Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced HIPAA Privacy Compliance Strategies: Those Nagging Issues That Don’t Seem to Go Away Rebecca L. Williams, RN, JD Partner; Co-Chair of HIT/HIPAA.

Published byKelley Michael Shelton Modified over 8 years ago

Similar presentations

Presentation on theme: "Advanced HIPAA Privacy Compliance Strategies: Those Nagging Issues That Don’t Seem to Go Away Rebecca L. Williams, RN, JD Partner; Co-Chair of HIT/HIPAA."— Presentation transcript:

1

2 Advanced HIPAA Privacy Compliance Strategies: Those Nagging Issues That Don’t Seem to Go Away Rebecca L. Williams, RN, JD Partner; Co-Chair of HIT/HIPAA Practice Group Davis Wright Tremaine LLP Seattle, WA beckywilliams@dwt.com Davis Wright Tremaine LLP

3 2 HIPAA Privacy — A Timeline November 3, 1999: Proposed privacy regulations December 28, 2000: Final privacy regulations published April 14, 2001: Effective date of final privacy regulations July 2001: HHS Guidance issued March 27, 2002: Proposed amendments to final regulations published April 14, 2003: Privacy compliance date (except small health plans) April 14, 2003: Privacy compliance date for small plans 1996: HIPAA is enacted into law April 20, 2005: Security compliance date April 20, 2006: Security compliance for small plans

4 Davis Wright Tremaine LLP 3 HIPAA Roulette

5 Davis Wright Tremaine LLP 4 The Enforcement Rule A change in the status quo?

6 Davis Wright Tremaine LLP 5 The Enforcement Rule  Final Rule  Published: February 16, 2006  Effective date: March 16, 2006  Uniform civil enforcement approach for all administrative simplification – DOJ remains responsible for criminal enforcement  Signal for change in enforcement?  Continuing commitment to cooperation and assistance  HHS discretion continues  Mandates civil money penalties where a violation is found  Final Rule  Published: February 16, 2006  Effective date: March 16, 2006  Uniform civil enforcement approach for all administrative simplification – DOJ remains responsible for criminal enforcement  Signal for change in enforcement?  Continuing commitment to cooperation and assistance  HHS discretion continues  Mandates civil money penalties where a violation is found

7 Davis Wright Tremaine LLP 6 The Ex-Factor  Breaking Up is Hard to Do  When Good Employees Go Bad

8 Davis Wright Tremaine LLP 7 The Ex-Factor  Top risks for intentional misuse, improper disclosures and false accusations:  Ex-relationships: divorces, custody disputes, break- ups, new significant others, and so on and so on  Ex-employees  Even high school/grade school grudges  Tip: When there is “history,” dig a little deeper  Tip: Privacy Officer should be attuned to “gossip”  Revisit termination process  Top risks for intentional misuse, improper disclosures and false accusations:  Ex-relationships: divorces, custody disputes, break- ups, new significant others, and so on and so on  Ex-employees  Even high school/grade school grudges  Tip: When there is “history,” dig a little deeper  Tip: Privacy Officer should be attuned to “gossip”  Revisit termination process

9 Davis Wright Tremaine LLP 8 Complaint Process and Other Responses

10 Davis Wright Tremaine LLP 9 Response to Ex-Factor and Other Violations: Complaint Process  Must provide process to receive complaints  Must document all complaints and their disposition  Tip: Make it easy for a patient to complain  Written only vs. any medium  Tip: Be aware of direct complaints that may become OCR complaints  Tip: Pay attention to the follow-up  Must provide process to receive complaints  Must document all complaints and their disposition  Tip: Make it easy for a patient to complain  Written only vs. any medium  Tip: Be aware of direct complaints that may become OCR complaints  Tip: Pay attention to the follow-up

11 Davis Wright Tremaine LLP 10 Consumer Breach Notification When do you have to report yourself?

12 Davis Wright Tremaine LLP 11 Consumer Breach Notification  Many state laws mandate notification  HIPAA has no specific notification requirement but  Covered entities have a duty to mitigate  Accounting of disclosure for breaches (that are not incidental disclosures)  Beware: No good deed goes unpunished  Good citizens  Bad PR, class actions, etc.  Many state laws mandate notification  HIPAA has no specific notification requirement but  Covered entities have a duty to mitigate  Accounting of disclosure for breaches (that are not incidental disclosures)  Beware: No good deed goes unpunished  Good citizens  Bad PR, class actions, etc.

13 Davis Wright Tremaine LLP 12 Business Associates Continues to be a top area of confusion/frustration

14 Davis Wright Tremaine LLP 13 Who is a Business Associate?  A person who, on behalf of a covered entity or OHCA —  Performs or assists with a function or activity Involving PHI or Otherwise covered by HIPAA  Performs certain identified services  A person who, on behalf of a covered entity or OHCA —  Performs or assists with a function or activity Involving PHI or Otherwise covered by HIPAA  Performs certain identified services Auditors, Actuaries Billing Firms Lawyers ClearinghousesTPAs Covered Entity Management Companies Consultants, Vendors Accreditation Organizations

15 Davis Wright Tremaine LLP 14 Who Are Business Associates?  Medical device company... Probably not  Research sponsor... Usually not  Does not work to circumvent research rules  Record storage/destruction... Depends  Accreditation organizations... Yes  Software vendor... Maybe  Collection agencies... Yes  Lawyers... Definitely maybe  Medical device company... Probably not  Research sponsor... Usually not  Does not work to circumvent research rules  Record storage/destruction... Depends  Accreditation organizations... Yes  Software vendor... Maybe  Collection agencies... Yes  Lawyers... Definitely maybe

16 Davis Wright Tremaine LLP 15 What Must Be in a Business Associate Contract — Privacy Rule  Use and disclose information only as authorized in the contract  No further uses and disclosures  Not to exceed what the covered entity may do  Implement appropriate safeguards  Report unauthorized disclosures to covered entity  Facilitate covered entity’s access, amendment and accounting of disclosures obligations  Allow HHS access to determine CE’s compliance  Return/destroy protected health information upon termination of arrangement, if feasible  If not feasible, extend BAC protections  Ensure agents and subcontractors comply  Authorize termination by covered entity  Use and disclose information only as authorized in the contract  No further uses and disclosures  Not to exceed what the covered entity may do  Implement appropriate safeguards  Report unauthorized disclosures to covered entity  Facilitate covered entity’s access, amendment and accounting of disclosures obligations  Allow HHS access to determine CE’s compliance  Return/destroy protected health information upon termination of arrangement, if feasible  If not feasible, extend BAC protections  Ensure agents and subcontractors comply  Authorize termination by covered entity

17 Davis Wright Tremaine LLP 16 What Must Be in a Business Associate Contract — Security Rule  Implement administrative, physical and technical safeguards that reasonably and appropriately protect the  Confidentiality,  Integrity and  Availability  Of electronic protected health information  Ensure any agent implements reasonable and appropriate safeguards  Report any security incident  Authorize termination if the covered entity determines business associate has breached  Implement administrative, physical and technical safeguards that reasonably and appropriately protect the  Confidentiality,  Integrity and  Availability  Of electronic protected health information  Ensure any agent implements reasonable and appropriate safeguards  Report any security incident  Authorize termination if the covered entity determines business associate has breached

18 Davis Wright Tremaine LLP 17 Business Associate Contracts  Tip: Contract management system  Tip: Do not forget the security requirements  When ePHI is involved, the privacy version is not enough  Process to identify business associates  Revisit existing relationships and contracts  Address future relationships  Process to effectively deal with contracting  Templates  Elevate issues as needed  Liability of a covered entity for its business associates  Tip: Contract management system  Tip: Do not forget the security requirements  When ePHI is involved, the privacy version is not enough  Process to identify business associates  Revisit existing relationships and contracts  Address future relationships  Process to effectively deal with contracting  Templates  Elevate issues as needed  Liability of a covered entity for its business associates

19 Davis Wright Tremaine LLP 18 The Forgotten Health Plan

20 Davis Wright Tremaine LLP 19 Health Plan  Covered providers have employee benefit plans that likely are covered entities  Treated as a separate entity  Verify compliance efforts  Don’t forget FSAs and EAPs  Security compliance for small health plans (under $5 million in receipts) is coming up  Privacy FAQ  Send reminder of how to obtain a Notice of Privacy Practices every three years  Covered providers have employee benefit plans that likely are covered entities  Treated as a separate entity  Verify compliance efforts  Don’t forget FSAs and EAPs  Security compliance for small health plans (under $5 million in receipts) is coming up  Privacy FAQ  Send reminder of how to obtain a Notice of Privacy Practices every three years

21 Davis Wright Tremaine LLP 20 Accounting of Disclosures  What is covered  What is the best way to track  Communications with patients

22 Davis Wright Tremaine LLP 21 Accounting of Disclosures  Patient has the right to receive an accounting of disclosures of the patient’s PHI  Accounting includes:  Date of disclosure  Recipient name and address  Description of information disclosed  Purpose of disclosure  Patient has the right to receive an accounting of disclosures of the patient’s PHI  Accounting includes:  Date of disclosure  Recipient name and address  Description of information disclosed  Purpose of disclosure

23 Davis Wright Tremaine LLP 22 Accounting of Disclosures  Exceptions:  Treatment, payment and operations  Individual access  Directories, persons involved in care  Pursuant to authorizations  National security or intelligence  Incidental disclosures  Limited date set  Prior to April 14, 2003  Exceptions:  Treatment, payment and operations  Individual access  Directories, persons involved in care  Pursuant to authorizations  National security or intelligence  Incidental disclosures  Limited date set  Prior to April 14, 2003

24 Davis Wright Tremaine LLP 23 Accounting of Disclosures – Problems  Cumbersome process with relatively few requests  Patients often want information that is excepted  Tricky issues  Date ranges acceptable (e.g., access to a universe of records during limited time)  For disclosures made routinely within set time: Intervals acceptable (e.g., “gunshot wound within 48 hours after treatment” plus date of treatment)  Dealing with Business Associates  Cumbersome process with relatively few requests  Patients often want information that is excepted  Tricky issues  Date ranges acceptable (e.g., access to a universe of records during limited time)  For disclosures made routinely within set time: Intervals acceptable (e.g., “gunshot wound within 48 hours after treatment” plus date of treatment)  Dealing with Business Associates

25 Davis Wright Tremaine LLP 24 Accounting of Disclosures ─ Approaches  Different potential approaches  Log all disclosures at time of the disclosure  Do analysis at time of any patient request  Abbreviated accounting  Tip: Clarify the request before beginning (but do not discourage request)  Different potential approaches  Log all disclosures at time of the disclosure  Do analysis at time of any patient request  Abbreviated accounting  Tip: Clarify the request before beginning (but do not discourage request)

26 Davis Wright Tremaine LLP 25 Copying Fees HIPAA versus State Maximum

27 Davis Wright Tremaine LLP 26 Copying Fees  State law often imposes maximum copying fees  May include administrative fee (e.g., retrieving or handling)  Per page fee  HIPAA requires reasonable cost-based fees for individual access  Statutory maximum is not necessarily consistent with HIPAA requirement  Fee may depend on purpose and who requests record  State law often imposes maximum copying fees  May include administrative fee (e.g., retrieving or handling)  Per page fee  HIPAA requires reasonable cost-based fees for individual access  Statutory maximum is not necessarily consistent with HIPAA requirement  Fee may depend on purpose and who requests record

28 Davis Wright Tremaine LLP 27 De-Identification  How  When to use

29 Davis Wright Tremaine LLP 28 De-Identification  Information is presumed de-identified if—  Qualified person determines that risk of re-identification is “very small” or  The following identifiers are removed: NameAddressRelativesEmployer DatesTelephoneFaxe-mail SSNMR#Plan IDAccount # License #Vehicle IDURLIP address FingerprintsPhotographsOther unique identifier  And the CE does not have actual knowledge that the recipient is able to identify the individual  Information is presumed de-identified if—  Qualified person determines that risk of re-identification is “very small” or  The following identifiers are removed: NameAddressRelativesEmployer DatesTelephoneFaxe-mail SSNMR#Plan IDAccount # License #Vehicle IDURLIP address FingerprintsPhotographsOther unique identifier  And the CE does not have actual knowledge that the recipient is able to identify the individual

30 Davis Wright Tremaine LLP 29 De-Identification  Beware the “other unique identifier” requirement  Especially difficult with large number of records  Beware small communities  Identify what workforce needs to know de-identification rules. For example,  Marketing  Newsletters  Medical staff who lecture or publish  Beware the “other unique identifier” requirement  Especially difficult with large number of records  Beware small communities  Identify what workforce needs to know de-identification rules. For example,  Marketing  Newsletters  Medical staff who lecture or publish

31 Davis Wright Tremaine LLP 30 Limited Data Sets  What are they  When to use limited data sets  How to disclose limited data sets

32 Davis Wright Tremaine LLP 31 Limited Data Set — Not Quite De-Identified  Limited Data Set = PHI that excludes direct identifiers except:  Full dates  Geographic detail of city, state and 5-digit zip code  Not completely de-identified  Special rules apply  Limited Data Set = PHI that excludes direct identifiers except:  Full dates  Geographic detail of city, state and 5-digit zip code  Not completely de-identified  Special rules apply

33 Davis Wright Tremaine LLP 32 Data Use Agreements  Limited Purposes:  Research,  Public health  Health care operations  Recipient must enter into a Data Use Agreement:  Permitted uses and disclosures by recipient  Who may use or receive limited data set  Recipient must: Not further use or disclose information Use appropriate safeguards Report impermissible use or disclosure Ensure agents comply Not identify the information or contact the individuals  Limited Purposes:  Research,  Public health  Health care operations  Recipient must enter into a Data Use Agreement:  Permitted uses and disclosures by recipient  Who may use or receive limited data set  Recipient must: Not further use or disclose information Use appropriate safeguards Report impermissible use or disclosure Ensure agents comply Not identify the information or contact the individuals

34 Davis Wright Tremaine LLP 33 Data Use Agreements  Likely uses  State hospital associations  Public health agencies (for non-mandatory reporting)  Research where identifiers are not necessary  Not included in an accounting of disclosures  Likely uses  State hospital associations  Public health agencies (for non-mandatory reporting)  Research where identifiers are not necessary  Not included in an accounting of disclosures

35 Davis Wright Tremaine LLP 34 Disclosures to Law Enforcement

36 Davis Wright Tremaine LLP 35 Disclosures to Law Enforcement Required by law Court orders, subpoenas... Administrative request Request about a crime victim Child abuse or neglect Adult abuse, neglect or domestic violence (limited) Death in suspicious circumstances Criminal activity in off-site medical emergencies Required by law Court orders, subpoenas... Administrative request Request about a crime victim Child abuse or neglect Adult abuse, neglect or domestic violence (limited) Death in suspicious circumstances Criminal activity in off-site medical emergencies Crime on the premises Avoid serious and imminent threat Identification of suspect, fugitive, material witness or missing person (limited) Admission to a violent crime (limited) Specialized law enforcement

37 Davis Wright Tremaine LLP 36 Disclosure to Law Enforcement  Preemption considerations  State law plays a critical role in analysis  Develop detailed policies and procedures  Tip: Identify go-to people  Tip: Two tier approach Basic approach for majority of workforce Detailed approach for those making the decisions  Tip: Consider a community meeting with providers and law enforcement to agree on ground rules  Preemption considerations  State law plays a critical role in analysis  Develop detailed policies and procedures  Tip: Identify go-to people  Tip: Two tier approach Basic approach for majority of workforce Detailed approach for those making the decisions  Tip: Consider a community meeting with providers and law enforcement to agree on ground rules

38 Davis Wright Tremaine LLP 37 Legal Proceedings

39 Davis Wright Tremaine LLP 38 Disclosures for Legal Proceedings  If a party to litigation/proceeding  May use and disclose PHI for own health care operations (as well as other exceptions)  “Operations” include conducting or arranging for legal services to the extent related to health care functions Defendant in malpractice suit Plaintiff in collection matter (also payment)  Minimum necessary De-identification Qualified protective order  Business associate contract for outside counsel needed  If a party to litigation/proceeding  May use and disclose PHI for own health care operations (as well as other exceptions)  “Operations” include conducting or arranging for legal services to the extent related to health care functions Defendant in malpractice suit Plaintiff in collection matter (also payment)  Minimum necessary De-identification Qualified protective order  Business associate contract for outside counsel needed

40 Davis Wright Tremaine LLP 39 Disclosures for Legal Proceedings  If covered entity is not a party, find an exception  Required by law (e.g., court order)  Health care oversight (e.g., licensure hearing)  Authorization  Response to subpoena or other lawful process Satisfactory assurances that requestor made reasonable efforts either to notify relevant patients or secure a qualified protective order Covered entity may do the same Specific requirements for each  If covered entity is not a party, find an exception  Required by law (e.g., court order)  Health care oversight (e.g., licensure hearing)  Authorization  Response to subpoena or other lawful process Satisfactory assurances that requestor made reasonable efforts either to notify relevant patients or secure a qualified protective order Covered entity may do the same Specific requirements for each

41 Davis Wright Tremaine LLP 40 Disclosure for Legal Proceedings  Preemption Considerations: Beware state law  Accounting of Disclosures  Depends on exception  No: health care operations, payment, authorization  Yes: subpoena, health care oversight  Tip: Don’t assume a lawyer knows the law (with HIPAA at least)  Preemption Considerations: Beware state law  Accounting of Disclosures  Depends on exception  No: health care operations, payment, authorization  Yes: subpoena, health care oversight  Tip: Don’t assume a lawyer knows the law (with HIPAA at least)

42 Davis Wright Tremaine LLP 41 Misunderstandings and Unrealistic Expectations HIPAA does not always live up to expectations

43 Davis Wright Tremaine LLP 42 Misunderstandings and Unrealistic Expectations  Must train workforce  Biggest threat  Greatest resource  Training needs to be relevant and tailored  Assess levels of awareness  Manage  Measure  You must encourage workforce awareness  Abuse of legitimate access  Difficult to detect on audit  Facilitate workforce reporting of suspicions and making suggestions  Must train workforce  Biggest threat  Greatest resource  Training needs to be relevant and tailored  Assess levels of awareness  Manage  Measure  You must encourage workforce awareness  Abuse of legitimate access  Difficult to detect on audit  Facilitate workforce reporting of suspicions and making suggestions

44 Davis Wright Tremaine LLP 43 Misunderstandings and Unrealistic Expectations  Should we train/educate patients?  Areas of confusion  Opting out of facility directory Foster understanding of consequences  Requests for additional privacy protections Patient has right to ask Covered entity has right to say “No” Covered entity is bound by a “Yes” Promote consistency  Accounting of disclosure  Not all disclosures without authorization are improper  Should we train/educate patients?  Areas of confusion  Opting out of facility directory Foster understanding of consequences  Requests for additional privacy protections Patient has right to ask Covered entity has right to say “No” Covered entity is bound by a “Yes” Promote consistency  Accounting of disclosure  Not all disclosures without authorization are improper

45 Davis Wright Tremaine LLP 44 Questions

Download ppt "Advanced HIPAA Privacy Compliance Strategies: Those Nagging Issues That Don’t Seem to Go Away Rebecca L. Williams, RN, JD Partner; Co-Chair of HIT/HIPAA."

Similar presentations

HIPAA for Governments & Municipalities Rebecca L. Williams, RN, JD Partner, Co-Chair of HIT/HIPAA Practice Davis Wright Tremaine LLP Seattle, WA

HIPAA for Governments & Municipalities Rebecca L. Williams, RN, JD Partner, Co-Chair of HIT/HIPAA Practice Davis Wright Tremaine LLP Seattle, WA
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Responding to Subpoenas and Law Enforcement Demands for PHI: An Overview Janet A. Newberg Chair, Health Law Section Felhaber Larson Fenlon & Vogt, P.A.

Responding to Subpoenas and Law Enforcement Demands for PHI: An Overview Janet A. Newberg Chair, Health Law Section Felhaber Larson Fenlon & Vogt, P.A.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Corporate Compliance Program STANDARDS OF CONDUCT HIPAA PRIVACY & SECURITY Temple University Health System Maribel Valentin, Esquire Associate Counsel.

Corporate Compliance Program STANDARDS OF CONDUCT HIPAA PRIVACY & SECURITY Temple University Health System Maribel Valentin, Esquire Associate Counsel.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
North Carolina State University Health Information Privacy 4/16/03.

North Carolina State University Health Information Privacy 4/16/03.
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”

 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769.

Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

Similar presentations

Ads by Google