HIPAA and CINA Proceedings A Presentation to the Law and Community Health Section of the Alaska Bar...

HIPAA and CINA ProceedingsHIPAA and CINA ProceedingsA Presentation to the Law and Community Health Section of the A Presentation to the Law and Community Health Section of the

Alaska Bar AssociationAlaska Bar Association

February 24, 2004 February 24, 2004

Joan M. Wilson, J.D.Joan M. Wilson, J.D.

DAVIS WRIGHT TREMAINEDAVIS WRIGHT TREMAINE

Anchorage, AlaskaAnchorage, Alaska

[email protected]@dwt.com

(907) 257-5337(907) 257-5337

Overview of PresentationOverview of Presentation

HIPAA Lay of the LandHIPAA Lay of the Land

HIPAA Privacy RequirementsHIPAA Privacy Requirements Disclosures (With and Without Disclosures (With and Without

Authorization)Authorization)

Individual RightsIndividual Rights

RecommendationsRecommendations

MeMe

Attorney, AnchorageAttorney, Anchorage

LitigatorLitigator Hired GunHired Gun Commercial DisputesCommercial Disputes Employment LitigationEmployment Litigation

How Did I Get Into How Did I Get Into Health Care?Health Care?

SubpoenasSubpoenas Medicaid Fraud TrialMedicaid Fraud Trial HIPAAHIPAA

What’s New in HIPAAWhat’s New in HIPAARipped from the HeadlinesRipped from the Headlines

What’s New In HIPAAWhat’s New In HIPAA(Ripped from the Headlines)(Ripped from the Headlines)

Reported (to me), Friday, February 13, 2004 Reported (to me), Friday, February 13, 2004 from the from the American Journal of PsychiatryAmerican Journal of Psychiatry Mrs. A, a 79-year-old woman without a previous Mrs. A, a 79-year-old woman without a previous

psychiatric history, was found in a pool of blood as a psychiatric history, was found in a pool of blood as a result of a self-inflicted gunshot woundresult of a self-inflicted gunshot wound

Mrs. A’s husband reported that she had recently Mrs. A’s husband reported that she had recently received a letter from her insurance company received a letter from her insurance company regarding its new HIPAA policiesregarding its new HIPAA policies

She misinterpreted the Notice to mean that her She misinterpreted the Notice to mean that her insurance company was discontinuing her coverageinsurance company was discontinuing her coverage

HIPAA — THE BIG PICTURE HIPAA — THE BIG PICTURE Not Just One IssueNot Just One Issue

Health Insurance Portability and Accountability Act of 1996

HIPAAHIPAA

Title IPortability

Title IPortability

Title IIAdministrativeSimplification

Title IIAdministrativeSimplification

Titles III,IV, V

Titles III,IV, V

ElectronicSignature

ElectronicSignature

HealthIdentifiers

HealthIdentifiers

Transaction Standards

Transaction Standards SecuritySecurity PrivacyPrivacy

Privacy and SecurityPrivacy and Security

SecurityPrivacy

Ensures:•Privacy•Accessibility•Integrityof electronichealth information

Protects all individuallyidentifiable healthinformation:•Paper•Electronic•Oral

Privacy of electronichealth information

Covered EntitiesCovered Entities

Health Plans (including many employee benefit Health Plans (including many employee benefit plans)plans) Plans that provide or pay for medical carePlans that provide or pay for medical care

Health Care ClearinghousesHealth Care Clearinghouses Entities that process or facilitate processing non-Entities that process or facilitate processing non-

standard data elements into standard data elements, or standard data elements into standard data elements, or vice versavice versa

Providers who electronically transmit any Providers who electronically transmit any health information in a HIPAA covered health information in a HIPAA covered transactiontransaction Furnishes, bills or is paid for health care in the normal Furnishes, bills or is paid for health care in the normal

course of businesscourse of business

HIPAA Penalties and HIPAA Penalties and EnforcementEnforcement

Civil penaltiesCivil penalties $100 per violation$100 per violation $25,000 annual cap for violations of “identical” $25,000 annual cap for violations of “identical”

requirementrequirementCriminal penaltiesCriminal penalties Wrongful disclosure: up to $5,000 and/or 1 year jail timeWrongful disclosure: up to $5,000 and/or 1 year jail time False pretenses: False pretenses: $100,000 and/or 5 yrs imprisonment $100,000 and/or 5 yrs imprisonment For profit/with malice: up to $250,000 and/or 10 yrs in For profit/with malice: up to $250,000 and/or 10 yrs in

jailjailOther “penalties”or liabilityOther “penalties”or liability Standard of careStandard of care ReputationReputation

Potential Civil Liability — Potential Civil Liability — Ratcheting Duty of CareRatcheting Duty of CareTort – NegligenceTort – NegligenceTort - Invasion of PrivacyTort - Invasion of PrivacyTort - Breach of Confidence (Physician-Patient)Tort - Breach of Confidence (Physician-Patient)Tort – DefamationTort – DefamationTort- FraudTort- FraudStatutory - Consumer FraudStatutory - Consumer FraudContract - Breach of Confidentiality Clauses/PoliciesContract - Breach of Confidentiality Clauses/PoliciesContract - Breach of Express or Implied WarrantyContract - Breach of Express or Implied WarrantyContract - Suits by Business AssociatesContract - Suits by Business AssociatesEmployment -related suits (HIPAA sanctions issues)Employment -related suits (HIPAA sanctions issues)

Privacy OverviewPrivacy Overview

The Privacy Rule covers —The Privacy Rule covers —

Permitted uses and disclosures of Permitted uses and disclosures of protected informationprotected information

Individual rightsIndividual rights

Administrative requirementsAdministrative requirements

PrivacyPrivacyProtected Health Information Protected Health Information Information relating to—Information relating to—

Past, present or future physical or mental health or Past, present or future physical or mental health or condition provision of health care to an individualcondition provision of health care to an individual

Provision of health care orProvision of health care or

Past, present or future payment for health carePast, present or future payment for health care

Created/received by provider, plan, employer or clearinghouseCreated/received by provider, plan, employer or clearinghouse

Individually identifiable or reasonable Individually identifiable or reasonable likely to be identifiablelikely to be identifiable

In any mediumIn any medium WrittenWritten

VerbalVerbal

ElectronicElectronic

Preemption of State LawPreemption of State Law

General Rule: HIPAA preempts or General Rule: HIPAA preempts or supercedes all “contrary” State lawssupercedes all “contrary” State laws

Exceptions:Exceptions: HHS determinationHHS determination State law that is “more stringent” State law that is “more stringent” Public health reportingPublic health reporting Insurance oversightInsurance oversight

HIPAA — floor for privacy requirementsHIPAA — floor for privacy requirements

Alaska law still will apply in many casesAlaska law still will apply in many cases

Use and DisclosureUse and Disclosure

General rule: A covered entity and its General rule: A covered entity and its workforce, may not use or disclose protected workforce, may not use or disclose protected health information, except —health information, except — For treatment, payment and operations For treatment, payment and operations With individual permissionWith individual permission

After opportunity to agree or objectAfter opportunity to agree or object

With an authorizationWith an authorization To the individualTo the individual As otherwise permitted or required by HIPAAAs otherwise permitted or required by HIPAA

Required DisclosuresRequired Disclosures

To the individual, pursuant to access rightTo the individual, pursuant to access right

To the Secretary of DHHS, to determine To the Secretary of DHHS, to determine compliancecompliance

Permitted Disclosures Absent Permitted Disclosures Absent Authorization Authorization

As required by other lawsAs required by other laws

Public health activitiesPublic health activities

Victims of abuse, etc.Victims of abuse, etc.

Health oversight activitiesHealth oversight activities

Workers’ compensationWorkers’ compensation

Law enforcement purposesLaw enforcement purposes

Decedents - coroners Decedents - coroners and medical examinersand medical examiners

Organ procurementOrgan procurement

Research purposes, under Research purposes, under limited circumstanceslimited circumstances

Imminent threat to health Imminent threat to health or safety (to the individual or safety (to the individual or the public)or the public)

Specialized government Specialized government functionfunction

Judicial and administrative Judicial and administrative proceedingsproceedings

Individual Authorization Individual Authorization

If a use or disclosure is not otherwise If a use or disclosure is not otherwise permitted, authorization requiredpermitted, authorization required

Core elements:Core elements: Meaningful and specific description of informationMeaningful and specific description of information

Persons or Class of Persons authorized to Persons or Class of Persons authorized to disclose/receive disclosuredisclose/receive disclosure

Purpose Purpose

At the Request of the IndividualAt the Request of the Individual

Expiration date/ event Expiration date/ event

Individual Authorization Individual Authorization

Required statements:Required statements: Right to revokeRight to revoke

Whether authorization is a condition of treatmentWhether authorization is a condition of treatment

Potential for redisclosurePotential for redisclosure

Obtain appropriate signature – Obtain appropriate signature – copy to individualcopy to individual

Individual AuthorizationIndividual Authorization

Give a copy of authorizationGive a copy of authorization

Make sure authorization is:Make sure authorization is: Completely filled inCompletely filled in Signed by appropriate personSigned by appropriate person

Defective authorization is not validDefective authorization is not valid

Covered entity not required to disclose PHI Covered entity not required to disclose PHI pursuant to authorization pursuant to authorization disclosure permissibledisclosure permissible Duty of additional inquiry for Duty of additional inquiry for

excessive authorizations?excessive authorizations? Address policies/proceduresAddress policies/procedures

Psychotherapy NotesPsychotherapy Notes

A covered entity must obtain an authorization for A covered entity must obtain an authorization for and use or disclosure of psychotherapy notes, and use or disclosure of psychotherapy notes, exceptexcept

For treatment, payment, or operationsFor treatment, payment, or operations Use by the originator for treatmentUse by the originator for treatment Use by the covered entity for training of its mental health Use by the covered entity for training of its mental health

professionalsprofessionals Defense of the covered entity against action brought by Defense of the covered entity against action brought by

individualindividual Determining HIPAA complianceDetermining HIPAA compliance Required by lawRequired by law Oversight Activities (audit, investigation)Oversight Activities (audit, investigation) Imminent threatImminent threat Not listed as exception – judicial proceedingsNot listed as exception – judicial proceedings

Psychotherapy NotesPsychotherapy Notes

DefinitionDefinition Notes of mental health professional documenting or analyzing Notes of mental health professional documenting or analyzing

the contents of a conversation during a counseling session (kept the contents of a conversation during a counseling session (kept separate from rest of record)separate from rest of record)

ExcludesExcludes Medication prescription and monitoringMedication prescription and monitoring Start and stop timesStart and stop times Modalities and frequencies of treatmentModalities and frequencies of treatment Clinical test resultsClinical test results Summary of diagnosis, functional status, treatment plan, Summary of diagnosis, functional status, treatment plan,

prognosis, and progress to dateprognosis, and progress to date

No Compound AuthorizationNo Compound Authorization May only be combined with another authorization for May only be combined with another authorization for

psychotherapy Notespsychotherapy Notes

MinorsMinors

General rule: Parents accorded rights to General rule: Parents accorded rights to children’s PHIchildren’s PHI

ExceptExcept Where state or other law expressly identifies the Where state or other law expressly identifies the

parent’s or child’s rightsparent’s or child’s rights

STD testing, pregnancySTD testing, pregnancy

Minor Living AloneMinor Living Alone Agreement to the contraryAgreement to the contrary

MinorsMinors

Where the law is silent and parent is Where the law is silent and parent is personal representative for childpersonal representative for child Parent has access/control PHIParent has access/control PHI Personal Representative – state law questionPersonal Representative – state law question

Where the law is silent and parent is not Where the law is silent and parent is not personal representativepersonal representative May deny access if permitted under state law and May deny access if permitted under state law and

decision made by a licensed health care providerdecision made by a licensed health care provider If law silent, no right to demand PHIIf law silent, no right to demand PHI

MinorsMinors

ExceptionException Disclosure permitted or denied where necessary to Disclosure permitted or denied where necessary to

avert serious or imminent threat to the safety or avert serious or imminent threat to the safety or health of the childhealth of the child

Minimum Necessary Minimum Necessary InformationInformation

CE may rely on scope of information CE may rely on scope of information requested by —requested by — A public officialA public official Another covered entityAnother covered entity A “professional” providing services to the CEA “professional” providing services to the CE Researchers (as long as the research Researchers (as long as the research

requirements are satisfied)requirements are satisfied)

A CE may not disclose the entire record, A CE may not disclose the entire record, unless it is justifiedunless it is justified But this does not apply to disclosure to providers But this does not apply to disclosure to providers

for treatmentfor treatment

Individual RightsIndividual Rights

Provide notice to individuals by the first date of service

Posted in prominent location

Available upon request

On website

Acknowledgment

Individual Rights — Right to Individual Rights — Right to Notice of Privacy PracticesNotice of Privacy Practices

Individual Rights —Individual Rights —Right to AccessRight to Access

Right to request access own protected Right to request access own protected health informationhealth information Reviewable and unreviewable grounds for denialReviewable and unreviewable grounds for denial Explanation of reasons for denialExplanation of reasons for denial Allow review of denial if appropriateAllow review of denial if appropriate

Individual Rights —Individual Rights —Right to Request AmendmentRight to Request Amendment

Individual may request amendment of Individual may request amendment of his/her recordshis/her records

In response, covered entity may — In response, covered entity may — Accept amendmentAccept amendment Deny of amendmentDeny of amendment

Grounds include: not created by entity;Grounds include: not created by entity;information is accurate and complete;information is accurate and complete;information is not subject to accessinformation is not subject to access

Statement of disagreement (by individual)Statement of disagreement (by individual)

Rebuttal statement (by covered entity)Rebuttal statement (by covered entity)

Record-keeping/linkingRecord-keeping/linking

Individual Rights —Individual Rights —Accounting of DisclosuresAccounting of Disclosures

Right to receive an accounting of disclosuresRight to receive an accounting of disclosures

Accounting includes:Accounting includes: Date of disclosureDate of disclosure Recipient name and addressRecipient name and address Description of information disclosedDescription of information disclosed Purpose of disclosurePurpose of disclosure

Individual Rights —Individual Rights —Accounting of DisclosuresAccounting of Disclosures

Exceptions include: Exceptions include: Treatment, payment and health care operationsTreatment, payment and health care operations Individual access Individual access Directories, persons involved in careDirectories, persons involved in care Pursuant to authorizationsPursuant to authorizations National security or intelligenceNational security or intelligence Incidental disclosuresIncidental disclosures Limited date setLimited date set Prior to April 14, 2003Prior to April 14, 2003

Individual Rights — Right to Individual Rights — Right to Request Additional ProtectionsRequest Additional Protections

Right to request additional privacy protectionsRight to request additional privacy protections Covered entity may refuseCovered entity may refuse

If agrees If agrees bound (except in emergency) bound (except in emergency)

Be careful in granting requestsBe careful in granting requests

Right to request to receive Right to request to receive communications in communications in alternative fashionalternative fashion Must accommodate reasonableMust accommodate reasonable

requestsrequests

Permitted DisclosuresPermitted Disclosures Government and Other Government and Other

PurposesPurposesAs required by other lawsAs required by other laws

Public health activitiesPublic health activities

Victims of abuse, etc.Victims of abuse, etc.

Health oversight activitiesHealth oversight activities

Workers’ compensationWorkers’ compensation

Law enforcement purposesLaw enforcement purposes

Decedents - coroners Decedents - coroners and medical examinersand medical examiners

Organ procurementOrgan procurement

Research purposes, under Research purposes, under limited circumstanceslimited circumstances

Imminent threat to health Imminent threat to health or safety (to the individual or safety (to the individual or the public)or the public)

Specialized government Specialized government functionfunction

Judicial and administrative Judicial and administrative proceedingsproceedings

As Required By Other LawsAs Required By Other Laws

Where State Law Requires Where State Law Requires Providers or Administrators Providers or Administrators to Report to Law to Report to Law Enforcement or OCS, HIPAA Enforcement or OCS, HIPAA permits such disclosurespermits such disclosures

Reports of Suspected Child Reports of Suspected Child Abuse or NeglectAbuse or Neglect

Reports of Vulnerable Adult Reports of Vulnerable Adult Abuse, Neglect, or Abuse, Neglect, or AbandonmentAbandonment

Follow State LawFollow State Law

Question for Providers: Question for Providers: How Much to DiscloseHow Much to Disclose

Judicial or Administrative Judicial or Administrative ProceedingsProceedings

A provider A provider maymay Disclose PHI in the course of a judicial Disclose PHI in the course of a judicial or administrative proceeding, ifor administrative proceeding, if Court or administrative tribunal order Court or administrative tribunal order

some providers requiresome providers requireDisclose only the PHI expressly requested by the Disclose only the PHI expressly requested by the orderorder

Absent court Order, by subpoena or discovery request, Absent court Order, by subpoena or discovery request, ifif

Satisfactory assurance of notice to individual whose Satisfactory assurance of notice to individual whose PHI is at issue orPHI is at issue orReasonable efforts to secure a protective orderReasonable efforts to secure a protective order


Satisfactory assurance notice to Individual Satisfactory assurance notice to Individual Writing and Documentation ofWriting and Documentation of

good faith attempt to provide written notice to patient good faith attempt to provide written notice to patient Notice contained sufficient information about the Notice contained sufficient information about the litigation or proceeding to permit patient to raise an litigation or proceeding to permit patient to raise an objectionobjectionTime to raise objection lapsed andTime to raise objection lapsed and

No objections filedNo objections filed Objections filed and resolved by court and disclosure is Objections filed and resolved by court and disclosure is

consistent with resolutionconsistent with resolution


Reasonable Efforts to Secure a Protective OrderReasonable Efforts to Secure a Protective OrderWriting and Documentation evidenceWriting and Documentation evidence

Parties have agreed to a qualified protective Parties have agreed to a qualified protective order and presented it to the courtorder and presented it to the courtParty requesting information has sought the Party requesting information has sought the protective orderprotective order

Issue Issue Is this operable when PHI is not the PHI of one Is this operable when PHI is not the PHI of one of the partiesof the parties


Qualified Protective Qualified Protective Order Order Court or Tribunal Order Court or Tribunal Order

or Stipulation by the or Stipulation by the PartiesParties

Prohibit use of PHI Prohibit use of PHI outside litigation or outside litigation or proceedingproceedingRequires return or Requires return or destruction of PHI destruction of PHI (original and copies) (original and copies) at end of litigation or at end of litigation or proceeding proceeding


Absent Protective Order Absent Protective Order from the parties, from the parties, Provider may still Provider may still disclose in response to disclose in response to lawful processlawful process It makes reasonable It makes reasonable

effort to provide notice effort to provide notice to the patient (as to the patient (as above) orabove) or

Seeks a qualified Seeks a qualified protective order on its protective order on its ownown

More Stringent LawMore Stringent Law

If another law governing production of If another law governing production of records in judicial proceedings is more records in judicial proceedings is more stringent than HIPAA, it must be followedstringent than HIPAA, it must be followed

Substance Abuse Treatment RegulationsSubstance Abuse Treatment Regulations 42 C.F.R. Part Two42 C.F.R. Part Two

Comply with both?Comply with both?


Much Can Be Accomplished With a Well-worded Much Can Be Accomplished With a Well-worded Continuing AuthorizationContinuing Authorization

Recipient -- DHSS and Department of LawRecipient -- DHSS and Department of Law Purpose of Disclosure – At Request of Individual or For Purpose of Disclosure – At Request of Individual or For

Adjudication Regarding Care of Minor ChildAdjudication Regarding Care of Minor Child Expiration Date or EventExpiration Date or Event

How Long are Cases in the SystemHow Long are Cases in the System

Until Completion of Child in Need of Aid ProceedingsUntil Completion of Child in Need of Aid Proceedings CautionCaution

May be revoked at any timeMay be revoked at any time

Psychotherapy Notes Psychotherapy Notes


If Court ProceedingsIf Court Proceedings Be Timely in RequestsBe Timely in Requests Legal Issues to ResolveLegal Issues to Resolve

HIPAA – Permissive DisclosureHIPAA – Permissive Disclosure Likely Legal Question with Protective or even Likely Legal Question with Protective or even other Orders where PHI is of a non-partyother Orders where PHI is of a non-party

Notice May be Best Route to goNotice May be Best Route to go

Substance Abuse Treatment regulations still Substance Abuse Treatment regulations still operable for Some Providersoperable for Some Providers

ComplaintComplaintDo Not Use Providers as Your ExpertsDo Not Use Providers as Your Experts

Questions?Questions?

HIPAA and CINA Proceedings A Presentation to the Law and Community Health Section of the Alaska Bar...

Documents

Transcript of HIPAA and CINA Proceedings A Presentation to the Law and Community Health Section of the Alaska Bar...