450 likes | 619 Views
AMC Security and Privacy: Progress and Prospects. State Laws & Regulations: Current Trends and Implications. Katherine M. Keefe Reed Smith LLP Abby Pendleton Wachler & Associates, P.C. Lawrence Hughes American Hospital Association Sissy Holloman University of North Carolina Hospitals.
E N D
AMC Security and Privacy:Progress and Prospects State Laws & Regulations: Current Trends and Implications Katherine M. KeefeReed Smith LLP Abby PendletonWachler & Associates, P.C. Lawrence HughesAmerican Hospital Association Sissy HollomanUniversity of North Carolina Hospitals
HIPAA and State Law:Why it matters Katherine M. Keefe
HIPAA Preemption--General Rule HIPAA’s administrative simplification provisions preempt contrary state law provisions, unless one of four exceptions are met
HIPAA Preemption -- Exceptions • DHHS Secretary exceptions determinations • More stringent state health privacy provisions • State reporting laws • Health plan reporting and information
HIPAA Preemption -- Exceptions • “More Stringent” state law provisions • prohibit or restrict disclosure • permit greater access/amendment rights • require tighter consents/authorizations • require longer/more detailed accountings of disclosures • provide more privacy protection
HIPAA Preemption -- Not Just Theoretical • State law provisions must be factored into HIPAA compliance • Notice of privacy practices must reflect more stringent state laws • Policies and procedures need to operationalize compliance with all relevant laws and regulations
FAQ September 3, 2003 • NPP must reflect more stringent state laws • Multi-state implications • Covered entities need to track changes in state law
HIPAA Definition of State Law Includes: • constitution • statutes • regulations • rules • common law • other state actions having force and effect of law
State Health Privacy Provisions Found in Numerous Laws/Regulations • Professional licensure/certification • Facility licensure/certification • Condition or disease-specific (i.e., mental health, drug and alcohol, HIV/AIDS) • Program-specific (i.e., Medical Assistance, Drug & Alcohol Services, prescription programs) • Statutory privileges
HIPAA Preemption--Challenges • Locating relevant state health privacy provisions • Provision-by-provision analysis required • Implications for multi-state entities • Lack of regulatory guidance
HIPAA Preemption--Practical considerations • Cost • Time • Staying Current
HIPAA Preemption--Collaborations • State associations • Industry-specific • “Mandated” approaches
Discussion Points For State Laws and Regulations- Current Trends Abby Pendleton Wachler & Associates, P.C. 210 East 3rd Street Suite 204 Royal Oak, Michigan 48067 Email: apendleton@wachler.com (248)544-0888
Overview of Discussion Points • State Initiatives Involving Medical Records and Interplay with HIPAA • State Law and HIPAA Interplay Examples: • Mental Health • Patient Rights Concerning Medical Records • HIPAA Liability Through State Channels
State Initiatives- Electronic Health Information Networks • Trends: State initiatives to create electronic health information networks to give patients control of the access to their medical records • Delaware has developed a model for clinical information sharing that moves medical information between hospitals, physicians, etc. but only when the provider needs the information and the patient has given authorization
State Initiatives- Electronic Health Information Networks • Michigan Electronic Medical Record Initiative- involves multiple stakeholders and would give patients control over access to their medical records. Michigan Gov. Granholm has endorsed the initiative. • Kentucky-passed legislation to launch a statewide health information network.
State Law Examples • Mental Health Issues: • HIPAA- Covered Entities can use and disclose PHI including mental health records for T, P, O without a HIPAA authorization or without consent (Different from Psychotherapy Notes- most mental health records are not psychotherapy notes) • State mental health codes may require consent or an authorization to conduct such activities: • Michigan example regarding consent and unlimited access
State Law Examples • State laws governing medical record access and similar rights– Key is to know your state law • What are the timeframe limitations- are they more strict? • Unlimited access or are there exceptions like HIPAA?- denial issues • Charging • HIPAA definition of DRS and State law definition of medical record
State law liability • Will Federal HIPAA establish “standard of care” that will be used in State law actions? • State liability theories to be aware of: • Implied contract • Invasion of privacy • Intentional infliction of emotional distress • Negligence/Malpractice
State Law Issues under HIPAA:A North Carolina Provider’s Perspective Presenter: Sissy Holloman, JD Assistant General Counsel University of North Carolina Hospitals
Statewide Initiatives • NCHICA: Cooperative statewide initiative with representatives from all aspects of health care and various “sub work groups” • North Carolina Hospital Association In-House Counsel Work Group
HIPAA/State Law Challenges • N.C.G.S. § 8-53:Communications between physician and patient. No person, duly authorized to practice physic or surgery, shall be required to disclose any information which he may have acquired in attending a patient in a professional character, and which information was necessary to enable him to prescribe for such patient as a physician, or to do any act for him as a surgeon, and no such information shall be considered public records under G.S. 132-1. Confidential information obtained in medical records shall be furnished only on the authorization of the patient, or if deceased, the executor, administrator, or, in the case of unadministered estates, the next of kin. (Remainder omitted)
HIPAA/State Law Challenges • Interpretation and effect of N.C.G.S. § 8-53 • Although in the evidentiary section of the statutes, § 8-53 is widely interpreted by courts and practitioners to apply outside court proceedings • Interpreted to require an authorization or a court order to disclose information not required or specifically permitted to be disclosed by law • If this interpretation is accurate, § 8-53 would be more stringent than HIPAA since it would prohibit disclosures in circumstances under which such disclosures would be permitted under HIPAA, and thus § 8-53 is not preempted by HIPAA
HIPAA/State Law Challenges • Interpretation and effect of N.C.G.S. § 8-53 • N.C.G.S. § 8-53 deemed broad enough to require covered entities to obtain consent for treatment, payment and health care operations • Many North Carolina hospitals require a general consent for treatment from patients which contains consent for disclosures for TPO purposes • Typically, hospitals use a simpler version of consent since a HIPAA-compliant authorization would not be required
HIPAA/State Law Challenges • Interpretation and effect of N.C.G.S. § 8-53 • Most of the issues arise in the context of the HIPAA Section 164.512 disclosures (“Uses and Disclosures for which an authorization or opportunity to agree or object is not required”) • Most of the subsections provide that the covered entity “may disclose”. If there is no state or federal statute requiring the disclosure, or state statute specifically authorizing the disclosure, § 8-53 is interpreted to govern since more stringent, thus no such disclosure could be made without authorization or court order
HIPAA/State Law Challenges • Interpretation and effect of N.C.G.S. § 8-53 • Affected sections of HIPAA include • 164.512(b) Public Health • 164.512(c) Victims of Abuse, Neglect or DV • 164.512(d) Health Oversight • 164.512(f) Law Enforcement • 164.512(j) Disclosures to avert serious threat • 164.512(k) Specialized Government Functions • 164.514 Limited Data Sets
HIPAA/State Law Challenges • Interpretation and effect of N.C.G.S. § 8-53 • Law Enforcement exception issues include • Limited info for identification/location • Would provide directory information if the patient did not “opt out” of the directory • If patient “opted out” of the directory, § 8-53 seems to prohibit disclosure • Victims of a crime (other than info required by law to be disclosed such as wound reporting) • Decedents (other than info required by law to be disclosed for wound reporting, etc.)
HIPAA/State Law Challenges • Interpretation and effect of N.C.G.S. § 8-53 • Public Health exceptions to HIPAA • Many, but not all, disclosures for public health purposes are “required by law” in NC. For example: • Communicable disease reporting and investigation (N.C.G.S. §§ 130A-135, 130A-144) • Vital statistics (e.g., N.C.G.S. § 130A-101) • Disease monitoring (e.g., N.C.G.S. §§ 130A-131.16 (birth defects), 130A-209 (cancer)) • Bioterrorism reporting (N.C.G.S. § 130A-476(b))
HIPAA/State Law Challenges • Interpretation and effect of N.C.G.S. § 8-53 • Bioterrorism Statute – ED Data Collection (N.C.G.S. § 130A-480) • Mandatory vs. optional participation • Elements to be provided • Public health exception • Limited Data Set • Cost
HIPAA/State Law Challenges • Group is attempting to obtain passage of clarifying statute • Acknowledgement of scope of N.C.G.S. § 8-53 vs. retention of conflict • Which exceptions to clarify—how much is enough for providers; how much is too much for legislators
Conclusion • In states such as North Carolina, the lack of preemption due to more stringent state statutes causes great confusion • North Carolina statutes are inconsistent and confusing and should be clarified or conformed with HIPAA • More specific guidance from OCR is needed
State Laws & Regulations: Current Trends Lawrence Hughes, Regulatory Counsel American Hospital Association
State Activities Generally Good News – Little State Legislative Activity “Mercifully, this is one topic that the Vermont Legislature has not taken up this session, and I do not expect that to change in the coming 12 months.” “Generally speaking, we use HIPAA and the various problems it has caused as rationale for not enacting additional state privacy statutes.”
State Activities (cont.) Harmonization Examples: • Oregon – changes in 2003 to reflect HIPAA • Virginia – Virginia Bar Association study (2004) with resulting legislative proposals (all passed) • Wisconsin – Added “health care operations” to state permitted disclosures (2004) • State hospital association working on a bill to make state states more consistent with HIPAA
State Activities (cont.) Other Areas of State Legislative Activity • Photocopying Fees (MO – 2004; MA – 2003) • Prohibitions on Outsourcing (CA – 2004) • All proposals died • Issue has not resurfaced in CA • Issue has surfaced at the federal level • Government Accounting Office (GAO) study • Legislative proposals
State Activities (cont.) Other Areas of State Legislative Activity • Genetic Privacy (OR – 2005) • SB 1025 • Patient Medical Records Privacy Act (AR – 2005) • Required notice to plaintiff’s attorney when defense obtains plaintiff’s medical records “by using a subpoena, court order or consent form signed by the patient.” • If notice not provided: • No introduction into evidence • No reference “in any manner” during legal proceeding
Future Directions Changing Political Environment Era of Disease-specific protections • Saw enactment of greater protections for patient information (e.g., HIV/AIDS) • Consumer protection still paramount concern • HIPAA protections viewed as weak • HIPAA enforcement viewed as lax
Future Directions (cont.) Changing Political Environment New Era of National Security • Increasing demands for greater access to patient information (e.g., syndromal surveillance) • Law enforcement’s generally negative reactions to HIPAA limitations on access • Experience of less access than previously • HIPAA requirements hinder access • AHA/NAPO Brochure Guidelines for Releasing Patient Information to Law Enforcement (July 2005) • Available at http://www.aha.org/aha/key_issues/hipaa/content/guidelines.pdf
Future Directions (cont.) Changing Political Environment EHR/NHIN • Office of the National Coordinator for Health Information Technology (ONCHIT) – Dr. David Brailer • Increasing recognition of state law variation as a serious legal barrier • Recommendation for federal preemption from the Commission on Systemic Interoperability (CSI)
Current Congressional Proposals Health Information Technology Promotion Act of 2005 (Draft) Sponsor: Nancy Johnson of CT
Contact Lawrence Hughes Regulatory Counsel and Director, Member Relations American Hospital Association (202) 626 –2346 E-mail: lhughes@aha.org Visit the HIPAA section on AHA’s Web site at www.aha.org
Audience Experience Future Implications of State Laws
Audience Poll • My AMC has significant issues associated with state security and privacy laws that exceed HIPAA requirements: • Strongly agree • Agree • Neither agree nor disagree • Disagree • Strongly disagree • Don't know
Audience Poll • My AMC is concerned about future state laws related to information security and privacy: • Strongly agree • Agree • Neither agree nor disagree • Disagree • Strongly disagree • Don't know
Audience Experience • What types of laws do you see taking form in your state? • What are the implications to: • Patient care • Research • Education • How has / is your institution preparing to address these state laws?