Working with the HIPAA Privacy Manual and Forms

Presentation transcript:

Working with the HIPAA Privacy Manual and Forms
HIPAA Summit West II
Clark Stanton & Tom Jeffry, Davis Wright Tremaine LLP
Copyright Davis Wright Tremaine LLP - Jan. 2002

Table of Contents
  Introduction
  HIPAA Basics
  Preemption and Interaction with State Law
  Interface with HIPAA Security Requirements
  Special Topics: Health Research; Release of Information; Business Associates
  Patient Rights
  Notice of Privacy Practices
  Administrative Requirements: Privacy Officer; Personnel
  Enforcement of HIPAA

HIPAA Basics

Administrative Simplification Provisions of HIPAA
  Transactions: final standards effective October 2003
  Privacy: final standards effective April 2003
  Security: proposed standards published August 1998; final standards expected this year

Security may be early next year. We will take just a few minutes to quickly cover the two other rules to put the privacy rule in context. Other speakers will cover them in much more detail.

Covered Entities
  Health Plans: plans that provide or pay for medical care
  Health Care Clearinghouses: entities that process or facilitate processing non-standard data elements into standard data elements, or vice versa
  Providers who transmit data electronically: anyone who furnishes, bills or is paid for health care in the normal course of business

Providers must directly or indirectly use electronic means for one of the set of designated transactions in order to be covered. If you really don’t submit anything electronically (or use a clearinghouse to do so), you are not covered. A relatively few providers. Faxing alone does not get you included. We think it will be in the interest of most providers to participate and maximize use of electronic submissions.

Privacy — General Rule
A covered entity may not use or disclose Protected Health Information except:
  For treatment, payment or health care operations (providers usually require a general written “consent”)
  Without consent or authorization, for governmental and other specified public interest purposes
  Pursuant to individual “authorization”
(164.506(a))

Use refers to use within the institution; disclose refers to disclosure outside the institution (including giving access to outsiders). This permits disclosure to non-covered entities (e.g., workers comp carriers, employers) with which the CE does not have to have a business partner agreement. The info would lose its protection. This is one reason why HCFA is urging more comprehensive legislation.

Protected Health Information
  Individually identifiable health information
  In whatever form it exists: electronic, written, oral
  But not “de-identified” information
(164.504)

Protects individually identifiable health information that has been maintained or transmitted in electronic format by a covered entity; it would be protected in whatever form it exists, as long as it is held by a covered entity.

Protected Health Information
Individually identifiable health information — information relating to:
  An individual’s health or condition
  Provision of health care to an individual
  Payment for health care to an individual
that identifies an individual, or where there is a reasonable basis to believe it can be used to identify an individual (164.504)

“Health information” is such information created or received by a health care provider, health plan, public health authority, employer, life insurer, school or health care clearinghouse. “Individually identifiable health information” is such information, including demographic information collected from an individual, created by or received from a health care provider, health plan, employer or health care clearinghouse. Note, however, that individually identifiable health information is protected health information only if it is electronically transmitted or maintained by a covered entity; so it doesn’t cover health information created or received by an employer as such.

Payment for health care includes related activities: coverage determinations; risk adjusting payments based on enrollee health status and demographic characteristics; billing, claims management, medical review, medical data processing; review of services for medical necessity, coverage, appropriateness; utilization review. [Note this also affects disclosure for payment purposes; HCFA is particularly concerned about disclosure to employers; HCFA invites comments on the disclosure of identifiable HCI to employers, 59937.]

The “reasonable basis” test ties into the reg on de-identified information.

De-Identification
  Confidentiality requirements do not apply to health information that has been “de-identified”
  Qualified person must determine that risk of re-identification is “very small”
  Removal of specified identifiers creates presumption of de-identification
(164.506(d); 59946)

De-identified information is not protected. CEs can sell it, for example.

De-Identification
Information is presumed de-identified if —
  The following identifiers are removed or concealed:
  And the CE does not have actual knowledge that the recipient could use it to identify the individual
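The de-identification presumption described on the two slides above, as an added Python example that is not part of the presentation or the firm's materials. The slide's list of identifiers did not survive extraction, so IDENTIFIER_FIELDS, FREE_TEXT_FIELDS and SAMPLE_RECORD are assumed and constructed for illustration, not the rule's own list. The check enforces both conditions on the slide: every identifier field is gone (with its value also scrubbed out of free-text fields, where identifiers commonly leak), and the covered entity has no actual knowledge that the recipient could re-identify the individual.

```python
import re

# Assumed identifier fields; illustrative, not the regulation's own list.
IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "health_plan_id", "date_of_birth", "account_number",
})
# Free-text fields that may repeat an identifier value (e.g. a patient name in a note).
FREE_TEXT_FIELDS = frozenset({"clinical_notes"})

# Constructed sample record (not real PHI).
SAMPLE_RECORD = {
    "name": "Jane Roe",
    "mrn": "MRN-000123",
    "date_of_birth": "1970-04-02",
    "phone": "555-0100",
    "diagnosis_code": "E11.9",
    "visit_year": 2001,
    "clinical_notes": "Jane Roe (MRN-000123) reports improved glucose control.",
}


def identifier_values(record: dict) -> list:
    """Values of the identifier fields present in a record, longest first so
    that redacting a longer value never leaves a shorter fragment behind."""
    vals = [str(record[f]) for f in IDENTIFIER_FIELDS if record.get(f)]
    return sorted(vals, key=len, reverse=True)


def strip_identifiers(record: dict) -> dict:
    """Copy of `record` with identifier fields dropped and their values
    redacted out of the free-text fields."""
    values = identifier_values(record)
    out = {}
    for key, val in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if key in FREE_TEXT_FIELDS and isinstance(val, str):
            for v in values:
                val = re.sub(re.escape(v), "[REDACTED]", val, flags=re.IGNORECASE)
        out[key] = val
    return out


def residual_identifiers(deidentified: dict, original: dict) -> list:
    """Identifier values from the original record that still appear anywhere
    in the de-identified record (as a field value or inside free text)."""
    blob = " ".join(str(v) for v in deidentified.values()).lower()
    return [v for v in identifier_values(original) if v.lower() in blob]


def is_presumed_deidentified(deidentified: dict, original: dict,
                             actual_knowledge: bool = False) -> bool:
    """The slide's presumption holds only if every identifier field is gone,
    no identifier value survives elsewhere in the record, and the covered
    entity has no actual knowledge that the recipient could re-identify
    the individual."""
    if actual_knowledge:
        return False
    if not IDENTIFIER_FIELDS.isdisjoint(deidentified):
        return False
    return not residual_identifiers(deidentified, original)


if __name__ == "__main__":
    cleaned = strip_identifiers(SAMPLE_RECORD)
    print(cleaned)
    print("presumed de-identified:", is_presumed_deidentified(cleaned, SAMPLE_RECORD))
```

The residual check matters in practice: dropping the identifier columns is easy, but a name or record number copied into a free-text note defeats the presumption just as surely, and the "actual knowledge" flag is a reminder that the presumption is rebutted by what the covered entity knows about the recipient, not only by what is in the data.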

Required Disclosures
  To the individual, pursuant to request
  To the Secretary of DHHS, to determine compliance

Permitted Disclosures
A covered entity may not use or disclose Protected Health Information except:
  For treatment, payment or health care operations (providers usually require a general written “consent”)
  Without consent or authorization, for governmental and other specified purposes
  Pursuant to individual “authorization” for other purposes
(164.506(a))

Disclosures Requiring Consent: Treatment
Treatment includes —
  Provision of health care
  Coordination of health care
  Referral for health care
(164.504)

The use or disclosure does not have to be for the treatment of the person whose PHI is being used or disclosed.

Disclosures Requiring Consent: Payment
Payment includes —
  Health plan activities to determine payment responsibilities and make payment
  Provider activities to obtain reimbursement
Such as —
  Coverage determinations
  Billing and claims management
  Medical review, medical data processing
  Review of services for medical necessity, coverage, appropriateness; utilization review

Disclosures Requiring Consent: Health Care Operations
Health care operations include —
  Quality assessment and improvement
  Peer review, education, accreditation, certification, licensing and credentialing
  Insurance-related activities
  Auditing and compliance programs
  Business planning and development
  Business management and general administration
Health care operations do not include —
  Using PHI for marketing
  Use by non-health related division of same information (e.g., by life underwriting operation of health insurer)
  Disclosure to an insurer for making pre-enrollment determinations
  Disclosure to an employer for employment determinations
  Use for fund-raising purposes

QUESTION: WHAT ABOUT POSTCARDS TO PATIENTS WITH APPOINTMENT REMINDERS? QUESTION: WHAT ABOUT MEDICAL AUDITS?

Notice of Privacy Practices
  Provider’s routine uses/disclosures of PHI
  Description of patient rights (next slide)
  Provider duties (e.g., abide by terms of notice)
  How to file a complaint w/ provider/DHHS
  Contact information

Patient Rights
  Right to inspect and copy PHI
  Right to amend (if info is incorrect or incomplete)
  Right to accounting of non-routine disclosures of PHI
  Right to request additional restrictions on use/disclosure
  Right to request confidential communications of PHI
  Right to written notice of how provider will use/disclose PHI (copy of NPP)
  Right to authorize release for non-routine use/disclosure; consent to routine use/disclosure (~health plans)

Consent Requirements
  Required at outset of care or enrollment
  Covers treatment, payment and health care operations
  Inform patient of: CE’s privacy practices; right to request additional restrictions; right to revoke consent for future actions
  Signed and dated

Consent Requirements
  May not be combined with notice of privacy practices
  May be combined with informed consent if visually separate and separately signed
  Joint consents prohibited except for organized health care arrangements that share a privacy notice

Consent Requirements
Exceptions —
  Indirect treatment relationship: delivers care on orders of another provider; reports to the other provider
  Provider unable to obtain consent: emergencies; communication barriers, but consent can be inferred; legal obligation to treat
  Provider must document attempt to obtain consent

Disclosures Requiring Oral Agreement
Individuals must have opportunity to agree or object to certain uses or disclosures of PHI:
  Directory (name, location, general condition & religious affiliation)
  Disclosure to family/friends involved in patient’s treatment of PHI directly related to their involvement
  Notification to responsible person about location, general condition or death
If the individual objects, CE may not disclose (164.506(a))

QUESTION: HOW DO YOU PROVIDE THE OPPORTUNITY?

Permitted Disclosures: Government and Other Purposes
  As required by other laws
  Public health activities
  Victims of abuse, etc.
  Health oversight activities
  Judicial and administrative proceedings
  Law enforcement purposes
  Decedents — coroners and medical examiners
  Organ procurement
  Research purposes, under limited circumstances
  Imminent threat to health or safety (to the individual or the public)
  Specialized government function
  Workers’ compensation

These permit (but do not compel) disclosure of PHI.
Public health activities: disclosure to public health authorities, and to persons at risk.
Health oversight activities: disclosure to health oversight agencies (not defined).
Judicial and administrative proceedings: in response to a court order, or where the individual is a party to the proceedings and his medical condition is in issue.
Coroners and medical examiners: for identifying a deceased person and cause of death.
Law enforcement purposes: pursuant to legal process (warrant, grand jury subpoena, administrative request); identification of individuals; information about victim of crime or abuse; intelligence and national security activities; health care fraud reporting; governmental health data systems.
Directory purposes: persons not incapacitated must agree; incapacitated persons need not; can disclose name, location in the facility, and general condition (not specific medical information).
Banking and payment processes: disclosure to financial institution for routine activities.
Research purposes. Requires waiver of authorization by IRB or privacy board, and a determination that the research meets certain criteria, including that it cannot practically be conducted without the waiver, that its importance outweighs the intrusion into subjects’ privacy, that the waiver poses no more than a minimal risk to the subjects, and that it will not adversely affect their rights and welfare.
Emergencies: permits disclosure to the individual or the public to prevent serious and imminent threat to health and safety.
Next of kin: includes close personal friends, where directly relevant to the person’s involvement in the individual’s health care.
Other laws: applies only to uses or disclosures not covered by the reg.

Authorization
  CEs must obtain express authorization for disclosure of PHI not covered by “consent” or otherwise authorized by HIPAA
  Authorization must be in writing using forms meeting specific requirements
  Model forms in the proposed rule were withdrawn
  CE may not condition treatment on “authorization” — except for clinical trials
  Authorization is revocable at will

Permitted Disclosures: Individual Authorization
Required elements —
  Meaningful and specific description of information
  Identity of persons authorized to make disclosure (may be by class)
  Specific identity of persons to whom disclosure may be made
  Date and signature
  Expiration date
Where authorization requested by CE —
  Description of purpose of request
  Statement of financial gain

Permitted Disclosures: Individual Authorization
Other rules —
  CE may condition treatment or enrollment on “consent”
  CE may not condition treatment on “authorization” for other purposes, except for clinical trials
  Authorization and consent are revocable at will, except to the extent the entity has relied on them

Psychotherapy Notes. Specific authorization is required for any use or disclosure, except by the psychotherapist who made the notes.

Research information unrelated to treatment means information created or received in the course of research for which there is insufficient evidence to warrant its use in providing health care, and for which the provider does not request payment from a health plan. Effect is that specific authorization is always required for use or disclosure in treatment, payment or health care operations.

Authorization: Psychotherapy Notes
A covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:
(i) To carry out the following treatment, payment, or health care operations, consistent with the requirements for consent:
  Use by originator of the psychotherapy notes for treatment;
  Use or disclosure by the CE in training programs, or
  Use or disclosure by the CE to defend a legal action or other proceeding brought by the individual; and

Authorization: Psychotherapy Notes (cont’d)
A covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:
(ii) A use or disclosure under the following circumstances:
  to the individual
  required by law (e.g., abuse reporting, judicial proceedings, law enforcement purposes)
  for oversight of the originator of the psychotherapy notes
  to a coroner or medical examiner, or
  is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public

Minimum Necessary Information
  CE must make reasonable efforts to limit uses, disclosures and requests for PHI to the minimum necessary
  Exceptions: disclosure to a provider for treatment; disclosure to individual; disclosure to DHHS for HIPAA compliance; disclosure required by law

Deals with the situation where the CE has more information available than is necessary for the purposes of the disclosure. No bright-line test: weigh the cost and practicality of limiting the information against the effect of broader disclosure. No minimum standard; some effort is required. The requirement would vary according to the technological capabilities and practices of the entity. Generally, the entity makes the determination, except where the disclosure is mandated by law, in which case the responsible agency would make the determination, or where the info is requested by a health plan for audit purposes, in which case the health plan makes the determination. Focused both on the scope of information disclosed and on the range of persons to whom it is disclosed, so there is some overlap with the security regulations. For computerized records, disclosure would be limited to records and fields necessary for the purpose of the disclosure. For paper records, selective copying or the use of order forms. Requires consideration of whether de-identified information could be used. Would preclude disclosure of entire medical record in absence of an explanation. Required: implementation of procedures describing the process for making determinations, the persons responsible, and review of disclosure practices.

PAUL, PLEASE TALK A LITTLE ABOUT THE USES OF PHI INSIDE AND OUTSIDE A CE – HOW DOES THE MINIMUM NECESSARY DOCTRINE WORK?

Minimum Necessary Information
Uses of PHI. CE must:
  Identify persons or classes of persons who need access to PHI
  Identify their need for health information and the conditions to access
  Limit access accordingly
Disclosures of and requests for PHI. CE must:
  Implement policies to limit routine disclosures and requests
  Review non-routine disclosures and requests individually

Minimum Necessary Information
CE may rely on scope of information requested by —
  A public official
  Another covered entity
  A “professional” providing services to the CE
  Researchers (as long as the research requirements are satisfied)
A CE may not disclose the entire record, unless it is specifically justified
But this does not apply to disclosure to providers for treatment
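The access-limitation steps on the three minimum-necessary slides above, as an added Python example that is not the presentation's or the firm's own code. The role names, purpose names, the routine policy table and SAMPLE_RECORD are assumed for illustration. The function applies the slides' rules in order: the exceptions first (disclosure to a provider for treatment, to the individual, to DHHS for compliance, or as required by law), then the pre-defined field set for a class of persons making a routine request against a computerized record, then reliance on the scope requested by a public official, another covered entity, a professional or a researcher, and finally individual review for anything non-routine, refusing the entire record unless a justification is documented.

```python
class MinimumNecessaryDenied(Exception):
    """Raised when a request cannot be satisfied under the minimum-necessary policy."""


# Purposes the slide exempts from the minimum-necessary limit (assumed names).
EXEMPT_PURPOSES = frozenset({
    "treatment_to_provider", "individual_request", "dhhs_compliance", "required_by_law",
})

# Assumed routine policy: (class of persons, purpose) -> fields that class needs.
ROUTINE_POLICY = {
    ("billing_clerk", "payment"): frozenset(
        {"mrn", "dates_of_service", "procedure_codes", "charges", "insurer"}),
    ("quality_reviewer", "health_care_operations"): frozenset(
        {"mrn", "dates_of_service", "procedure_codes", "outcome"}),
}

# Requester classes whose stated scope the CE may rely on (slide list; assumed names).
RELIANCE_ROLES = frozenset({"public_official", "covered_entity", "professional", "researcher"})

# Constructed sample record (not real PHI).
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Roe",
    "dates_of_service": ["2001-11-02"],
    "procedure_codes": ["99213"],
    "charges": 120.0,
    "insurer": "Example Plan",
    "diagnosis_code": "E11.9",
    "outcome": "improved",
    "clinical_notes": "Reports improved glucose control.",
}


def _select(record: dict, fields) -> dict:
    """Fields of the record in the permitted set, in the record's own order."""
    return {k: v for k, v in record.items() if k in fields}


def minimum_necessary_view(record: dict, role: str, purpose: str,
                           requested_fields=None, review=None) -> dict:
    """Return the subset of `record` disclosable to `role` for `purpose`.

    review: the outcome of the individual review a non-routine request needs,
    e.g. {"approved_fields": [...], "justification": "..."}; the value
    "entire_record" for approved_fields is honoured only with a justification.
    """
    # 1. Exceptions: the minimum-necessary limit does not apply at all.
    if purpose in EXEMPT_PURPOSES:
        return dict(record)

    # 2. Routine use or disclosure: the class's pre-defined field set.
    policy = ROUTINE_POLICY.get((role, purpose))
    if policy is not None:
        return _select(record, policy)

    # 3. Reliance on the requester's stated scope, but never the entire
    #    record without a specific justification.
    if role in RELIANCE_ROLES and requested_fields is not None:
        wanted = set(requested_fields)
        justified = bool(review and review.get("justification"))
        if wanted >= set(record) and not justified:
            raise MinimumNecessaryDenied("entire record requested without specific justification")
        return _select(record, wanted)

    # 4. Anything else is non-routine and must have been reviewed individually.
    if not (review and review.get("justification")):
        raise MinimumNecessaryDenied(
            f"non-routine request ({role}, {purpose}) needs individual review with a justification")
    approved = review.get("approved_fields")
    if approved == "entire_record":
        return dict(record)
    return _select(record, set(approved or ()))


if __name__ == "__main__":
    print(minimum_necessary_view(SAMPLE_RECORD, "billing_clerk", "payment"))
    print(minimum_necessary_view(SAMPLE_RECORD, "researcher", "research",
                                 requested_fields=["diagnosis_code", "outcome"]))
```

Keeping the policy as data rather than scattered conditionals mirrors the slide's "identify the classes, identify their need, limit access accordingly": the ROUTINE_POLICY table is the artifact a privacy officer reviews, and every request that falls outside it is forced through the individual-review path instead of silently receiving the whole record.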

Marketing
No authorization required for —
  Face-to-face encounter
  Marketing concerning products or services of nominal value
  Marketing concerning health-related services

Marketing
Communications for health-related services must —
  Identify covered entity
  Disclose remuneration
  Contain opt-out (except for general newsletters)
If targeted based on health condition —
  Be based on determination of benefit to patient
  Explain why the individual has been targeted

Fundraising
CE may use or disclose to BA or related foundation for purposes of raising funds for CE’s benefit —
  Demographic information
  Dates of health care provided
CE must include opt-out information in fund-raising materials

Special Rules: Organizational Requirements
  Hybrid entities
  CEs with multiple covered functions
  Affiliated covered entities
  Organized health care arrangements
  Group health plans

Special Rules: Organizational Requirements — Hybrid entity
  Covered entity whose covered functions are not its primary functions
  Covered with respect to its health care component
  May not disclose PHI to other components, except as permitted to third parties (but it doesn’t need BA agreements among its components)
  Must designate health care components

Special Rules: Organizational Requirements
Covered entities with multiple covered functions
- Must comply with the requirements for each function
- May disclose PHI only as necessary for the function for which the disclosure is made

Special Rules: Organizational Requirements
Affiliated Covered Entities
- Separate covered entities under common ownership or control may designate themselves a single covered entity
- Ownership means an interest of 5% or more
- Control means significant influence

Affiliated Entities
Covered entities joined through common ownership or control
Affiliated covered entities may:
- Act as a single covered entity with a single compliance program
- Appoint a single privacy officer
- Utilize centralized reporting mechanisms
- Adopt a single Notice of Privacy Practices
- Adopt single consent and authorization forms
Do not assume that affiliated covered entity status will always be desirable, even if it is available.

Affiliated Entities
To qualify as affiliated entities:
- Must meet the definition of a “covered entity”
- Must be a distinct legal entity
- Must share common ownership or control
Common ownership means an ownership or equity interest of 5% or more.
“Common control” is not so clearly defined: “the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.”
Hospital chain example.

Special Rules: Organizational Requirements
Organized Health Care Arrangements
- Clinically integrated care setting in which individuals typically receive health care from more than one provider.
- Certain relationships between a group health plan and HMOs, health insurers and/or other group health plans.
- An organized system of health care in which the covered entities:
  - Hold themselves out to the public as participating in a joint arrangement; and
  - Participate in joint UR, QA or payment activities.

Organized Health Care Arrangements
Examples:
- Hospital and its medical staff
- Staff-model HMOs
- Independent practice association
- Medical group

Organized Health Care Arrangements
- Unlike affiliated covered entities, not treated as a single covered entity.
- Entities may share PHI for treatment, payment and operations without business associate agreements.
- May use a single Notice of Privacy Practices and joint consent form.

Special Rules: Organizational Requirements
Group health plans
- Plan documents must restrict disclosure of PHI to sponsor by plan and insurer/HMO
- Plan may disclose summary health information for:
  - Obtaining premium bids
  - Modifying or terminating the group health plan

Special Rules: Organizational Requirements
Group Health Plans (cont’d)
Other disclosures to plan sponsor:
- Limited to plan administration functions
- Must be pursuant to assurances relating to use and disclosure (like BA agreement)
- No use for employment-related actions
- “Adequate separation” between plan and sponsor

Special Rules: Administrative Procedures
CEs must have policies, procedures, and systems to protect health information and individual rights.
- Designation of a privacy officer and contact person
- Privacy training for workforce
- Administrative and technical safeguards to prevent intentional or accidental misuse of PHI
- Means for individuals to lodge complaints
- Sanctions for employee violations
- Mitigation procedures

Speaker notes: PAUL: Q: What is the training requirement? A: Training is (a) in provider policies and procedures and (b) scalable (164.518; 59988). Privacy training is required only for members of the workforce who have access to PHI. It has to be done by the effective date; new employees within a reasonable time, and policy changes within a reasonable time. In a small MD’s office, this could be satisfied by providing each employee with a copy of the information policies and requiring him/her to acknowledge having reviewed it. A large health plan might have live training, video presentations or interactive software. The employee has to sign a certification that he will honor the CE’s policies. This has to be signed every 3 years; there is no requirement for retraining. Administrative and technical safeguards: procedures to verify the identity and authority of a person requesting PHI where there are not routine dealings; procedures to prevent violations by its workforce and business partners. CE not liable for disclosure of PHI by whistleblowers! The complaint standard requires maintenance of a complaint log, with disposition. No formal procedures required. Sanctions are not specified--the CE has to develop them. Mitigation procedures are to address the deleterious effect of a use or disclosure in violation--not specified. Documentation: all this must be documented in a written policy.

How to Get Started

The 5 Stages of HIPAA
- Denial
- Anger
- Bargaining
- Depression
- Acceptance

Strategic Planning
Board of Directors and senior management should be involved in high-level decisions, such as:
- Organizational structure (if applicable)
- Designation of privacy and security officers and related committees
- Role of legal counsel
- Funding

Getting Started
- Designate a privacy official
  - Identify job responsibilities and reporting relationships
  - See AHIMA sample job description in Manual
- Designate a security official
  - May, but need not be, the privacy officer

Privacy Officer
- In larger organizations, Privacy Officer and Security Officer should probably be two different people
- Privacy Officer responsible for access to, and uses and disclosures of, PHI
- Interaction with department, committee and clinical personnel

Security Officer
Responsible for knowledge of network and enterprise-wide information systems and architecture, including:
- Security threats and mechanisms
- Intrusion management
- Firewall administration
- Incident response
- Activity monitoring and auditing

Organize a Privacy Committee
HIPAA compliance is an organization-wide effort.
Possible members of a privacy committee:
- Privacy officer
- Compliance officer
- Internal auditor
- Medical staff coordinator

Organize a Privacy Committee
- Risk manager
- Director of contracting
- Director of financial services
- Director of health information
- Director of human resources
- Director of information technology
- Director of nursing
- Director of public affairs

Organize a Privacy Committee
Privacy Committee has a big job:
- Review and assess current privacy practices
- Determine what new policies and procedures are needed
- Write new policies and procedures
Privacy Officer cannot be the only person who understands HIPAA.

Inventory of Information Practices
Committee should begin by inventorying the ways that your organization uses and discloses PHI.
Each use and disclosure must be evaluated to determine if it:
- Is permissible without further consent or authorization
- Complies with “minimum necessary” standard

Policies and Procedures
New policies and procedures will need to be developed for:
- Creating, distributing, retaining, storing, retrieving and destroying records that contain PHI
- Notifying patients of privacy practices
- Monitoring HIPAA compliance
- Processing complaints about privacy violations
- Entering into contracts with business associates
- Sanctioning HIPAA violators
- Protecting HIPAA complainants against retaliation

Policies and Procedures
- Policies and procedures must be maintained in written or electronic form (can’t just “do the right thing”).
- Must retain policies and procedures for six years from the date of creation or the last effective date, whichever is later.

Workforce Training
Privacy and security awareness training for:
- Entire workforce by compliance date
- New employees following hire
- Affected employees after material changes in policies
Document training.

Workforce Training
- “Workforce” includes employees, volunteers, trainees and others whose work is under the provider’s control.
- Hospital medical staff are not workforce, but privacy training for physicians is advisable.
- Method of training is not specified (videos, handouts, tapes, etc.).

Workforce Sanctions
Providers must develop sanctions for employees and other workforce members who violate policies and procedures.
Sanctions should:
- Be consistent with existing disciplinary requirements.
- Be consistently enforced.
- Distinguish between major and minor infractions.

Workforce Sanctions
- Sanctions do not apply to whistleblowers.
- Breaches by business associates should be addressed in the business associate agreement.

Security Standards
Applies to health information whether or not identifiable:
- Administrative procedures
- Physical safeguards
- Technical security services
- Technical security for network communications

HIPAA Security
The HIPAA statute requires covered entities to: “maintain reasonable and appropriate administrative, technical and physical safeguards … to ensure the integrity and confidentiality of [PHI] …”
Do you put the emphasis on “reasonable” or “ensure”? In terms of dollars spent on IT upgrades, the difference can be huge.

HIPAA Security
- Did HHS intend to apply Pentagon-level security to a two-physician medical office?
- HHS has emphasized “reasonableness” in public statements.
- The proposed Security Rule offers a useful example involving a “small or rural provider”: a physician office with 1-4 physicians, 2-5 employees.

HIPAA Security
Physician Office
- PC-based practice management system.
- Does not employ a systems administrator (too small).
- Self-certify that appropriate security is in place using a knowledgeable staff person or consultant.
- Assess risks and develop policies and procedures to address them.

HIPAA Security
Physician Office
- Security configuration management
- Can rely on features of purchased hardware and software, like virus protection software
- Activate internal auditing capabilities of software to track access to data
- Use locked rooms or closets to secure equipment and disks

HIPAA Security
Physician Office
- Locate terminals in areas where the public may not access them
- User-based data access (user name, password approach)
- Use encryption for Internet transmission of PHI
- Chain of trust agreement with third party handling claims processing
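The minimum-necessary notes earlier in the deck (limit computerized disclosures to the records and fields the purpose needs, consider whether de-identified data would do, do not release an entire record without an explanation) and the physician-office slides (user-based data access, switch on the software's auditing to track access to data) describe one control from two angles. The Python below is an added example written for this page; it is not code from the presentation or from Davis Wright Tremaine. The purposes, field sets, user names and the single patient record are constructed assumptions chosen to illustrate the slides, not a regulatory field list.

```python
"""Purpose-scoped ("minimum necessary") PHI release with an access audit trail.

Added example; not code from the presentation or from Davis Wright Tremaine.
The purposes, field sets, user names and patient record are constructed for
illustration and are not a regulatory field list.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Fields a disclosure for each purpose may include (assumed, illustrative).
# A purpose with no entry is refused rather than defaulting to "everything".
MINIMUM_NECESSARY = {
    "treatment": {"patient_id", "name", "dob", "diagnoses", "medications", "allergies"},
    "payment":   {"patient_id", "name", "dob", "procedure_codes", "insurer_id"},
    "audit":     {"patient_id", "procedure_codes", "service_dates"},
}

# Direct identifiers dropped when a de-identified view will serve the purpose.
DIRECT_IDENTIFIERS = {"patient_id", "name", "dob", "insurer_id"}

# Constructed sample record standing in for a practice-management database row.
SAMPLE_RECORDS = [{
    "patient_id": "P-0001", "name": "Jane Example", "dob": "1970-01-01",
    "diagnoses": ["J45.20"], "medications": ["albuterol"], "allergies": [],
    "procedure_codes": ["99213"], "insurer_id": "INS-EXAMPLE-42",
    "service_dates": ["2002-01-15"],
}]


@dataclass
class AuditEntry:
    """One line of the access log the slides ask the office to switch on."""
    when: str
    user: str
    purpose: str
    patient_id: str
    fields_released: list
    full_record: bool
    justification: str


class MinimumNecessaryError(PermissionError):
    """Raised when a request cannot be scoped to a known purpose."""


class PhiStore:
    """In-memory stand-in for the office's patient table plus its audit log."""

    def __init__(self, records):
        self._records = {r["patient_id"]: r for r in records}
        self.audit_log = []

    def disclose(self, user, patient_id, purpose, *, deidentify=False,
                 full_record_justification=None):
        """Return only the fields the stated purpose needs, and log the release.

        The entire record goes out only when the caller supplies a written
        justification, mirroring the rule that a whole-record disclosure needs
        an explanation; every release, scoped or not, is recorded.
        """
        record = self._records[patient_id]
        full_record = bool(full_record_justification)
        if full_record:
            released = dict(record)
        else:
            allowed = MINIMUM_NECESSARY.get(purpose)
            if allowed is None:
                raise MinimumNecessaryError(f"no field policy for purpose {purpose!r}")
            released = {k: v for k, v in record.items() if k in allowed}
        if deidentify:
            released = {k: v for k, v in released.items() if k not in DIRECT_IDENTIFIERS}
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, purpose=purpose, patient_id=patient_id,
            fields_released=sorted(released),
            full_record=full_record,
            justification=full_record_justification or "",
        ))
        return released

    def audit_lines(self):
        """Render the log as JSON lines for review by the privacy officer."""
        return [json.dumps(asdict(e), sort_keys=True) for e in self.audit_log]


def demo():
    """Walk through a payment request, a de-identified audit pull and a refusal."""
    store = PhiStore(SAMPLE_RECORDS)
    billing_view = store.disclose("billing_clerk", "P-0001", "payment")
    audit_view = store.disclose("plan_auditor", "P-0001", "audit", deidentify=True)
    try:
        store.disclose("sales_rep", "P-0001", "marketing")
        refused = False
    except MinimumNecessaryError:
        refused = True
    return billing_view, audit_view, refused, store


if __name__ == "__main__":
    billing, audit, refused, store = demo()
    print("payment fields:", sorted(billing))
    print("de-identified audit fields:", sorted(audit))
    print("marketing request refused:", refused)
    print("\n".join(store.audit_lines()))
```

The design point is that the purpose table is the only way to get data out without a logged justification, so a request for an unlisted purpose fails closed, and the audit log records who received which fields for what purpose, which is the evidence the notes say a CE must be able to review.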

Preemption: How It Works and The Fun We’ll Have

Preemption under HIPAA
Public Law 104-191, Section 1178: HIPAA (any provision, requirement, standard or implementation specification of HIPAA) shall supersede any contrary provision of State law.
Preemption applies to all of HIPAA, not just the privacy portion.

Speaker notes: HIPAA 1178(a), 264(c)(2); Reg 160.201 ff. Excepted are: state laws that the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate State regulation of insurance and health plans, for State reporting on health care delivery, and other purposes for improving the health care delivery system; state laws for public health reporting, surveillance, investigation or intervention; state laws that address controlled substances. HIPAA pre-empts only state laws that are designed to regulate the privacy of health information, not those that do so only incidentally.

Exceptions to Preemption
- State laws addressing controlled substances
- Where DHHS determines a State law is necessary:
  - To prevent fraud and abuse
  - To ensure appropriate regulation of health plans
  - For reporting on healthcare delivery or costs
  - To serve a compelling need related to public health, safety or welfare
DHHS must determine the invasion of privacy is warranted when balanced against the need.

Exceptions to Preemption
- Public health laws for reporting disease, injury, child abuse, birth or death, or public health surveillance, investigation or intervention
- Laws requiring health plans to report or provide access to information for audits, program monitoring, or facility or individual licensure or certification
- Laws relating to the privacy of health information that are contrary to and more stringent than the HIPAA requirements

Preemption: Contrary
Contrary means:
- Covered entity could not comply with both State law and the HIPAA requirement; or
- State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA

Preemption: More Stringent
More stringent means that State law:
- Has stricter limits on use or disclosure of health information
  - Except for disclosures to DHHS or patient
- Gives greater rights of access to or correction of health information by the patient
  - Does not affect State laws authorizing or prohibiting disclosure of information about a minor to parent or guardian
- Has harsher penalties for unauthorized use or disclosure

Preemption: More Stringent
- Provides greater information to individuals regarding use, disclosure, rights or remedies
- Has stricter requirements for authorizing or consenting to the disclosure of information
- Has stricter standards for record-keeping or accounting for disclosures of information
- With respect to any other matter, provides greater privacy protection to the patient

Requesting Exceptions
Process for requesting exceptions from DHHS:
- Anyone may request an exception
- Request by a state must be submitted through its chief elected official or designee
- Some preemption issues will ultimately be determined through dialogue between state government and DHHS

How Preemption Will Work
- Preemption will focus on specific elements and aspects of State laws
- HIPAA will be the baseline
- State law will be given effect only to the extent that (a) there is no HIPAA law on the issue; (b) State law is more stringent; or (c) there is an exception
- Exemptions will apply to specific State laws, not entire State schemes

Speaker notes: 164.504. Protects individually identifiable health information that has been maintained or transmitted in electronic format by a covered entity; it would be protected in whatever form it exists, as long as it is held by a covered entity.

How Preemption Will Work
California Example: No California equivalents for:
- Business associates
  - CEs must contract with entities that receive PHI in order to perform services for/on behalf of the CE
- Minimum necessary
  - CEs should not ask for or release more than the minimum necessary PHI required for the purposes for which release is sought

How Preemption Will Work
California Example: No California equivalents (cont’d):
- Notice to patient of CE practices with respect to its handling of PHI
  - No notice requirement in CA law
- Requirement of patient consent for use of PHI for treatment, payment and operations
  - California permits disclosure for such purposes without patient authorization or notice

How Preemption Will Work
California Example: Key California provision for preemption analysis purposes
- Civil Code section 56.10(c)(14): Information may be disclosed when the disclosure is otherwise specifically authorized by law
- This provision will permit the disclosure of health information that is permitted by HIPAA when there is a question whether it is allowed under CA law

Business Associates

Business Associates
Satisfactory Assurances
- A covered entity may disclose protected health information to business associates if it obtains “satisfactory assurances” that business associates will appropriately safeguard the information
- Business associate contract required

Use and Disclosure — Who Is a Business Associate?
A person who receives individually identifiable health information and:
- On behalf of a covered entity, performs or assists with a function or activity involving use or disclosure of information or otherwise covered by HIPAA
- Provides certain identified services to a covered entity
- May be a covered entity
Examples: lawyers; actuaries; billing firms; other covered entities; clearinghouses; accountants, auditors; financial services entities; management firms; consultants, vendors; accreditation organizations

No Business Associate Relationship
- Health plan provides member info to pharmaceutical company to market drug
- Hospital contracts with bank to process credit card payments
- Medical group uses courier services to deliver medical records to laboratory

Use and Disclosure — Business Associate Contracts
A covered entity may disclose protected health information to business associates if it:
- Obtains “satisfactory assurances” that business associates will appropriately safeguard the information
- Business associate contract required
Form agreement included in manual
- Informational purposes/not legal advice
- Any form must be adapted and individualized

Business Associate Contracts — Required Terms
- Use and disclose information only as authorized in the contract (Sections 2(a), 2(b))
  - No further uses and disclosures
  - Such uses and disclosures may not exceed what the covered entity may do under HIPAA
  - Data aggregation services exception
- Implement appropriate privacy and security safeguards (2(c))
- Report unauthorized disclosures to covered entity (2(d))
- Make available protected health information under access, amendment and accounting of disclosures rights (2(f), 2(g), 2(h))
  - Incorporate any amendments to PHI

Business Associate Contracts — Required Terms
- Make available its records to HHS for determination of covered entity’s compliance (2(i))
- Return/destroy protected health information upon termination of arrangement, if feasible (4(d))
- Ensure agents and subcontractors comply (2(e))
- Authorize termination by covered entities (4(a))

Business Associate Contracts — Provisions to be Considered
- Right to review contracts between business associates and their subcontractors/agents
- Business associate’s insurance (2(m))
- Indemnification (5)
- Use for management and administration (2(a), 2(b))
- Effective date and “placeholder” provisions

Liability for Business Associates
- If covered entity knows of a pattern of activity constituting a breach by the business associate, then must take reasonable steps to:
  - Cure the breach, or
  - End the violation
- If unsuccessful, must:
  - Terminate if feasible, or
  - Report to DHHS
- Reprieve from proposed regulations
- Substantial and credible evidence standard

Business Associate Considerations
- Identify likely business associates
  - Start by listing everyone who receives individually identifiable health information
  - Determine who is/is likely to be a business associate
- Allow for educational lead time

Enforcement

Enforcement - Penalties
- CMPs against persons who fail to comply
  - $100 per violation, not to exceed $25,000/year
- Criminal penalties for knowingly disclosing or obtaining PHI or using a unique health ID
  - Knowing only: $50,000, 1 yr, or both
  - False pretenses: $100,000, 5 yrs, or both
  - Use for commercial or personal gain or malicious harm: $250,000, 10 yrs, or both

Speaker notes: HIPAA 1176. The $25,000 limit is for the same person for violations of an identical requirement. A person can escape liability by showing (1) that it did not know, and by exercising reasonable diligence would not have known, that it violated the provision, or (2) that the failure was due to a reasonable cause and not willful neglect, and was corrected within 30 days.

Enforcement - Process
- Authority to impose civil money penalties has been delegated to the DHHS Office for Civil Rights
- Individuals may file complaints with DHHS/OCR, which will investigate
- DHHS/OCR may also conduct periodic HIPAA compliance reviews
- HIPAA provides no private right of action
  - But state law may authorize private actions

Working with the HIPAA Privacy Manual and Forms