HIPAA and Terrorism

• Prepared by CPT Harry Lawson, Esq. of
Houston MRG, Texas Medical Rangers
• Disclaimer: This PowerPoint does not
constitute legal advice
What is HIPAA ?
• Health Insurance Portability and Accountability
Act
• Protects health insurance coverage if you change or lose your job
• Requires national standards for electronic healthcare
transactions
• Establishes national rules about the security and privacy of
health data
Why was it needed?
• No constitutional or other historic right to
privacy for health information
• Concern that electronic technology would
destroy health information privacy
• Standards needed for electronic
healthcare transactions
Who is covered by HIPAA?
• Covered entities: health plans, health care
clearinghouses and health-care providers
conducting transactions electronically.
• Focused today on health care
professionals
Are the Texas Medical Rangers
covered by HIPAA?
• A definite maybe; probably covered
• A public health authority providing
vaccinations is covered like a doctor
• National Guard and volunteer organizations
providing health care services to
individuals trigger coverage of HIPAA,
even during an emergency
HIPAA “Privacy Rule”
– What information is covered?
• Protected Health Information definition
• Individually identifiable data
What does the privacy rule require?
• Notifying patients about their privacy
rights, privacy policies, and how their
Protected Health Information will be used
or disclosed
What does the privacy rule require?
• No disclosure of Protected Health
Information unless an exception applies:
– To facilitate treatment or payment
– As authorized by the patient
– Disclosures required by law
What does the privacy rule require?
• Covered entity must take reasonable steps to
ensure confidentiality by establishing internal
privacy policies.
• Employees trained to understand privacy
policies.
• Establishing safeguards to protect confidentiality
• Account for disclosures of Protected Health
Information
HIPAA “Minimum Necessary”
Standard
• Limit Protected Health Information
disclosed to only the information
necessary
• Limit access to people who need it
HIPAA Minimum Necessary
Standard does not apply to:
• Disclosures by health care provider for
treatment purposes
• Disclosures to the patient
• Disclosures made pursuant to patient’s
authorization
• Disclosures required by law, or a disaster
situation
Patients Rights
• Health care provider must give notice of privacy
practices
– Distinguish from “consent for treatment” and
authorization for release of medical records
– Notice given on first contact
– Notice posted in office
– Good-faith effort required to obtain written
acknowledgment of receipt of privacy practice notice
Patients Rights
– Patient may request copies of health information
– Patient may request correction of inaccurate health
information
– Patient’s right to be notified of disclosure of Protected
Health Information
– Patient’s right to file complaints with the federal
Department of Health and Human Services, Office for
Civil Rights, for HIPAA rule violations.
HIPAA is the minimum required
level of legal privacy protection
• Federal law preempts state law unless
state law provides more protection.
• State and Federal Public Health laws,
child abuse, birth or death records are not
affected by HIPAA.
Incidental disclosure of Protected
Health Information
• Impossible to guarantee no disclosures of
Protected Health Information
• Example: nurses’ station whiteboard; overheard
conversation about patient’s condition
Incidental disclosure of Protected
Health Information
• An “Incidental” use or disclosure is
permitted if:
– Disclosure cannot be reasonably prevented
– Limited in nature, and
– Occurs as a result of another use or
disclosure permitted by the Privacy
Rule
Incidental disclosure of Protected
Health Information
• Secondary disclosure arising from a
disclosure that violates the Privacy Rule is
not a permitted “Incidental” disclosure
– Example: a hospital employee has access
to Protected Health Information, but access is
not necessary to do her job; if someone
overhears that hospital employee discussing a
patient’s condition, that is not a permitted
“Incidental” disclosure.
Administrative, technical, and
physical safeguards to protect
privacy.
– Reasonable safeguards are required
– Extent of safeguards balanced against effect
on patient care and financial and
administrative burden
Administrative, technical, and
physical safeguards to protect
privacy.
• Safeguards include customary practices
– Speaking quietly when discussing patient’s
condition in a public area
– Avoiding use of patient’s name in elevators or
public places
– Physical security for written and electronic
records such as locks, firewalls and
passwords
Disclosures to Parents
• Parents are permitted access to children’s
health information
• Exception: when parent agrees that a
minor and the health-care provider may
have a confidential relationship
• Exception: neglected or abused child
Disclosures to family, friends,
“significant other”
• Disclosure to a family member, relative, close
personal friend, or persons identified by the
patient of medical information relevant to such
persons involved with the patient’s care or
payment related to the patient’s care.
• If patient is present, health-care provider may
disclose medical information if the patient does
not object.
Disclosures to family, friends,
“significant other”
• If patient is incapacitated, it is the health
professional’s judgment call whether to disclose
health information to these people.
• Health-care provider must feel disclosure
is in the best interest of patient
• Hospital or health care provider may
refuse to provide any medical information
to family without patient’s consent, but
HIPAA allows disclosure
Hospital / shelter patient directory
information disclosed to the public
• A hospital or shelter may maintain a public
directory including patient’s name, location in the
facility and condition in general terms and
disclose such information to anyone who asks
for the patient by name.
• Patient must be informed of this practice and
have the opportunity to opt out.
Hospital / shelter patient directory
information disclosed to the public
– If patient is incapacitated, hospital/shelter may
disclose directory information if it has no knowledge
of patient’s objection and feels disclosure is in patient’s
best interest.
– Hospital/shelter is not required to have
directory information disclosure and may
require prior approval by the patient before
allowing listing.
Patient will not sign receipt for the
privacy notice
– The health-care provider cannot refuse to
provide services for this reason only.
– Health-care provider is only required to make
a “good faith” effort to obtain signed
acknowledgment
Can the health-care providers be
sued by a patient?
• The HIPAA law does not give patients the right
to sue. (But lawyers are creative)
• Only recourse for a violation is to file a
complaint with HHS Civil Rights Office
• Possible fines from $100 to $250,000 and
prison terms for violations, but government relies
upon voluntary compliance and no penalties
have been issued for violations.
HIPAA in emergency situations: Hurricane Katrina
• Government issued a bulletin to clarify
HIPAA rules in an emergency
HIPAA in emergency situations: Hurricane Katrina
• Treatment: Health-care providers were
permitted to share health information as
necessary to provide treatment, defined as:
– Sharing information with other health-care providers,
shelters and clinics
– Referring patients for treatment to providers in areas
where patients have relocated
– Coordinating patient care with emergency relief
workers or others helping to find patients appropriate
health care.
Hurricane Katrina
• Notification: Health care providers were permitted to
share patient information to notify family members of
patients’ location, general condition or death
– Verbal permission to be obtained where possible, but if the
patient is incapacitated it is the health-care provider’s judgment call
to disclose, if felt to be in patient’s best interest.
– Sharing health information with a disaster relief organization, like
the American Red Cross, does not require patient’s permission if
obtaining it would interfere with the organization’s ability to respond
to the emergency.
Hurricane Katrina
• Imminent danger.
– Patient’s health information could be shared
with third parties to prevent a serious and
imminent threat to health
Shelter patient directories
• Shelter facilities can tell members of the public who ask
about patients whether they are at the shelter,
their location in the facility and the
patient’s general condition.
• The American Red Cross is not a “covered
entity” subject to HIPAA and has no
restriction from sharing patient information
HIPAA’s special rules in a public
health emergency --Terrorism
• Health information disclosure without patient
consent is obviously necessary in a public health
emergency such as bioterrorism
– Public-health officials, law enforcement, national
security officials, and the health-care establishment
must exchange healthcare information
– Identifiable information for individuals, groups,
families, people within defined geographic boundaries
is required to be disclosed
Terrorism - requires balancing of
society’s need for health data with
the individual’s need for privacy
• Personal privacy rights are still important
in a public health emergency
• Patients may fail to cooperate in public health
programs, criminal investigations, or their own care
if they have privacy concerns.
• Widespread lack of cooperation with government
in a bioterrorism event could be disastrous.
HIPAA disaster situation rules allow
disclosure of health information
during a public health emergency
– For treatment purposes by health-care providers
– To avert serious threats to public health or safety
– For public health purposes such as avoiding epidemics
– To protect national security
– Necessary for law enforcement investigations
– Required by judicial or administrative proceedings
What does the public health
emergency rule allow?
• Some confusion about the application of the
privacy rule could limit the flow of health data
for bioterrorism prevention.
• Example: some health-care providers were
reluctant to release health data associated with
recent flu outbreaks, fearing violations of the
privacy rule and having concerns about record-keeping for
disclosures of health information
What does the public health
emergency rule allow?
• Treatment: After a terrorist attack
medical care will be fragmented and chaotic
under triage conditions. Do health care
providers have to follow the normal privacy
concerns in exchanging information about
their patients?
• No. Information may be exchanged
when necessary for appropriate treatment
What does the public health
emergency rule allow?
• Imminent threat to public health and
safety: Health information may be
disclosed to persons who are able to
abate the threat if the health care
provider believes the disclosure is
necessary to avoid an imminent threat,
such as an unexplained disease outbreak
suspected to be a bioterrorist attack
What does the public health
emergency rule allow?
• Public-health officials: Health-care
providers can disclose health information:
– When required by law, such as statutory
reporting requirements
– When requested by public health authorities
– To individuals who may have been exposed to
infectious disease
What does the public health
emergency rule allow?
• National security
– Disclosure is allowed to intelligence and
national security agencies where a threat to
national security is involved
What does the public health
emergency rule allow?
• Law enforcement:
– Disclosures of health information to law
enforcement officials may be made in
connection with reporting a possible crime, or
to identify a suspect, fugitive or witness
involved in a bioterrorist event
– Useful to report a terrorist who spilled his
anthrax powder prematurely
What does the public health
emergency rule allow?
• Judicial or administrative Proceedings
– Healthcare providers are permitted to
disclose health information in response to a
court order or a subpoena or discovery
request
Conclusion
• To balance the government’s need for
health information in a disaster situation
with the individual’s rights to privacy,
• HIPAA law will have to be understood and
interpreted carefully
• to facilitate response efforts and avoid
information delays
Texas Medical Rangers