HIPAA Patient Privacy Rules
May 2002
Robert M. Portman, J.D.
(202) 639-6880
[email protected]
Jenner & Block
601 13th Street, NW
Washington, DC 20005
HIPAA Patient Privacy Rules
• Overview of the Privacy Rule
• Nuts & Bolts of Patient Protections
• Compliance & Enforcement
• Preemption
• Legal Challenges
Overview: Key Issues
• History, Breadth & Focus
• What information is and is not covered
• Who is subject to rules
• Business Associate (“BA”) rules
• Rules on uses and disclosures of PHI
• “Minimum Necessary Rule” & Verification
• Privacy Notice/Patient Rights
History/Background
• HIPAA ’96—where it all started.
• Required Secretary of HHS to issue rules to
protect privacy of patient health information if
Congress did not act by August 21, 1999.
• Congress did not act. (Quelle surprise!)
• HHS issued final privacy rules—Dec. 2000.
• HHS Guidance Document—July 2001.
• Proposed Modification of Rule—March 2002.
Breadth
• Privacy rule is part of a “suite” of regulations
arising out of HIPAA
– Standards for electronic transactions (final)
– Unique identifiers for employers/providers for use
in electronic transactions (proposed)
– Several rules to be proposed re electronic
transactions involving health plans
– Proposed Security Rule
• Focus here is on Privacy Rule
What is Required of the “Average Provider?”
• For the “average provider,” the Privacy Rule
requires:
– Providing patients information about their privacy
rights and how their PHI may be used.
– Obtaining authorization for certain
uses/disclosures.
– Adopting clear privacy practices and procedures.
– Designating a privacy officer responsible for
adoption/compliance with these practices.
– Training employees so that they understand these
practices.
What Information is Covered?
• All individually identifiable information
that is transmitted or maintained in ANY
form, not just electronic.
• Major change from original proposed
rule.
• Referred to as protected health
information or PHI.
Individually Identifiable Info
• Created or received by a covered entity
or employer;
• Relates to health or condition, provision
of health care, or payment for health
care with respect to an individual; and
• Can identify or can be used to identify
an individual.
• Note broad definition of payment
activities.
Info Not Covered
• Information that cannot be used to
identify an individual is not protected.
• How to de-identify information:
– Hire an expert to determine that
information to be used or disclosed
contains no identifying information.
– Remove all specified identifying
information.
Covered Entities and “Friends”
• Health Care Providers
• Health Plans
• Healthcare Clearinghouses
• Business Associates (indirect)
Health Care Providers
• Providers of medical or health services
that transmit health information in
electronic form, for billing or transferring
funds for payment.
– Physicians
– Hospitals
– Home Health Agencies
Health Plans
• Plans that provide or pay for the cost of
medical care.
– Group health plans
– Health insurance issuers
– HMOs
– Issuers of LTC policies
– Employee welfare benefit plans
Health Care Clearinghouses
• Entities that process health information
from a covered entity.
– Billing services
– Repricing companies
– Community health information systems
– Value-added networks or switches
Business Associates
• Individuals or entities that receive PHI from
covered entities and provide services for or
perform functions on behalf of covered
entities.
• Employees and volunteers, no; independent
contractors, yes.
• May include board members.
• A covered entity may be a business associate
of another covered entity.
Business Associates
• Functions on behalf of a covered entity:
– claims processing
– data analysis
– processing or administration
– utilization review
– quality assurance
– billing
– benefit management
– practice management
– repricing
Business Associates
• Services performed for covered entity:
– legal
– actuarial
– accounting
– consulting
– data aggregation
– management
– administrative
– accreditation
– financial
Business Associate’s Duties
• Must abide by restrictions on PHI in contract.
• Use appropriate safeguards to protect PHI.
• Ensure that agents or subcontractors agree
to same restrictions. (“Chain of Trust”
partners)
• Other requirements
– (e.g., make internal practices, books, and records
relating to use and disclosure of PHI available to
HHS Secretary for purposes of determining
covered entity’s compliance with HIPAA.)
Business Associate Contract
• Can be an addendum to current contract
• Establish required and permitted uses and
disclosures of PHI by BA.
• State that BA may not use or further disclose
PHI in violation of HIPAA rules if done by
covered entity.
• Note: BA may use PHI for internal
management and administration of BA, legal
responsibilities, and data aggregation for
covered entity.
• Model contract provisions provided by HHS
as part of proposed rule modification.
Uses and Disclosures of PHI
• Basic rule: NO USE OR DISCLOSURE
EXCEPT AS PERMITTED OR
REQUIRED BY RULE.
Permitted Uses and Disclosures
• To the individual (without request).
• With authorization or agreement of the
individual.
• Other circumstances specified in rules
where authorization not required (e.g.,
disclosure to business associates).
• Transfer of records upon sale, transfer,
consolidation, or merger.
Required Disclosures
• To the individual when requested per
rule.
• When required by HHS for investigation
or compliance purposes.
Minimum Necessary Rule
• General Rule
– Covered entity must make reasonable
efforts to limit permitted uses and
disclosures of PHI to the minimum
necessary to accomplish the intended
purpose of the use, disclosure, or request.
– Same requirement applies to requests for
PHI from one covered entity to another.
Minimum Necessary Rule
• Minimum necessary usage requires,
among other things, identifying:
– employees with need for access to PHI
– categories/types of PHI needed
– conditions for access
• Must also comply with any applicable
restrictions (e.g., per patient
agreement).
Minimum Necessary Rule
• Okay to rely on requesting party’s
judgment in some cases (if reliance is
reasonable):
– another covered entity
– public officials or agencies
– business associates or workforce member
– researchers acting per IRB/Privacy Board
Minimum Necessary Rule
• Exceptions
– disclosures to or requests by health care
provider for treatment
– uses or disclosures to individuals by law or
authorization
– disclosures to HHS
– uses or disclosures pursuant to law or
compliance requirements
Minimum Necessary Rule
• Modified proposed rule clarifies that
conversations between physicians
about patient do not violate rule even if
they are overheard.
• Modified rule also clarifies that
incidental disclosures generally do not
violate the rule as long as minimum
necessary rule satisfied and other
reasonable safeguards adopted.
Verification Requirement
• Covered entity generally must verify the
identity of a person requesting PHI and
the authority of the requesting party to
have access to the PHI (unless known).
• Requirement met if covered entity
exercises professional judgment and
acts in good faith in making disclosures
under the rule.
The Nuts & Bolts of Patient Protections
• Consent
• Authorization
• Exceptions
• Notice of Privacy Practices
• The Rights of Individuals
Consent
• Final Rule would have required physicians
and other health care providers to obtain
consent from patient for use and disclosure of
PHI for treatment, payment, or health care
operations (TPH).
• Modified rule eliminates consent requirement
and simply requires notice of provider’s
privacy policies and practices be provided to
patient.
• Patients should be asked to acknowledge
receipt of privacy policies and practices.
Authorization
• An authorization generally allows use and
disclosure of PHI for purposes other than
treatment, payment, or health care
operations.
• Covered entities must obtain an authorization
to make uses and disclosures not otherwise
permitted or required under the Privacy Rule.
• An authorization must be written in specific
terms, and may allow use and disclosure of
PHI by the covered entity seeking the
authorization, or by a third party.
Authorization
• Document and retain signed
authorizations.
• Provide patient with copy.
• May not condition treatment, payment,
or enrollment in health plan or eligibility
for benefits on authorization except for
research-related treatment and other
circumstances specified in rule.
Single Authorization Form
• Final Rule required different types of
forms for different types of disclosures.
• Modified Rule requires only one form
regardless of type of disclosure.
Authorization Requirements
• Must be written in plain language.
• A copy must be provided to individual if
provider seeks authorization.
Authorization Requirements
• A description of the information to be
used or disclosed that identifies the PHI
in a specific and meaningful fashion.
• The name of those authorized to
request disclosure of PHI.
• The name of persons to whom provider
may make the requested disclosure.
Authorization Requirements
• A description of each purpose of the
requested use or disclosure. “At the
request of the individual” is sufficient
description of purpose when an
individual initiates the authorization and
does not provide a statement of the
purpose.
• Statement whether provider can
condition treatment on authorization.
Authorization Requirements
• An expiration date or event relating to
individual or purpose of use or
disclosure.
• Signature of individual (or personal
representative) and date.
• Statement re individual’s right to revoke
authorization.
• Statement concerning possibility of
redisclosure.
Authorization for Marketing
• Under proposed modification, covered
entity must obtain authorization from
individual before sending them any
marketing materials or selling patient
lists.
• But covered entities may communicate
freely with patients about treatment
options and other health-related
information, including disease-
No Authorization Required
• With individual’s agreement in limited
circumstances
• Public health activities
• Health oversight programs
• FDA-regulated activities (e.g., adverse
incidents)
• Judicial and administrative hearings
• Certain law enforcement purposes
• Concerning decedents to coroners/funeral
directors
• Research in certain circumstances
Prior Consents/Authorizations
• Covered entity may continue to use or
disclose PHI pursuant to a prior
consent, authorization, or other form of
legal permission with some restrictions.
• But usually will need to obtain new
consent or authorization for data
collected after compliance date, except
for research studies based on
individual’s consent.
Privacy Notice
• HIPAA generally provides individuals the right
to “adequate notice” of:
– the uses and disclosures of PHI that may be made
by the covered entity.
– the individual’s rights and the covered entity’s
legal duties with respect to PHI.
• The Notice describes the covered entity’s
PHI-related privacy practices.
• Specific and detailed requirements for the
Notice are set forth in the Privacy Rule.
Privacy Notice
• Must provide on first date of service
delivery or as soon as reasonably
practicable after an emergency.
• Must make good faith effort to obtain a
written acknowledgement of receipt of
notice from patient or document
reasons why acknowledgement not
obtained—substitute for consent.
Privacy Notice
• Must be prominently displayed at site of
service and/or posted on web site.
• Must be available upon request.
• Must issue new notice when material
changes.
• Must keep copies of all notices and
acknowledgements of receipt.
Rights of Individuals
• To receive privacy notice at time of first
delivery of service.
• To request restrictions on uses and
disclosures of PHI
– Covered entity not required to agree.
– But if it does so agree, it must comply with
restrictions, except for emergencies or other
circumstances specified in rules.
– Must document agreement.
– May terminate with individual’s agreement or
without agreement prospectively only.
Rights of Individuals
• To receive PHI communicated to them
by alternative means and at alternative
locations to protect confidentiality.
• To inspect and obtain copies of their
PHI from covered entity, except for
psychotherapy notes and other
exceptions, subject to procedures in
rules.
Rights of Individuals
• To amend or correct PHI.
• To request an accounting of disclosures in six
years prior to request, not including
disclosures re treatment, payment, and health
care operations, or individuals’ requests for
PHI, except for disclosures pursuant to
written authorization (see proposed
modification).
• Rights apply to individual and personal
representatives.
Parents of Minors
• For the most part, parents have right to
access and control PHI of their minor
children.
• Exceptions to this rule track circumstances in
which state law precludes such parental
access or control (e.g., permitting HIV testing
of minors without parental permission, cases
of abuse, etc.) or where parents have agreed
to give up access and control.
Research
• Proposed modification clarifies that
researchers may combine authorization
with informed consent to participate in
clinical trial.
• Proposal also conforms requirements of
research exception to “Common Rule”
used for federally-funded research.
Compliance & Other Issues
• Compliance & Enforcement
• Preemption
• Legal Challenges
Compliance
• Covered entities must comply by
April 14, 2003.
• One-year extension for BA contract
compliance per proposed modification.
Compliance
• Designate privacy official and contact person;
• Train workforce in policies and procedures
required to safeguard PHI (different
requirements for small and large physician
practices);
• Procedures and safeguards to protect PHI
and limit incidental uses or disclosures of
PHI;
• Institute complaints process; and
• Other requirements set forth in rules.
Compliance: Bus. Assoc.
• Covered entity not responsible for overseeing
BA’s compliance with terms of agreement.
• But, covered entity violates rule if it knew of a
pattern of activity or practice of BA that
breached contract, unless covered entity took
steps to end the violation and/or terminate the
contract, if feasible, or report problem to HHS.
• If BA is also covered entity and it violates its
obligations under the BA Agreement, then it
will be directly liable under HIPAA.
Compliance: Bus. Assoc.
• Contract must have appropriate
termination provisions, including return
or destruction of PHI upon material
breach, if feasible.
• Proposed rule would give covered
entities up to an additional year to
modify their contracts with BAs to
comply with the privacy rule.
Enforcement
• Individual complaints with Secretary
within 180 days of act or omission.
• HHS investigation authority.
• Informal resolution authority.
• Civil Penalties.
• Criminal Penalties.
The Enforcement Provisions:
42 U.S.C. §§ 1320d-5 & 1320d-6
• 42 U.S.C. § 1320d-5 covers civil violations
• 42 U.S.C. § 1320d-6 covers criminal
violations
• These sections are not found in the HHS
Regulations, rather they come from HIPAA
itself.
General Penalty for Failure To Comply With Requirements And Standards:
42 U.S.C. § 1320d-5 (Civil Violations)
• Punishes any violation of regulations
• Maximum penalty of $100 per violation
• Cap of $25,000 per calendar year for each
provision of the regulations that is violated
Wrongful Disclosure of Individually Identifiable Health Information:
42 U.S.C. § 1320d-6(a) (Criminal Violations)
• Violation of federal law
• Violations must be committed
“knowingly”
MENS REA And Use Of The Word “Knowingly”
• A person commits an act “knowingly”
when it is done purposefully; that is, the
act is a product of a conscious design,
intent or plan that it be done. Horne v.
State of Indiana, 445 N.E.2d 976
(1983).
Three Ways To Violate 42 U.S.C. § 1320d-6
• Knowingly and in violation of the regulations
using or causing to be used a unique health
identifier;
• Knowingly and in violation of the regulations
obtaining individually identifiable health
information relating to an individual; and
• Knowingly and in violation of the regulations
disclosing individually identifiable health
information to another person.
Potential Bases For Criminal Liability
• Employee liability for employee’s own
conduct
• Liability of privacy officers
• Corporate liability for acts of employees
• Concurrent liability of employees and
corporation
• Business Associate Liability
Criminal Penalties For Violating § 1320d-6
• Maximum penalties are set forth in
§1320d-6(b).
• Actual sentencing is determined
according to the Federal Sentencing
Guidelines.
Maximum Penalties
(42 U.S.C. § 1320d-6(b)(1))
• Any violation:
– $50,000 fine, one year imprisonment, or
both.
Maximum Penalties
(42 U.S.C. § 1320d-6(b)(2))
• If offense is committed under false
pretenses:
– $100,000 fine, 5 years imprisonment, or
both.
Maximum Penalties
(42 U.S.C. § 1320d-6(b)(3))
• If the offense is committed with the
intent to sell, transfer, or use individually
identifiable health information for
commercial advantage, personal gain,
or malicious harm:
– $500,000 fine, 10 years imprisonment, or
both.
Preemption
• Requirements contrary to federal law
are preempted.
• Exceptions
– more stringent state laws
– others
• Requests for preemption to be resolved
by Secretary of HHS.
Legal Challenges
• South Carolina Medical
Association v. HHS
• Association of American
Physicians v. HHS
©2002 Jenner & Block LLC