Primer on HIPAA: A Presentation to the Tort Section of the Alaska Bar Association
Joan M. Wilson
Davis Wright Tremaine, Anchorage, Alaska
joanwilson@dwt.com
(907) 257-5337
Overview of Presentation
• HIPAA Lay of the Land
• Covered Entities
• HIPAA Privacy Requirements
• Authorizations
• Law Enforcement
• Court Orders/Subpoenas
• HIPAA Security Requirements
• Enforcement
HIPAA — The Big Picture
• Not Just One Issue
• Health Insurance Portability and Accountability Act of 1996
Privacy and Security
• Protects all individually identifiable health information:
  • Paper
  • Electronic
  • Oral
• Privacy of electronic health information
Covered Entities
• Health Plans (including many employee benefit plans)
  • Plans that provide or pay for medical care, including Medicare and Medicaid
• Health Care Clearinghouses
  • Entities that process or facilitate processing non-standard data elements into standard data elements, or vice versa
• Providers who electronically transmit any health information in a HIPAA covered transaction
  • Furnishes, bills or is paid for health care in the normal course of business
Standard Transactions
• Claims or encounter information
• Health plan eligibility
• Referral certification and authorization
• Health care claim status
• Enrollment and disenrollment
• Payment and remittance advice
• Premium payments
• Coordination of benefits
Standard Transactions: Requirements for Covered Entities
• Providers don’t have to conduct electronic transactions, but they must use the standards if they do
• Health plans must:
  • Use the standards for electronic transactions
  • Accept standard transactions from providers, and process them promptly
  • Use the standards if requested of others
• Providers and plans may use clearinghouses to comply
• CEs are not permitted to vary the standards
Standard Transactions
• AHA, Provider Groups Urge Action to Prevent HIPAA Transactions “Train Wreck”
• “Rejection of non-standard transactions and resulting reversion to paper transactions by significant number of providers will lead to a major disruption of payments” – Fault Payers
  • American Clinical Laboratory Assoc.
  • American Health Care Association
  • American Hospital Association
  • American Medical Association
  • Premier, Inc.
  • VHA, Inc.
Standard Transactions
• Not a One-Sided Issue
• OCR Survey – 94% of Medicare Part B Providers Expect Compliance, but Do Worry about Trading Partners (Payers)
• Y2K Comparisons
• Commercial Reasonableness Guard Against Excessive Policing
• Month to Two Month Learning Process
• Advise
  • Other Reserves
  • Line of Credit
  • Testing
Privacy Overview
The Privacy Rule covers:
• Permitted uses and disclosures of protected information
• Individual rights
• Administrative requirements
Privacy: Protected Health Information
• Information relating to:
  • Past, present or future physical or mental health or condition of an individual
  • Provision of health care to an individual, or
  • Past, present or future payment for health care
• Created/received by provider, plan, employer or clearinghouse, and
• Individually identifiable or reasonably likely to be identifiable
• In any medium:
  • Written
  • Verbal
  • Electronic
Use and Disclosure
• General rule: A covered entity and its workforce may not use or disclose protected health information, except:
  • For treatment, payment and operations
  • With individual permission
    • After opportunity to agree or object
    • With an authorization
  • To the individual
  • As otherwise permitted or required by HIPAA
Preemption of State Law
• General Rule: HIPAA preempts or supersedes all “contrary” State laws
• Exceptions:
  • HHS determination
  • State law that is “more stringent”
  • Public health reporting
  • Insurance oversight
• HIPAA is a floor for privacy requirements
• Alaska law still will apply in many cases
Required Disclosures
• To the individual, pursuant to access right
• To the Secretary of DHHS, to determine compliance
Permitted Use and Disclosure — Treatment
• Treatment includes:
  • Provision of health care
  • Coordination of health care
  • Referral for health care
• May disclose to other providers for treatment
Permitted Use and Disclosure — Payment
• Payment includes:
  • Health plan activities to determine payment responsibilities and make payment
  • Provider activities to obtain reimbursement
  • Coverage determinations
  • Billing and claims management
  • Medical review, medical data processing
  • Review of services for medical necessity, coverage, appropriateness; utilization review
Permitted Use and Disclosure — Payment
• Covered entities also may disclose health information to other providers to assist them in obtaining payment and limited operations
Permitted Use and Disclosure — Health Care Operations
• Health care operations include:
  • Quality assessment and improvement
  • Peer review, education, accreditation, certification, licensing and credentialing
  • Insurance-related activities
  • Auditing and compliance programs
  • Business planning and development
  • Business management and general administration
  • Sale, transfer, merger or consolidation of a covered entity with another entity that is or will become covered, including due diligence
Disclosures Requiring an Opportunity to Object
• Individuals must have opportunity to agree or object to certain uses or disclosures of PHI:
  • Directory (name, location, general condition & religious affiliation)
  • Disclosure to family/friends involved in patient’s treatment of PHI directly related to their involvement
  • Notification to responsible person about location, general condition or death
Individual Authorization
• If a use or disclosure is not otherwise permitted, a covered entity may not use or disclose PHI without a valid authorization in place
• Core elements:
  • Meaningful and specific description of information
  • Name or other specific identification of persons or class of persons authorized to make and receive the requested use or disclosure
  • Each purpose (“at the request of the individual” is sufficient when the individual initiates the authorization)
  • Expiration date/event
  • Signature/date/representation of authority
Individual Authorization
• Required statements (in plain language):
  • Right to revoke in writing (with exceptions/limitation) and explanation of how to revoke or reference to Privacy Notice
  • Whether authorization is a condition of treatment
  • Potential for redisclosure and no further HIPAA protection
• Obtain appropriate signature – copy to individual
Individual Authorization
• Give a copy of authorization
• Make sure authorization is:
  • Completely filled in
  • Signed by appropriate person
• Defective authorization is not valid
• Covered entity is not required to disclose PHI pursuant to an authorization; disclosure is permissible
• Duty of additional inquiry for excessive authorizations?
• Address policies/procedures
Permitted Disclosures Absent Authorization: Government and Other Purposes
• As required by other laws
• Public health activities
• Victims of abuse, etc.
• Health oversight activities
• Workers’ compensation
• Law enforcement purposes
• Decedents – coroners and medical examiners
• Organ procurement
• Research purposes, under limited circumstances
• Imminent threat to health or safety (to the individual or the public)
• Specialized government function
• Judicial and administrative proceedings
Disclosures to Law Enforcement
• Required by Law
• Victims of Abuse
• Law Enforcement Purposes
• Victims, Suspects, Detainees
• Imminent Threat to Health or Safety
• Judicial and Administrative Proceedings
• Subpoena vs. Court Order
Disclosures to Law Enforcement
• Required by Law
  • Suspected Child Abuse
  • Suspected Elderly or Vulnerable Adult Abuse
  • Certain Injuries
    • Burns
    • Bullet wound
    • Stabbing
    • Injuries likely to cause death, unless clearly accidental
Disclosures to Law Enforcement: Conditions of Disclosure of Abuse
• If the disclosure is required by law
• If the individual agrees, or
• If the disclosure is authorized by statute and regulation and provider believes the disclosure is necessary to prevent serious harm to the individual or other potential victims
• Or the individual is unable to agree because of incapacity, a law enforcement officer represents that the PHI is not intended to be used against the individual, and an immediate enforcement activity would be materially and adversely affected by waiting for the individual to be able to agree
Disclosures to Law Enforcement
• Limited Information for Identification and Location Purposes
  • If no subpoena, etc., a provider may disclose PHI in response to a law enforcement official’s request for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person
Disclosures to Law Enforcement
• Limited Information for Identification and Location Purposes
  • Subject to that request, Provider may disclose only the following:
    • Name and address
    • Date and place of birth
    • Social Security Number
    • ABO blood type and Rh factor
    • Type of injury
    • Date and time of treatment
    • Date and time of death
    • Description of distinguishing physical characteristics
Disclosures to Law Enforcement
• Limited Information for Identification and Location Purposes
  • Excluded unless other court process or other requirement:
    • DNA
    • Dental Records
    • Typing
    • Samples or analysis of body fluids or tissue
Judicial or Administrative Proceedings
A provider may disclose PHI in the course of a judicial or administrative proceeding if:
• Court or administrative tribunal order (some providers require an order), or
• Subpoena or discovery request absent court order, if:
  • Satisfactory assurance of notice to patient, or
  • Reasonable efforts to secure a protective order
Judicial or Administrative Proceedings
• Satisfactory assurance of notice to patient, in a writing by requestor and accompanying documentation that evidences:
  • Good faith attempt to provide written notice to patient
  • Notice contained sufficient information about the litigation or proceeding to permit patient to raise an objection
  • Time to raise objection lapsed and
    • No objections filed, or
    • Objections filed and resolved by court and disclosure is consistent with resolution
Judicial or Administrative Proceedings
• Reasonable efforts to secure a protective order, in writing and accompanying documentation that evidences:
  • Parties have agreed to a qualified protective order and presented it to the court, or
  • Party requesting information has sought the protective order
Judicial or Administrative Proceedings
• Qualified Protective Order
  • Court or tribunal order or stipulation by the parties that:
    • Prohibits use of PHI outside litigation or proceeding
    • Requires return or destruction of PHI (original and copies) at end of litigation or proceeding
Judicial or Administrative Proceedings
• Absent protective order from the parties, Provider may still disclose in response to lawful process if:
  • It makes reasonable effort to provide notice to the patient (as above), or
  • Seeks a qualified protective order on its own
Minors
• General rule: Parents accorded rights to children’s PHI
• Except:
  • Where state or other law expressly identifies the parent’s or child’s rights
  • Agreement to the contrary
Minors
• Where the law is silent and parent is personal representative for child
  • Parent has access/control of PHI
  • Personal Representative – state law question
• Where the law is silent and parent is not personal representative
  • May deny access if permitted under state law and decision made by a licensed health care provider
  • If law silent, no right to demand PHI
Minors
• Exception
  • Disclosure permitted or denied where necessary to avert serious or imminent threat to the safety or health of the child
Use and Disclosure — Minimum Amount Necessary
• Amount of information to be restricted to minimum necessary
• Covered entities must make reasonable efforts not to use, disclose or receive more than the minimum amount necessary to accomplish the intended purpose
Use and Disclosure — Minimum Amount Necessary
• Exceptions:
  • Disclosure to a provider for treatment (not payment and operations)
  • Release authorized by individual or for individual’s own review
  • Disclosure to HHS
  • Compliance with HIPAA requirements
  • Required by law
Minimum Necessary Information
• CE may rely on scope of information requested by:
  • A public official
  • Another covered entity
  • A “professional” providing services to the CE
  • Researchers (as long as the research requirements are satisfied)
• A CE may not disclose the entire record, unless it is justified
  • But this does not apply to disclosure to providers for treatment
Incidental Uses and Disclosures
• Allows “incidental” uses and disclosures
  • Secondary use or disclosure
  • Limited in nature
  • Cannot be reasonably prevented
  • By-product of otherwise permissible use or disclosure
• Examples include:
  • Sign-in sheets; calling names in waiting rooms
  • Discussions in nursing station; rounds
  • Joint treatment areas
• Only if reasonable safeguards are in place
  • No protections for errors/lack of safeguards
• Not included in accounting of disclosures
Use and Disclosure — Who is a Business Associate?
• A person who, on behalf of a covered entity:
  • Performs or assists with a function or activity involving
    • Individually identifiable information, or
    • Otherwise covered by HIPAA
  • Performs certain identified services
• Examples (shown surrounding the covered entity on the slide):
  • Auditors, Lawyers, Actuaries
  • Other Covered Entities
  • Billing Firms
  • Clearinghouses
  • TPAs
  • Management Firms
  • Accreditation Organizations
  • Consultants, Vendors
Business Associate Contracts — Required Terms
• A covered entity may disclose protected health information to business associates if it:
  • Obtains “satisfactory assurance” that business associates will appropriately safeguard the information
  • Business associate contract required
Business Associate Contracts — Required Terms
• Specific contract content requirements include:
  • Use and disclose information only as authorized
  • Implement privacy and security safeguards
  • Report unauthorized disclosures
  • Assist with individual rights
  • Make available its records to HHS
  • Ensure subcontractors comply
• Need to identify all possible business associates of your organization
Business Associates
• Covered entity may be liable for a BA’s breach if it knew of a “pattern of activity or practice” in violation of the agreement and
  • Failed to take reasonable steps to cure the breach or terminate the contract, or report to the Secretary
• Otherwise, no affirmative duty to monitor BAs
Business Associate Contracts — Extension
• Covered Entities may operate under existing contracts for up to one year beyond April 14, 2003
• Transition period available for existing written contracts so long as the contract is not renewed or modified between April 14, 2003 and April 14, 2004
• Agreement deemed in compliance until the sooner of modification or April 14, 2004
• Caveat: CE still is held to compliance with privacy regulations
Group Health Plan/Plan Sponsor
• Plan may not disclose PHI to plan sponsor, without following plan sponsor rules, except:
  • Summary health information to obtain premium bids or modifying/terminating the group health plan
  • Enrollment and disenrollment information
Group Health Plan/Plan Sponsor
• Plan sponsor may receive plan PHI
  • Amend plan documents
  • Firewalls between employer and plan functions
  • Train personnel
• Remember, Plan is a covered entity
Individual Rights — Right to Notice of Privacy Practices
• Individuals have a right to receive Notice of Privacy Practices
• What is the notice?
  • Document in sufficient detail to put the patient on notice of CE’s practices
  • HHS recommends layered notice (summary + long form)
  • Written in plain language
  • Specific content requirements including:
    • Individual rights and legal duties of covered entity
    • Complaints and contacts