NAHO 2015 Conference Scottsdale, Arizona. Course Description: Discussion of the nature, types and...

HIPAA: Confidentiality and Privacy Issues NAHO 2015 Conference Scottsdale, Arizona




Course Description: Discussion of the nature, types and scope of health care information protected by the HIPAA law; covered entities; non-covered entities; the HIPAA privacy rule; balancing privacy against the need to use information to provide high quality health care and protect the public health; how health care information is protected under HIPAA; the duty to protect medical records under HIPAA; electronic health records and HIPAA; remedies for disclosure of protected information; subpoenas and court orders that require disclosure of information protected by HIPAA; and related medical records privacy protections under Freedom of Information Act (FOIA) and state public records act provisions.

HIPAA 1: HIPAA LEGISLATION

The HIPAA legislation was enacted in 1996. The Act combined two bills, one dealing with insurance portability, and the other dealing with health accountability as that applies to privacy and confidentiality of patient medical records. The legislation was passed in part to address concerns about privacy of medical records with the widespread use of the internet and the accompanying concerns over technological security. Those issues remain today with news stories about eavesdropping and hacking attacks on our government and large health insurers. However, the Act's confidentiality requirements apply to medical records and communications whether they are electronic or not. It includes written and verbal communications.

HIPAA 2: COVERED ENTITIES

HIPAA confidentiality of health care information requirements apply to covered entities. These include:

- Any health care provider and its employees, including doctors, dentists, pharmacies, and other patient care organizations such as hospitals, outpatient clinics, home health agencies, and health related businesses
- Any health insurance company such as Anthem Blue Cross or Kaiser health plan (HMO)
- Any health related company that gives or receives health related information such as transcription services or billing companies

HIPAA 3: Non-covered entities

Entities that have health information that are not covered by HIPAA requirements include: life insurers, employers, workers' compensation carriers, most schools and school districts, many state agencies like child protective service agencies, most law enforcement agencies, many municipal offices.

See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

HIPAA 4

3. HIPAA's privacy rule is designed to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.

See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html

HIPAA 5

The HIPAA privacy rule dictates:
1. What patient information is private
2. To whom disclosure is allowed
3. How allowable information is disclosed

HIPAA 6: Private patient information 1

Patient information that is protected by HIPAA is called private patient information. The statutory term is protected health information. This covers information that is unique to an individual such as: individual's name, address, date of birth, telephone numbers, e-mail addresses, social security numbers, account numbers (medical record numbers), health plan (insurance) numbers, certificate or license numbers, Web site addresses, fingerprints and voice prints, and photographic images.

HIPAA 7: Private patient information 2

Health care information protected by HIPAA includes:
- Information your doctors, nurses, and other health care providers put in your medical record
- Conversations your doctor has about your care or treatment with nurses and others
- Information about you in your health insurer's computer system
- Billing information about you at your clinic
- Most other health information about you held by those who must follow these laws

http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

HIPAA 8: Disclosure of protected health information

Health care workers can disclose protected health information for the following purposes:
- Coordination of treatment and care
- Provision of good care to patients by health care workers
- Support of patients by family members or friends (with patient consent)
- Payment of health care providers
- Protection of public health
- Regulatory reporting (to the government)

HIPAA 9: Health care information is protected under HIPAA by

- Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
- Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
- Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
- Business Associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

HIPAA 10: Health care information can be looked at and received by

The Privacy Rule sets rules and limits on who can look at and receive your health information.

To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:
- For your treatment and care coordination
- To pay doctors and hospitals for your health care and to help run their businesses
- With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
- To make sure doctors give good care and nursing homes are clean and safe
- To protect the public's health, such as by reporting when the flu is in your area
- To make required reports to the police, such as reporting gunshot wounds

Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:
- Give your information to your employer
- Use or share your information for marketing or advertising purposes or sell your information

See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

HIPAA 11

Another purpose for disclosure of protected health information (PHI) related to a patient is to coordinate treatment and care of a patient. PHI may be disclosed under HIPAA to a health care worker who is providing patient care or one who is coordinating patient care. Disclosure of PHI to another health care worker is permitted for the purpose of providing patient care but not permitted merely because the recipient is a health care worker.

See: http://articles.latimes.com/2008/mar/15/local/me-britney15 (UCLA hospital fires 13 employees who accessed Britney Spears' health care records while she was being treated at the hospital. None of these employees were providing patient care to Ms. Spears.)

HIPAA 12: Court orders and subpoenas

A covered health care provider or health plan may disclose protected health information required by a court order, including the order of an administrative tribunal. However, the provider or plan may only disclose the information specifically described in the order.

A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order. A covered provider or plan may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule are met. Before the covered entity may respond to the subpoena, the Rule requires that it receive evidence that reasonable efforts were made to either: notify the person who is the subject of the information about the request, so the person has a chance to object to the disclosure, or to seek a qualified protective order for the information from the court.

For further information on this topic, please refer to 45 C.F.R. 164.512(e) and OCR's Frequently Asked Questions.

See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/courtorders.html

HIPAA 13

For disclosures for judicial and administrative proceedings, can notice be provided to the individual's lawyer instead of the individual?

Answer: Yes. A covered entity that is not a party to litigation must obtain or receive the satisfactory assurances required by 45 CFR 164.512(e) before making a disclosure for a judicial or administrative proceeding. Where the satisfactory assurances are in the form of notice to the individual, a written statement and accompanying documentation of notice to the individual's lawyer is considered to be notice to the individual and, thus, suffices, provided the documentation otherwise meets the requirements of 45 CFR 164.512(e)(1)(iii). Specifically, the written statement and accompanying documentation must demonstrate that the notice included sufficient information about the litigation to permit the individual to raise an objection to the court; and that the time for the individual to raise objections has elapsed, with no objections having been filed, or all filed objections having been resolved.

See: http://www.hhs.gov/ocr/privacy/hipaa/faq/judicial_and_administrative_proceedings/707.html

Judicial Decisions dealing with HIPAA and related issues

1. Pachowitz v. Ledoux, 666 N.W. 2d 88 (2003)
2. Proenza Sanfiel v. Department of Health, 749 So. 2d 525 (1999)
3. In Re John Doe MD, 595 A. 2d 1290 (1991)
4. Murphy v. Dulay, 768 F.3d 1360 (11th Cir., 2014)
5. Mais v. Gulf Coast Collection Bureau, 768 F. 3d 1160 (11th Cir., 2014)

Lots of other HIPAA case discussions can be found at: https://www.thesullivangroup.com/risk_resources/ToolBox/Court%20Decisions%20final%202.pdf

Civil enforcement of HIPAA statutory provisions 1

HIPAA statutory provisions are administered by the Department of Health and Human Services (HHS). HHS has rulemaking authority to flesh out the provisions of the act. Civil enforcement of HIPAA violations is conducted by the Office for Civil Rights (OCR). See: http://www.hhs.gov/ocr/office/index.html

OCR investigates HIPAA complaints. These investigations are triggered by a patient complaint. OCR recommends that a complaint be filed within 180 days of the occurrence. OCR recommends that the patient complaint be filed first with the covered entity. While this is not a legal requirement, it does give the institution the opportunity to take corrective action. However, the patient can file their complaint directly with the OCR, if they prefer.

Civil Enforcement 2

Once OCR receives the complaint, it will first complete an informal review. Later, for more serious cases, it will initiate a formal review. The outcome of a formal review can include requirements for corrective action and the imposition of civil penalties directed toward the institution (the covered entity). Civil penalties include a $100.00 penalty for each violation, with a $25,000 maximum penalty for each calendar year. Civil penalties are the most common outcome for HIPAA violations, and they apply only to the institution, not individuals, because of the doctrine of respondeat superior. The institution is civilly responsible for the acts of its employees.

Criminal liability under HIPAA 1

Criminal prosecutions under HIPAA are relatively rare. See: https://www.law.uh.edu/healthlaw/perspectives/2007/(DM)HIPAACrimCharges.pdf

United States v. Richard Gibson is one of those rare cases. Gibson, a phlebotomist, accessed patient information, which he fraudulently used to obtain credit cards. Gibson entered into a plea agreement under which he served 16 months in jail time, and he agreed to pay restitution to the credit card companies. See: http://www.advancedbenefitconsulting.com/HIPAAnews/plea_agreement_us_vs_gibson.pdf

Criminal Liability 2

The Department of Justice (DOJ) has been given the authority to prosecute the criminal law violations that are based on HIPAA provisions. An individual who knowingly violates HIPAA's privacy rule and obtains or discloses identifiable patient health information can receive up to $50,000 in fines and one year in prison. The fines go up to $100,000 and up to five years in prison if the violation is under false pretenses. The fines go up to $250,000 and up to ten years in prison if the violation includes an intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm. Federal criminal prosecutions are handled by local U.S. attorneys' offices.

Privileged Communications 1

1. The Nature of Evidentiary Privileges

Evidentiary privileges protect against disclosure of confidential communications that otherwise could be compelled in the litigation process (either in discovery or at the trial of a lawsuit). When a privilege applies, information that may be very relevant to the resolution of factual disputes in litigation is protected from disclosure. Public policies that support the recognition of privileges include privacy interests, protecting important relationships, and encouraging fuller disclosure of information to a treating professional.

Privileged Communications 3

Doctor-Patient (Federal Rule of Evidence 501; Uniform Rules of Evidence Rule 503; California Evidence Code Section 994; Snibbe v. Superior Court (2014) 168 Cal. Rptr. 3d 548). This privilege protects the medical privacy interests of patients. This is especially important for patients who are treated by psychiatrists because of the stigma associated with mental illness. The privilege encourages patients to provide full information to their doctor, which is necessary for the doctor to provide the best treatment. The privilege recognizes the importance of the doctor-patient relationship.

Privileged Communications 4

Psychotherapist-Patient (Federal Rule of Evidence 501; Uniform Rules of Evidence Rule 503; California Evidence Code Section 1010). This privilege broadly applies to protect confidential communications between a patient and a psychiatrist, psychologist, clinical social worker, school psychologist, and marriage and family therapist respectively. This privilege serves many of the same purposes as the doctor-patient privilege.

Privilege Exceptions 1

1. Most evidentiary privileges have exceptions under which the privilege does not apply and the protected information must be disclosed in discovery or at trial.

A. Crime-Fraud exception (Uniform Rules of Evidence Rule 502(d)(1); Cal. Evidence Code Section 956 [lawyer-client privilege exception]; Rule 504(d)(4); Cal. Evidence Code Section 997 [physician-patient privilege exception]).

Application: This exception applies when the professional services of the doctor or lawyer were sought or obtained by the client or patient to commit a crime or fraud.

Privilege Exceptions 2

B. Patient-Litigant exception (Uniform Rules of Evidence Rule 502(d)(3); Calif. Evidence Code Section 958 [lawyer-client relationship]; Uniform Rules of Evidence Rule 503(d)(3); Calif. Evidence Code Section 999 [physician-patient relationship]; Calif. Evidence Code Section 1016, 1020 [psychotherapist-patient relationship]).

Application: This exception applies when the client or patient raises an issue in litigation as to which privileged communications are relevant. Malpractice litigation brought against the lawyer, doctor, or therapist is a good example. Another example would be tort litigation in which the plaintiff puts their physical or mental condition at issue in the lawsuit. A third would be disability claims decided in administrative hearings such as workers' compensation and social security disability cases. In those cases, the applicant for benefits puts their physical or mental condition at issue.

Protected Communications 1

1. Evidentiary privileges protect confidential communications made between a client or patient and the professional (lawyer, doctor, or psychotherapist) from whom they are seeking professional assistance.

A. Lawyer-Client: (Uniform Rules of Evidence Rule 502(a)(2),(b); California Evidence Code Section 952).
B. Physician-Patient: (Uniform Rules of Evidence Rule 503(a)(1),(b); California Evidence Code Section 992).
C. Psychotherapist-Patient: (Uniform Rules of Evidence Rule 503(a)(1),(5)(b); California Evidence Code Section 1012).

Protected Communications 2

Application: Confidential communications protected by privileges are those between the client or patient and the professional (lawyer, doctor, or psychotherapist) that they are consulting for professional assistance. The communications must be made in confidence by means which disclose the information to no third persons other than those who are present to further the interest of the client or patient in the consultation or those to whom disclosure is reasonably necessary to accomplish the client's goals or the patient's course of treatment.

Protected Communications 3

Example: A patient who consults a doctor for a medical condition will often meet with the doctor in a patient examining room. The patient will describe their condition to the doctor. The doctor will examine the patient, maybe run some tests, and then will offer a medical opinion and advice to the patient. The patient information, examination and test results, and the doctor's opinion and advice will be protected confidential communications that are protected by the doctor-patient privilege and cannot be disclosed. Disclosure to nurses or other health care professionals in the course of treatment of the patient does not destroy the privilege.

Administrative proceedings 1

1. Adjudicative hearings: Evidentiary privileges are applicable in administrative adjudicatory proceedings. (2010 MSAPA Section 404(2).) Section 404(2) provides that: "(2) The presiding officer may exclude evidence in the absence of an objection if the evidence is irrelevant, immaterial, unduly repetitious, or excludable on constitutional or statutory grounds or on the basis of an evidentiary privilege recognized in the courts of this state." The definitions and scope of privileges are based upon state law. 45 states have evidence codes that are largely based upon the Federal Rules of Evidence [See rule 501, FRE]. 1981 MSAPA Section 4-212 is identical to section 404(2). 1961 MSAPA Section 10(1) required agencies to follow the non-jury trial civil rules in adjudicative hearings.

Administrative proceedings 4

4. Non-APA hearings. If the adjudicative hearing is not governed by the state (or federal) APA, then privileges may not be expressly protected, but disclosure waives the protections of the privilege so that hearing officers should be prepared to rule upon privilege claims presented in the hearing. The applicability of a privilege does not change the burden of proof rules so that a litigant may have to choose between relying upon a privilege or disclosing the privileged information and satisfying the burden of proof requirements. This dilemma is present when the only supporting evidence of the privilege holder needed to present their claim is protected by the privilege. This dilemma does not occur when the issues-in-litigation privilege exception applies to the hearing issues.

Confidentiality and Protective Orders 1

1. 2010 Model State Administrative Procedure Act Section 411(d) (Discovery) provides for the issuance of protective orders: "(d) On petition, the presiding officer may issue a protective order for any material for which discovery is sought under this section which is exempt, privileged, or otherwise made confidential or protected from disclosure by law of this state other than this [act] and material the disclosure of which would result in annoyance, embarrassment, oppression, or undue burden or expense to any person."

FOIA disclosure

1. Federal agencies are required to furnish any reasonably described record requested by any person for any reason [5 U.S.C. Section 552(a)(3)]. If the agency does not provide the record, or delays in providing the record under very short deadlines [20 days for initial request], the requestor has the right to go to court to compel the production of the records. If the requestor substantially prevails in court, the requestor can recover attorney's fees and litigation costs. These fees and costs will be paid by the federal government.

FOIA Exemptions 2

(4) trade secrets and commercial or financial information obtained from a person and privileged or confidential;
(5) inter-agency or intra-agency memorandums or letters which would not be available by law to a party other than an agency in litigation with the agency [this is also called the deliberative process privilege];
(6) personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy;

State Public Records Acts 1

1. Most, if not all, states have public records acts that are modeled on FOIA. These acts provide for mandatory disclosure by the state or local agency of government records that are requested and reasonably identified. The acts provide for disclosure by the agency within a short time period after the request is made, and there is judicial enforcement if the agency does not disclose the records. State acts also have exemptions from disclosure that are similar to FOIA exemptions. The same types of parties utilize state public records act provisions for the same purposes [public interest organizations, competing businesses and news media organizations].