HIPAA Overview
Jeffrey A. Walker, Walker & Mann
10832 Laurel Street, Suite 204, Rancho Cucamonga, CA 91730
Phone: 909.989.3200 Fax: 909.697.2182
www.walkermann.com

Presentation transcript:


Who is Covered? Covered Entities Any entity that transmits any protected health information [PHI] in electronic form, set forth in 45 CFR §§

Affiliate Covered Entities
Covered entities under common ownership or control, which may designate themselves a single covered entity.
For Example:
– Hospitals
– Medical Centers
– HMO/PPO
– IPA

Entities with Multiple Covered Functions
Such as a care provider that operates an employee health plan.
Must comply with the rules as affecting each one of its functions.
For Example:
– Blue Cross
– HealthNet
– PacifiCare

Health Care Clearinghouses
Any entity that converts PHI received from third parties to or from its proprietary format for internal processing.
Liable as business associates.
Examples:
– Claims processors/administrators
– Data analysis firms
NOTE: California law does not cover information held by clearinghouses, but their functions are covered. Both California law and Federal law can apply.

Health Plan
Any individual or group plan, governmental or private, that provides or pays for medical care.
– Small, self-administered employee plans excluded
– Possible danger for private companies
– Government Program Exclusion
HIPAA is more inclusive than California Law

Health Care Providers
Compliance is only required for electronic transmission.
Any person or organization that furnishes, bills or is paid for health care in the normal course of business.
A provider that uses an agent (a clearinghouse or billing service) must comply with HIPAA.
California law is not as broad as HIPAA, but it applies to all defined providers regardless of electronic transmission.

Defined Providers:
– Licensed individuals
– Clinics
– Health Dispensaries
– Health Facilities & Corporations organized primarily for maintaining medical information/making it available to providers/patients.
– Medical Groups
– Independent Practice Associations
– Pharmacy Benefits Managers

Hybrid Entities
Covered entities whose business activities include covered and non-covered functions
– These entities have to designate which portions must be HIPAA compliant
– Must take special care to protect against disclosure
– Examples:

Organized Health Care Arrangement
This is a label that can apply to any organized health care arrangement.
– Not automatic…
Examples:
– Hospitals
– Preferred Medical Providers
– Medical Foundations
– Some Health Plan/Insurer Arrangements

Business Associates
Anyone who works for a HIPAA covered entity, but not as a member of its workforce.
– Assisting with a function or activity involving the use or disclosure of PHI:
  Claims Processing
  Data Analysis
  Quality Assurance
– Providing service or consulting to HIPAA covered entity:
  Legal
  Financial
  Administrative

When do Privacy Rules Apply?

Use or Disclosure
Not for Marketing Purposes
Defined as any purpose meant to encourage others to purchase or use a certain product or service unless:
– Authorized by patient, or
– Face-to-face communication between covered entity and individual, or
– A promotional gift of nominal value, like offering free bandages or pens.

Use or Disclosure (cont.)
Limited use or disclosure for fundraising is permissible if:
– Information is limited AND
– A notice of privacy indicates this AND
– The entity provides an opt-out option

Media Purposes
If the patient has not asked that information be withheld, no one can obtain the location or condition unless that person already knows of and uses the patient’s name.
– Primary Purpose
– Special Care in Certain Situations
– Limit disclosure to General Terms: good, fair, stable, serious, critical, or deceased.

Protected Health Information (PHI)
Defined: individually identifiable health information relating to a person’s health, care received, and/or payment for services.
Covered entities must use reasonable safeguards to prevent disclosure of PHI, unless:
– Authorized by the patient, or
– The information relates to the purposes of treatment, or
– Purposes of payment and health care operations
NOTE: Does not include employment records for persons employed by a covered entity

Privacy Rights of the Individual

Patients can request restriction of use
Except for certain limited use/full uses allowed or required by law:
– In Facility Directories
– For Limited Public Health Activities
– Reporting abuse, neglect, domestic violence or other crimes
– Health agency oversight activities or law enforcement investigations
– Judicial/administrative proceedings
– Identifying decedents to coroners and medical examiners or determining cause of death
– Organ procurement
– Certain research activities
– Workers’ Comp programs
– Any other uses or disclosures otherwise required by law

Access & Inspection (generally) – Summaries – Under HIPAA Provider Liability Required Access: time requirements left to states –CA law requires hospitals to keep records for 7 years Personal Representatives Required manner of access

Reporting Disclosure
Patient’s right to an accounting of disclosures, EXCEPT if disclosure relates to:
– Carrying out treatment, payment, health care operations, or if part of a limited data set.
– In Facility Directories
– For Limited Public Health Activities
– Reporting abuse, neglect, domestic violence or other crimes
– Health agency oversight activities or law enforcement investigations
– Judicial/administrative proceedings
– Identifying decedents to coroners and medical examiners or determining cause of death
– Organ procurement
– Certain research activities
– Workers’ Comp programs
– ANY DISCLOSURE PRIOR TO APRIL 14, 2003

When Can Disclosure Occur
When authorized
Requirements for valid authorization:
– Written/Typed
– Signed and Dated
– Indicates authorizer/authorized recipient
– Indicates the information to be disclosed and permitted use(s)
– States the right to revoke and entitlement to copies
– States no condition on treatment
– Specifies expiration date
(continues to “Minimum Necessary”)

“Minimum Necessary” Standard … reasonable efforts to limit the information disclosed to the minimum amount necessary to complete the task… The Exception Identification Requirements

Waiver of Confidentiality
Applicable in the research context: 3 HIPAA criteria for waiver of consent/authorization:
– PHI use and disclosure cannot pose more than minimal risk to the privacy of the individual
– The research could not practicably be conducted without the waiver or alteration of authorization
– The research cannot practicably be conducted without access to and use of the protected health information

Waiver of Confidentiality (cont.)
Guidelines:
– The entity must have an adequate plan to protect identifiers from improper use and disclosure
– Identifiers must be destroyed ASAP
– The entity must provide written assurances to subjects against reuse or re-disclosure

Compliance & Enforcement
The HIPAA Process
The Department of Health and Human Services & The Department of Justice
HHS initially investigates all complaints
– Fines between $100 and $25,000
– No incident standards established!
– Anybody can file complaints!
DOJ takes over when HHS finds criminal conduct
Violators face state & federal enforcement!

Compliance & Enforcement (cont.)
California administrative fines and penalties
No more than $25,000 when negligent/known and willful UNLESS Violator attempts to profit (i.e. by selling the information), then up to $250,000.
Anyone who receives information and discloses it as described is liable.
California Exceptions
– Unaware or Unfound
– Reasonable Cause/Correction
– Caused by criminal activity (DOJ takes over)
Criminal Penalties (preclusion)
– $50,000/1 Yr
– $100,000/5 Yrs
– $250,000/10 Yrs