manatt | phelps | phillips Managing Patient Authorization in Regional Health Information Organizations Thirteenth National HIPAA Summit September 26, 2006 Prepared by: Robert Belfort, Esq. Manatt, Phelps & Phillips LLP 7 Times Square, 23rd Floor New York, NY 10036 (212) 830-7270 rbelfort@manatt.com manatt manatt | phelps | phillips BelfortR--Conc4.05--9.26@11am H13
Key Factors Driving Privacy Practices Law Public Trust BelfortR--Conc4.05--9.26@11am H13
Preliminary Observations HIPAA is a road map, not an impediment, to data exchange State privacy laws pose the greatest challenge to data exchange projects A project’s technical model affects the privacy analysis A project’s business plan affects the privacy analysis role of payors use of clinical decision support participation of researchers or public health authorities
Patient Authorization Under HIPAA Technical Model Peer to Peer Central Data Repository Mirrors Exchange of Paper Records New data set created by central entity No authorization if exchange only for TPO Transfer of ownership of new data set requires authorization
Patient Authorization Under State Law Written/oral Express/implied General/specific HIV Mental health Substance abuse Family Planning Nature of Consent Type of Information Patchwork of State Laws Which State’s Law? Licensure of Data Holder Hospital Physician Laboratory Pharmacy HMO Point of transmission Point of receipt Residence of patient Storage of data
Opt In vs. Opt Out Consent ISSUE OPT OUT OPT IN Regulatory Uncertainty - + Risk of Patient Claims Public Trust Ease of Implementation Patient Participation Rate
Scope of Consent Options Disclosures by provider obtaining consent Disclosures by all providers participating in RHIO Disclosures by specified providers
Options for Managing Sensitive Health Information Specialized consent for certain facilities or providers Specialized consent for certain patients Data filtering
Role of RHIO in Consent Management Level of Centralized Control Mandated standard consent form with central auditing Mandated consent form without auditing Model consent form for voluntary adoption General representation of “compliance” by providers No reference to consent in user agreements
Emerging State Laws Directly Regulating Health Data Management Companies California Texas Other states?
Other Consent Management Issues Revocation of consent Restrictions on uses Authority of parents to sign on behalf of minor children
Minimum Necessary Rule Disclosures for treatment purposes not subject to minimum necessary rule Disclosures for payment or health care operations (e.g., quality improvement) must meet minimum necessary standard Providers may rely on request by another covered entity for minimum necessary compliance purposes Participation of payors tends to heighten minimum necessary concerns False patient matches may raise minimum necessary issues
Verification of Patient Relationships RHIO participants must demonstrate treatment or coverage relationship with patient whose data they seek to access Which patient identifiers will participants be required to provide for verification purposes? Can patient relationships be “registered” up front to avoid case-by-case verification? Role of “break the glass” access?
Business Associate Requirements Technical Model Peer To Central Data Repository RHIO is BA of Each Participant Data Segregated by Provider Data is Integrated and Cannot be Traced to Data Source BA “return or destruction” standard not satisfied
Other Business Associate Issues Data aggregation Data de-identification “Public interest” disclosures – e.g., research, public health Role of BA in responding to patient requests Indemnification
Potential Privacy-Related Claims HIPAA civil and criminal penalties Enforcement by state health departments under state privacy laws FTC or state attorney general claims based on “consumer fraud” theories Common law claims by patients or patient classes (e.g., breach of fiduciary duty, negligence) 80371471