©2017 DAVIS BROWN KOEHN SHORS & ROBERTS P.C. Overview of HIPAA and Other Privacy and Security Laws in Health Care Craig Sieverding Davis Brown Law Firm

Overview of HIPAA and Other Privacy and Security Laws in Health … · 2019. 4. 4. · •Notice of privacy practices •Patient rights •Also …. –Develop policies and procedures


Overview of HIPAA and Other Privacy

and Security Laws in Health Care

Craig Sieverding

Davis Brown Law Firm

Outline

• HIPAA fundamentals

– Privacy Rule, with a focus on uses and disclosures of health information

– Security Rule

– Breach Notification Rule

– Enforcement Rule

• Other Privacy and Security Rules

– Which may provide greater protections for health information

Why Is Privacy Important in Health Care Today?

• Privacy and security of health information is a grave concern

– To patients, the public and regulators

• Medicine is and remains data driven

– Emerging technology in health care today (e.g. telemedicine, mobile health devices)

• Increased threat of data breaches and ransomware

• One solution = Good compliance to identify and mitigate risk

HIPAA

• Health Insurance Portability and Accountability Act (HIPAA) (1996)

– Title 2 = administrative simplifications, including security standards and privacy

– Strengthened through HITECH (2009), which incl. breach notification and enforcement

• Generally speaking, these are the federal confidentiality provisions relating to health information

The Four “Rules” of HIPAA

• Privacy Rule (2002)

– Use and disclosure of health information

– A patient’s rights in health information

• Security Rule (2003)

– Safeguarding electronic health information

• Notification (2009)

– Notification of breach of health information

• Enforcement (2009)

– Agency enforcement and penalties for violations with health information

When Does HIPAA Govern Health Information?

• HIPAA does not govern the use and disclosure of all health information

– E.g., patients can share their health information with employers; employers can share internally

• Need to ask two basic questions:

– Who? What type of entity / individual is using or disclosing the information?

– What? What information is such entity using or disclosing?

Who Is Governed by HIPAA?

• “Covered Entities”

– Health care providers

– Health plans

– Health care clearinghouses

• Business Associates

Business Associates

• Who is a Business Associate?

– A person who performs a function or activity on behalf of a Covered Entity, whose work involves the use/disclosure of PHI

• Claims processing

• Data analysis

• Billing and coding services

– Note: Business Associates can have subcontractors who, by extension, are its “business associates”

Exceptions -- Who’s Not a Business Associate?

• Healthcare providers when receiving PHI for treatment

• “Conduits”

– Entities that pass on PHI but have no way to access, store or utilize it

– E.g., the US Postal Service

Page 10: Overview of HIPAA and Other Privacy and Security Laws in Health … · 2019. 4. 4. · •Notice of privacy practices •Patient rights •Also …. –Develop policies and procedures

©2017 DAVIS BROWN KOEHN SHORS & ROBERTS P.C.

Business Associate Agreements (BAAs)

• Covered Entity has to obtain “satisfactory assurances” from Business Associate regarding the safeguarding of PHI

– Need a Business Associate Agreement

• Contains several specific provisions regarding data privacy and security

– Note: What if non-BA such as a provider receives your PHI?

• Can get data-use agreements for security and other assurances

Liability of Business Associates

• Business Associates are directly liable for

– Impermissible uses and disclosures

– No breach notification to the Covered Entity

– Failure to provide for certain patient rights (e.g. access to ePHI or accounting)

– Violation of HIPAA security rule

– Breach of BAA

Page 12: Overview of HIPAA and Other Privacy and Security Laws in Health … · 2019. 4. 4. · •Notice of privacy practices •Patient rights •Also …. –Develop policies and procedures

©2017 DAVIS BROWN KOEHN SHORS & ROBERTS P.C.

Monitor Business Associates

• If a Covered Entity knows that a Business Associate’s activity constitutes a material HIPAA breach

– Take reasonable steps to cure the breach or end the violation

– If such steps were unsuccessful, have to terminate the relationship

What Information Is Protected?

• HIPAA governs “protected health information” or “PHI,” which is information that

– Relates to physical or mental condition of individual, provision of care to individual, or payment for health care

– Identifies or reasonably could be used to identify patient

De-Identification

• If common identifiers removed (“de-identification”), HIPAA does not apply

– Remove 18 identifiers and have no reason to believe that the individual could be identified

• Names, geographical info (smaller than state), telephone numbers, birth date

• Dates of service (smaller than year)

• SSN, MRN, account numbers

– Note: Also can use expert determination that certain data set has very low risk
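The safe-harbor approach the slide describes, as an added Python example (not code from the deck or the firm): it strips the identifier categories the slide names, reduces dates to the year, keeps only the state from an address, and then re-scans the result, including free-text fields such as clinical notes, for identifier patterns that survived. Field names, the sample record and the regular expressions are constructed assumptions, and since the slide names only a subset of the 18 identifiers, the example covers only those.

```python
import re
from datetime import date

# Constructed field names: the slide lists identifier categories, not record keys.
# Identifiers the slide says to remove outright.
DIRECT_IDENTIFIERS = {"name", "phone", "ssn", "mrn", "account_number"}
# Date fields reduced to the year (the slide's "smaller than year" rule),
# with the output key they are written to.
DATE_FIELDS = {"birth_date": "birth_year", "date_of_service": "service_year"}
# Geographic detail smaller than a state is dropped; only the state survives.
ADDRESS_FIELD = "address"

# Patterns for identifiers that leak through free-text fields (assumed formats).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "full date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "birth_date": "1960-04-15",
    "address": {"street": "1 Constructed Way", "city": "Des Moines",
                "zip": "50309", "state": "IA"},
    "phone": "515-555-0100",
    "ssn": "123-45-6789",
    "mrn": "MRN-00042",
    "account_number": "ACCT-9001",
    "date_of_service": "2017-09-30",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Patient reports adherence; follow-up 2017-10-14. "
             "Call 515-555-0100 if symptoms worsen.",
}


def year_only(value):
    """Reduce an ISO date string (YYYY-MM-DD) or datetime.date to its year."""
    if isinstance(value, date):
        return value.year
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    if not match:
        raise ValueError(f"unsupported date format: {value!r}")
    return int(match.group(1))


def scrub_free_text(text):
    """Keep only the year of any full date and redact SSN / phone patterns."""
    text = FREE_TEXT_PATTERNS["full date"].sub(lambda m: m.group(0)[:4], text)
    text = FREE_TEXT_PATTERNS["ssn"].sub("[REDACTED]", text)
    text = FREE_TEXT_PATTERNS["phone"].sub("[REDACTED]", text)
    return text


def deidentify(record):
    """Return a new record with the slide's listed identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop the field entirely
        if key in DATE_FIELDS:
            out[DATE_FIELDS[key]] = year_only(value)
        elif key == ADDRESS_FIELD:
            out["state"] = value["state"]  # state is the coarsest geography kept
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Check a record for listed identifier fields or identifier patterns in free text.

    An empty list means no listed identifier was found; it does not replace the
    slide's further test that there is no reason to believe the person is identifiable.
    """
    findings = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in DATE_FIELDS or key == ADDRESS_FIELD:
            findings.append(f"{key}: identifier field still present")
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{key}: {label} pattern in free text")
    return findings


if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after:", cleaned, residual_identifiers(cleaned))
```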

Other “Health Information” Not Covered by HIPAA

• Deceased Patients

– Information of patient who has been dead for fifty (50) years is no longer protected

• This does not mean that a provider has to keep records for 50 years; use record retention policy

• Information maintained in capacity other than as a provider

– Employer / human resources (e.g. return-to-work information)

The Privacy Rule (recap)

• Required and permitted uses and disclosures

• Notice of privacy practices

• Patient rights

• Also ….

– Develop policies and procedures

– Training of workforce

– Appointing Privacy Officer

Required and Permitted Disclosures

• Covered Entity may not use or disclose PHI, except as required or permitted

– HIPAA only requires disclosures in two instances

• To the individual (patient requests access)

• To the Secretary of HHS

– HIPAA permits uses and disclosures of PHI for multiple purposes

A Note on “Minimum Necessary”

• Disclosures generally limited to minimum amount necessary for the intended purpose

– Only use what you need

– Only disclose what the requestor needs

• Several exceptions

– To the individual

– For treatment purposes

Notice of Privacy Practices

• The notice to patients describing how a Covered Entity may use or disclose the patient’s PHI

– In plain English

– The Notice also

• Outlines the Covered Entity’s HIPAA obligations

• Identifies a patient’s rights

• Obtains permission to leave voice mail messages, talk to family members, use PHI for fundraising, etc.

Common Permitted Uses and Disclosures

• To the individual

– Requiring the individual to agree or object

• With authorization

• Treatment, payment and health care operations

• For certain safety or government and public policy reasons

To the Individual

• Patients have right to own protected health information

– Right to access

• May disclose to individual

– E.g., during treatment

– Note: Exception where disclosure may lead to harm of patient or others

Personal Representatives

• “Personal representatives” are treated as the “individual”

– Administrators or executors of a decedent’s estate

– Parents or legal guardians

• Sometimes questions as to who has legal custody (specifically for medical decisions)

• Professional judgment to deny (e.g. with reasonable belief of abuse or neglect)

Family & Friends

• May share PHI with family or friends in certain circumstances

• Capacity to make health care decisions?

– Yes: can share if family / friend is involved in care, unless patient objects

– No: can share if family / friend is involved in care, and if in the patient’s best interests

Facility Directory

• May disclose PHI in facility directory

– Limited to name, location and general condition

– Need to give patient notice (e.g. in Notice of Privacy Practices) and no objection

– Requestor asks patient by name

Patient Authorizes a Disclosure

• Core elements of an authorization:

– Who releases / who receives

– Scope of records (timeframe, type)

– Purpose of disclosure

– Expiration date

– Required statements

• Cannot condition treatment on authorization

• That information may be redisclosed

• That authorization is revocable

– Signature

Treatment

• For your own treatment purpose or for another health care provider’s treatment purposes

– E.g. continuity of care, referral to specialist, internal consult

– For mental health records, but not for psychotherapy notes

Payment

• Facilitate payment of the item/service

– E.g., data to insurance providers, data for payment, contract review, collection actions

Operations

• Administrative functions:

– Peer review, utilization review, statistical analysis and reporting

– Training health care and non-health care professionals

– Legal, consulting or billing assistance

Safety or Government and Public Policy Purposes

• May disclose PHI (without authorization)

– As required by law (reporting injuries, etc.)

– For judicial proceedings

– For law enforcement purposes

– About victims of abuse, neglect or domestic violence

– About decedents (to coroners, med examiners, funeral directors)

Required Reporting to Law Enforcement

• If required by law to report certain information, may disclose PHI containing such information

– Child and adult abuse

– Certain types of wounds and injuries

– Certain deaths in hospitals

– Gross deviations of licensure standards

– Certain threats to mental health providers

Duty to Warn / Protect

• Duty to warn / protect where there is reasonable cause to believe patient is dangerous to self or others

– Threat must be towards a specific identifiable victim

– The threat has to be believable; it should be explicit, not vague

Court Order

• May disclose in response to court or other administrative order

– Order issued by judge or judicial officer

– Including grand jury subpoena

– Note: Non-HIPAA consequences for not disclosing

Subpoena

• May disclose if requestor engaged in effort to notify patient or if requestor sought protective order

– Subpoena = usually signed by an attorney; commands someone to testify or to produce documents

– Note: Often not sufficient under other, more stringent protections

A Note on Workers’ Compensation

• Statutory requirement to provide copies of medical records

– Provide employer / insurance carrier the initial and final clinical assessment to help determine liability for payment

– Provide other records, with allowable cost, $20 for 1-20 pages; $20 plus $1 per page for 21-30 pages; etc.

Serious Threat of Harm

• May disclose PHI if good faith belief that disclosure

– Is necessary to prevent or lessen a serious and imminent threat

– To person able to prevent or lessen the threat, including law enforcement (so not just to law enforcement)

• Includes psychotherapy notes

Other Disclosures to Law Enforcement

• Crime victims

• Decedents

• Identification and Location

• Crime and Premises

Crime Victims

• May disclose information about crime victim if:

– Patient (the crime victim) agrees, or

– Patient unable to consent due to incapacitation or emergency and:

• Police need information to determine if someone other than patient committed a crime

• Immediate need for law enforcement action

• Disclosure is in best interest of the patient

Decedents

• Permitted to disclose PHI about decedent

– For the purpose of alerting law enforcement of the death of the individual

– If there is a suspicion that such death may have resulted from criminal conduct

Identification and Location

• Permitted to disclose to law enforcement certain information to identify or locate a suspect

– Name, date of birth, general condition, social security number, contact data

– NOT test results for substances, genetics, HIV/AIDS, blood tests

Crime on Premises

• Permitted to disclose evidence of criminal conduct if good faith belief that crime occurred on premises

– E.g., patient charges services on a stolen credit card

A Note on Marketing

• Generally need authorization to encourage use of service, unless

– Of service / product by covered entity

– For treatment of patient

– Case management (e.g. recommend other treatment)

• If provider receives money for marketing, then generally need authorization

• More latitude for fundraising, with opt-out in notice of privacy practices

Selling PHI?

• General rule = may not sell PHI to a third party without patient authorization

– Some common sense exceptions, e.g. part of sale of covered entity, for cost of transmittal of PHI (e.g. for disease reporting)

– Note: How then has big data monetized PHI? Not getting patient consent; using de-identified data and data from non-covered entities (e.g. fitbit, certain medical devices)

Special Treatment Under HIPAA – Psychotherapy Notes

• “Psychotherapy notes” only type of record with additional HIPAA protections

– Notes kept separate from a patient’s standard medical file

• Contents of counseling session

• Not medication prescription / monitoring, session times, clinical test results, etc.

– Requires specific consent

– No right of access

Patient’s Right to Access

• Patient has right to review / copy records

– Medical records (e.g., records used to make decisions about individuals)

– Billing records (incl. enrollment, payment, claims, management systems)

• Process

– Some form of verification required

– Accommodate options for access

– Timelines for production (generally 30 days)

– Fees to charge for records

Other Patients’ Rights to PHI?

• Patients have the right to …

– Receive an accounting of disclosures

– Amend incorrect data

– File a complaint

– Request restrictions

– And more …

Privacy of Treatment

• If an individual requests privacy regarding certain treatment and pays for that treatment out-of-pocket …

– Required to respect that request and may not provide that information even to the insurer

The Security Rule

• The Security Rule establishes national standards to protect ePHI

– Requiring appropriate reasonable safeguards to protect ePHI

• Administrative

• Physical

• Technical

– Covered entities and business associates must conduct risk assessments

Administrative Safeguards

• Assign security responsibilities

– Who is the Security Officer?

• Security management processes

– Measures to reduce risks

– Audits and responses?

• Security awareness and training

• Procedures for security incident responses

Physical Safeguards

• Facility access controls

• Workstation use

• Workstation security

• Device and media controls

Technical Safeguards

• Access control

• Audit controls

• Person or entity authentication

• Transmission security

Common Security Problems

• PHI left in high traffic areas

• Staff not aware of surroundings

• Improper destruction policies

• Theft / loss

Common Security Safeguards

• Limit access to computer and records

• Keep password secure and private

• Turn over or remove records from plain sight

• Pick up, remove or shred items and records

• Remind colleagues and co-workers to abide by security procedures and practices if see potential violations

• Report any HIPAA violations

• If transport PHI, keep safe and secure (not visible or accessible to others)

• Minimize the PHI forwarded to any third party

Breach Notification Rule

• Essentially a four-step inquiry as to whether a (potential) impermissible use is a reportable breach

– Was there an impermissible use or disclosure?

– Was the PHI unsecured?

– Was the PHI compromised?

– Does an exception apply?

What is a Breach?

• Breach = impermissible use that compromises the privacy / security of PHI

• Breach presumed, unless there is a low probability of compromise based on a risk assessment of at least these factors:

– Nature and extent of PHI involved

– The unauthorized person(s) involved

– Whether PHI was acquired or viewed

– Extent to which risk has been mitigated

Why Is Encryption So Important?

• “Unsecured” protected health information is information not secured through the use of technology or methodology specified by HHS

– Which renders the information “unusable, unreadable or indecipherable to unauthorized individuals”

• If secured, generally there is low probability that PHI accessed and that breach occurred

The Exceptions – What Is Not a Breach?

• Unintentional use (or acquisition or access) that was done in good faith and is not redisclosed

• Inadvertent disclosure from one authorized person to another and not re-disclosed

• Disclosure to unauthorized person who would not be able to retain such information

Common Examples of Potential Breach

• Disclosing more PHI than authorized

• Laptop / flashdrive containing PHI stolen

• PHI left in garbage, driveway, back of truck, etc.

• Patient chart is missing internally or lost in shipping

• Disabled firewall (technology safeguard)

• PHI in social media

Notification

• To each patient whose unsecured PHI was breached

– “Without unreasonable delay” or no later than 60 days

• To HHS, through annual reporting / log

– BUT, if breach of 500 or more patients, then notify without unreasonable delay

• To Media

– If breach involves 500 or more; same timeframe as with patients

What to Tell the Patient?

• The content and nature of the notification

– Description of the event

– Description of the types of PHI

– Steps individual should take

– A brief description of the steps taken by entity

– Contact information to learn more

The Enforcement Rule

• Enforcement (i.e. penalties and punishment) for any violation of HIPAA, and its Privacy, Security and Notification Rules

– Intentional or inadvertent conduct

Who Enforces?

• Office of Civil Rights (OCR)

– Primary agency, through complaint investigations and compliance reviews

• Department of Justice

– Criminal enforcement

• State Attorney General

– Civil actions on behalf of residents

• No private right of action

– But other privacy laws / torts that can create such liability

Is HIPAA Really Enforced?

• Office of Civil Rights (CY 2016):

– Received more than 21,381 complaints

– Investigates approx. 1% of cases

• 999 cases resulted in corrective action

• 13 settlements with civil monetary penalties

– Also performed 334 compliance reviews

– Enforcement continues to rise

• Approx. 70% increase in complaints since 2013

• Over 100% increase in CMPs

Monetary Penalties

• Tiered penalty for each violation, based upon relative culpability:

– Unknowingly: $100 - $50,000

– Reasonable cause: $1,000 - $50,000

– Willful neglect but with 30 day correction: $10,000 - $50,000

– Willful neglect and no correction: $50,000 per violation

Penalty for Each Violation?

• A separate violation occurs each day the covered entity or BA remains in violation of the provision

– OCR takes into consideration actions taken to mitigate damage and to cure the violation

• Annual maximum for identical violations is $1.5 million

– Note: Health care has highest reported cost per capita in event of a data breach

What’s Being Investigated

• Most complaints are about

– Lack of patient access

– Impermissible use and disclosure

• But enforcement typically also includes

– Lack of safeguards (e.g. no risk assessment)

Consequences for a Violation?

• For the Covered Entity

– Notification & enforcement (civil and criminal penalties)

– Reputational harm

• For the individual

– Employee discipline

– Licensure implications

– Private lawsuits (invasion of privacy, defamation, breach of contract)

Other Privacy / Security Rules

• Must comply with other privacy / security laws that provide greater protection

– E.g. regulations for genetic information, mental health, HIV/AIDS, and substance abuse information

– Licensing regulations

– Ethics standards

– Common law duties (invasion of privacy)

GINA

• HITECH restates that genetic information is a type of health information

– Prohibits health plans (other than long-term care plans) from utilizing such information for underwriting and similar purposes

– Provides little direction on, and raises few issues for, health care providers

Iowa Protections for Mental Health Records

• Iowa law (Iowa Code § 228) also protects “mental health information”

– Need authorization (for most disclosures)

– Need to log disclosures

– May disclose in limited circumstances without an authorization

• Emergencies, court order, civil commitments, administrative disclosures, care coordination

• No re-disclosure

Sharing PHI with Family and Friends in Iowa

• Can a provider share data with family?

– General rule (HIPAA): If the patient does not object

– Mental Health Records (s. 228.8): If necessary, where family has direct involvement in care, and with notification

Substance Abuse Records

• Federal regulation provides more stringent protection than HIPAA

– Records of patient maintained in connection with drug abuse / alcohol treatment

– Applies to specialty clinic or program or provider

• Disclosure very limited

– E.g., with specific authorization, in bona fide medical emergency (to medical personnel), court order

How to Avoid HIPAA and Other Privacy Issues

• Put policies and safeguards in place

– Execute Business Associate Agreements

• Educate and train personnel

• Respond immediately and correct any violation

• Report breaches in a timely manner

Thank you

Craig Sieverding

Davis Brown Law Firm

515-246-7843

[email protected]