GSOP 2014 Annual Meeting
HIPAA, HITECH, and Omnibus Rule: What You Need to Know to Avoid Liability
© 2014 Jonathan P. Tomes, EMR Legal, Veterans Press
Introduction & Overview of HIPAA and the HITECH Act
HIPAA, 1996
Why Have “Administrative Simplification?”
• Standardize the claims processes for efficiency and auditing
• Patient privacy concerns
 People they know will use the information against them
 People they don’t know will use the information against them (ID theft)
 Inaccurate information could result in adverse consequences
The Sensitive Nature of Medical Information
• Medical records contain a vast amount of personal information:
 Demographic information.
 Financial information.
 Medical information.
 Lifestyle information.
Concerns with Automated Records
• Collect more information
• Obtain more sophisticated information
• Broader commercial use of collected information
• Computers make the information more useful
- Do computers really increase the risks of breach of confidentiality?
So, We Have HIPAA!
• Health information: any information, whether oral or recorded, in any form or medium, that is created or received by a health care provider, etc., and related to:
 The past, present, or future physical or mental health or condition of an individual,
 The provision of health care to an individual, or
 The past, present, or future payment for the provision of health care to an individual.
Under HIPAA
• Health care providers who maintain or transmit health information . . . must maintain reasonable and appropriate administrative, technical, and physical safeguards—
 To ensure the integrity and confidentiality of the information.
 To protect against reasonably anticipated—
1. Threats or hazards to the security or integrity of the information.
2. Unauthorized uses or disclosures of the information.
Under HIPAA
• Organizational commitment to privacy and
security.
• Ensure compliance by the organization’s
officers and employees.
Criminal Enforcement of HIPAA
[Slide diagram: HIPAA violation]
HIPAA’s Criminal Penalties
• Knowingly obtains or discloses individually identifiable health information:
 $50,000 fine and imprisonment for one year.
• Same done under false pretenses:
 $100,000 fine and imprisonment for five years.
• With the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm:
 Maximum fine of $250,000 and/or up to 10 years in prison.
Who is liable?
• Employees who obtain or disclose such information without
authorization
• Certain directors, officers, and employees of [covered]
entities may be liable for failing to be HIPAA compliant,
thereby encouraging the perpetrator to commit the HIPAA
crime or, at least, failing to prevent it
• Business Associates: i.e. companies you contract with to
provide services like document shredding, data storage, copy
services, if they do not have adequate security protections
• The HITECH Act extended HIPAA’s criminal liability to
employees and other individuals.
Civil Enforcement of HIPAA: On the Rise
OIG Audits/OCR Complaints
• The HITECH Act requires DHHS to conduct periodic audits of both covered entities and business associates.
• Approximately one-third of providers’ and insurers’ noncompliance problems stemmed from lack of awareness of requirements.
• 47 out of 61 health care providers audited haven’t done a satisfactory security risk analysis, either.
• 77,277 OCR complaints since enforcement began in April 2003.
• Individuals whose PHI was the subject of an OCR enforcement action will get a percentage of any penalties.
Examples
• Massachusetts Eye and Ear Infirmary: $1.5 million for theft of unencrypted
employee laptop
• Affinity Health Plan, Inc.: $1,215,780 for impermissibly disclosing PHI
(returned copiers to a leasing agent without erasing the data on the copier
hard drives.)
• Idaho State University: $400,000 for leaving a server firewall down.
• Cignet Health: $4.3 million for denying patient access and obstructing the
investigation.
• WellPoint, Inc.: $1.7 million for not adequately implementing policies for
authorizing access /for failing to have technical safeguards in place to verify
the person or entity seeking access to electronic protected health information
(“EPHI”) maintained in its application database.
• Shasta Regional Medical Center: $275,000 for improper disclosure of PHI
and failure to sanction workforce members for HIPAA violations.
• MN AG v. Accretive Health, Inc.: $2.5 million (stolen, unencrypted laptop)
Increased Penalties under HITECH
• $1,000 per violation for a violation due to “reasonable cause and not to willful neglect” (max $100,000)
• $10,000 for each violation that was due to willful neglect and is corrected ($250,000 max)
• $50,000 for each violation if the violation is not corrected properly (max $1.5 million per year)
• These changes are immediately effective
Security Rule
Five Categories of Security
Requirements
1. General Rules.
2. Administrative Safeguards.
3. Physical Safeguards.
4. Technical Safeguards.
5. Documentation Requirement.
Each category has a number of standards, and
most standards have a number of
implementation specifications, either required or
addressable.
1. General Provisions
§ 164.306(a)
• Ensure confidentiality, integrity, and availability of electronic PHI (“EPHI”).
• Protect against reasonably anticipated threats or hazards to the security or integrity of EPHI.
• Protect against uses or disclosures not permitted by the Privacy Rule.
• Ensure compliance by the workforce.
• Applies to all EPHI regardless of format.
• Internal and external communications.
Security Considerations
• Size, complexity, and capabilities of your
organization
• Your technical infrastructure, hardware,
and software security capabilities.
• Costs of security measures
• Probability and importance of potential
risks to EPHI.
Standards
• A covered entity must comply with all of
the standards.
• Implementation specifications tell how to
meet the standard.
• A covered entity must comply with all
required implementation specifications.
• Addressable specifications may or may
not require the covered entity to follow
them.
Addressable Specifications
• The covered entity must assess whether each addressable specification is a reasonable and appropriate safeguard in its environment with reference to its likely contribution to protecting EPHI; and
• Implement it if reasonable and appropriate, or, if implementing it is not reasonable or appropriate—
 Document why it would not be reasonable and appropriate to implement it; and
 Implement an equivalent alternative measure if reasonable and appropriate.
2. Administrative Safeguards
§ 164.308
• Security management process.
• Assigned security responsibility.
• Workforce security.
• Information access management.
• Security awareness and training.
• Security incident procedures.
• Contingency plan.
• Evaluation.
• Business associate contracts and other arrangements.
Security Management Process
• Implement policies and procedures to prevent, detect, contain, and correct security violations.
• Implementation specifications:
 Risk analysis (required).
 Risk management (required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
 Sanction policy (required). Apply appropriate sanctions to workforce members who fail to comply with security policies and procedures.
 Information system activity review (required). Implement procedures to regularly review records of system activity, such as audit logs, access reports, and security incident tracking reports.
Assigned Security Responsibility
• Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule.
• No implementation specifications—that is, no particular credentials are required.
Workforce Security
• Implement policies and procedures to ensure that all workforce members have appropriate access to EPHI and to prevent those who do not have access from obtaining access.
• Implementation specifications:
 Authorization and/or supervision (addressable). Implement procedures for the authorization and/or supervision of workforce members who work with EPHI.
 Workforce clearance procedure (addressable). Implement procedures to determine whether access of a workforce member is appropriate.
 Termination procedures (addressable). Implement procedures for terminating access to EPHI upon end of employment or end of need for access.
Information Access Management
• Implement policies and procedures for authorizing access to EPHI.
• Implementation specifications:
 Isolating health care clearinghouse functions (required). If a clearinghouse is a member of a larger organization, it must implement policies and procedures that protect EPHI from unauthorized access by the larger organization.
 Access authorization (addressable). Implement policies and procedures for granting access to EPHI, such as through access to a workstation, transaction, program, process, or other mechanism.
 Access establishment and modification (addressable). Implement policies and procedures based on access authorization policies that establish, document, review, and modify a user’s right of access.
Security Awareness and Training
• Implement a security awareness and training program for all members of the workforce, including management.
• Implementation specifications:
 Security reminders (addressable). Periodic security updates.
 Protection from malicious software (addressable). Procedures for guarding against, detecting, and reporting malicious software.
 Log-in monitoring (addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
 Password management (addressable). Procedures for creating, changing, and safeguarding passwords.
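The information system activity review specification (regularly review audit logs and access reports) and the log-in monitoring specification (monitor log-in attempts and report discrepancies) say what to look for but not how. The script below is an added example, not part of the original presentation, that reviews a small audit log for two of those discrepancies: bursts of failed log-ins for one account, and patient-record views outside business hours. The log line format, the user names, timestamps and patient identifiers are all constructed for the example and do not come from any real system.

```python
"""Added example: review a constructed EPHI audit log for log-in discrepancies
and after-hours record access. Log format and sample lines are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
# Each line: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2014-03-05T08:02:11 user=rlee event=LOGIN_OK src=10.0.1.20
2014-03-05T08:03:40 user=rlee event=RECORD_VIEW patient=P1001
2014-03-05T22:14:07 user=jdoe event=LOGIN_FAIL src=10.0.1.55
2014-03-05T22:14:19 user=jdoe event=LOGIN_FAIL src=10.0.1.55
2014-03-05T22:14:31 user=jdoe event=LOGIN_FAIL src=10.0.1.55
2014-03-05T22:14:44 user=jdoe event=LOGIN_FAIL src=10.0.1.55
2014-03-05T22:15:02 user=jdoe event=LOGIN_OK src=10.0.1.55
2014-03-05T22:16:30 user=jdoe event=RECORD_VIEW patient=P1002
2014-03-05T22:17:05 user=jdoe event=RECORD_VIEW patient=P1003
2014-03-06T09:10:00 user=mkim event=LOGIN_FAIL src=10.0.1.8
2014-03-06T09:10:40 user=mkim event=LOGIN_OK src=10.0.1.8
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return {user: max_failures_in_window} for users with at least
    `threshold` LOGIN_FAIL events inside any sliding window of `window`."""
    fails = defaultdict(list)
    for r in records:
        if r.get("event") == "LOGIN_FAIL":
            fails[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def after_hours_record_views(records, open_hour=7, close_hour=19):
    """Return (user, patient) pairs for RECORD_VIEW events outside
    business hours [open_hour, close_hour)."""
    return [
        (r["user"], r["patient"])
        for r in records
        if r.get("event") == "RECORD_VIEW"
        and not (open_hour <= r["ts"].hour < close_hour)
    ]


def review(text):
    """Run both checks over a log and return the findings for reporting."""
    records = parse_log(text)
    return {
        "login_bursts": failed_login_bursts(records),
        "after_hours": after_hours_record_views(records),
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(finding, detail)
```

On the sample log, `jdoe` is flagged for four failed log-ins within a minute followed by a success and two record views late at night; `mkim`'s single failed attempt is below the threshold and is not reported. The thresholds and the business-hours window are assumptions an organization would set from its own risk analysis.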
Security Incident Reporting
• Implement policies and procedures to address security incidents.
• Implementation specification: Response and reporting (required):
 Identify and respond to suspected or known security incidents.
 Mitigate, to the extent possible, harmful effects of security incidents known to the covered entity.
 Now must notify the subject of the breach of unsecured PHI if your risk analysis demonstrates a risk of harm from the breach—the compliance date was September 24, 2010.
 Document security incidents and their outcomes.
Security Incident: Secured PHI and Risk Assessment
• The DHHS Interim Final Rule specifies encryption and destruction as the only “safe harbor” methods for making PHI secure.
• Must perform a risk assessment and determine and document whether the breach has compromised PHI security or privacy, considering:
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the PHI or to whom the disclosure was made.
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the PHI has been mitigated.
Security Incident: Breach Defined
• The unauthorized acquisition, access, use, or disclosure of PHI that compromises the security, privacy, or integrity of PHI.
• The term does not include any unintentional acquisition, access, use, or disclosure by an employee or agent of the covered entity or business associate if it was done in good faith and within the scope of employment and if it was not further acquired, accessed, used, or disclosed by such employee or agent.
Security Incident Reporting
• Breach involving 500 or more patients:
 Must be immediately reported to DHHS, which will then post the name of the provider on its public website.
 If the patients reside in the same area, must be reported to the local media.
• If fewer than 500 individuals:
 Must report all breaches to the Secretary of Health and Human Services, but the report may be in the form of a log on an annual basis.
 Providers and health plans must comply with state security breach laws “to the extent that they exceed the new security breach notifications provisions of the [HITECH Act].”
• Business associates must report a notice of a breach to the provider, including the identity of the patient(s).
Security Incident: Patient Notice
• First-class mail to the individual or next of kin at the last known address or, if specified by the individual, by email.
• Substitute method if contact information is insufficient.
• A conspicuous posting (if 10+ affected) on the home page of the covered entity or notice in major media in the geographic area where the individuals likely reside.
• If urgency exists because of imminent misuse of PHI, may use telephone or other means of notice.
• Content:
 Description of the information involved
 Description of the investigation, loss mitigation, and future protection
 Contact information for questions or additional information (toll-free number, email address, website, or postal address)
Contingency Plan
• Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain EPHI.
• Implementation specifications:
 Data backup plan (required). Establish and implement procedures to create and maintain retrievable exact copies of EPHI.
 Disaster recovery plan (required). Establish (and implement as needed) procedures to restore any loss of data.
 Emergency mode operation plan (required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of EPHI while operating in emergency mode.
 Testing and revision procedures (addressable). Implement procedures for periodic testing and revision of contingency plans.
 Application and data criticality analysis (addressable). Implement procedures for periodic testing and revision of contingency plans.
Evaluation
• Perform periodic technical and nontechnical evaluations that establish the extent to which an entity’s security policies and procedures meet the Security Rule’s requirements:
 based initially upon the standards implemented under this rule; and
 subsequently in response to environmental or operational changes affecting the security of EPHI.
• No implementation specifications—that is, you determine how often to update your risk analysis.
Business Associates
• A covered entity may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity’s behalf only if it obtains satisfactory assurances that the business associate will appropriately safeguard the information.
• Business associates may also have business associates (subcontractors), which are subject to the same requirements.
• Note that covered entities are not required to get business associate contracts in place with their business associates’ subcontractors.
• Covered entities and business associates are liable for the acts of their business associate agents if they have control over performance of the service.
3. Physical Safeguards
§ 164.310
• Facility access controls.
• Workstation use.
• Workstation security.
• Device and media controls.
Facility Access Controls
• Policies and procedures (P/P) to limit physical access to EPHI systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
• Implementation specifications:
 Contingency operations (addressable). P/P to support restoration of lost data under the disaster recovery/emergency plans.
 Facility security plan (addressable). P/P to safeguard the facility and equipment from unauthorized physical access.
 Access control and validation procedures (addressable). P/P to control and validate a person’s access to facilities based on the person’s role or function, including visitor control.
 Maintenance records (addressable). P/P to document repairs and modifications to the physical components of a facility that are related to security, such as hardware, walls, doors, and locks.
Workstation Use and Security
 Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access EPHI.
 No implementation specifications; i.e., you determine how to do this.
 Implement physical safeguards for all workstations that access EPHI to restrict access to authorized users.
 No implementation specifications; i.e., you determine how to do this.
Device and Media Controls
 Implement policies and procedures that govern
the receipt and removal of hardware and
electronic media that contain EPHI into and out of
a facility and the movement of EPHI within the
facility.
 Implementation specifications:
• Disposal (required). Implement policies and
procedures to address the final disposition of
EPHI and/or the hardware or electronic media
on which it is stored.
• Affinity Health Plan, Inc., settled HIPAA
violations for $1,215,780 (failure to wipe copy
machines).
4. Technical Safeguards
• Access control.
• Audit controls.
• Integrity.
• Person or entity authentication.
• Transmission security.
Access Control
• P/P for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights.
• Implementation specifications:
 Unique user identification (required).
 Emergency access procedure (required). Establish (and implement as necessary) procedures for obtaining necessary EPHI during an emergency.
 Automatic logoff (addressable). P/P that terminate an electronic session after a predetermined time of inactivity.
 Encryption and decryption (addressable). Implement a mechanism to encrypt and decrypt EPHI.
Audit Controls, Integrity, Authentication
• Audit controls: Implement mechanisms that record and examine activity in information systems that contain or use electronic PHI.
• Integrity: P/P to protect EPHI from improper alteration or destruction.
 Implementation specification: Mechanism to authenticate EPHI (addressable). Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.
• Person/entity authentication: P/P to verify that each person or entity seeking access to EPHI is the one claimed.
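One electronic mechanism that corroborates that EPHI has not been altered is a keyed message authentication code stored alongside each record. The following Python is an added example, not from the presentation or any product it mentions: it computes an HMAC-SHA256 tag over a canonical serialization of a record, and verification fails if any field changes or if a different key is used. The record fields, values and the key are constructed for illustration; a real deployment would keep the key in a key store rather than in source code.

```python
"""Added example: HMAC-based integrity tag for an EPHI record.
Key, record fields and values are constructed for illustration only."""
import hashlib
import hmac
import json

# Constructed example key; in practice it comes from a key store, not source.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

TAG_FIELD = "_tag"


def canonical_bytes(record):
    """Serialize deterministically so equal content always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def integrity_tag(record, key=INTEGRITY_KEY):
    """Keyed tag over the record content (the tag field itself is excluded)."""
    body = {k: v for k, v in record.items() if k != TAG_FIELD}
    return hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()


def seal(record, key=INTEGRITY_KEY):
    """Return a copy of the record with its integrity tag attached."""
    sealed = dict(record)
    sealed[TAG_FIELD] = integrity_tag(record, key)
    return sealed


def verify(sealed, key=INTEGRITY_KEY):
    """True only if the stored tag matches the current content under `key`.
    compare_digest avoids leaking where the comparison diverges."""
    stored = sealed.get(TAG_FIELD, "")
    return hmac.compare_digest(integrity_tag(sealed, key), stored)


def demo():
    """Seal a constructed record, then show that tampering is detected."""
    record = {"patient_id": "P1001", "dob": "1970-01-01", "dx": "J45.20"}
    sealed = seal(record)
    intact = verify(sealed)
    tampered = dict(sealed)
    tampered["dx"] = "Z00.00"          # unauthorized alteration
    altered = verify(tampered)
    stripped = {k: v for k, v in sealed.items() if k != TAG_FIELD}
    missing_tag = verify(stripped)     # record with tag removed
    return intact, altered, missing_tag


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A plain hash would also detect accidental corruption, but without a key anyone able to edit the record could recompute the hash; the HMAC ties the check to possession of the key, which is the property the integrity specification is after.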
Transmission Security
• Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.
• Implementation specifications:
 Integrity controls (addressable). Implement security measures to ensure that EPHI is not improperly modified without detection until disposed of.
 Encryption (addressable). Implement a mechanism to encrypt EPHI whenever deemed appropriate.
5. P/P and Documentation Requirements
• Must implement reasonable and appropriate written policies and procedures.
• If changes are needed, document and implement them.
• If an action, activity, or assessment is required by this Rule, maintain a written (may be electronic) record of it.
• Implementation specifications:
 Time limit (required). Retain the documentation for six (6) years from the date of its creation or the date that it was last in effect, whichever is later.
 Availability (required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
 Updates (required). Review documentation periodically and update, as needed, in response to environmental or operational changes affecting the security of EPHI.
Privacy Rule
Privacy Update
• Applies to all PHI, not just EPHI. Applies to covered entities and business associates.
• Don’t use or disclose except as the rule provides!
• Under the modified regulations, covered entities may use protected information:
 With individual authorization (of course) and, without authorization:
 For treatment, payment, and health care operations, or
 For specific public and public policy purposes, or
 When required by law.
HIPAA Gives Specific Rights
• Some of these rights can be more comprehensive than existing state law. These rights include the following:
 Right of access (inspect and copy).
 Right to an accounting of nonroutine disclosures.
 Notice of information practices.
 Right to request restrictions on use and disclosure.
 Right to alternate communications.
 Right to request correction/amendment.
HITECH Changes Regarding
Patient Rights
•
Right to request restriction is now a right to
restrict if the disclosure is to a health plan for
purposes of carrying out payment or health care
operations (not treatment) and the PHI pertains
solely to an item or service for which the
provider has been paid in full.
 Example: Mental health client doesn’t want his PHI to
go to his employer’s self-funded health plan and pays
entire amount himself.
Administrative Requirements
• Covered entities must do the following:
 Have a Privacy Officer.
 Develop a privacy training program.
 Implement safeguards to protect health
information from misuse.
 Establish a complaint system.
 Develop a sanction system.
Privacy Rule Problem Areas
• Right of access.
• Communications with family members.
• Overreaction to perceived potential
breaches.
Do You Provide Patients/Clients
Their Right of Access?
• Probably the right that is most likely to
generate a complaint to DHHS.
• Too many complaints, and . . .
• Failure to provide copies to patients cost
Cignet $4.3 million in fines!
Right to Inspect and Copy PHI
• Notice of Privacy Practices must inform
the individual of this right and the
procedures for exercising this right.
• Covered entity may charge a reasonable
cost-based fee for copies.
Can You Ever Deny Access?
• A covered entity may deny access to an individual if the information was obtained from someone other than a health care provider under a promise of confidentiality and the access would be reasonably likely to reveal the source of the information, or if a licensed health care professional has determined that the access is reasonably likely to endanger the life or physical safety of the individual or another person.
• Denials of access require the covered entity to permit the person to obtain review of the decision to deny access. 45 C.F.R. § 164.524.
Disclosures to Family Members
• May disclose PHI to family members involved in the patient’s care and for notification purposes under § 164.510(b) unless the patient objects.
• Not only family members, but also other relatives or close personal friends.
• May disclose PHI that is directly relevant to that care or payment for that care.
• May also disclose to notify such persons of the patient’s location, condition, or death.
• Emphasize this practice in your Notice of Privacy Practices.
• Under the Omnibus Rule, may communicate with family members after the patient’s death.
Overreaction to Perceived
Potential Breaches
Have you heard?
• You can’t call out patient names in the
waiting room.
• You can’t place a chart in the box outside
the doctor’s office.
• All email containing PHI must be
encrypted.
• Others?
None of These Concerns
Is Necessarily True!
• Rather, you perform a risk analysis to
determine whether a risk of improper
disclosure exists in, for example, calling
out a patient’s name.
• If a risk exists, then what is a reasonable,
cost-effective way to protect against it?
• This question leads to our final topic—
how to perform that risk analysis.
Risk Analysis
• The key to cost-effective compliance.
• And even more important with the final
Security Rule!
• Now essential with the dramatic effects of
the HITECH Act on HIPAA.
• If you haven’t done a formal, written risk
analysis, any breach would result from
willful neglect!
Importance of Risk Analysis
• Besides risk analysis being a required
implementation specification in the Security
Management Process standard, it is how
you decide whether you must implement an
addressable implementation specification.
• § 164.308 requires risk analysis to “reduce
risks and vulnerabilities to a reasonable and
appropriate” level to comply with
§ 164.306(a).
And Don’t Forget the Security
Provisions of the Privacy Rule
• § 164.530(c)(1) of the final privacy
regulations require covered entities to have
reasonable and appropriate administrative,
technical, and physical safeguards to
protect the privacy of PHI.
• You cannot select “appropriate safeguards”
without first having performed a good risk
analysis.
How Do You Perform
Risk Analysis?
• A methodology.
 Assemble a good team.
 Identify assets.
 Determine what risks exist.
 Evaluate the likelihood of the risks
occurring and the harm if they do.
 Select security measures to guard against
those risks.
 Test and revise.
Assemble a Good Team
Consider involving the following individuals:
• Director of information management.
• Director of health information.
• Risk manager.
• Representatives of the medical staff and nursing staff.
• Patient representative.
• General counsel or other lawyer.
• Technical representative.
• Human resources representative.
• Business office personnel.
• Quality assurance.
Identify Assets
• Often a real eye-opener . . .
• Identify information that you must protect.
• Identify components of the system that
the information resides in.
• Identify all system assets, not just
hardware.
• Identify existing security assets.
Identify Risks
• What are the risks to your system and its
assets, including the data residing therein?
• Consider risks in the following areas:
 Threats to patient information.
 In both proper and improper use.
 In both proper and improper disclosure.
 Electronic threats.
 System threats.
 The combined threats of the above.
Consider Potential Threats
• Consider threats in three major areas:
o Threats to the availability of the data.
o Threats to the integrity of the data.
o Threats to the confidentiality of the data.
• Any particular risk that you identify, such
as a virus, may be a threat to one, two, or
all three of the above areas.
Evaluate Each Risk Identified
[Slide diagram: a 2×2 matrix placing each identified risk by probability of occurrence (vertical axis, increasing upward) against risk, i.e. the harm if it occurs (horizontal axis, increasing to the right)]
                        Low Risk                      High Risk
  High Probability      High Probability, Low Risk    High Probability, High Risk
  Low Probability       Low Probability, Low Risk     Low Probability, High Risk
Select Security Measures
• Multiply the number of expected occurrences
by the expected cost of each occurrence to
calculate annual loss expectancy (“ALE”).
• Where the cost is high, select control
measures to protect against the exposure.
• Compare the cost of the control measure(s)
against the ALE to find the true cost.
• ALE may even be a negative number.
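The two slides above give the method in words: place each risk on the probability/risk matrix, compute annual loss expectancy as expected occurrences per year times expected cost per occurrence, and compare the ALE against the cost of the control. The Python below is an added example, not part of the original presentation, that carries that method through on three constructed risks; every occurrence rate, dollar figure and control name is made up for illustration, and the matrix thresholds are assumptions an organization would set for itself. The third risk shows the case the slide mentions where the figure goes negative: the control costs more per year than the loss it prevents.

```python
"""Added example: risk matrix placement and annual loss expectancy (ALE)
versus control cost. All risks, rates and dollar figures are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    occurrences_per_year: float    # expected number of occurrences per year
    cost_per_occurrence: float     # expected cost of one occurrence, in dollars
    control: str                   # candidate control measure
    control_cost_per_year: float   # annual cost of that control
    residual_occurrences: float    # expected occurrences per year with the control


def ale(occurrences_per_year, cost_per_occurrence):
    """Annual loss expectancy, as defined on the slide."""
    return occurrences_per_year * cost_per_occurrence


def quadrant(risk, prob_threshold=1.0, cost_threshold=100_000):
    """Place a risk on the 2x2 matrix. Thresholds are assumed values:
    at least one expected occurrence a year counts as 'High Probability',
    and a per-occurrence cost of $100,000 or more counts as 'High Risk'."""
    prob = "High Probability" if risk.occurrences_per_year >= prob_threshold else "Low Probability"
    harm = "High Risk" if risk.cost_per_occurrence >= cost_threshold else "Low Risk"
    return f"{prob}, {harm}"


def control_net_benefit(risk):
    """ALE avoided by the control minus the control's annual cost.
    A negative result means the control costs more than it is expected to save."""
    before = ale(risk.occurrences_per_year, risk.cost_per_occurrence)
    after = ale(risk.residual_occurrences, risk.cost_per_occurrence)
    return before - after - risk.control_cost_per_year


# Constructed sample risks (illustrative figures only).
SAMPLE_RISKS = [
    Risk("Lost or stolen unencrypted laptop", 0.5, 1_500_000,
         "Full-disk encryption on all laptops", 20_000, 0.05),
    Risk("Malware infection on a workstation", 4.0, 5_000,
         "Managed anti-malware with central reporting", 8_000, 1.0),
    Risk("Flooding of the server room", 0.02, 200_000,
         "Relocate the server room to an upper floor", 50_000, 0.002),
]


def evaluate(risks):
    """Return (name, quadrant, ALE, net benefit of control) per risk,
    sorted so the largest expected annual loss comes first."""
    rows = [
        (r.name,
         quadrant(r),
         round(ale(r.occurrences_per_year, r.cost_per_occurrence), 2),
         round(control_net_benefit(r), 2))
        for r in risks
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, quad, annual_loss, net in evaluate(SAMPLE_RISKS):
        print(f"{name}: {quad}; ALE ${annual_loss:,.0f}; control net benefit ${net:,.0f}")
```

Ranking by ALE rather than by probability alone is what keeps the rare, expensive laptop loss at the top of the list even though malware is far more frequent; the net benefit column then shows which controls are worth their cost under these assumed figures.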
Test and Revise
Remember the Security Rule’s Evaluation
Standard:
Periodic review of security measures to
ensure that they remain reasonable and
appropriate.
What Are Standards?
• The regulations call them by many
different names—policies, procedures,
controls.
• Regardless of what you call them, they
differ from the general overall guidance
expressed in your security policy.
• Rather, standards consist of the detailed
instructions as to how to comply with the
goals of your security policy.
The Requirement to Have Standards
•
The security regulations require plans, policies,
procedures, and controls, such as these:
 Sanction policy (also required by the Privacy Rule).
 Data backup plan.
 Disaster recovery plan and emergency mode
operation plan.
 Facility security plan.
 Testing and revision procedure.
 The privacy rules require other standards, such as
how patients may request correction of inaccurate
information and how the facility will handle the
request.
DHHS Audit Protocols
• The OCR HIPAA Audit program analyzes processes, controls, and policies of covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.
• The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
• The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
• The protocol covers requirements for the Breach Notification Rule.
• For the entire audit protocol, go to “Audit Program Protocol” at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.
Unavoidable Employee Misconduct Defense
• No HIPAA decisions on this defense as yet.
• Other federal compliance areas have, however, recognized the unavoidable employee misconduct defense. It can be a defense to liability under the Occupational Health and Safety Act (“OSHA”). For an organization charged with an OSHA violation to prove the defense of unavoidable employee misconduct, it must show that the organization—
– Established work rules to prevent safety violations.
– Adequately informed employees of the rules.
– Effectively enforced the rules upon discovering a violation.
• These elements of the defense are consistent with our guidance:
– Screen your employees before giving them access.
– Train them and retain training records (adequately inform them).
– Conduct a risk analysis and implement reasonable and appropriate security measures, including policies and procedures (establish work rules).
– Enforce your security measures and policies (effectively enforce the rules).
– Conduct compliance audits (effectively enforce the rules).
Release of Information Policy
• Verify the identity of the requester and the requester’s authority to receive the information. If you cannot verify the authority, deny the request.
• Compare the facts and circumstances of the request to the detailed criteria of the relevant category or categories under § 164.512 of the DHHS privacy regulations (see the relevant appendices to the Release of Information Policy).
Appendix D. Victims of a crime
• [Name of organization] may disclose PHI in
response to a law enforcement official’s
request for such information about an
individual who is suspected to be a victim of
a crime if (1) the individual agrees to the
disclosure or (2) [name of organization] is
unable to obtain the individual’s agreement
because of incapacity or other emergency
circumstance, provided that the following
conditions apply:
Appendix D. Victims of a crime
(cont’d)
• Law enforcement official represents that such information
is needed to determine whether a violation of law by a
person other than the victim has occurred and that such
information is not intended to be used against the victim.
• Law enforcement official represents that immediate law
enforcement activity that depends upon the disclosure
would be materially and adversely affected by waiting
until the individual is able to agree to the disclosure.
• Disclosure is in the best interests of the individual as
determined by [name of organization], in the exercise of
professional judgment.
Release of Information Policy (cont’d)
• If the facts and circumstances do not meet all of the relevant criteria of at least one category under § 164.512 of the privacy regulations, do not release the information. If the facts and circumstances do meet all of the relevant criteria of at least one category under § 164.512, do not release the information until after you have determined whether another state or federal law prohibits or restricts the disclosure.
Good Luck!
For additional information call 855.341.8783 x 311 or [email protected]
Please sign up for my free blog on
www.veteranspress.com
www.emrlegal.com
www.veteranspress.com
www.tomesdvorak.com
HIPAA Compliance Library
Resources & Tools for HIPAA Compliance