Privacy Requirements of GLBA & HIPAA

Presented by:
- Becky Williams, R.N., J.D., Partner, Davis Wright Tremaine, Seattle, Washington, beckywilliams@dwt.com, (206) 628-7769
- Tom Jeffry, J.D., Partner, Davis Wright Tremaine, Los Angeles, California, tomjeffry@dwt.com, (213) 633-6882

Overview of Presentation
- Gramm Leach Bliley Act (GLBA)
- HIPAA
  - Lay of the Land
  - Covered Entities
  - Uses and Disclosures
  - Individual Rights
  - Administrative Responsibilities
  - Enforcement

Gramm-Leach-Bliley Act (GLB)
- Protects privacy of consumer information held by "financial institutions"
- Requires companies to give consumers privacy notices that explain information sharing practices
- Consumers have the right to limit some sharing of info
- Financial institutions may not disclose to a nonaffiliated third party any nonpublic personal information unless the institution:
  - Provides notice to consumer of company's privacy policy, and
  - Provides opportunity to "opt out"
- Under FCRA, consumers have right to "opt out" of sharing credit info even if only shared with affiliates.

GLB – Applicability
- "Financial Institutions" -- companies that offer financial products or services:
  - Loans
  - Investment advice
  - Insurance
  - Banking services
- As a result, GLBA applies to:
  - Banks
  - Brokerages
  - Insurance Companies
  - Credit Companies
  - Mortgage Companies
  - Tax Preparers
  - Debt Collectors

GLB Notice Requirements
- Must be clear, conspicuous, accurate statement of privacy policy
- Must include:
  - What info company collects about consumers and customers
  - With whom company shares info
  - How it protects or safeguards info
- Must be mailed or delivered in person
- Initial notice: earlier of 7/1/01 or at 1st transaction
- Annually thereafter as long as customer relationship continues
- Applies to all non-public info company gathers about consumers

What is Nonpublic Personal Information?
- Personally identifiable financial information
- Any listing derived from using personally identifiable information
- Does not include public info including:
  - Government records
  - Widely distributed media
  - Disclosures required to be made by the government

What is Personally Identifiable Financial Information?
- Provided by the consumer
- Derived from a transaction
- Otherwise obtained in connection with product or service

Exceptions for disclosure
- Service Providers
- Joint Marketing
- Processing and Servicing Transactions
- Consent of the customer
- Protect confidentiality or security
- Lawyers, auditors and examiners
- Right to Financial Privacy
- Reporting to credit bureau
- Sale, merger or transfer of assets
- Comply with federal, state or local law

What is the Opt-Out Provision?
- The right of the consumer to instruct the financial institution not to disclose nonpublic personal information.
  - Must be explained in the Privacy Notices
  - Levels of opt-out alternatives

GLB Part II
- Consumer advocates attack notices as dense and unreadable
- "The biggest waste of paper in human history" (Ralph Nader)
- Consumers demand non-existent rights
- FTC Workshop, Dec. 2001 – Examines problems with GLBA notices
- Expect future modifications to GLBA
- Beware of state action (CA!)

HIPAA — Not Just One Issue
Health Insurance Portability and Accountability Act of 1996
- Title I: Portability
- Title II: Administrative Simplification
  - Transaction Standards
  - Health Identifiers
  - Security
  - Privacy
  - Enforcement
- Titles III, IV, V

Privacy Rules — A Winding Road
- Proposed: December 28, 2000
- Final: February 2001
- Amendments Published August 14, 2002
- Guidance: October 2002 and December 2002
- Compliance:
  - April 14, 2003 for most
  - April 14, 2003 for small plans

Covered Entities
- Health Plans
  - Include many employee benefit plans that pay for medical care
- Health Care Clearinghouses
  - Process or facilitate processing of non-standard data elements into standard data elements, or vice versa
- Providers who Electronically Transmit any Health Information in a HIPAA Covered Transaction

Standard Transactions
- Claims or encounter information
- Enrollment and disenrollment
- Health plan eligibility
- Payment and remittance advice
- Referral certification and authorization
- Premium payments
- Health care claim status
- Coordination of benefits
- Deferred:
  - First report of injury
  - Claims attachment

Others Affected by HIPAA, but Not Necessarily Covered Entities
- Business Associates
- Plan Sponsors

Privacy ─ What is Covered?
- Protected Health Information relating to:
  - Past, present or future physical or mental health or condition
  - Provision of health care to an individual, or
  - Past, present or future payment for health care
  - Created/received by provider, plan, employer or clearinghouse
- Individually Identifiable or Reasonably Likely to be Identifiable
- In any Medium
  - Written
  - Verbal
  - Electronic

What is Covered? Employment Records
- Covered Entity's own Employment Records are Excluded from PHI
  - Employment records not defined
  - Functional test: patient vs. excused absence from work, accommodation under FMLA, ADA, etc.
- State law implications

De-Identification
- Information is presumed de-identified if:
  - A qualified person determines that the risk of re-identification is "very small", or
  - The following identifiers are removed or concealed: Name, Address, Dates, Telephone, Fax, e-mail, SSN, MR#, Plan ID, Account #, License #, Vehicle ID, URL, IP address, Fingerprints, Photographs, Relatives, Employer, Other unique identifier
- And the CE does not have actual knowledge that the recipient could use it to identify the individual

Limited Data Set
- Information not Completely De-identified, but which can be used for Research, Public Health and Health Care Operations
  - Excludes 16 identifiers
  - Data use agreement with recipient
  - Not included in accounting

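As an added illustration, not taken from the slides, the following Python sketches the identifier-removal approach of the De-Identification slide and the Limited Data Set variant: it drops the listed identifier fields, reduces dates to the year, and redacts identifier patterns that leak into free-text fields, recording each action for review. The field names, regular expressions and the sample record are this example's own assumptions, and it covers only the identifier categories the slide lists.

```python
import re
from datetime import date

# Structured fields matching the identifier categories on the slide; the
# field names themselves are this example's assumed record schema.
DIRECT_IDENTIFIERS = {
    "name", "address", "telephone", "fax", "email", "ssn", "mrn", "plan_id",
    "account_number", "license_number", "vehicle_id", "url", "ip_address",
    "fingerprint", "photo", "relatives", "employer",
}

# Identifier shapes that tend to leak into free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def deidentify(record, limited_data_set=False):
    """Return (scrubbed_copy, findings) for one record.

    Safe-harbor mode drops direct identifiers, keeps only the year of date
    fields (this example's reading of "concealed") and redacts identifier
    patterns inside strings. limited_data_set=True retains full dates, which
    is why that variant needs a data use agreement with the recipient.
    """
    scrubbed, findings = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            findings.append(f"dropped field {key}")
            continue
        if isinstance(value, date):
            if limited_data_set:
                scrubbed[key] = value.isoformat()
            else:
                scrubbed[key] = str(value.year)
                findings.append(f"reduced {key} to year")
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if limited_data_set and label == "date":
                    continue  # dates survive in a limited data set
                value, hits = pattern.subn(f"[{label.upper()}]", value)
                if hits:
                    findings.append(f"redacted {hits} {label} in {key}")
        scrubbed[key] = value
    return scrubbed, findings


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MR-000123", "ssn": "123-45-6789",
    "dob": date(1970, 3, 9), "admit_date": date(2003, 4, 14),
    "diagnosis": "hypertension",
    "notes": "Call 206-555-0100 or jane@example.com; seen 4/14/2003.",
}
```

The findings list is the audit trail a privacy official can check before releasing the data set; an empty list on a record that still contains notes is a signal to review the patterns, not proof the record is clean.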
Use and Disclosure
General rule: A covered entity may not use or disclose PHI except:
- For treatment, payment and operations
- To the individual
- With individual permission
  - After opportunity to agree or object
  - With an authorization
- As otherwise permitted or required by HIPAA

Disclosures Requiring an Opportunity to Object
Individuals Must Have Opportunity to Agree or Object to Certain Uses or Disclosures of PHI:
- Directory (name, location, general condition & religious affiliation)
- Disclosure to family/friends involved in patient's treatment of PHI directly related to their involvement
- Notification to responsible person about location, general condition or death

Permitted Disclosures: Government and Other Purposes
- As Required by Law
- Organ Procurement
- Public Health Activities
- Research Purposes, under limited circumstances
- Victims of Abuse, etc.
- Imminent Threat to Health or Safety (to the Individual or the Public)
- Health Oversight Activities
- Workers' Compensation
- Law Enforcement Purposes
- Specialized Government Function
- Decedents ─ Coroners and Medical Examiners
- Judicial and Administrative Proceedings

Individual Authorization
- If a Use or Disclosure is Not Otherwise Permitted, Authorization Required
- Core Elements and Required Statements
- Obtain Appropriate Signature — Copy to Individual
- Defective Authorization is not Valid
- Issues:
  - Duty of additional inquiry for excessive authorizations?
  - Confusion between individual access and authorization

Use and Disclosure — Minimum Amount Necessary
- Amount of Information to be Restricted to Minimum Necessary
  - Covered entities must make reasonable efforts not to use, disclose or receive more than the minimum amount necessary to accomplish the intended purpose

Use and Disclosure — Minimum Amount Necessary
Exceptions:
- Disclosure to a provider for treatment (not payment and operations)
- Release authorized by individual or for individual's own review
- Disclosure to HHS
- Compliance with HIPAA requirements
- Required by law

Use and Disclosure — Minimum Amount Necessary
Minimum Use
- Identify workforce members and their level of access
- Do not attempt to access information that you do not need to know to perform your duties
- Employees face sanctions for violating this rule
Minimum Disclosure/Request
- Recurring and routine disclosures: follow policies and procedures
- Other disclosures: follow criteria; determination on case-by-case basis

Incidental Uses/Disclosures
- Allows "Incidental" Uses and Disclosures
  - Secondary use or disclosure
  - Limited in nature
  - Cannot be reasonably prevented
  - By-product of permissible use or disclosure
- Only if Reasonable Safeguards are in Place
- Examples include:
  - Sign-in sheet; calling names in waiting area
  - Joint treatment areas
- Not included in accounting of disclosures

Use and Disclosure — Who is a Business Associate?
A person who, on behalf of a Covered Entity:
- Performs or assists with a function or activity involving individually identifiable information, or otherwise covered by HIPAA
- Performs certain identified services
Examples of business associates of a Covered Entity: Billing Firms, Clearinghouses, Management Firms, Auditors, Lawyers, Actuaries, Consultants, Vendors, Other Covered Entities, TPAs, Accreditation Organizations

Business Associate Contracts — Required Terms
- A Covered Entity may Disclose Protected Health Information to Business Associates if it:
  - Obtains "satisfactory assurance" that business associates will appropriately safeguard the information
  - Business associate contract required
- Specific Contract Content Requirements
  - The elements of which are based upon the covered entity's obligations under HIPAA

Business Associates
- Covered Entity may be Liable for a BA's Breach if it Knew of a "Pattern of Activity or Practice" in Violation of the Agreement and Failed to Take Reasonable Steps to Cure the Breach or Terminate the Contract, or Report to the Secretary
- Otherwise, No Affirmative Duty to Monitor BAs

Business Associate Contracts — Transition Rule
- Covered Entities May Operate Under Existing Contracts for up to One Year beyond April 14, 2003
  - Transition period available for existing written contracts so long as the contract has not been renewed or modified after October 14, 2002
  - Agreement deemed in compliance until the sooner of modification or April 14, 2004
  - Caveat: CE still is held to compliance with privacy regulations

Marketing
- Marketing is Any Communication that Encourages the Purchase or Use of a Product or Service, but Not:
  - Communications to direct or recommend alternative treatments, therapies, health care providers or care settings
  - Communications for treatment, case management or care coordination
  - Communications describing a health related product or service provided by the covered entity or included in a plan of benefits

Marketing
- Authorization is Required for Marketing Except:
  - Face-to-face encounter
  - Promotional gifts of nominal value
- If the Covered Entity is Receiving Remuneration for the Marketing, the Authorization Must State that Remuneration is Involved

Fundraising
- CE may Use or Disclose to BA or Related Foundation for Purposes of Raising Funds for CE's Benefit:
  - Demographic information
  - Dates of health care provided
- CE Must Include Opt-Out Information in Fundraising Materials

Research
- General Rule: No Use or Disclosure of PHI for Research
- Exceptions:
  - Authorization (special rules apply)
  - IRB or Privacy Board Waiver (specified criteria must be considered)
  - Special representations for:
    - On-site use preparatory to a research protocol
    - Research on decedents

Special Organizational Rules
- Hybrid Entity
  - Single legal entity that is a covered entity
  - Both covered and non-covered activities
  - Designates health care components as hybrid
  - Hybrid status is a choice
- If Hybrid:
  - Only covered functions subject to HIPAA
  - Disclosure of PHI to non-health care component must be in conformance with HIPAA
  - Need adequate firewalls, policies, procedures
  - Does not limit liability of entire entity

Special Organizational Rules
- Covered Entity with Multiple Covered Functions
  - Entity that engages in multiple functions making it any combination of a health plan, covered health care provider, or health care clearinghouse
  - Must comply with all relevant standards
  - General rule: treat as legally separate entities

Special Organizational Rules
- Affiliated Covered Entities
  - Legally separate entities that may designate themselves as a single covered entity if under common ownership or control
  - Compliance: same standards; separately subject to liability

Special Organizational Rules
- Organized Health Care Arrangements
  - Clinically integrated setting involving more than one provider
  - A health care system that holds itself out as a system and has shared UR, QA or payment arrangements
  - Group health plan and its insurer or HMO
- Members of an OHCA:
  - Are not one another's business associates
  - May use a joint notice of privacy practices and acknowledgment
  - May disclose PHI to another member of the OHCA for health care operations of the OHCA

Group Health Plan/Plan Sponsor
- Plan May Not Disclose PHI to Plan Sponsor, Without Following Plan Sponsor Rules, Except:
  - Summary health information to obtain premium bids or for modifying/terminating the group health plan
  - Enrollment and disenrollment information

Group Health Plan/Plan Sponsor
- Plan Sponsor may Receive Plan PHI if it:
  - Amends plan documents
  - Maintains firewalls between employer and plan functions
  - Trains personnel
- Remember, Plan is a Covered Entity

Individual Rights

Individual Rights — Right to Notice of Privacy Practices
- Direct Treatment Providers must Provide Notice to Individuals by the First Date of Service
- Acknowledgment
- Posted in Prominent Location
- On Website

Individual Rights — Right to Access to PHI
- Individuals are Entitled to Access (inspection and copying) of their Own PHI
- Exceptions:
  - Access likely to endanger life or physical safety
  - Information is about another, and access likely to cause substantial harm to him or her
  - Information obtained under promise of confidentiality
  - Information compiled for legal proceedings
  - Psychotherapy notes
  - Prohibited by CLIA

Individual Rights — Right to Access
- Right to Request Access to Own PHI
  - Reviewable and unreviewable grounds for denial (prohibited by CLIA = non-reviewable)
  - Explanation of reasons for denial
- Can Individuals Access Laboratory PHI?

Individual Rights — Right to Request Amendment
- Individual May Request Amendment of Own Records
- In Response, Covered Entity May:
  - Accept amendment
  - Deny amendment. Grounds include: not created by entity; information is accurate and complete; information is not subject to access
- Statement of Disagreement (by individual)
- Rebuttal Statement (by covered entity)
- Record-keeping/Linking

Individual Rights — Accounting of Disclosures
- Accounting includes:
  - Date of disclosure
  - Recipient name and address
  - Description of information disclosed
  - Purpose of disclosure

Individual Rights — Accounting of Disclosures
- Exceptions include:
  - Treatment, payment and health care operations
  - Individual access
  - Directories, persons involved in care
  - Pursuant to authorizations
  - National security or intelligence
  - Incidental disclosures
  - Limited data set
  - Prior to April 14, 2003

Individual Rights — Right to Request Additional Protections
- Right to Request Additional Privacy Protections
  - Covered entity may refuse
  - If it agrees, it is bound (except in emergency)
  - Be careful in granting requests

Individual Rights — Right to Request Alternative Communications
- Right to Request to Receive Communications in Alternative Fashion
  - Must accommodate reasonable requests

Administrative Requirements

Administrative Requirements
- Documented Policies, Procedures and Systems
- Designate Privacy Official and Contact Person
- Implement Adequate Safeguards to Protect PHI from Intentional or Accidental Misuse
- Mitigation
- Complaint Mechanism
- No Intimidation/Retaliation
- No Requirement to Waive Rights

Administrative Requirements — Workforce Training and Sanctions
- Privacy and Security Awareness Training to:
  - Entire workforce by compliance date
  - New employees following hire
  - Affected employees after material changes in policies
- Training to be Documented
- System of Sanctions — Consistent Enforcement

What's Next?

Security Rule – Status
- Proposed Standards Published August, 1998
- Final Standards Published February 20, 2003
- Statute and Portions of Privacy Rule Touching upon Security Apply Now

Security: What Information Is Protected?
- All Protected Health Information that is Electronically Maintained or Transmitted
- Compare: the Privacy Standards Protect All Individually Identifiable Health Information, in Whatever Form

Security: Key to Security Rules
Covered entities must:
- Ensure the Confidentiality, Integrity and Availability of all Electronic PHI Created, Received, Maintained or Transmitted by CE
- Protect against Reasonably Anticipated:
  - Threats or hazards to security or integrity
  - Unauthorized uses or disclosures
- Ensure Workforce Compliance with Security Rule

Security Approach
- Standards
- Implementation Specifications
  - Required
  - Addressable: assess reasonableness; implement if reasonable; if not reasonable, document reason and implement equivalent alternative
- Technology Neutral

Security Overview
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Other Requirements
  - Organizational requirements
  - Policies, procedures and documentation

Compliance & Sanctions
- Civil Violations
- Criminal Violations

Compliance & Sanctions — Civil Penalties
- $100 per violation
- Up to $25,000 annually for violations of "identical" requirements or prohibitions
- Don't be fooled by the cap

Criminal Violations
- Improperly uses or causes to be used a unique health identifier
- Improperly obtains individually identifiable health information
- Discloses such health information to another person
- Up to $50,000 and/or 1 year jail time

Criminal Penalties
- If Wrongful Disclosure is:
  - Done under false pretenses: the penalty is up to $100,000 and/or 5 years imprisonment
  - For profit or with malice: up to $250,000 and/or 10 years in jail

Enforcement Status
- OCR to Enforce Privacy
- CMS to enforce TCS, security and employee identifiers
- DOJ to enforce criminal penalties
- Final Interim Enforcement Regulations published April 17, 2003 / Effective May 17, 2003
  - Focus on Civil Penalties by HHS
  - First installment
  - Comments due June 16, 2003

Enforcement
- Limits on HHS's Authority to Impose CMPs:
  - Not punishable under criminal statute
  - Person did not know, and by exercising reasonable diligence would not have known, of the violation of HIPAA
  - Due to Reasonable Cause, not Willful Neglect (to HHS's satisfaction)
  - Corrected within designated time period (e.g., 30 days)
- May be Reduced or Waived
- 6-year statute of limitations
- Let Complaints be OCR's Guide

Compliance & Sanctions — Other "Penalties" or Liability
- State tort remedies — standard of care
- Reputation
- Competitive market position

HIPAA — A Foreign Language

A Tower of Babel
- Anticipate confusion from everyone
- Anticipate the Flow of Information to be Affected
- Anticipate Cash Flows related to Information Flows to be Affected

Solutions
- Plan Ahead
- Create Common Expectations by:
  - Regional and national collaboration
  - Establishing clear operational procedures with non-HIPAA entities
- Assess your Liability
- Develop Enterprise-Wide Standards

Final Thoughts
- HIPAA is Here
- It will Keep us on our Toes
- We are Going to Get Very Good at HIPAA

Questions?