HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 1996

Page 1: HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 1996

Page 2: WHEN HIPAA WAS PASSED – WHAT DID IT DO?

Page 3: WHO DOES HIPAA AFFECT? – COVERED ENTITIES

A Covered Entity is:

• A Health Plan

• A Health Care Provider (who uses electronic transactions)

• A Clearinghouse

See 42 USC 1320d – 1320d-9 for privacy-related statutes; 45 CFR Parts 160 and 164.

Page 4: WHAT IS PROTECTED HEALTH INFORMATION (PHI)?

• Comes from a health care provider or health plan

• Identifies an individual or could be used to identify an individual

• Describes the health care, condition, or payments of an individual

Page 5: PHI – CONT.

• Describes the demographics of an individual, including such things as name, address, date of birth, telephone number, social security number, medical record number, or any other unique identifying characteristic

• Excludes FERPA-protected information, employer-held information, and records regarding a person who has been dead for more than 50 years

45 CFR 160.103

Page 6: HIPAA BUSINESS STRUCTURES

• Covered Entities

• Hybrid Entities

• Business Associates

Page 7: HYBRID ENTITIES

AZ government took a unique approach and declared itself a Hybrid Entity. It looked at each agency’s business operations and determined which components would be HIPAA covered. DHS, AHCCCS, ADOA, DES, DCS, and the Universities all have HIPAA covered components.

Many other states started at the agency level only; by contrast, AZ has a state privacy officer at ADOA.

Page 8: BUSINESS ASSOCIATE

A Business Associate (BA) is an agent or contractor that provides a service on behalf of the covered entity and comes into contact with PHI. 45 CFR 160.103

A Business Associate Agreement (BAA) should be executed prior to the services taking place.

The AG’s Office is a BA to DHS, DES, and DCS. AGO Business and Finance is the keeper of these agreements.

AGO or state contractors who see/hold an AZ HIPAA covered client’s PHI are also Business Associates. This may include experts, consultants, law firms, and court reporters.

Page 9: PORTABILITY OF PHI

Transactions/sharing of PHI between Covered Entities and Business Associates for the purposes of Treatment, Payment, and Health Care Operations (TPO) are allowable without an individual’s authorization. 45 CFR 164.502(a), -506, and -508(a)(2)

Page 10: PUBLIC HEALTH AUTHORITIES

Disclosures to a Public Health Authority are allowable.

A Public Health Authority is an entity that is responsible for public health matters as part of its official mandate:

• Preventing or controlling disease, injury, and disability

• Vital events like deaths and births

The AZ Department of Health Services is the primary state Public Health Authority in Arizona.

Other Public Health Authorities are agencies that perform activities authorized by law, including audits, inspections, licensure, and civil, administrative, and criminal investigations:

• State and local health departments

• FDA

• Centers for Disease Control and Prevention

• Agencies authorized to take reports of child/adult abuse or neglect

45 CFR 164.501 and -512(b) and (c)

Page 11: HEALTH OVERSIGHT AGENCIES

A Health Oversight Agency is one that performs activities authorized by law, including audits, investigations, inspections, licensure, and civil, administrative, and criminal investigations/prosecutions. 45 CFR 164.501 and -512(d)

The goals of these public agencies include:

• Preventing fraud

• Ensuring non-discrimination

• Improving quality of care

• Monitoring safety

• Ensuring compliance with legal requirements

Examples of agencies that fall in this category are:

• Medicaid Fraud Units

• US DOJ

• State Insurance Commissioners

• Professional Licensing Boards

• OSHA

• US DHHS Office for Civil Rights

• EPA

• FDA

Page 12: RELEASE OF PHI TO LAW ENFORCEMENT

• With an authorization

• With a subpoena, court order, or summons

• When the PHI pertains to specific injuries such as a gunshot wound, powder burn, or knife wound (where state law requires the report, this is a “required by law” disclosure)

• In an attempt to minimize imminent danger (avert a serious threat)

• Necessary to locate a suspect, fugitive, material witness, or missing person, and the disclosure will avoid or minimize an imminent danger

• The information is related to the victim of a crime

• The information is regarding a crime on the covered entity’s property

• The reporting of child or vulnerable adult abuse or neglect and other mandatory reporting

• Special considerations for homeland security and national security

45 CFR 164.512(f)

Page 13: AUTHORIZATIONS

A subpoena, court or administrative tribunal order, or an authorization is needed for anything outside of disclosures for TPO, those mandated by law, or those to a health care oversight agency or public health authority. 45 CFR 164.502(a) and -512; ARS 12-2294.01

An authorization is always needed for psychotherapy notes. 45 CFR 164.501 and -512

Page 14: ELEMENTS OF AN AUTHORIZATION

• The authorization must be written in plain language

• It must contain a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion

• It must give the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure

• It must contain a description of each purpose of the requested use or disclosure

• It must have an expiration date or expiration event that relates to the individual or the purpose of the use or disclosure

• It must be signed by the individual (or a personal representative) and dated

Page 15: REQUIRED STATEMENTS

• The individual’s right to revoke the authorization in writing, and:

  • A description of how the individual may revoke the authorization; and

  • The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization

• The consequences to individuals if they refuse to sign the authorization

45 CFR 164.508(b)

Page 16: AUTHORIZED REPRESENTATIVE OR DESIGNATED REPRESENTATIVE

An Authorized or Designated Representative may sign an authorization as long as the entity releasing the information has a record of this conveyance of authority on file. 45 CFR 164.502(g)

Under HIPAA, who qualifies is a state law determination; it is the individual who makes health care decisions for another individual (a parent, or a person acting via a specific power of attorney, guardianship order, etc.).

Page 17: RE-DISCLOSURE

Unless prohibited by Federal or State law, PHI authorized by an individual for disclosure may be subject to re-disclosure and no longer protected by HIPAA. 45 CFR 164.508(c)(2)(iii)

Whether the information remains protected depends on whether the recipient is subject to other Federal or State privacy laws, court protective orders, or other lawful process.

Page 18: RE-DISCLOSURE IN LITIGATION

Once medical or behavioral health records are obtained by a party in civil litigation, they will likely be subject to discovery unless another law protects them or they are deemed not relevant by a court. Efforts to protect the privacy interests of complainants in suits brought by the State may still result in disclosure of the records, or even in court sanctions.

Page 19: TORT: MEDICAL MALPRACTICE, NEGLIGENCE, WRONGFUL DEATH…

When a HIPAA covered provider such as a hospital, doctor’s office, dentist, or clinic is sued by a former patient or the estate of a former patient, it may use and disclose the PHI of the alleged victim as part of the litigation (subject to being sealed by a court).

This is allowable under “Health Care Operations.” 45 CFR 164.501

If the HIPAA covered entity is not a party to the proceeding, then a HIPAA authorization, court order, subpoena, or other lawful process must be used to obtain the PHI.

Page 20: CORRECTIONAL INSTITUTIONS

PHI may be shared with a correctional institution if it is to be used for the provision of health care to the inmate or for the health and safety of employees of the institution and/or other inmates. 45 CFR 164.501

The AZ Department of Corrections is not a covered entity as long as it does not engage in electronic billing.

HIPAA only applies to providers performing electronic billing (unless they opt in). 45 CFR 160.103

Inmates are not entitled to a Notice of Privacy Practices. They may not obtain copies of their medical records if doing so poses a threat to the health and safety of the inmate, other inmates, or staff of the institution.

Page 21: BREACH

Misuse or loss of PHI is a breach and must be mitigated, along with notification to both the Secretary of the US DHHS and the client/patient.

If the loss or misuse affects more than 500 individuals, then the media must be notified. 45 CFR 164.402, -404, -406, and -408

Page 22: HHS OFFICE FOR CIVIL RIGHTS

OCR settlements (cost of mitigation and notification not included):

Date | Entity | Violation | OCR Settlement
June 23, 2014 | Parkview Health System | Medical records dumping | $800,000
April 22, 2014 | Concentra Health Services | Stolen laptop | $1,975,220
December 27, 2013 | Adult & Pediatric Dermatology P.C. | Lack of policies and procedures in place to address breach notifications | $150,000
August 14, 2013 | Affinity Health Plan | Photocopier memory not deleted before sale | $1,215,780
July 11, 2013 | WellPoint Inc. | Web portal breach | $1,700,000
May 21, 2013 | Idaho State University | Patient data was accessible due to the firewall being disabled | $400,000
January 2, 2013 | Hospice of North Idaho | Stolen laptop, affecting fewer than 500 individuals | $50,000
June 26, 2012 | Alaska Medicaid | Stolen USB drive | $1,700,000
September 17, 2012 | Massachusetts Eye and Ear Infirmary | Stolen laptop | $1,500,000

Page 23: PHI MUST BE SECURED IN ALL FORMS

• Written information (reports, charts, letters, messages, etc.)

• Oral communication (phone calls, meetings, informal conversations, etc.)

• E-mail, computerized and electronic information (computer records, faxes, voicemail, etc.)

Page 24: COMPLAINTS

All patients/clients and employees have the right to file a written complaint with the Covered Entity or with the US DHHS if they feel their or another individual’s HIPAA rights have been violated. 45 CFR 164.530

Once a complaint has been filed, retaliation is prohibited. 45 CFR 164.530

DM 4119229, Aug. 2014