary? Yes. It is impossible for a provider to comply with both State law and the Privacy Rule (assuming an exception does not apply). n Relates to the privacy of health information? Yes. n More Stringent? No. The Privacy Rule grants an individual greater rights of access than state law. n Preempted? Yes. State law is contrary and less stringent than the Privacy Rule.

25 Preemption Example 4 n State Law requires an insurer to take action on a request for amendment within 30 days. n The Privacy Rule generally requires a health plan to act within 60 days of a request for amendment. n Contrary? No, it is possible to comply with both by complying with the more stringent State law provisions. n Practical Impact: Follow the State law requirement.

26 Topic 3: The ShawPittman HIPAA Privacy Preemption Extranet

27 ShawPittmans Preemption Project n Chosen by HIAA, BCBSA and AAHP to conduct a national preemption analysis applicable to health plans. n Objective -- A national preemption standard for health plans. n 50 States, plus D.C., P.R., V.I. and Guam.

28 WHAT IS COVERED IN THE ANALYSIS? Statutes and regulations that have a direct application to health insurance plans (e.g., health insurers,HMOs, pre- paid health plans, Medicaid managed care plans and Blue Plans) and pharmacies. Statutes and regulations that have an indirect application to health insurance plans (e.g., that limit the information that downstream providers can disclose to health insurance plans for payment and HCO).

29 WHAT IS COVERED IN THE ANALYSIS? Case law and attorneys general opinions that interpret the relevant statutes and regulations included in the Analysis. A list of specifically included and excluded topics is set forth in the Scope Memorandum.

Topic 3: Initial Screen 30

Preemption Analysis 31

Effective Date, Direct vs. Indirect Analysis, Title, and Scope 32

Protected Information 33

Topics and Subtopics 34

35 Topics and Subtopics n 13 Topics - Track Privacy Rule Uses and Disclosures Consents and Authorizations Standards Impacting Uses and Disclosures Individual Access Rights Individual Amendment Rights Individual Accounting Rights Notice Individual Right to Request Restriction on Use or Disclosure

36 Topics and Subtopics n 13 Topics - Track Privacy Rule Individual Right to Request Confidential Communications Administrative Requirements Selected Supplemental Requirements Impacting Health Insurance Plans Other

37 Topics and Subtopics n Subtopics Vary By Topic n Uses and Disclosures 50 subtopics: For example, (1) for fundraising, (2) for health oversight activities, and (3) with authorization or consent of the individual. n Notice 7 subtopics: For example, (1) to whom, (2) timing of distribution, (3) method of distribution, and (4) content of notice.

List Statutes/Regulations 38

39 There are numerous ways to review the information Entire State analysis By Search terms (e.g., AIDS) Sorted: –by statute. –by topics and subtopics

40 ShawPittman N Street, N.W. Washington, DC Providing Comprehensive Legal Services for the Health Care Community WashingtonVirginiaNew York Los AngelesLondon

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.