Health Information Privacy and Security

Stephen K. Phillips, Hooper, Lundy & Bookman, PC


Scope of Presentation

• Health information exchanges (HIEs) and emerging issues

• New Part 2 substance abuse regulations

• California privacy protections and their relationship with HIPAA and Part 2

• 2017 privacy and security law developments

• Enforcement trends

• AB 1688


Health Information Exchange (HIE) and Privacy Developments

• HIE policy and adoption is driving privacy law change

• Current privacy laws hinder HIE adoption

• New Part 2 regulations designed to accommodate HIEs

• HIE highlights flaws in the federal privacy preemption scheme

• Sensitive data restrictions are a significant barrier to HIEs


How an HIE Operates


Types of HIEs

• HIEs may be either “conduits” or “business associates”

• Conduits never access or maintain data (e.g., postal service, telecom carriers)

• Be suspicious of conduit claims – vendors want to claim conduit status to avoid being a business associate and subject to HIPAA


Conduit HIEs


HIE Functionality Within an Electronic Health Record (EHR)


HIEs v. Patient Portals

• An HIE is not a patient portal and never allows patient access

• A patient portal often connects via an interface to an EHR

• An EHR interfaces with an HIE but an HIE does not interface with a patient portal


EHR with HIE and Patient Portal Interfaces


HIE Documentation


Common HIE Rules


Consent Models: Opt-in v. Opt-out

• Patient consent for most permitted uses and disclosures of patient information through an HIE is not required by HIPAA or California law

• But, most HIEs voluntarily require either opt-in or opt-out patient consent

• Opt-in models require patients to affirmatively consent to having their medical information disclosed through an HIE

• Opt-out models require patients to affirmatively request that their medical information not be disclosed

• Opt-in models typically depress patient participation in an HIE and are therefore less common than opt-out models


HIPAA and Part 2 Preemption Scheme


Sensitive Data

• Except for psychotherapy notes and genetic information, HIPAA treats all protected health information in the same way.

• State and other federal laws often provide special protection to certain types of sensitive health information. If these protections provide greater privacy rights to patients than HIPAA, they apply.


Sensitive Data and Consent

• Few EHRs and few HIEs have the capability of flagging or filtering sensitive data

• Opt-in/opt-out needed to address sensitive data consent requirements


Privacy Map


Part 2 Applicability – Broader than you think


New Part 2 Regulations


2017 Final Rule – Part 2

• Disclosure – revised definition

• Medical emergencies – revised definition

• Substance abuse disorder (SUD) – new definition

• Patient – revised definition

• Records – new requirement

• Research – consent rules eased

• Audits – ACO audits accommodated

• Security – security requirements added

• Consent – consent rules eased


2018 Part 2 Final Rules

• Disclosures for payment and health care operations – permitted without consent

• Re-disclosure notice – notice requirement abbreviated

• Audit disclosures


Comparison Chart – HIPAA and Part 2

Disclosures for Payment and Health Care Operations Activities

42 CFR Part 2 (Updated Final Rule):

• Consent required for disclosures for payment and health care operations.

• Can be further disclosed to contractors, subcontractors, or legal representatives for payment and health care operations activities without additional consent. Contracts must comply with Part 2 requirements.

• Case management and care coordination are not health care operations activities.

HIPAA:

• Permits the disclosure of PHI without patient authorization for the purposes of payment and health care operations, subject to the minimum necessary rule.

• Case management and care coordination are considered to be health care operations.

• Patients have the right to request restrictions on how a provider will use and disclose PHI for payment and health care operations. A provider is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees.


Comparison Chart – HIPAA and Part 2


Disclosures for Diagnosis, Treatment or Referral Activities

42 CFR Part 2 (Updated Final Rule):

• Patient consent is still required for disclosure for purposes of diagnosis, treatment, or referral for treatment (including care coordination and case management).

• Consent process differentiates between those with a “treating provider relationship” and other entities.

• In order for information to be shared for treatment purposes through an HIE using a general designation, the consent must specify the following in the “to whom” field:

  1. The name of the HIE,

  2. A general designation of a class of participants with a treating provider relationship with the patient (e.g., “my current and future treating providers”), and

  3. A statement of the patient’s right to a List of Disclosures from the HIE.

HIPAA:

• Permits the disclosure of PHI without patient authorization for the purpose of treatment.

• A treating provider relationship is not required for disclosures for purposes of treatment.

• A provider is not required to agree to an individual’s request for a restriction on disclosures for treatment purposes, but is bound by any restrictions to which it agrees.


Comparison Chart – HIPAA and Part 2


Prohibition on Re-disclosure

42 CFR Part 2 (Updated Final Rule):

• Part 2 requires any disclosure of SUD records made with the patient’s written consent to include a prohibition on re-disclosure. Each disclosure made with the patient’s written consent must now be accompanied by either one of the following written statements:

• Instead of the full disclosure (over 900 characters), providers can use the following abbreviated notice, which is more compatible with EHR free-text limitations: “42 CFR part 2 prohibits unauthorized disclosure of these records.”

HIPAA:

• HIPAA does not prohibit re-disclosure.

• A valid authorization to disclose PHI must include a statement that information used or disclosed pursuant to an authorization may be subject to re-disclosure by the recipient and no longer protected by the rule.


California SUD Laws

• Like Part 2, but apply to all SUD treatment programs, not just those that are federally or state funded


Psych Notes

• HIPAA

  • Separate from medical record

  • Exclude medication Rx/monitoring, lab tests, summary of diagnosis, functional status, treatment plan, symptoms, prognosis or progress

• CA

  • Covers medical info relating to patient in outpatient psychotherapy services but allows CMIA-permissible disclosures if requester signs special use document


LPS Data

• LPS Act covers (i) State-funded mental health and (ii) State-funded developmental disability services


SB 241 – LPS Amendment

• LPS Act provides that information and records obtained in the course of providing mental health and developmental services are confidential, but allows disclosure of communications under specified circumstances.

• Effective Jan. 1, 2018, SB 241 allows disclosure to a business associate or for health care operations purposes, as long as the disclosure complies with HIPAA.


CMS on Texting


CMS Guidance on Texting

• Texting patient information among members of a hospital's or CAH's health care team is OK if done through a secure platform.

• Texting of patient orders is prohibited regardless of the platform utilized. “The practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs).”

• Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.


FDA Common Rules Changes

• Single IRB

• Independent IRBs

• Broad consent

• No secondary use waiver

• Biospecimens


Enforcement Trends

• Office for Civil Rights (OCR) Audit Program

• Key OCR settlements

• California enforcement reforms


OCR Audit Program

• OCR conducts two types of HIPAA audits: on-site and desk.

• Phase 1 HIPAA Audit Program, begun in 2012, included on-site audits by auditors who interviewed key personnel and observed processes and operations to determine compliance with the HIPAA Privacy and Security Rules.

• The Phase 2 HIPAA audit program, now underway, consists of desk audits.


Late Breach Notifications

• OCR - first settlement agreement for failure to file timely breach notification

• Notice provided to patients after 104 days, to media after 106 days and to OCR after 101 days

• $475,000 fine plus a corrective action plan required

• Delay due to internal miscommunications


Absence of BAA

• A provider paid $31,000 and entered into a corrective action plan with OCR after it could not produce a business associate agreement with a vendor that provided record storage services.

• The header on OCR's website for this particular settlement, "No Business Associate Agreement? $31K Mistake," underscores that OCR takes such noncompliance seriously.

• Sends the message that OCR will scrutinize business associate relationships as a critical part of privacy and security compliance.


California Enforcement Trends

• On January 5, 2018, CDPH issued 42 medical information breach administrative penalties to various health care facilities.

• The recently issued penalties incorporated new procedures for determining medical breach penalty amounts.

• In the past, CDPH assessed penalties at the statutory maximum. The new procedures now consider the factors stated in HSC 1280.15(a).

• To be codified in new regulations

California Enforcement Trends

• By mid-2018 enforcement centralized in new breach investigation unit (Medical Breach Enforcement Section)

• Should lead to faster and more consistent enforcement

• Emphasis on individual penalties


Appeal Backlog Continues

• Immediate surrender = 25% fine reduction by statute

• Appeals take several years and often lead to a 50% reduction in fines


Tips from CA Enforcement

• Consistently and frequently communicate policies

• Emphasize the unacceptability of snooping

• Emphasize caution in oral communications in front of others

• Encrypt portable devices

• Have good data backup and restoration systems to address ransomware attacks


AB 1688

• Effective Jan. 1, 2018, Medi-Cal providers must maintain records for 10 years, up from 7

• Hospitals should review MA and Part D plan contracts to ensure compliance with contract requirements, and should expect amendments to those plans to address AB 1688


Questions?


Thank you

Stephen K. Phillips, Hooper, Lundy & Bookman, PC

[email protected]