HIPAA and Disaster Situations By LYNDA M. JOHNSON Friday, Eldredge & Clark.


HIPAA - “The Health Insurance Portability and Accountability Act of 1996.”
• Protects “individually identifiable health information” held by “covered entities”

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
   i. That identifies the individual; or
   ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Covered Entities are:
• Health Care Providers
• Health Plans
• Health Care Clearinghouses

Information Protected by HIPAA is called “Protected Health Information” or “PHI”

WHAT INFORMATION IS COVERED?
• ANY HEALTH INFORMATION RELATING TO:
• Past, present or future physical or mental health or condition
• Provision of healthcare or
• Past, present or future payment for healthcare
• Created/received by provider, plan, or clearinghouse
• Individually identifiable or presents reasonable basis to believe the information can be used to identify the individual
• Includes demographic information
• In any medium: Written, Verbal, Electronic
“Protected Health Information” (PHI)

Covered Entities may use and disclose PHI for purposes of treatment, payment, and healthcare operations.

“TREATMENT” generally means the provision, coordination or management of healthcare and related services among healthcare providers or by a healthcare provider with a third party, consultation between healthcare providers regarding a patient, or the referral of a patient from one healthcare provider to another.

“PAYMENT” encompasses the various activities of healthcare providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of healthcare.

“HEALTHCARE OPERATIONS” are defined to include the business, management and operational activities of a healthcare entity.

AUTHORIZATION Written permission from patient to “use” or “disclose” PHI for a purpose OTHER THAN treatment, payment or healthcare operations.

Privacy Regulations allow Covered Entities to disclose PHI for a variety of purposes including:
• Treating patients
• Identifying, locating and notifying family members, guardians or those responsible for an individual’s care
• Obtaining the services of disaster relief agencies
• Conducting public health activities
• Preventing or lessening serious and imminent threats to health or safety

A “covered entity” may use or disclose PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts.

Covered Entity may exercise its “professional judgment” in making disclosures to disaster relief agencies.

After Hurricane Katrina, OCR issued a special bulletin addressing HIPAA Privacy and Disclosures in Emergency Situations. This bulletin clarified the definition of treatment in an Emergency Situation to include:
• Sharing information with other providers
• Referring patients for treatment (including linking patients with available providers in areas where patients had relocated)
• Coordinating patient care with others (such as emergency relief workers or others) that can help patients find appropriate health services

This Bulletin also clarified that when a provider is sharing PHI with a disaster relief organization, it is not necessary to obtain the patient’s permission (or authorization) to share PHI if doing so would interfere with the organization’s ability to respond to the emergency.

President and HHS Secretary also have the authority to temporarily waive HIPAA requirements in an emergency. This was done with Hurricane Sandy.

This “waiver” waives the imposition of sanctions and penalties for noncompliance with the following HIPAA requirements:
• The requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to “opt out” of the facility directory
• The requirement to distribute a notice of privacy practices
• The patient’s right to request privacy restrictions or to request confidential communications.
(Only if President AND Secretary declare a public health emergency.)

If only HHS Secretary issues the waiver, it only applies:
• To the area designated and for the period specified in the waiver
• To hospitals that have instituted a disaster protocol
• For up to 72 hours after hospital has implemented its disaster protocol

Penalties for violating HIPAA Regulations
Prior to 2009, fines ranged from $100-$25,000 per violation and were capped at $25,000 for any calendar year.

Beginning in February of 2009, new tiered structure for penalties went into effect.

New maximum penalty for violation of the same HIPAA provision is $1.5 million per year. Prior to HITECH, the maximum was $25,000 per year.

| Violation Category | Each Violation | Total CMP for Violations of an Identical Provision in a Calendar Year |
|---|---|---|
| Unknowing | $100 - $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 - $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | At least $50,000 | $1,500,000 |

There are also criminal penalties that can be imposed. In Arkansas, we have more criminal indictments for HIPAA violations than any other state!

QUESTIONS Lynda M. Johnson Friday, Eldredge & Clark, LLP