HIPAA for Lawyers
Kim C. Stanger
• This is an overview of fairly complex
statutes and regulations.
– No substitute for reading the rules.
• New proposed HIPAA rules are pending.
• In addition to HIPAA, you may be subject
to more restrictive state laws.
– HIPAA establishes floor to patient privacy.
– Must comply with more restrictive state law.
What is HIPAA?
(not HIPPA)
• HIPAA = Health Insurance Portability and
Accountability Act
– Privacy Rules, 45 CFR 164.501 et seq.
• Applies to protected health info (“PHI”)
– Security Rules, 45 CFR 164.301 et seq.
• Applies to electronic PHI
• HITECH Act modified HIPAA
• Covered entities cannot use, access or
disclose protected health info without
patient’s written authorization unless the
use, access or disclosure fits within a
HIPAA exception.
(45 CFR 164.502)
Covered Entities
• Covered entities
– Health care providers
– Health plans, including group health plans if
• 50+ participants, or
• Administered by third party
• Business associates who use PHI to
perform function for covered entity.
– E.g., lawyers who represent covered entities.
Covered Info
• Protected health info (“PHI”)
– Individually identifiable info
– Created or maintained by covered entity
– Concerning an individual’s past, present, or future
health, health care, or payment
– In any form or medium.
• Not:
– “de-identified” info
– Info not created or maintained in covered entity’s role
as a health care provider, e.g., employment records.
HIPAA Penalties
HIPAA Civil Penalties
Did not know and should not have known of violation
• $100 to $50,000 per violation
• Up to $1.5 mil for all identical violations per year
• No penalty if correct within 30 days.
• OCR may waive or reduce penalty if excessive
Violation due to reasonable cause
• $1000 to $50,000 per violation
• Up to $1.5 mil for all identical violations per year
• No penalty if correct within 30 days.
• OCR may waive or reduce penalty if excessive
Willful neglect, but corrected problem w/in 30 days
• $10,000 to $50,000 per violation
• Up to $1.5 mil for all identical violations per year
* OCR must impose penalty
Willful neglect, but did not correct problem w/in 30 days
• At least $50,000 per violation
• Up to $1.5 mil for all identical violations per year
* OCR must impose penalty
Civil Penalties
• In February 2011, Mass General Hospital
agreed to pay $1,000,000 for HIPAA violations.
– Employee left medical records of 162 patients
on subway while commuting to work.
– Inadequate safeguards to protect info.
HIPAA Civil Penalties
• "We hope the healthcare
industry will take a close look
at [this case] and recognize
that OCR is serious about
HIPAA enforcement. It is a
covered entity's responsibility
to protect its patients' health
– OCR Director Georgina
HIPAA Criminal Penalties
• Criminal penalties apply to employees or other
individuals who obtain or disclose protected
health info (“PHI”) without authorization.
Knowingly obtaining PHI in violation of law
• $50,000 fine
• 1 year in prison
Committed under false pretenses
• $100,000 fine
• 5 years in prison
Intent to sell, transfer, or use for commercial gain, personal gain, or malicious harm
• $250,000 fine
• 10 years in prison
(42 USC 1320d-6(a))
Recent HIPAA
• Arkansas physician and two hospital
employees improperly accessed murdered
newscaster’s medical information.
• Convictions:
– Physician: $5000 fine + 1 year probation
– Employee 1: $2,500 fine + 1 year probation
– Employee 2: $1,500 fine + 1 year probation
• Covered entities:
– Must self-report if breach of unsecured PHI to:
• Affected patient or next of kin
• Department of Health and Human Services
• Local media if breach involves > 500
– Must log improper disclosures and provide
accounting if requested by patient.
Additional Reasons to Comply with
• HHS must conduct audits.
• State Attorney General can bring lawsuit for
HIPAA violation.
• Effective 2012, patients receive a percentage of
HIPAA fines.
• Covered entity must impose sanctions against
workforce members who violate HIPAA.
• No private cause of action under HIPAA, but
patients can bring lawsuit under common law
• Professional disciplinary actions.
Properly Obtaining PHI
from Healthcare Provider
or Business Associate
Obtaining PHI
• Ways to properly obtain PHI from healthcare
provider or business associate:
– Patient obtains info and gives it to you
– Written authorization from patient
– Subpoena + satisfactory written assurances
– Subpoena + provider notifies patient
– Court order
– Fit within a different HIPAA exception
• May need to educate health care providers.
1. Get Info from Patient
or Personal Rep
• Patients and personal representatives have right
to access and obtain copies of PHI maintained in
designated record set.
(45 CFR 164.524)
• Personal rep = person with authority to make
health care decisions for patient, e.g.,
Other appropriate relative
(45 CFR 164.502(g); see I.C. 39-4504)
Get Info from Patient
or Personal Rep
• Covered entity must allow access or provide
copies in format in which records maintained.
– Electronic or paper
• Covered entity must respond within 30 days.
– May require written request for the records.
– May charge reasonable cost-based fee, e.g.,
cost of materials, labor and postage, not
(45 CFR 164.524)
Get Info from Patient
or Personal Rep
• Covered entity may deny request if:
– Info outside designated record set.
– Psychotherapy notes
– Info compiled in anticipation of litigation
– Info obtained under promise of confidentiality
and disclosure would identify informant
– Licensed health care provider determines that
access would cause substantial harm.
• Decision subject to review
(45 CFR 164.524)
Civil Penalties
• In February, Cignet Health Center fined
$4,300,000 for HIPAA violations.
– Failed to respond to 41 patients’
requests to access info.
– Failed to cooperate with OCR’s
2. Patient Authorization
• Covered entity may disclose PHI to third parties
per valid authorization.
– Authorization cannot be combined with any other
release or document.
– Must contain required elements.
– Must contain required statements.
• Covered entity not required to disclose the info
per the authorization.
• Covered entity may charge a fee.
– Need not be reasonable.
(See 45 CFR 164.508)
Patient Authorization
• Required elements.
– Describe info to be disclosed.
– Identify persons who may make disclosure
– Identify persons who may receive info
– Describe purpose of disclosure
• “at request of patient” sufficient if patient originates
– Expiration date or event
• E.g., “at conclusion of litigation”
– Date and signature of patient or personal
– Describe authority of personal representative
(45 CFR 164.508)
Patient Authorization
• Required statements.
– Patient may revoke authorization at any time.
– Provider may not condition treatment on
– Info disclosed may be re-disclosed and no
longer protected.
(45 CFR 164.508)
Patient Authorization
• Specify the info desired.
– Oral information, recordings, images, etc.
– Treatment, payment, other.
– Documents created or maintained by health
care entity.
– Time frame.
(45 CFR 164.508)
3. Subpoena Signed by
Attorney or Clerk
• Covered entity cannot disclose PHI pursuant to
subpoena signed by attorney in criminal or civil
proceeding unless:
– Accompanied by written assurances that
• Patient was given notice and there were no
objections or objections overruled, or
• Protective order in place; or
– Covered entity notifies patient of subpoena
and patient fails to take action to protect PHI.
(45 CFR 164.512(e))
• HIPAA does not nullify subpoena, but precludes
disclosure unless conditions satisfied.
Subpoena Signed by
Attorney or Clerk
• Subpoena itself may contain satisfactory
written assurances if:
– Patient is party to proceedings;
– Subpoena accompanied by certificate of
service confirming patient or their attorney
was served and had time to object; and
– Time for objection has passed.
(OCR Frequently Asked Question)
Subpoena Signed by
Attorney or Clerk
• Provider should strictly comply with terms of
– Ensure you subpoena proper entity, e.g., custodian of
records v. employee
– Provider may only disclose info specified in
– Provider may not disclose info prior to time specified
in subpoena.
• Patient may be able to object to subpoena until
time specified in subpoena.
• No informal, prehearing discussions.
Subpoena Signed by
Attorney or Clerk
• HIPAA does not address charges for
records in response to subpoena.
– Most court rules entitle recipient to
• Reasonable mileage and witness fees
• Reasonable cost of copies.
– May want to tender fees with subpoena.
4. Subpoena, Order or Warrant
Signed by Judicial Officer
• Provider may disclose info if subpoena,
order or warrant is signed by a judicial
officer or administrative tribunal.
(45 CFR 164.512(e)(1), (f))
• “Judicial officer” not defined.
– Judge or magistrate
– Not prosecutor or clerk of court
• Remember to specify info sought.
5. Grand Jury Subpoena
• Covered entity may disclose info per grand
jury subpoena.
(45 CFR 164.512(e))
6. Administrative Request
• Covered entity may disclose info per
administrative request or civil investigative
demand upon confirmation that:
– Info sought is relevant and material to law
enforcement inquiry,
– Request is specific and limited to extent
possible, and
– De-identified info is insufficient.
(45 CFR 164.512(f))
7. Hospital May Deliver Records
to Court in Response to Subpoena
• In Idaho, hospital may comply with
subpoena by giving notice and filing
records with court under seal.
– Provider may require payment for records
before filing with court.
• Party issuing subpoena may state that
filing records with court is not sufficient.
(I.C. 9-420)
Other Situations in Which
Providers May Disclose PHI
1. Treatment, Payment or Health
Care Operations
• Providers may disclose PHI for purposes
– Treatment
– Payment
– Health care operations, including litigation
• Patient may request restrictions, but
provider need not agree.
(45 CFR 164.506).
2. Family Members and Others
Involved in Care
• Providers may disclose PHI to family and
others involved in health care or payment
for health care if:
– Patient agrees, or
– Patient does not object and provider believes
it is in best interest of patient.
• Disclosure limited to scope of person’s
(45 CFR 164.510)
3. Facility Directory
• Provider may disclose limited info for
purposes of locating patient if asked for
patient by name:
– Patient’s name
– Location in facility
– General condition
• Patient may restrict disclosure.
(45 CFR 164.510)
4. To Avert Serious Threat
• Covered entity may disclose info to
prevent or lessen serious and imminent
threat to health or safety of person or
– Disclose info to entity able to respond to
(45 CFR 164.512(j))
5. Other Law Requires Disclosure
• Provider may disclose PHI if and to the extent
that another law requires disclosure, e.g., to
– Child or vulnerable adult abuse
– Treatment to victim of crime
– Injury by firearm
– Credible threat by patient against another person
– Certain communicable diseases
(45 CFR 164.512(a))
6. Law Enforcement Purposes
• HIPAA allows providers to disclose info to law
enforcement in limited circumstances.
– Disclosure of limited info to identify or locate a
suspect, fugitive, witness or missing person.
– Disclosures re victim of crime if:
• Victim agrees, or
• If victim is incapacitated or emergency, law
enforcement represents info is not to be used
against victim and cannot wait for info.
– Reporting death involving crime.
– Reporting crime on premises.
– Reporting crime if provider is a victim.
(45 CFR 164.512(f))
7. Prisoner
• Covered entity may disclose info to
correctional institution or law enforcement
having custody of individual if info
necessary for health or safety of the
individual or others.
(45 CFR 164.512(k))
Patient Rights re PHI
Patient Rights
• Request additional restrictions on use or
disclosure of PHI
• Access PHI
• Amend PHI
• Obtain accounting of disclosure of PHI
(45 CFR 164.522-.528)
If You Represent
Health Care
Provider and
Receive PHI…
Business Associates
• Business associates = entities that receive PHI
from covered entity to perform function on behalf
of covered entity, including lawyers.
• Business associates are subject to HIPAA.
– Must not access, use or disclose PHI unless
permitted by HIPAA.
– Must safeguard PHI.
– Must have business associate agreement.
– May be subject to HIPAA penalties if violate HIPAA.
(45 CFR 164.504, -.514)
Contacting Represented or
Employed Providers for Info
Contacting Represented or
Employed Providers
• Cannot contact represented party ex
parte, including persons “whose act or
omission in connection with the matter
may be imputed to the organization for
purposes of civil or criminal liability.”
(Ethical Rule 4.2, Comment 7)
• Prohibits ex parte contacts with employed
providers given HIPAA penalties?
HIPAA Resources
• 45 CFR part 164
• OCR website:
– Summary of regulations
– Frequently asked questions
– Guidance re key aspects of privacy and
security rules
– Sample business associate agreement
Kim Stanger
Hawley Troxell LLP
(208) 388-4843 or (208) 409-7907