Presentation is loading. Please wait.

Presentation is loading. Please wait.

– Privacy in Perspective – Dealing with Hybrids & Other Unique Collaborations Thomas E. Jeffry, Jr., Esq. Partner, Davis Wright Tremaine LLP, Los Angeles,

Published byEmma Barton Modified over 8 years ago

Similar presentations

Presentation on theme: "– Privacy in Perspective – Dealing with Hybrids & Other Unique Collaborations Thomas E. Jeffry, Jr., Esq. Partner, Davis Wright Tremaine LLP, Los Angeles,"— Presentation transcript:

1 – Privacy in Perspective – Dealing with Hybrids & Other Unique Collaborations Thomas E. Jeffry, Jr., Esq. Partner, Davis Wright Tremaine LLP, Los Angeles, CA Austin M. O’Flynn, Esq. Senior Counsel, Catholic Healthcare West, San Francisco, CA Thursday, September 8, 2005 Washington, DC

2 Slide 2 Issues Addressed Legal vs. Operational Relationships Hybrids ACE – Regulatory Enforcement Basic Organizational Structures and Strategies Enforcement Table Collaboration Types involving PHI CHW HIPAA Org Chart Customizing Authorizations NPP in terms of ACE and Websites postings

3 Slide 3 Capturing the Right HIPAA Org Structure District Hospital Medical Foundation Physicians J.V. Clinics H. Health 501(c)3 Educ. 501(c)3

4 Slide 4 Basic organizational structures and strategies ACE – horizontal integration Organized Health Care Arrangements (OHCAs) – vertical integration Hybrids – internal segregation Authorizations to permit disclosures between separate entities – external segregation

5 Slide 5 Legal Relationships v. Operational Relationships Legal Wholly owned subsidiary of parent Separate entities with a common parent Supporting organization (e.g. foundation) Joint venture Operational Health system of multiple hospitals Hospital and freestanding clinic Hospital and research facilities Health clinic and social services

6 Slide 6 Hybrids Single legal entity Covered entity Business functions include both covered and non-covered functions Designates health care components that includes any component that would be a covered entity if a separate legal entity

7 Slide 7 Covered Entity (CE) Identification necessary for patient enforcement Responsible for PHI Exercise of patient rights Notice of Privacy Practices (NPPs) Separate covered entities Share PHI for treatment and payment Limited sharing for operations

8 Slide 8 Affiliated Covered Entity (ACE) CEs that are under common ownership or control may designate themselves as a single ACE. “Common ownership is defined as an ownership or equity interest of five percent or more.” Common control exists if an entity has the power - directly or indirectly - to significantly influence or direct the actions or policies of another entity. If the affiliated entity contains health care components, it must implement safeguards to prevent the larger entity from using protected health information maintained by the component entity. Privacy Rule, December 2000 Preamble

9 Slide 9 Organized Health Care Arrangement (OHCA) 1. A clinically integrated care setting in which individuals typically receive health care from more than one healthcare provider (legally separate); or 2. An organized system of health care in which more than one CE participates, and they: (i) hold themselves out to the public in a joint arrangement, and (ii) participate in one or more of the following joint activities -- Utilization review, Quality Assessment and Improvement activities, Shared Risk Pool Program Note: an Acknowledgment obtained by one CE means the other CEs do not need to also seek one.

10 Slide 10 Basic organizational structures and strategies - ACE An ACE may use a single NPP as if it were a single CE The CEs that together make up the ACE are jointly and severally liable for any civil monetary penalty under HIPAA An Authorization (beyond TPO) is sufficient for all CEs – not so for an OHCA California --Title 22 limitation on ACE structure Minimum necessary still applies

11 Slide 11 Basic organizational structures and strategies - OHCA An OHCA may use a single NPP, just like a covered entity for all its activities. The CEs that together make up the OHCA are NOT jointly and severally liable for any civil monetary penalty under HIPAA. An Authorization (beyond TPO) is NOT sufficient for all CEs May need more BAA’s in place Minimum necessary still applies

12 Slide 12 Basic organizational structures and strategies - Hybrid Applies to multi-purpose organizations Limits exchange of PHI between health care components and non-health care components Rules on permitted uses and minimum necessary may otherwise limit such exchanges Minimizes regulatory burden on non-health care components

13 Slide 13 Basic organizational structures and strategies - Authorizations Trumps HIPAA’s limitations on use and disclosure of PHI between Components of a single CE Two CEs A CE and a non-CE Allows for use on health information for other purposes (e.g. education, social services, surveillance, research)

14 Slide 14 Customizing Authorizations To provide additional requirements required under State law To provide for use and disclosure of non-health related information subject to regulations Financial information Educational records Employment information Limitation on compound authorizations

15 Slide 15 Different Structures  Different Patient’s Rights Title 22 Limitations -- California Managing Patient Rights Alternative Communication Accounting for Disclosures Is disclosure on behalf of CE or ACE? Approval of Restrictions and communication to all HIPAA entity members Who receives Complaints and maintains required documentation on behalf of hospital, CE and ACE? Who within ACE manages NPP Acknowledgements for hospital, CE, and ACE?

16 Slide 16 Enforcement Issues Patient’s rights against CE OCR rights actionable against ACE/OHCA/CE A broader organization  expectation Size of Organization  Resources  Ability of Organization ACE may be viewed as larger than an OHCA which may be viewed as larger than a CE

17 Slide 17 HIPAA Enforcement Table Rights ofCEBAOHCAACE*Hybrid PatientsYesNo Yes OCRYesNo**NoYes *Good uniform controls? *Consider Number of OCR “dings” and penalty caps **Yes if BA is already a CE

18 Slide 18 Examples of Collaboration Types where PHI may be exchanged Joint Ventures Management Agreement (e.g. District Hospitals) Medical Foundations Multi-purpose agencies – Social Service Groups Research

19 Slide 19 Examples of Collaboration Types where PHI may be exchanged Education/Schools Public health Surveillance Electronic Community Health Records

20 Slide 20 Capturing the Right HIPAA Org Structure District Hospital Medical Foundation Physicians J.V. Clinics H. Health 501(c)3 Educ. 501(c)3

21 Slide 21 HIPAA Org Documentation The designation of an affiliated covered entity must be documented and the documentation maintained as required by § 164.530(j).

22 Slide 22 CHW HIPAA Organization Chart Part A - List of hospitals and clinics and other entities and business units who may or may not be covered entities and their HIPAA status within CHW. Part B - List of 501(c)(3) fundraising foundations and their relationships to covered entities within the CHW ACE. Part C - List of plans, both insured and self-insured, and plan administrators. Part D - List of entities in which CHW or its affiliate may have an ownership interest but does not have management responsibility nor operating responsibility.

23 Slide 23 CHW HIPAA Org Chart – Part A 1.Level 1 Legal Entity 2.Level 2 Legal Entity or d/b/a 3.Level 3 Legal Entity or d/b/a 4.Level 4 Legal Entity or d/b/a 5.If Joint Venture, Managed or Operated by CHW Facility? 6.Using PHI? 7.Name of Hybrid (if applicable) 8.Name of Non-Covered Component 17 Columns – remaining 9 columns cont’d on next slide 

24 Slide 24 CHW HIPAA Org Chart – Part A 9.Name of CE 10.Name of ACE 11.Primary OHCA 12.Other OHCA 13.BA 14.Name of NPP 15.Hospital President 16.Hospital/ Facility FPO 17.Comments

25 Slide 25 Who Documents HIPAA Org? Recommendations Single Custodian Documentation needs to reflect both your legal and operational reporting structure Readily accessible internally Internalize HIPAA Org analysis into legal check off process for creating or changing status of JV’s, partnerships, new corporations, 501(c)’s and other entities Annually review and update

26 Slide 26 HIPAA Org Annual Review Who should be involved? Custodian of HIPAA Org Document Hospital/Facility Administrator Legal Counsel Privacy Official Marketing and Communication Dept 501(c) President Benefits Director

27 Slide 27 Notice of Privacy Practices (NPP) Different for each CE Must be consistent  Org Chart clinics hospital Non-HIPAA provisions related to other requirements (e.g. education, financial) If website supports multiple CEs No ACE NPP  post all NPPs ACE NPP  only One NPP

28 Slide 28 Closing Thoughts Identify and distinguish legal and operational relationships Document your organization structure Make sure CE or health care component of hybrid maintains control and custody of medical records Authorizations may be the easier solution, business associate agreements are not when providing integrated services

29 Slide 29 Contact information Thomas E. Jeffry, Jr. Davis Wright Tremaine (213) 633-6800 tomjeffry@dwt.com Austin M. O'Flynn, Esq. Catholic Healthcare West (415) 438-5559 AOFlynn@chw.edu

Download ppt "– Privacy in Perspective – Dealing with Hybrids & Other Unique Collaborations Thomas E. Jeffry, Jr., Esq. Partner, Davis Wright Tremaine LLP, Los Angeles,"

Similar presentations

Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,

Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,
H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.

P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”

 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,

Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

Similar presentations

Ads by Google