HIPAA CONFIDENTIALITY
Paul A. Stewart, Esq.
Foley & Lardner
One Maritime Plaza, 6th Floor
San Francisco, CA
pastewart@foleylaw.com
What's to Simplify?
(the standard transactions covered by Administrative Simplification)
- Health Claims
- Encounter Information
- Attachments to Health Claims
- Health Plan Enrollment/Disenrollment
- Eligibility Verification
- Claims Payments/Remittance Advice
- Payment of Premiums
- First Report of Injury
- Referral Certification/Authorization
- Claim Status
- Coordination of Benefits
Who Must Comply?
- A "Health Care Provider": furnishes, bills or gets paid for health care services or supplies
- A "Health Plan": provides or pays for medical care
- A "Health Care Clearinghouse": processes non-standard data elements into standard data elements (or vice versa)
- "Business Partners": agents of covered entities
To What Do Regulations Apply?
- "Health Information" (security regulations): information created or received by providers, health plans, public health authorities, employers, life insurers, schools or universities that relates to an individual's physical or mental condition, the provision of health care to the individual, or payment for that care
- "Protected Health Information" ("PHI") (confidentiality regulations): health information that identifies the individual, or that could reasonably be used to identify the individual
When To Comply?
- Whenever health information is electronically transmitted or maintained (security regulations)
- Whenever protected health information is electronically transmitted or maintained in connection with a standard transaction (confidentiality regulations)
- Obligations attach to the information itself, not to particular documents: the same PHI is protected in whatever form or copy it is held
Why Comply?
- Civil monetary penalties: up to $100 per violation per person, with a $25,000 annual limit for each standard violated
- Criminal penalties for "knowing misuse": fines of $50,000 to $250,000 and 1 to 10 years in prison
- The greatest penalties are reserved for misuse with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm
What Are the Confidentiality Rules?
- Disclosure/use of PHI is prohibited except as permitted by the regulation
- Permitted disclosures:
  - As authorized by the individual
  - For health care treatment, payment and operations (except for research and psychotherapy notes)
  - In connection with national policy activities
- Required disclosures:
  - On request by the individual
  - For investigation of compliance by the government
- Circumstances requiring individual authorization: marketing; sale, rental or barter of PHI; eligibility determinations; fundraising; disclosure to employers; research unrelated to treatment; psychotherapy notes
- Minimum necessary standard: uses and disclosures are limited to the minimum amount of PHI needed to accomplish the purpose
- Patient rights:
  - To receive adequate notice of information practices
  - To inspect and copy PHI
  - To request amendment/correction of PHI
  - To request restrictions on uses/disclosures of PHI
  - To receive an accounting of uses/disclosures
What Do I Have To Do?
- Designate a privacy official
- Designate a contact person/office for complaints and information
- Assess whether HIPAA preempts state law
- Assess current policies and procedures
- Develop comprehensive policies and procedures
- Draft contracts: business partner/chain of trust agreements

Preemption
- Assess whether HIPAA preempts state law: a federal standard, requirement or implementation specification preempts contrary state law
- Exceptions (state law survives) where:
  - State law is necessary for certain purposes
  - State law is more stringent
  - State law relates to audits, licensure, certification, reporting of child abuse, births, deaths or injuries, or public health activities
Policies and Procedures
- Assess current policies and procedures:
  - What does your organization do to ensure PHI is not improperly disclosed?
  - How do you monitor compliance with your current policies and procedures?
  - What are the consequences in your organization if PHI is disclosed in violation of current legal requirements or of your policies and procedures?
  - Are your policies and procedures written?
- Develop comprehensive policies and procedures covering:
  - Determining when disclosures are permitted/required
  - Conditions applicable to certain permitted disclosures
  - Minimum necessary standard
  - Authorizations
  - De-identifying PHI
  - Business partners
  - Deceased individuals
  - Right to request restrictions
  - Right to notice of information practices
  - Right to access
  - Right to an accounting of disclosures
  - Right to amendments and corrections
  - Verification of the identity/authority of a requester
  - Training
  - Sanctions
  - Complaints
  - Changes in policies or procedures
Further Documentation
Must create documents related to the following and retain them for six years:
- Requested restrictions
- Contracts with business partners
- Authorization forms
- Notifications of information practices
- Statements regarding access/denial of access to PHI
- All accountings provided
- Denials of amendment/correction requests
- Employee certifications
- Complaints
Business Partner Contracts
Examples of business partners: lawyers, auditors, consultants, third-party administrators (TPAs), data-processing firms
Required contract terms:
- Disclosures only as permitted/required by the contract
- No disclosures that would violate the regulation if made by the covered entity itself
- Safeguards established to prevent improper uses/disclosures
- Improper uses/disclosures reported to the covered entity
- Subcontracts bound by consistent terms
- Right of access provided to individuals
- Access by the Secretary of DHHS to books/records pertaining to uses/disclosures
- PHI returned/destroyed upon termination of the contract
- Amendments/corrections incorporated
- Third-party beneficiaries: liability to patients for breach
- Termination upon improper use/disclosure
- A business partner's known, uncured material breach may put the covered entity in noncompliance
- Need for an audit trail of uses/disclosures