HIPAA for Lawyers Kim C. Stanger (9/11)

Caution
• This is an overview of fairly complex statutes and regulations.
  – No substitute for reading the rules.
• New proposed HIPAA rules are pending.
• In addition to HIPAA, you may be subject to more restrictive state laws.
  – HIPAA establishes floor to patient privacy.
  – Must comply with more restrictive state law.

What is HIPAA?

HIPAA (not HIPPA)
• HIPAA = Health Insurance Portability and Accountability Act
  – Privacy Rules, 45 CFR 164.501 et seq.
    • Applies to protected health info (“PHI”)
  – Security Rules, 45 CFR 164.301 et seq.
    • Applies to electronic PHI
• HITECH Act modified HIPAA

HIPAA
• Covered entities cannot use, access or disclose protected health info without patient’s written authorization unless the use, access or disclosure fits within a HIPAA exception. (45 CFR 164.502)

HIPAA: Covered Entities
• Covered entities
  – Health care providers
  – Health plans, including group health plans if
    • 50+ participants, or
    • Administered by third party
• Business associates who use PHI to perform function for covered entity.
  – E.g., lawyers who represent covered entities.

HIPAA: Covered Info
• Protected health info (“PHI”)
  – Individually identifiable info
  – Created or maintained by covered entity
  – Concerning an individual’s past, present, or future health, health care, or payment
  – In any form or medium.
• Not:
  – “De-identified” info
  – Info not created or maintained in covered entity’s role as a health care provider, e.g., employment records.

HIPAA Penalties

HIPAA Civil Penalties

Did not know and should not have known of violation
• $100 to $50,000 per violation
• Up to $1.5 mil for all identical violations per year
• No penalty if correct within 30 days.
• OCR may waive or reduce penalty if excessive

Violation due to reasonable cause
• $1,000 to $50,000 per violation
• Up to $1.5 mil for all identical violations per year
• No penalty if correct within 30 days.
• OCR may waive or reduce penalty if excessive

Willful neglect, but corrected problem w/in 30 days
• $10,000 to $50,000 per violation
• Up to $1.5 mil for all identical violations per year
• OCR must impose penalty

Willful neglect, but did not correct problem w/in 30 days
• At least $50,000 per violation
• Up to $1.5 mil for all identical violations per year
• OCR must impose penalty

HIPAA Civil Penalties
• In February 2011, Mass General Hospital agreed to pay $1,000 for HIPAA violations.
  – Employee left medical records of 162 patients on subway while commuting to work.
  – Inadequate safeguards to protect info.

HIPAA Civil Penalties
• "We hope the healthcare industry will take a close look at [this case] and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information." – OCR Director Georgina Verdugo.

HIPAA Criminal Penalties
• Criminal penalties apply to employees or other individuals who obtain or disclose protected health info (“PHI”) without authorization. (42 USC 1320d-6(a))

Knowingly obtaining PHI in violation of law
• $50,000 fine
• 1 year in prison

Committed under false pretenses
• $100,000 fine
• 5 years in prison

Intent to sell, transfer, or use for commercial gain, personal gain, or malicious harm
• $250,000 fine
• 10 years in prison

Recent HIPAA Convictions
• Arkansas physician and two hospital employees improperly accessed murdered newscaster’s medical information.
• Convictions:
  – Physician: $5,000 fine + 1 year probation
  – Employee 1: $2,500 fine + 1 year probation
  – Employee 2: $1,500 fine + 1 year probation

Self-Reporting
• Covered entities:
  – Must self-report breach of unsecured PHI to:
    • Affected patient or next of kin
    • Department of Health and Human Services
    • Local media if breach involves > 500 persons
  – Must log improper disclosures and provide accounting if requested by patient.

Additional Reasons to Comply with HIPAA
• HHS must conduct audits.
• State Attorney General can bring lawsuit for HIPAA violation.
• Effective 2012, patients receive a percentage of HIPAA fines.
• Covered entity must impose sanctions against workforce members who violate HIPAA.
• No private cause of action under HIPAA, but patients can bring lawsuit under common law theory.
• Professional disciplinary actions.

Properly Obtaining PHI from Healthcare Provider or Business Associate

Obtaining PHI
• Ways to properly obtain PHI from healthcare provider or business associate:
  – Patient obtains info and gives it to you
  – Written authorization from patient
  – Subpoena + satisfactory written assurances
  – Subpoena + provider notifies patient
  – Court order
  – Fit within a different HIPAA exception
• May need to educate health care providers.

1. Get Info from Patient or Personal Rep
• Patients and personal representatives have right to access and obtain copies of PHI maintained in designated record set. (45 CFR 164.524)
• Personal rep = person with authority to make health care decisions for patient, e.g.,
  – Guardian
  – Spouse
  – Parent
  – Other appropriate relative
(45 CFR 164.502(g); see I.C. 39-4504)

Get Info from Patient or Personal Rep
• Covered entity must allow access or provide copies in format in which records maintained.
  – Electronic or paper
• Covered entity must respond within 30 days.
  – May require written request for the records.
  – May charge reasonable cost-based fee, e.g., cost of materials, labor and postage, not retrieval.
(45 CFR 164.524)

Get Info from Patient or Personal Rep
• Covered entity may deny request if:
  – Info outside designated record set.
  – Psychotherapy notes
  – Info compiled in anticipation of litigation
  – Info obtained under promise of confidentiality and disclosure would identify informant
  – Licensed health care provider determines that access would cause substantial harm.
    • Decision subject to review
(45 CFR 164.524)

HIPAA Civil Penalties
• In February, Cignet Health Center fined $4,300,000 for HIPAA violations.
  – Failed to respond to 41 patients’ requests to access info.
  – Failed to cooperate with OCR’s investigation.

2. Patient Authorization
• Covered entity may disclose PHI to third parties per valid authorization.
  – Authorization cannot be combined with any other release or document.
  – Must contain required elements.
  – Must contain required statements.
• Covered entity not required to disclose the info per the authorization.
• Covered entity may charge a fee.
  – Need not be reasonable.
(See 45 CFR 164.508)

Patient Authorization
• Required elements.
  – Describe info to be disclosed.
  – Identify persons who may make disclosure
  – Identify persons who may receive info
  – Describe purpose of disclosure
    • “At request of patient” sufficient if patient originates
  – Expiration date or event
    • E.g., “at conclusion of litigation”
  – Date and signature of patient or personal representative
  – Describe authority of personal representative
(45 CFR 164.508)

Patient Authorization
• Required statements.
  – Patient may revoke authorization at any time.
  – Provider may not condition treatment on authorization.
  – Info disclosed may be re-disclosed and no longer protected.
(45 CFR 164.508)

Patient Authorization
• Specify the info desired.
  – Oral information, recordings, images, etc.
  – Treatment, payment, other.
  – Documents created or maintained by health care entity.
  – Time frame.
(45 CFR 164.508)

3. Subpoena Signed by Attorney or Clerk
• Covered entity cannot disclose PHI pursuant to subpoena signed by attorney in criminal or civil proceeding unless:
  – Accompanied by written assurances that
    • Patient was given notice and there were no objections or objections overruled, or
    • Protective order in place; or
  – Covered entity notifies patient of subpoena and patient fails to take action to protect PHI.
(45 CFR 164.512(e))
• HIPAA does not nullify subpoena, but precludes disclosure unless conditions satisfied.

Subpoena Signed by Attorney or Clerk
• Subpoena itself may contain satisfactory written assurances if:
  – Patient is party to proceedings;
  – Subpoena accompanied by certificate of service confirming patient or their attorney was served and had time to object; and
  – Time for objection has passed.
(OCR Frequently Asked Question)

Subpoena Signed by Attorney or Clerk
• Provider should strictly comply with terms of subpoena.
  – Ensure you subpoena proper entity, e.g., custodian of records v. employee
  – Provider may only disclose info specified in subpoena.
  – Provider may not disclose info prior to time specified in subpoena.
    • Patient may be able to object to subpoena until time specified in subpoena.
    • No informal, prehearing discussions.

Subpoena Signed by Attorney or Clerk
• HIPAA does not address charges for records in response to subpoena.
  – Most court rules entitle recipient to
    • Reasonable mileage and witness fees
    • Reasonable cost of copies.
  – May want to tender fees with subpoena.

4. Subpoena, Order or Warrant Signed by Judicial Officer
• Provider may disclose info if subpoena, order or warrant is signed by a judicial officer or administrative tribunal. (45 CFR 164.512(e)(1), (f))
• “Judicial officer” not defined.
  – Judge or magistrate
  – Not prosecutor or clerk of court
• Remember to specify info sought.

5. Grand Jury Subpoena
• Covered entity may disclose info per grand jury subpoena. (45 CFR 164.512(e))

6. Administrative Request
• Covered entity may disclose info per administrative request or civil investigative demand upon confirmation that:
  – Info sought is relevant and material to law enforcement inquiry,
  – Request is specific and limited to extent possible, and
  – De-identified info is insufficient.
(45 CFR 164.512(f))

7. Hospital May Deliver Records to Court in Response to Subpoena
• In Idaho, hospital may comply with subpoena by giving notice and filing records with court under seal.
  – Provider may require payment for records before filing with court.
• Party issuing subpoena may state that filing records with court is not sufficient.
(I.C. 9-420)

Other Situations in Which Providers May Disclose PHI

1. Treatment, Payment or Health Care Operations
• Providers may disclose PHI for purposes of
  – Treatment
  – Payment
  – Health care operations, including litigation
• Patient may request restrictions, but provider need not agree.
(45 CFR 164.506)

2. Family Members and Others Involved in Care
• Providers may disclose PHI to family and others involved in health care or payment for health care if:
  – Patient agrees, or
  – Patient does not object and provider believes it is in best interest of patient.
• Disclosure limited to scope of person’s involvement.
(45 CFR 164.510)

3. Facility Directory
• Provider may disclose limited info for purposes of locating patient if asked for patient by name:
  – Patient’s name
  – Location in facility
  – General condition
• Patient may restrict disclosure.
(45 CFR 164.510)

4. To Avert Serious Threat
• Covered entity may disclose info to prevent or lessen serious and imminent threat to health or safety of person or public.
  – Disclose info to entity able to respond to threat.
(45 CFR 164.512(j))

5. Other Law Requires Disclosure
• Provider may disclose PHI if and to the extent that another law requires disclosure, e.g., to report:
  – Child or vulnerable adult abuse
  – Treatment to victim of crime
  – Injury by firearm
  – Credible threat by patient against another person
  – Certain communicable diseases
(45 CFR 164.512(a))

6. Law Enforcement Purposes
• HIPAA allows providers to disclose info to law enforcement in limited circumstances.
  – Disclosure of limited info to identify or locate a suspect, fugitive, witness or missing person.
  – Disclosures re victim of crime if:
    • Victim agrees, or
    • If victim is incapacitated or emergency, law enforcement represents info is not to be used against victim and cannot wait for info.
  – Reporting death involving crime.
  – Reporting crime on premises.
  – Reporting crime if provider is a victim.
(45 CFR 164.512(f))

7. Prisoner
• Covered entity may disclose info to correctional institution or law enforcement having custody of individual if info necessary for health or safety of the individual or others. (45 CFR 164.512(k))

Patient Rights re PHI

Patient Rights
• Request additional restrictions on use or disclosure of PHI
• Access PHI
• Amend PHI
• Obtain accounting of disclosure of PHI
(45 CFR 164.522-.528)

If You Represent Health Care Provider and Receive PHI…

Business Associates
• Business associates = entities that receive PHI from covered entity to perform function on behalf of covered entity, including lawyers.
• Business associates are subject to HIPAA.
  – Must not access, use or disclose PHI unless permitted by HIPAA.
  – Must safeguard PHI.
  – Must have business associate agreement.
  – May be subject to HIPAA penalties if violate HIPAA.
(45 CFR 164.504, .514)

Contacting Represented or Employed Providers for Info

Contacting Represented or Employed Providers
• Cannot contact represented party ex parte, including persons “whose act or omission in connection with the matter may be imputed to the organization for purposes of civil or criminal liability.” (Ethical Rule 4.2, Comment 7)
• Prohibits ex parte contacts with employed providers given HIPAA penalties?

HIPAA Resources
• 45 CFR part 164
• OCR website: www.hhs.gov/ocr/hipaa
  – Summary of regulations
  – Frequently asked questions
  – Guidance re key aspects of privacy and security rules
  – Sample business associate agreement

Questions?
Kim Stanger
Hawley Troxell LLP
kstanger@hawleytroxell.com
(208) 388-4843 or (208) 409-7907