HIPAA and CINA Proceedings
A Presentation to the Law and Community Health Section of the Alaska Bar Association
February 24, 2004
Joan M. Wilson, J.D.
DAVIS WRIGHT TREMAINE
Anchorage, Alaska
[email protected]@dwt.com
(907) 257-5337

Overview of Presentation
HIPAA Lay of the Land
HIPAA Privacy Requirements
  Disclosures (With and Without Authorization)
  Individual Rights
Recommendations

Me
Attorney, Anchorage
Litigator
  Hired Gun
  Commercial Disputes
  Employment Litigation

How Did I Get Into Health Care?
Subpoenas
Medicaid Fraud Trial
HIPAA

What’s New In HIPAA (Ripped from the Headlines)
Reported (to me), Friday, February 13, 2004 from the American Journal of Psychiatry
  Mrs. A, a 79-year-old woman without a previous psychiatric history, was found in a pool of blood as a result of a self-inflicted gunshot wound
  Mrs. A’s husband reported that she had recently received a letter from her insurance company regarding its new HIPAA policies
  She misinterpreted the Notice to mean that her insurance company was discontinuing her coverage

HIPAA — THE BIG PICTURE
Not Just One Issue
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Title I: Portability
Title II: Administrative Simplification
  Electronic Signature
  Health Identifiers
  Transaction Standards
  Security
  Privacy
Titles III, IV, V

Privacy and Security
Security
  Ensures:
  • Privacy
  • Accessibility
  • Integrity
  of electronic health information
Privacy
  Protects all individually identifiable health information:
  • Paper
  • Electronic
  • Oral
Privacy of electronic health information

Covered Entities
Health Plans (including many employee benefit plans)
  Plans that provide or pay for medical care
Health Care Clearinghouses
  Entities that process or facilitate processing non-standard data elements into standard data elements, or vice versa
Providers who electronically transmit any health information in a HIPAA covered transaction
  Furnishes, bills or is paid for health care in the normal course of business

HIPAA Penalties and Enforcement
Civil penalties
  $100 per violation
  $25,000 annual cap for violations of “identical” requirement
Criminal penalties
  Wrongful disclosure: up to $5,000 and/or 1 year jail time
  False pretenses: $100,000 and/or 5 yrs imprisonment
  For profit/with malice: up to $250,000 and/or 10 yrs in jail
Other “penalties” or liability
  Standard of care
  Reputation

Potential Civil Liability — Ratcheting Duty of Care
Tort – Negligence
Tort – Invasion of Privacy
Tort – Breach of Confidence (Physician-Patient)
Tort – Defamation
Tort – Fraud
Statutory – Consumer Fraud
Contract – Breach of Confidentiality Clauses/Policies
Contract – Breach of Express or Implied Warranty
Contract – Suits by Business Associates
Employment-related suits (HIPAA sanctions issues)

Privacy Overview
The Privacy Rule covers —
  Permitted uses and disclosures of protected information
  Individual rights
  Administrative requirements

Privacy
Protected Health Information
Information relating to —
  Past, present or future physical or mental health or condition
  Provision of health care to an individual or
  Past, present or future payment for health care
Created/received by provider, plan, employer or clearinghouse
Individually identifiable or reasonably likely to be identifiable
In any medium
  Written
  Verbal
  Electronic

Preemption of State Law
General Rule: HIPAA preempts or supersedes all “contrary” State laws
Exceptions:
  HHS determination
  State law that is “more stringent”
  Public health reporting
  Insurance oversight
HIPAA — floor for privacy requirements
Alaska law still will apply in many cases

Use and Disclosure
General rule: A covered entity and its workforce may not use or disclose protected health information, except —
  For treatment, payment and operations
  With individual permission
    After opportunity to agree or object
    With an authorization
  To the individual
  As otherwise permitted or required by HIPAA

Required Disclosures
To the individual, pursuant to access right
To the Secretary of DHHS, to determine compliance

Permitted Disclosures Absent Authorization
As required by other laws
Public health activities
Victims of abuse, etc.
Health oversight activities
Workers’ compensation
Law enforcement purposes
Decedents - coroners and medical examiners
Organ procurement
Research purposes, under limited circumstances
Imminent threat to health or safety (to the individual or the public)
Specialized government function
Judicial and administrative proceedings

Individual Authorization
If a use or disclosure is not otherwise permitted, authorization required
Core elements:
  Meaningful and specific description of information
  Persons or Class of Persons authorized to disclose/receive disclosure
  Purpose
    At the Request of the Individual
  Expiration date/event

Individual Authorization
Required statements:
  Right to revoke
  Whether authorization is a condition of treatment
  Potential for redisclosure
Obtain appropriate signature – copy to individual

Individual Authorization
Give a copy of authorization
Make sure authorization is:
  Completely filled in
  Signed by appropriate person
Defective authorization is not valid
Covered entity not required to disclose PHI pursuant to authorization; disclosure permissible
  Duty of additional inquiry for excessive authorizations?
  Address policies/procedures

Psychotherapy Notes
A covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except
  For treatment, payment, or operations
  Use by the originator for treatment
  Use by the covered entity for training of its mental health professionals
  Defense of the covered entity against action brought by individual
  Determining HIPAA compliance
  Required by law
  Oversight Activities (audit, investigation)
  Imminent threat
  Not listed as exception – judicial proceedings

Psychotherapy Notes
Definition
  Notes of mental health professional documenting or analyzing the contents of a conversation during a counseling session (kept separate from rest of record)
Excludes
  Medication prescription and monitoring
  Start and stop times
  Modalities and frequencies of treatment
  Clinical test results
  Summary of diagnosis, functional status, treatment plan, prognosis, and progress to date
No Compound Authorization
  May only be combined with another authorization for psychotherapy notes

Minors
General rule: Parents accorded rights to children’s PHI
Except
  Where state or other law expressly identifies the parent’s or child’s rights
    STD testing, pregnancy
  Minor Living Alone
  Agreement to the contrary

Minors
Where the law is silent and parent is personal representative for child
  Parent has access/control PHI
  Personal Representative – state law question
Where the law is silent and parent is not personal representative
  May deny access if permitted under state law and decision made by a licensed health care provider
  If law silent, no right to demand PHI

Minors
Exception
  Disclosure permitted or denied where necessary to avert serious or imminent threat to the safety or health of the child

Minimum Necessary Information
CE may rely on scope of information requested by —
  A public official
  Another covered entity
  A “professional” providing services to the CE
  Researchers (as long as the research requirements are satisfied)
A CE may not disclose the entire record, unless it is justified
  But this does not apply to disclosure to providers for treatment

Individual Rights — Right to Notice of Privacy Practices
Provide notice to individuals by the first date of service
Posted in prominent location
Available upon request
On website
Acknowledgment

Individual Rights — Right to Access
Right to request access to own protected health information
  Reviewable and unreviewable grounds for denial
  Explanation of reasons for denial
  Allow review of denial if appropriate

Individual Rights — Right to Request Amendment
Individual may request amendment of his/her records
In response, covered entity may —
  Accept amendment
  Deny amendment
    Grounds include: not created by entity; information is accurate and complete; information is not subject to access
    Statement of disagreement (by individual)
    Rebuttal statement (by covered entity)
    Record-keeping/linking

Individual Rights — Accounting of Disclosures
Right to receive an accounting of disclosures
Accounting includes:
  Date of disclosure
  Recipient name and address
  Description of information disclosed
  Purpose of disclosure

Individual Rights — Accounting of Disclosures
Exceptions include:
  Treatment, payment and health care operations
  Individual access
  Directories, persons involved in care
  Pursuant to authorizations
  National security or intelligence
  Incidental disclosures
  Limited data set
  Prior to April 14, 2003

Individual Rights — Right to Request Additional Protections
Right to request additional privacy protections
  Covered entity may refuse
  If agrees, bound (except in emergency)
  Be careful in granting requests
Right to request to receive communications in alternative fashion
  Must accommodate reasonable requests

Permitted Disclosures: Government and Other Purposes
As required by other laws
Public health activities
Victims of abuse, etc.
Health oversight activities
Workers’ compensation
Law enforcement purposes
Decedents - coroners and medical examiners
Organ procurement
Research purposes, under limited circumstances
Imminent threat to health or safety (to the individual or the public)
Specialized government function
Judicial and administrative proceedings

As Required By Other Laws
Where State Law Requires Providers or Administrators to Report to Law Enforcement or OCS, HIPAA permits such disclosures
  Reports of Suspected Child Abuse or Neglect
  Reports of Vulnerable Adult Abuse, Neglect, or Abandonment
Follow State Law
Question for Providers: How Much to Disclose

Judicial or Administrative Proceedings
A provider may disclose PHI in the course of a judicial or administrative proceeding, if
  Court or administrative tribunal order
    some providers require
    Disclose only the PHI expressly requested by the order
  Absent court Order, by subpoena or discovery request, if
    Satisfactory assurance of notice to individual whose PHI is at issue or
    Reasonable efforts to secure a protective order

Judicial or Administrative Proceedings
Satisfactory assurance notice to Individual
  Writing and Documentation of
    good faith attempt to provide written notice to patient
    Notice contained sufficient information about the litigation or proceeding to permit patient to raise an objection
    Time to raise objection lapsed and
      No objections filed
      Objections filed and resolved by court and disclosure is consistent with resolution

Judicial or Administrative Proceedings
Reasonable Efforts to Secure a Protective Order
  Writing and Documentation evidence
    Parties have agreed to a qualified protective order and presented it to the court
    Party requesting information has sought the protective order
Issue
  Is this operable when PHI is not the PHI of one of the parties?

Judicial or Administrative Proceedings
Qualified Protective Order
  Court or Tribunal Order or Stipulation by the Parties
  Prohibit use of PHI outside litigation or proceeding
  Requires return or destruction of PHI (original and copies) at end of litigation or proceeding

Judicial or Administrative Proceedings
Absent Protective Order from the parties, Provider may still disclose in response to lawful process
  It makes reasonable effort to provide notice to the patient (as above) or
  Seeks a qualified protective order on its own

More Stringent Law
If another law governing production of records in judicial proceedings is more stringent than HIPAA, it must be followed
Substance Abuse Treatment Regulations
  42 C.F.R. Part Two
Comply with both?

Recommendations
Much Can Be Accomplished With a Well-worded Continuing Authorization
  Recipient -- DHSS and Department of Law
  Purpose of Disclosure – At Request of Individual or For Adjudication Regarding Care of Minor Child
  Expiration Date or Event
    How Long are Cases in the System
    Until Completion of Child in Need of Aid Proceedings
  Caution
    May be revoked at any time
    Psychotherapy Notes

Recommendations
If Court Proceedings
  Be Timely in Requests
  Legal Issues to Resolve
    HIPAA – Permissive Disclosure
    Likely Legal Question with Protective or even other Orders where PHI is of a non-party
    Notice May be Best Route to go
    Substance Abuse Treatment regulations still operable for Some Providers
Complaint
Do Not Use Providers as Your Experts