GW&T © 2006 Garfunkel, Wild & Travis, P.C. RESPONDING TO GOVERNMENT SUBPOENAS AND OTHER OFFICIAL INQUIRIES UNDER HIPAA September 25, 2006 Judith A. Eisen,

Slides:



Advertisements
Similar presentations
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Advertisements

Responding to Subpoenas and Law Enforcement Demands for PHI: An Overview Janet A. Newberg Chair, Health Law Section Felhaber Larson Fenlon & Vogt, P.A.
 What is the Privacy Rule? The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) governs the use and disclosure of.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Presented by Jennifer Coughlin Eugene, Oregon April 10, 2013.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Anne Arundel County Fire Department
Confidentiality and HIPAA
HIPAA Privacy Rule Training
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
NAU HIPAA Awareness Training
1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/
North Carolina State University Health Information Privacy 4/16/03.
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
Copyright 2006 Rubin Law Firm, LLC Drafting HIPAA Compliant Subpoenas & Discovery Presented by:RACHEL B. RUBIN Kansas Bar Association Annual Meeting June.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
Health Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Your HIPAA rules Ben Burton, JD, MBA, RHIA, CHP, CHC Notice of Privacy Practices.
Access to Mental Health Records and Related Issues Social Services Attorneys’ Conference March 10, 2006 Mark Botts School of Government, UNC.
Who Must Comply? When is a patient authorization NOT required?  As needed for the protection of federal and state elective constitutional officers and.
Code of Federal Regulations Title 42, Chapter 1, Subchapter A Part 2 – CONFIDENTIALITY OF ALCOHOL AND DRUG ABUSE PATIENTS BRYANT D. MILLER CAC II, MAC,
1 Sixth National HIPAA Summit The Health Lawyer as Business Associate March 28, 2003 Session VI 3:00 pm Gerald E. DeLoss, Esquire Barnwell Whaley Patterson.
Medical Records in Court: Life after HIPAA North Carolina Conference of Superior Court Judges, October 2003 Presented by Jill Moore, UNC School of Government.
2 H. Westley Clark, M.D., J.D., M.P.H., CAS, FASAM Director Center for Substance Abuse Treatment Substance Abuse Mental Health Services Administration.
Army Family Advocacy Program 1 of R APR 06 Restricted Reporting Policy for Incidents of Domestic Abuse.
Notice of Privacy Practices Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs,
HIPAA PRIVACY AND SECURITY AWARENESS.
HIPAA The Privacy Rule Health Insurance Portability and Accountability Act of 1996 (HIPAA) The 104 th Congress passed the Act, Public Law ,
1 Disclosures © HIPAA Pros 2002 All rights reserved.
Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law.
Confidentiality in Your TEAP Program By Diane A. Tennies, Ph.D., LADC Lead TEAP Health Specialist October 20,
Office of the Secretary Office for Civil Rights (OCR) Indian Health Service HIPAA Training Hosted by the Aberdeen Area Office July 24, 2012.
TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project HEALTH AFFAIRS TRICARE Management Activity.
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
Privacy and the Civil Commitment Process Allyson K. Tysinger Assistant Attorney General June 4-5, 2008.
Practicing In Harmony with HIPAA The views and opinions expressed in the presentation are those of the presenter, and not necessarily official positions.
© 2009 The McGraw-Hill Companies, Inc. All rights reserved. 1 McGraw-Hill Chapter 2 The HIPAA Privacy Standards HIPAA for Allied Health Careers.
Medical Law and Ethics, Third Edition Bonnie F. Fremgen Copyright ©2009 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved.
Speak HIPAA Like a Native A Guide to Common HIPAA Nomenclature University of Miami Ethics Programs.
Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees.
HIPAA PRACTICAL APPLICATION WORKSHOP Orientation Module 1B Anderson Health Information Systems, Inc.
1 Tenth National HIPAA Summit HIPAA in the Real World: The Application of HIPAA to Physician Practices Gerald E. DeLoss, Esq. General Counsel Fairmont.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
Rhonda Anderson, RHIA, President  …is a PROCESS, not a PROJECT 2.
Davis Wright Tremaine LLP The Seventh National HIPAA Summit HIPAA Privacy: Privacy Rule Compliance on Public Health Activities and Research Thomas E. Jeffry,
HIPAA Privacy Rule Implementation Status Report Richard M. Campanelli, J.D. Director, Office for Civil Rights Before the The Tenth National HIPAA Summit.
FERPA for the Financial Aid Office NCASFAA Fall Conference November 2012.
Health Insurance Portability and Accountability Act (HIPAA) © 2013 Project Lead The Way, Inc.Principles of Biomedical Science.
COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,
Disclaimer This presentation is intended only for use by Tulane University faculty, staff, and students. No copy or use of this presentation should occur.
HIPAA Training Workshop #2 Trainer: Kaye L. Rankin Rankin Healthcare Consultants, Inc.
Juvenile Legislative Update 2013 Confidential Records and Protected Disclosures.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
Health Insurance Portability and Accountability Act
HIPAA Privacy Rule Training
HIPAA Administrative Simplification
HIPAA and 42 C.F.R. Part 2 Confidentiality
Health Insurance Portability and Accountability Act
HIPAA Pros - Disclosures
Confidential Records and Protected Disclosures
Disability Services Agencies Briefing On HIPAA
New School Violence Law; HIPAA Privacy Training
Health Insurance Portability and Accountability Act
South Jordan City Fire Department
Presentation transcript:

GW&T © 2006 Garfunkel, Wild & Travis, P.C. RESPONDING TO GOVERNMENT SUBPOENAS AND OTHER OFFICIAL INQUIRIES UNDER HIPAA September 25, 2006 Judith A. Eisen, Esq. Garfunkel, Wild & Travis, P.C. 111 Great Neck Road Great Neck, New York Phone: ; Fax:

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # CONCEPTS TO KEEP IN MIND General HIPAA Rule:A Covered Entity (“CE”) may not use or disclose Protected Health Information (“PHI”) except as permitted by the privacy regulations. Preemption: HIPAA preempts State law except when State law is more stringent. Other Federal Laws:HIPAA works alongside other Federal laws. Accountings:A CE must account for certain disclosures. Minimum Necessary Minimum necessary rule will apply in most Rule:situations.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # A health provider receives a request for patient records in relation to a civil action. COMMON SCENARIO:

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # HIPAA RULE The patient executes a HIPAA-compliant authorization which permits the disclosure; or The disclosure is made in response to an order of a court or administrative tribunal; or The disclosure is made in response to a subpoena, discovery request or other lawful process without an order and the CE receives a “satisfactory assurance.” CE may disclose PHI in the course of a judicial or administrative proceeding if:

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # IF THE REQUEST IS ACCOMPANIED BY AN AUTHORIZATION PHI can be disclosed, if: HIPAA-compliant form of authorization; and Disclosure is limited to that PHI expressly authorized for disclosure by the patient Note: No accounting requirement with an authorization.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # IF THE REQUEST IS ACCOMPANIED BY A COURT OR ADMINISTRATIVE ORDER PHI can be disclosed if the order is: An enforceable court order (need to be familiar with state requirements for court orders); - or - An authorized administrative order (need to be familiar with which Administrative agencies are authorized to order production of PHI). Note: May only disclose that PHI which is expressly requested by the applicable court or authorized administrative body.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # IF THE REQUEST IS ACCOMPANIED BY SATISFACTORY ASSURANCE PHI can be disclosed if the CE receives satisfactory assurances (in the form of a written statement and accompanying documentation) from the party seeking the PHI that: Notice was given; in other words:  there were good faith reasonable efforts to give written notice to patient at patient’s last known address; and  The notice had sufficient information for patient to raise objection; and  time for objection elapsed with no objections or objections were resolved; or

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # A qualified protective order (QPO) is being obtained by demonstrating that:  The parties to dispute agreed to QPO and have presented it to court or agency, or  The party seeking PHI has requested QPO from court/agency

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # QPO DEFINED A QPO is order of court/agency or stipulation by parties that: Prohibits parties from using or disclosing PHI for any other purpose and Requires return or destruction of PHI at end of proceeding.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # OFFICE OF CIVIL RIGHTS (“OCR”) INTERPRETATION  For purpose of satisfactory assurances, a copy of the subpoena (or other request pursuant to lawful process) is sufficient on its face (i.e., no additional documents needed) when it demonstrates that: the individual whose PHI is requested is a party to the litigation notice of the request has been provided to the individual or his or her attorney, and the time for the individual to raise objections has elapsed and no objections were filed or all objections filed have been resolved.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # NOTE:  CE can also release PHI in response to a subpoena or other legal process if CE makes reasonable efforts to: Provide notice to patient as per above - or - Seek a QPO

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # CONSIDER WHETHER THE PHI IS SUBJECT TO ADDITIONAL PROTECTIONS Federal Law (42 CFR 2) provides special protection for substance abuse treatment information State laws commonly have special protections for:  Mental health records  HIV/AIDS records  Records regarding genetic testing  Records regarding sexually transmitted diseases HIPAA preempts these State laws unless the State Law is more protective of the patient.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # SPECIALLY PROTECTED INFORMATION  Under 42 CFR 2, programs that qualify as substance abuse programs can only release patient records pursuant to a subpoena or discovery request, if the subpoena or discovery request is accompanied by: A HIPAA compliant authorization that is also compliant with 42 CFR 2; or A court order that meets the requirements of 42 CFR 2.  A subpoena accompanied by satisfactory assurance is not sufficient for release of substance abuse treatment records.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # OCR INTERPRETATION When determining whether to release PHI that relates to substance abuse treatment pursuant to a subpoena, OCR confirms that it is proper to follow the rules in 42 CFR 2.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # CONSIDER WHETHER OTHER STATE LAWS APPLY To the extent that other state laws are more protective than HIPAA, they may also apply. Common considerations include:  Statutory and common law privilege protections (e.g., physician/patient privilege);  State civil procedures laws; and  Facility licensing laws.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # OTHER STATE LAWS Example: In New York, the Civil Practice Law (CPLR 3122) requires that any subpoena served on a medical provider requesting the medical records of a patient shall state in conspicuous bold-faced type that the records shall not be provided unless the subpoena is accompanied by a written authorization by the patient. This significantly impacts the analysis of responding to subpoenas.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # EXAMPLE NEW YORK STATE LAW SUBPOENA RESPONSE PROCESS 1.CE receives a subpoena without a court order or other documentation. CE responds by requesting a HIPAA authorization or court- ordered subpoena. 2. CE receives a subpoena with a non-HIPAA- compliant patient consent. CE responds by requesting a HIPAA authorization or court- ordered subpoena.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # SUBPOENA RESPONSE PROCESS (cont’d) 3.CE receives a subpoena with a satisfactory assurance form. The satisfactory assurance satisfies HIPAA, but not NYS law. CE must request a patient authorization or a court order. 4. CE receives a court ordered subpoena or a subpoena with a HIPAA authorization. CE may disclose the PHI to the requestor in accordance with the subpoena.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # An ambulatory surgery center receives a request for information pursuant to a criminal subpoena. COMMON SCENARIO

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # HIPAA RULE A CE may disclose PHI for law enforcement purposes to a “law enforcement official”, pursuant to legal process and as otherwise required by law, in compliance with: A court order or a court ordered warrant, or subpoena or summons issued by a judicial officer; A grand jury subpoena; A HIPAA-compliant authorization signed by the patient; or

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # An administrative request, including an administrative subpoena or summons, or civil or an authorized investigative demand, or similar process authorized under law, provided that:  the information sought is relevant and material to a legitimate law enforcement inquiry;  the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and  de-identified information could not reasonably be used.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # OCR INTERPRETATION If a CE receives an administrative request from a law enforcement official, the CE must verify: the identity and authority of the public official making the request; and that the three previously stated conditions are met. Note: Disclosures must be limited to the minimum necessary for the intended purpose.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # WHO IS A LAW ENFORCEMENT OFFICIAL? HIPAA defines a “law enforcement official” as an officer or employee of any agency or authority of the United States (or subdivision thereof) which is empowered by law to investigate or conduct an official inquiry into a potential violation of law or to prosecute or otherwise conduct a criminal, civil or administrative proceeding, arising from an alleged violation of law.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # OCR INTERPRETATION The OCR has stated that an employee of a State child support enforcement agency (“Agency”) is considered to be a law enforcement official. In addition, the National Medical Support Notice (NMSN), a national form sent by the Agency, constitutes a written administrative request by a law enforcement official. Therefore a Covered Entity may respond to the NMSN provided it receives written assurances regarding relevance, the request is specific and de- identified information cannot reasonably be used.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # IMPACT OF STATE LAW The rules relative to specially protected information (e.g., HIV/AIDS, substance abuse, mental health) often also apply to grand jury subpoenas and other law enforcement purposes. Privilege protections (e.g., physician/patient privilege) also need to be considered in this context.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # COMMON SCENARIO The covered entity receives a request for information from a health oversight agency (e.g., an office of professional conduct) for use in a proceeding.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # HIPAA RULE CE may disclose PHI to a “health oversight agency,” for “oversight activities” authorized by law. Note: Oversight activities include audits, civil, administrative, and criminal investigations or proceedings, inspections, licensure or disciplinary actions.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # EXCEPTION Health oversight activities do not include an investigation or other activity in which the patient is the subject of the investigation or activity and the investigation or activity does not arise out of, and is not directly related to:  the receipt of health care;  a claim for public benefits related to health; or  qualification for, or receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or services. If the investigation is not for one of these purposes, the rules governing disclosures for law enforcement purposes apply.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # WHAT IS A HEALTH OVERSIGHT AGENCY HIPAA defines a health oversight agency as a person or entity at any level of the federal, state, local or tribal government that: oversees the health care system; or a government program that requires health information to determine eligibility or compliance or to enforce civil rights laws.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # EXAMPLES OF HEALTH OVERSIGHT AGENCIES The Federal Government acknowledges that the definition of health oversight agency is broad. In addition to obvious agencies which monitor health systems (e.g., Departments of Health, Insurance Departments, CMS), the following are also agencies that engage in health oversight: U.S. Department of Justice (when enforcing civil rights, e.g., ADA, civil rights of institutionalize persons); Environmental Protection Agency; Federal Department of Education

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # NOT HEALTH OVERSIGHT AGENCIES Private accreditation organizations because they are performing health care operations on behalf of CEs. In order to obtain PHI, accrediting groups must enter into business associate agreements with CEs for these purposes. Private entities, such as coding committees, that help government health plans make coding and payment decisions are performing services on behalf of the government agencies and, therefore, must enter into business associate agreements in order to receive PHI from the CE.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # COMMON SCENARIO A hospital receives a request for information from a state agency in order to investigate allegations of abuse.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # HIPAA RULE CE may disclose PHI to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. CE may disclose PHI about an individual, other than a child, whom the CE reasonably believes to be a victim of abuse, neglect or domestic violence to a government authority authorized to receive such reports, provided:  the disclosure is required by law and limited to the requirements of that law;  the individual agrees to the disclosure; or

GW&T © 2006 Garfunkel, Wild & Travis, P.C. #  the individual is unable to agree because of incapacity and the disclosure is authorized by law. In such case, the law enforcement or other public official authorized to receive the report must represent that the PHI is not intended to be used against the individual and that an immediate enforcement activity will be adversely affected by waiting for the individual’s consent.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # ADDITIONAL REQUIREMENT If the CE makes a report about an individual who the CE suspects has been abused (other than in regard to children), the CE must promptly inform the individual about the report unless: The CE, in the exercise of professional judgment, believes informing the individual would place him/ her at risk of serious harm; The CE would be informing a personal representative who the CE believes is responsible for the abuse or neglect.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # CONSIDERATIONS When disclosing information related to abuse, consider the following: Is the required information pertaining to an adult or child? Are there any state reporting requirements or restrictions for adults? For example: In some states, there are reporting requirements when a health care facility becomes aware that an adult patient who is mentally disabled (but having capacity) is being abused.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # CONSIDERATIONS (cont’d) Which agencies are authorized to receive reports of abuse? Example: A social services agency may be authorized by law to investigate allegations of child abuse and the CE can share information with the SS agency for that purpose. However, if the police, who are not specifically authorized to receive reports of child abuse, make the same request, their request must fit within a different exception in order for the CE to disclose the PHI.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # COMMON SCENARIO The police walk into a hospital emergency room demanding information about a patient.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # HIPAA RULE CE is permitted to disclose PHI to a law enforcement official for a law enforcement purpose under any of the following circumstances: When Required By Law, including laws that require the reporting of certain types of wounds or other physical injuries. When There is Evidence of a Crime on the Premises and there is good faith belief that the PHI constitutes evidence of criminal conduct that occurred on the CE’s premises.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # In Order to Identify or Locate an Individual provided that only the following information is disclosed:  Name, address and social security number  Date and place of birth  ABO blood type and Rh factor  Type of injury  Date and time of treatment and/or death, if applicable  A description of distinguishing physical characteristics. Note:Except as otherwise permitted, information related to DNA or DNA analysis, dental records or typing, samples or analysis of body fluids or tissue cannot be disclosed for purposes of locating or identifying an individual.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # Regarding a Patient Believed to be a Victim of a Crime provided:  The patient agrees to the disclosure; or  CE believe the disclosure is in the best interest of the victim, but cannot obtain the patient’s agreement because of incapacity or other emergency circumstances, and the law enforcement official states that: such information is not intended to be used against the patient-victim; or immediate law enforcement activity would be materially adversely affected by waiting until the patient-victim gains sufficient capacity to agree.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # In Order to Provide Notice About the Death of a Patient when the CE suspects the death resulted from criminal conduct. In a Medical Emergency when disclosure of the patient’s health information is necessary to alert law enforcement to:  The commission and nature of a crime;  The location of the crime or victims of the crime; and  The identity, description and location of the perpetrator of the crime. Exception: If the medical emergency is the result of abuse, neglect, or domestic violence, any disclosure to law enforcement officials for law enforcement purposes must be made pursuant to that provision.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # REMEMBER: Disclosure is also permitted when there is adequate legal process (e.g., court order or summons issues by a judicial officer) discussed earlier.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # OCR INTERPRETATION The OCR has stated that disclosures to law enforcement officials are subject to the minimum necessary rule; however, when reasonable to do so, the CE may rely upon representation of the law enforcement official as to what information is the minimum necessary for their lawful purpose. Note: If the law enforcement official making the request is not known to the CE, the CE must verify the identity and authority of such person before disclosing information.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # RECOMMENDATIONS Decisions regarding disclosures to law enforcement officials are among the most complicated under HIPAA. Because of the number of different exceptions under HIPAA, various state laws, and privilege protections, it is virtually impossible to make a standard rule that addresses all circumstances. When reviewing requests from law enforcement officials, consider the following: Understand the purpose of the law enforcement official’s request. Review the law enforcement official’s authority to obtain the requested information for the stated purpose (remember: different officials have different authority).

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # RECOMMENDATIONS Don’t hesitate to request appropriate legal process (e.g., a court order) if the disclosure is not clearly permissible (it may not be difficult for the law enforcement official to obtain and may protect the health care facility). If the investigation for which information is being requested involves the CE, immediately involve legal counsel. Don’t forget about restrictions under State law.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # COMMON SCENARIO A health care provider receives a request for information in order for an entity to conduct public health surveillance

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # HIPAA RULE CE may disclose PHI for public health purposes to the following entities under the following circumstances: To Prevent or Control Disease if to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to the reporting of disease, injury, and vital events (such as birth or death) and the conduct of public health surveillance, interventions or investigations.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # To Report Information to the Food and Drug Administration (FDA) with respect to an FDA- regulated product or activity related to the quality, safety or effectiveness of such FDA-regulated product or activity for:  Collecting and reporting defects  Tracking products  Enabling product recalls:  Conducting post-marketing surveillance, or

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # To Notify Persons of Exposure to Communicable Diseases if the CE is authorized by law to notify each person as necessary in the conduct of a public health intervention or investigation.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # CE may disclose to an employer if the following four requirements are met: CE is a health care provider which is a member of the workforce of such employer (e.g., on-site medical clinic), or provides health care to the individual at the request of the employer:  To conduct an evaluation relating to medical surveillance of the workplace; or  To evaluate whether the individual has a work- related illness or injury; The PHI consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance; HIPAA RULE (Employers)

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # The Employer needs such findings in order to comply with its obligations to report occupational injuries and illnesses under Federal laws and related regulations such as the Occupational Safety and Health Act (“OSHA”), or similar state laws, or to carry out responsibilities for workplace medical surveillance; and

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # CE provides written notice to the patient that the foregoing disclosures will be made to the individual’s employer:  By giving a copy of the notice to the individual at the time the health care is provided; or  If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # Even though HIPAA authorizes a disclosure to an employer, other State laws (e.g., HIV/AIDS confidentiality laws) may not allow for such disclosure. REMEMBER:

GW&T © 2006 Garfunkel, Wild & Travis, P.C. OTHER PERMISSIBLE DISCLOSURES TO GOVERNMENT OFFICIALS

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # HIPAA RULE The CE may use or disclose PHI to the extent required by law, as limited to the relevant requirements of such law. To Identify a Deceased Person or Cause of Death: if to a coroner or medical examiner for the purpose of performing duties authorized by law. To Make Necessary Funeral Arrangements if to funeral directors (even prior to death).  For Purposes of Workers’ Compensation to comply with laws relating to workers’ compensation or other similar programs.  For Cadaveric Organ, Eye or Tissue Donation Purposes if to organ procurement organizations.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. #  To Avert a Serious Threat to Health or Safety if the CE believes, in good faith, that the disclosure:  Is necessary to prevent or lessen a serious and imminent threat to the health or safety of the public and such disclosure is made to persons reasonably able to prevent or lessen the threat; or  Is necessary for law enforcement authorities to identify or apprehend an individual who appears to have escaped from lawful custody; or who has made statements regarding participation in a violent crime which may have caused serious physical harm to the victim, subject to certain limitations.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # For Proper Execution of a Military Mission concerning individuals who are Armed Forces personnel or foreign military personnel, if the appropriate military authority published an appropriate notice in the Federal Register. For National Security and Intelligence Activities to authorized Federal officials for activities authorized by the National Security Act and implementing authority. For Protective Services for the President and Others to authorized federal officials for the provision of protective services to the President or other persons authorized by Federal law or for the conduct of authorized investigations.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # To a Correctional Institution or a law enforcement official in a custodial situation if the PHI is necessary for:  The provision of health care to such individual;  The health and safety of such individual or other inmates;  The health and safety of the officers or employees of or others at the correctional institution;  Law enforcement on the premises of the correctional institution; or  The administration and maintenance of the safety, security, and good order of the correctional institution.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # NOTE: All of the permitted legal disclosures are subject to specific HIPAA requirements which must be reviewed prior to disclosures.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # ACCOUNTING FOR DISCLOSURES An individual has a right to receive an accounting of disclosures of PHI made by a Covered Entity, subject to several exceptions. Among other exceptions, a covered entity does not need to account for disclosures made:  For treatment, payment and health care operations purposes;  Pursuant to a HIPAA authorization; or  To the individual.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # REMINDER: ACCOUNTINGS All of the legal disclosures discussed today must be included in an accounting, unless there is a HIPAA- compliant authorization. CE will need to log these disclosures as they occur.

GW&T © 2006 Garfunkel, Wild & Travis, P.C. # DISCUSSION/QUESTIONS

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.