CAN THE CANNED FORMS: Practical Advice in Implementing HIPAA Privacy Policies and Forms Margaret Marchak, Esq. Rachel Nosowsky, Esq. HIPAA Summit West Friday, June 6, 2003

CANNED POLICIES AND FORMS Prepackaged Form Policy Flaws: Close tracking of regulatory text in policies (terms are foreign to most non-lawyers) Accuracy (may have been written years before effective date, or even modifications date) Regulatory history overlooked, particularly where preamble conflicts with subsequent guidance Subsequent recent formal and informal guidance often not included Canned policies and forms can serve as a good starting point, but don’t rely on them too heavily

CANNED POLICIES AND FORMS Other applicable mandates generally missing (state law, accreditation requirements, etc.) Guidance on actual procedures Inflexible: Institutional considerations not addressed Translation across types of covered entities unavailable Forms either simplistic or overly burdensome

Case Study: RESEARCH Research supposedly is not regulated under HIPAA so some canned policies inadequately address the subject Basic regulatory requirements, together with continuously updated guidance, are complex Although OCR and OHRP have adopted the position that HIPAA does not amend the Common Rule and the requirements of the two regulations are independent, the fact is that covered entities performing research are required to comply with both mandates and cannot practically segregate their compliance efforts Institutional considerations are critical for human subjects research policies The devil is really in the detail of the procedures, not a policy that parrots the regulation

Case Study: RESEARCH HIPAA SAYS: Patient authorization generally is required to use or disclose PHI for research –Systematic investigation –Designed to develop or contribute to generalizable knowledge Outcomes evaluation is not research if the primary objective is other than to develop or contribute to generalizable knowledge Exceptions –Reviews preparatory to research –Research on decedents –HIPAA waivers (different criteria from Common Rule) –No PHI (de-identified data sets) or limited data sets with data use agreements

Case Study: RESEARCH ISSUES Databases and registries under the Common Rule and HIPAA Common Rule consents and HIPAA authorizations Certifications to the covered entity for reviews preparatory to research and research on decedents Recruiting subjects under the Common Rule and HIPAA Waivers under the Common Rule and HIPAA Exemption, deidentification and limited data sets Accounting requirements Business associate contracts Oversight/enforcement: roles of IRBs and Privacy Officials

Case Study: Individual Rights Issues Canned forms for this generally of significant and unworkable length Single Policy For Access, Amendments, and Accountings logical since exceptions and timelines are similar Creating a policy to adapt to the organizational environment (without alienating the workforce)

Case Study: Individual Rights Policy: Use of definitions: Using every defined term in Privacy Rule is recipe for disaster Identify existing entry point for patient/member communications at covered entity Incorporate individual rights administration through established processes within the covered entity, e.g., use of the grievance process required by state law for a health plan as the HIPAA complaint process

Case Study: Individual Rights Forms Using Forms in Support of the Policy to Document Compliance Without Killing a Forest (Request For Access, Denial of Access, Notice of Charges, Request For Amendment, Notice of Extension To Respond) Combining Forms Designate Department/Individual For Monitoring Forms

Case Study: Individual Rights Drafting Considerations: Denial of Amendment. Covered Entity may deny a request for an amendment if Covered Entity determines that the PHI that is the subject of the request meets an exception because the PHI (a) was not created by Covered Entity (unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment); (b) is not part of the Designated Record Set; (c) is not available for inspection or copying in accordance with the policy on Access Rights; or (d) is accurate and complete -OR- (e) not supported by documentation

Case Study: Individual Rights Use of Authorizations Accounting For Public Health: TPO or Required by Law? Software package vs. current applications

Case Study: Business Associates Will the “real” business associates please stand up? Issues for wannabee business associates who are covered entities behaving as such –Timelines for compliance with individual rights –Reliance upon exceptions applicable to the covered entity vs. the covered entity as a business associate, e.g., accountings –Permitted disclosures

Case Study: Business Associates Who should produce the form: the government, the covered entity or the business associate? Beware of the form produced by business associates from the outer limits (limitation of liability, restrictions on receipt of PHI, disclaimers of ERISA liability) Working cooperatively with your business associates

Conclusion Home grow the final policies and forms, even if you start with a purchased form