Privacy in the Real World
Stephen A. Serfass
[email protected]

- Introduction
- Legal Landscape
- Key HIPAA Terminology
- Real World Case Studies

Legal Landscape
Legal Overview: Federal Law

HIPAA (amended by HITECH)
- Governs covered entities’ use/disclosure of “Protected Health Information” (PHI)
- Financial consequences are significant for violations
- Establishes breach notification obligation
- No private right of action, but may be used to inform standard of care (e.g., state law cause of action for negligence claim). Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 2014 WL 5507439 (Ct. Nov. 11, 2014)
Legal Overview: Federal Law (cont.)

Breach victims have had success holding employers accountable for HIPAA violations by employees
- Pharmacist exposed information of a woman (suspected of having an STD) to her now-husband
- Claims of negligence/professional malpractice that attach through respondeat superior liability
- Indiana Court of Appeals upheld $1.4 Million verdict against Walgreens (employer). See Walgreens v. Hinchy, No. 49A021311-CT-950 (Ind. Ct. App. Nov. 14, 2014)
Legal Overview: Federal Law (cont.)

Gramm-Leach-Bliley
- Governs Nonpublic Personal Information (NPI) held by financial institutions
- No private right of action
- Enforced by state insurance regulators; if a similar state statute exists, state law supersedes GLB
Legal Overview: Federal Law (cont.)

Other Federal private party claims arise under the Electronic Communications Privacy Act; Stored Communications Act; Video Privacy Protection Act; Driver’s Privacy Protection Act; and Family Educational Rights and Privacy Act
Legal Overview: State Law

Breach Notification Statutes
- 47 states require prompt notification (as fast as 15 days)
  • 28 states – report to government & media if substantial impact (>500 people)
  • Some states set thresholds for the notice requirement (e.g., reasonable basis to believe breach will result in harm)
Legal Overview: State Law (cont.)

Breach Notification Statutes
- Apply to data in paper format (at least 3 states)
- Some states (36) establish penalties and some (11) establish private rights of action
- Statutes typically define: data breach, types of protected information, type of notice required
Legal Overview: State Law (cont.)

State Insurance Privacy Laws
- Some go beyond breach notification – require implementation of active security measures to prevent data breaches (AR, CA, MD, MA, RI, OR, TX, UT)
- Unfair and Deceptive Trade Practices Acts – variation on Consumer Protection Act; enforced by attorney general
HIPAA/HITECH

Health Insurance Portability and Accountability Act (“HIPAA”), enacted 1996
- Title I protects health insurance coverage for workers and their families when they change or lose their jobs
- Title II, also known as the Administrative Simplification provisions, established standards for the privacy and security of health information; later codified in the Privacy Rule and the Security Rule
What is HITECH?

The Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted as part of the American Recovery and Reinvestment Act of 2009
- HITECH updated and extended the Privacy Rule and Security Rule
- Created a tiered civil penalty structure for non-compliance
Why HIPAA Matters

HIPAA is enforceable by Federal and State authorities
- The Federal Government: the Department of Health and Human Services’ Office for Civil Rights
- Each state’s Attorney General
- There is no private right of action by individuals
Why HIPAA Matters

HIPAA contains both Civil and Criminal Penalties for non-compliance
- Civil penalties range from $100 to $50,000 per violation
- Criminal penalties: individuals, Covered Entities or Business Associates who “knowingly” obtain or disclose PHI in violation of the Privacy Rule
- Criminal penalties can include fines and prison time
Recent OCR Enforcement Actions
- New York Presbyterian/Columbia University Hospital: 4.8M – May 2014
- Concentra: 1.7M – April 2014
- Affinity Health Plan: 1.2M – August 2013
- WellPoint: 1.7M – July 2013
Who is Covered by HIPAA?

HIPAA applies to “Covered Entities” and their “Business Associates”
Covered Entities include health plans, health care clearinghouses, and health care providers
- “Health Plan” includes issuers of health insurance and long-term care insurance
- “Health Plan” sweeps within its scope issuers of certain combination products (life/LTCi, for example)
45 CFR § 160.103.
Who is Covered by HIPAA?

A Covered Entity can designate itself a “hybrid” entity and govern only part of its operations under HIPAA – those aspects that include the “health plan”
45 CFR § 160.103.
Who is Covered by HIPAA?

A “Business Associate” performs functions or activities that use/disclose Protected Health Information on behalf of a Covered Entity
Every Business Associate must enter into a HIPAA-compliant Business Associate Agreement with the entity it is serving (Covered Entity or “upstream Business Associate”)
Business Associates now also are regulated directly by HIPAA
45 CFR § 164.104(a),(b).
What is Protected Health Information?

Protected Health Information, or “PHI”, refers to individually identifiable health information which can be linked to a particular person
Electronic PHI or “EPHI” is PHI stored electronically (as opposed to on paper)
PHI includes spoken information
45 CFR § 160.103 (Protected Health Information).
What is Protected Health Information?

If the info is “individually identifiable,” that information is PHI if it relates to:
- The individual’s past, present or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
45 CFR § 160.103 (Health Information).
What is Protected Health Information?

Common Mistake: “PHI is just the medical records we get from doctors about our insureds”
Reality: The fact that an individual has an insurance policy at all is PHI because this fact relates to the past, present, or future payment of health care
What is Protected Health Information?

Examples of PHI:
- List of policyholders’ names and enrollment status
- Underwriter’s notes assessing the medical history of an applicant
- An EOB and check issued to a policyholder
- A premium bill
Uses and Disclosures Under HIPAA

When can a Covered Entity or Business Associate use or disclose PHI?
- For purposes of “treatment, payment and health care operations”
- Pursuant to a valid Authorization
- Other narrow purposes where no Authorization is required
- To the individual or their designated representative, regarding their PHI
45 CFR § 164.502(a).
Uses and Disclosures Under HIPAA

Common Mistake: “HIPAA only covers me disclosing information improperly to third parties”
Reality: HIPAA does limit disclosures of PHI, but it also limits use
Uses and Disclosures Under HIPAA

Common Examples of Use Violating HIPAA:
- Looking up the PHI about individuals, in company systems, without a permissible business purpose
- Using PHI in a manner other than what is authorized (e.g., an “intended purpose” authorization specific to underwriting does not allow that PHI to be used for marketing)
Minimum Necessary Rule

HIPAA also requires that only the minimum necessary PHI required to accomplish the task be used or disclosed
Before looking at information, ask yourself: “Do I need to know this information to do my job?”
Before disclosing information, ask yourself: “Does this person need the information to do his work?”
45 CFR § 164.502(b).
Real World Examples
Claims Scenarios: Part I – Third-Party Involvement

Captive Agent calls on behalf of insured to facilitate filing a claim for insured who has dementia:
- No known power of attorney; third-party designee deceased
- Agent wants to be present during on-site Functional Assessment and wants to do the legwork for obtaining medical records and act as primary contact for insured going forward

How much information should the claims administration team divulge? To what extent may this agent be involved in the process?
Business Associate Agreements

Establish the permitted and required uses and disclosures of PHI by the business associate
Must provide:
- That the BA will use appropriate safeguards to prevent the use and disclosure of PHI other than as provided for by the BAA
- That any subcontractors, “downstream business associates,” agree to the same restrictions / conditions
- That the BA will comply with the requirements that apply to covered entities in the performance of any assumed obligations of the covered entity
45 CFR § 164.504(e) (BAA requirements).
The Security Rule and Appropriate Safeguards

The Covered Entity or Business Associate must:
- Reasonably safeguard PHI from incidental uses or disclosures made pursuant to an otherwise permitted use or disclosure
- Assure that data and systems are protected from misuse, unauthorized access, damage, alteration or disclosure
- Have in place appropriate administrative, technical and physical safeguards to protect the confidentiality, availability and integrity of PHI
- Reasonably safeguard PHI from use/disclosure in violation of the Privacy Rule
45 CFR § 164.530(c)(1) (safeguards).
Claims Scenarios: Part I – Third-Party Involvement

Captive Agent calls on behalf of insured to facilitate filing a claim for insured who has dementia:
- No known power of attorney; third-party designee deceased
- Agent wants to be present during on-site Functional Assessment and wants to do the legwork for obtaining medical records and act as primary contact for insured going forward
Uses and Disclosures Under HIPAA

When can a Covered Entity or Business Associate use or disclose PHI?
- For purposes of “treatment, payment and health care operations”
- Pursuant to a valid Authorization
- Other narrow purposes where no Authorization is required
- To the individual or their designated representative, regarding their PHI
45 CFR § 164.502(a).
Uses and Disclosures Under HIPAA

Health care operations:
- Definition is broad
  • Underwriting, enrollment, premium rating and other activities related to creation, renewal, or replacement
  • Conducting or arranging for medical review, legal services, and auditing functions
  • Business management and general admin. activities
- Does not include sales/marketing
45 CFR § 164.501.
Claims Scenarios: Part I – Third-Party Involvement

Same scenario as before, however now the daughter calls on behalf of her mother to facilitate filing a claim:
- Daughter is not the power of attorney
- Daughter is the only sibling of three available to act as intermediary and provide information

How much information should the claims administration team divulge? To what extent may the daughter be involved in the process?
Uses and Disclosures for Third-Party Involvement

A covered entity may “disclose to a family member, other relative, close personal friend, or any other person identified by the individual . . . PHI that is directly relevant to such person’s involvement with the individual's health care, or payment related to the same”
45 CFR § 164.510(b)(1)(i).
Uses and Disclosures for Third-Party Involvement

If the individual is present and has capacity:
- Must obtain (1) agreement, (2) opportunity to object, or (3) reasonably infer from the circumstances the lack of objection
If the individual lacks capacity:
- Only if the covered entity determines that disclosure is in the best interests of the individual (professional judgment)
45 CFR § 164.510(b)(2),(3).
Claims Scenarios: Part I – Third-Party Involvement

Same scenario as above except now it is the insured’s neighbor:
- Neighbor is not the power of attorney
- No known power of attorney or immediate family member

How much information does the claims administration team divulge? To what extent may the neighbor be involved in the process?
Claims Scenarios: Part II – Claim Status Updates

Insured is considering Home Care services
- Home care provider would like to provide a Plan of Care within the insured’s benefit limits
- Provider calls to obtain coverage information

How much information does the claims administration team divulge? To what extent may the care provider be involved in the process?
Treatment, payment, or health care operations

“A covered entity may use or disclose [PHI] for its own treatment, payment, or health care operations”
“A covered entity may disclose [PHI] to another covered entity or a health care provider for the payment activities of the entity that receives the information”
“A covered entity may disclose [PHI] for treatment activities of a health care provider”
45 CFR § 164.506(c)(1)-(3).
Underwriting Scenarios: HIPAA Authorizations

Broker submits generic HIPAA form to underwriter requesting the release of client’s PHI from a list of companies
Underwriter has the following concerns:
- Is the form HIPAA compliant?
- Under HIPAA, does it matter that the form is generic, rather than specific to each company?
Underwriting Scenarios: HIPAA Authorizations

Core elements of a valid authorization:
- Meaningful description of the information to be used
- Name of “person(s), or class of persons” authorized
- Name of “person(s), or class of persons” to whom the covered entity may disclose
- General description of each purpose
- Expiration date or expiration event that relates to purpose
- Signature and date
45 CFR § 164.508(c)(1).
Underwriting Scenarios: HIPAA Authorizations

Required statements of a valid authorization:
- A warning of the possibility of disclosure by recipient
- A statement of the right to revoke authorization
- An explanation of the inability (or, in limited cases, the ability) to condition treatment, payment, enrollment or eligibility for benefits on the authorization
45 CFR § 164.508(c)(2).
Underwriting Scenarios: Adverse Underwriting Decision

Underwriter declines based on information found in the medical records—but condition was not previously disclosed to producer
How much information should the underwriter disclose to the producer?
Minimum Necessary Rule

HIPAA also requires that only the minimum necessary PHI required to accomplish the task be used or disclosed
Before looking at information, ask yourself: “Do I need to know this information to do my job?”
Before disclosing information, ask yourself: “Does this person need the information to do his work?”
45 CFR § 164.502(b).
Underwriting Scenarios: Privacy Notice and Right to PHI

55 year old attorney (female) applying with husband:
- Admits on her application to high blood pressure only
- Medical records, prescription profile, MIB reflect HBP only
- In husband’s medical records, documentation exists that wife drinks alcohol daily (almost 1 bottle of wine per night)
- Underwriter declines wife’s application based on information in husband’s medical record
- Wife submits request for reason and a copy of her file
Requests for Access and Timely Action

Under HIPAA, “a covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set”
45 CFR § 164.524(b)(1).

The covered entity must respond within 30 days or request an extension for up to 30 additional days, in limited circumstances
And a covered entity is required to document and retain “the designated record sets that are subject to access by individuals”
45 CFR § 164.524(a)(2), (e)(1).
Designated record set:
“(1) A group of records maintained by or for a covered entity that is: . . .
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals”
45 CFR § 164.501.
Underwriting Scenarios: Use of Public Information

- Underwriter is concerned because billing address and current residence do not match
- Underwriter googles name and discovers client is in a rehabilitation house for alcohol abusers
- Underwriter takes adverse action and declines coverage

Any issue using internet searches without authorization?
Uses and Disclosures Under HIPAA

When can a Covered Entity or Business Associate use or disclose PHI?
- For purposes of “treatment, payment and health care operations”
- Pursuant to a valid Authorization
- Other narrow purposes where no Authorization is required
- To the individual or their designated representative, regarding their PHI
45 CFR § 164.502(a).
Uses and Disclosures Under HIPAA

Health care operations:
- Definition is broad
  • Underwriting, enrollment, premium rating and other activities related to creation, renewal, or replacement
  • Conducting or arranging for medical review, legal services, and auditing functions
  • Business management and general admin. activities
- Does not include sales/marketing
45 CFR § 164.501.
Underwriting Scenarios: Prequalification

Agent sends the underwriter an e-mail requesting a prequalifying “yes”/“no” and discloses client’s name and health history
- No HIPAA authorization form received
- BAA agreement in place with agent

Is it a problem to provide the agent with a response like, “based on the information, client looks Preferred”?
- Is this a permitted use?
Questions?

Thank You
Stephen A. Serfass
[email protected]