HIPAA for Governments & Municipalities
Rebecca L. Williams, RN, JD
Partner, Co-Chair of HIT/HIPAA Practice
Davis Wright Tremaine LLP
Seattle, [email protected]

HIPAA’s Applicability to Government

Administrative Simplification: What Does HIPAA Do?
- Transaction Standards
- Privacy Standards
  - Restrictions on use and disclosure of PHI
  - Individual rights
  - Administrative requirements
- Security Standards
  - Ensure confidentiality, integrity and availability of electronic PHI
  - Protect against reasonably anticipated threats to security or integrity of electronic PHI
  - Protect against reasonably anticipated uses or disclosures of electronic PHI
  - Ensure compliance by workforce

Covered Entities Under HIPAA
- Health care providers engaging in electronic covered transactions
- Health plans
  - Insurers
  - Group health plans (e.g., employee benefit plans)
  - Employee welfare benefit plan established for employees of two or more employers
  - Medicaid
  - Approved state child health plan
  - Not a health plan: other government-funded programs
    - Principal purpose is other than providing or paying the cost of health care or
    - Principal activity is direct care or making grants to fund direct care
- Health care clearinghouses
- Sponsors of Medicare prescription drug cards

Others Affected by HIPAA
- Business associates
  - Perform certain functions on behalf of Covered Entity
  - Involves receipt, use, disclosure, creation of PHI
  - Written assurances that meet specific minimum requirements
- Plan sponsor
  - Fiduciary duty to ensure HIPAA compliance of its plan(s)

Hybrids
- Single legal entity
- Covered functions = covered entity
- Business functions include both
  - Covered functions
  - Noncovered functions
- May designate “health care components”
- Component that would be a covered entity if a separate legal entity
- Other components may be added
- Health care components are treated as separate from rest of the legal entity
- Document designation

Affiliated Covered Entity
- Covered entities under “common ownership” or “common control”
  - Common ownership – ownership or equity interest of 5% or more
  - Common control – entity has the power, directly or indirectly, to significantly influence or direct the actions or policies
- Designation to act as a single covered entity

General HIPAA Considerations

Covered Entity With Multiple Covered Functions
- Single covered entity that engages in
  - Provider
  - Plan
  - Clearinghouse and/or
  - Medicare prescription drug sponsor
- Must comply with each applicable set of requirements
  - Based on each distinct function

General HIPAA Considerations: Preemption
- Is the State law contrary to HIPAA?
- If not contrary, both requirements apply
- If contrary
  - HIPAA preempts or supersedes contrary state law
  - UNLESS state law provides
    - Greater privacy protections
    - Greater individual rights

General HIPAA Considerations
- HIPAA may apply to
  - Government agency (or component) itself
  - Covered entities that deal with government agencies
- If agency needs/wants information from covered entities or is a covered entity:
  - Identify applicable permitted and required disclosures
  - Educate on applicable requirements
  - Bring into compliance correspondence, forms, etc.

General HIPAA Considerations
- Minimum necessary
  - Must make reasonable efforts to
    - Limit PHI to the minimum necessary to accomplish the intended purpose
  - Applies to uses, disclosures and requests
  - Not applicable to
    - Treatment
    - Required by law
    - Authorizations
    - Access to patient
    - Disclosures to HHS
  - But note: Only to the extent specifically permitted or required

General HIPAA Considerations
- Verification requirements
  - Identity
  - Authority
  - Documentation, statements or representations that otherwise may be necessary
- Notice of privacy practices
  - Bound by notice

General HIPAA Considerations
- Individual Rights
  - Access
  - Amendment
  - Accounting of disclosures
  - Requests for additional privacy protections

Activities Under HIPAA

HIPAA in Inter-Agency/Interdisciplinary Teams
- Governments often use multidisciplinary teams
- Allows combination of expertise and focus
- May include:
  - Covered entities/covered components
  - Non-covered entities
- Can PHI be shared among these teams?

Inter-Agency/Interdisciplinary Teams – HIPAA Permitted Disclosures
- Treatment, payment or health care operations
  - May use or disclose PHI for TPO
  - May disclose PHI for the treatment activities of a provider
  - May disclose PHI for the payment activities of a provider or covered entity
  - May disclose PHI to another covered entity for recipient’s limited health care operation
    - Both have/had a relationship with individual
    - Operations pertain to that relationship
    - Limited operations: QA, credentialing, training and fraud and abuse detection

Inter-Agency/Interdisciplinary Teams – Permitted HIPAA Disclosures
- May disclose when required by law
  - Only to the extent required
  - Note additional requirements
    - Bring disclosure under standards for Abuse/neglect reporting; Judicial and administrative proceedings, or Law enforcement
- Public health reporting
- Health care oversight

Inter-Agency/Interdisciplinary Teams – Permitted HIPAA Disclosures
- Special rules for covered government programs providing public benefits
  - Government program health plan may disclose certain eligibility and enrollment information to another agency administering/providing public benefits if required or authorized
  - Covered government agency administering a public benefits program may disclose PHI to another like agency if
    - The programs serve similar populations
    - Necessary to coordinate covered function or to improve administration/management

Inter-Agency/Interdisciplinary Teams – Permitted HIPAA Disclosures
- Authorization
  - Must comply with all applicable laws
    - HIPAA
    - State law
    - Heighten confidentiality requirements
      - Protected classes of information
      - Substance abuse regulations
      - Privacy Act
  - Draft to include all relevant team players

HIPAA in Public Health
- Tension between
  - Benefits of total access to all health information
  - Public concern over confidentiality
- Permissible disclosures without patient authorization
  - Required by law (e.g., mandatory reporting, gunshot wounds, certain communicable diseases, births and deaths, birth defects)
  - For public health activities (intended to cover the spectrum of public health activities)
    - Prevention and control of disease, injury
    - Communicable disease notification
    - Child abuse or neglect reporting
    - FDA-regulated product or activity
    - Work-related injury or illness
  - Necessary to avert a serious threat to health or safety
  - Other abuse, neglect or domestic violence
  - TPO
  - De-identified information and limited data set

HIPAA in Public Health: De-Identification
- Information is presumed de-identified if—
  - Qualified person determines that risk of re-identification is “very small” or
  - The following identifiers are removed:
    - Name
    - Address
    - Relatives
    - Employer
    - Dates
    - Telephone
    - Fax
    - e-mail
    - SSN
    - MR#
    - Plan ID
    - Account #
    - License #
    - Vehicle ID
    - URL
    - IP Address
    - Fingerprints
    - Photographs
    - Other unique identifier
- And the CE does not have actual knowledge that the recipient is able to identify the individual

HIPAA in Public Health: Limited Data Set
- Limited Data Set = PHI that excludes direct identifiers except:
  - Full dates
  - Geographic detail of city, state and 5-digit zip code
- Not completely de-identified
- Special rules apply

HIPAA in Public Health: Data Use Agreements
- Limited Purposes: Research, Public health, Health care operations
- Recipient must enter into a Data Use Agreement:
  - Permitted uses and disclosures by recipient
  - Who may use or receive limited data set
  - Recipient must:
    - Not further use or disclose information
    - Use appropriate safeguards
    - Report impermissible use or disclosure
    - Ensure agents comply
    - Not identify the information or contact the individuals

HIPAA in Public Health

HIPAA in Disaster Situations
- Facility Directory – covered entities may disclose PHI if patient is asked for by name:
  - Name
  - Condition (e.g., undetermined, good, fair, serious, critical)
  - Location within facility
  - Religion (release to clergy only)
- Notification in Disaster Relief Efforts
  - Disclosures to public or private entity authorized to assist in disaster relief efforts
  - Disclosures for notification of individual’s location or general condition to family member, personal representative or another responsible for care
    - Subject to opportunity to agree or object
    - Recognize professional judgment

HIPAA in EMS
- EMS generally is covered entity or covered health care component and must comply with HIPAA
- Beware of HIPAA overkill: Balance between patient care and minimum necessary
  - If name and description of condition is needed, it should be given
  - If directions are needed, get them
- Police often want information from EMS
- Reporting crime in emergencies (not at a health care facility) to report
  - Commission and nature of a crime
  - Identity, description and location of perpetrator
  - Location of a crime or victim
- Some disclosures require representations on part of law enforcement that may be able to be given in advance (e.g., formal annual request and representation letter)

HIPAA in Schools
- Schools have long protected confidentiality, e.g., Family Education Rights and Privacy Act
- Two-prong analysis
  - Is school – or person/entity providing services to the school – covered entity?
    - Examples – school nurse, speech therapist, psychologist, school-based clinics
    - Engage in health care provider activities
    - Engage in electronic HIPAA transaction
  - Is PHI involved?
    - Exception for FERPA – covered records (beware FERPA exceptions, such as for oral communication and sole possession)
    - Treatment records of older students exception

HIPAA in Prisons
- A covered entity may disclose PHI to a correctional institution (or law enforcement official) having lawful custody of an inmate
  - Upon institution’s representation that the PHI is necessary for:
    - The provision of health care to the inmate
    - The health and safety of the inmate – or others at the correctional institution
    - The health and safety of inmates, officers or other persons responsible for transporting/transferring inmates
    - Law enforcement on correctional institution’s premises
    - Administration and maintenance of the safety, security and good order of the correctional institution

HIPAA in Prisons
- Limited rights of prisoners
- Notice of Privacy Practices
  - Not applicable to inmates or correctional institutions
- Access
  - Covered correctional institution – or provider under such institution’s direction – may deny inmate’s request for access if it would jeopardize
    - The health, safety, security, custody or rehabilitation of the individual or other inmates
    - Safety of any officer, employee or others
  - Unreviewable grounds for denial
- Amendment
  - May be denied if the record is not subject to access
- Accounting of Disclosure
  - Suspend right to an accounting if law enforcement
    - Represents that it may reasonably impede the agencies’ activities
    - Specify a time period for the suspension

Questions