Responding to Requests for Information Kimberly J. Ruppel Billee Lightvoet Ward Dickinson Wright PLLC.


REQUESTS FOR PHI
Requests for protected health information (PHI) can come from a variety of sources:
– Patients
– Family and friends
– Other healthcare providers
– Other third parties
Requests for PHI can come in a variety of forms
Focus on requests through “legal” or “administrative” processes

REQUESTS FOR PHI
Facts and circumstances dictate HIPAA obligations
HIPAA requires disclosure in response to certain requests
– Individuals
– Secretary of the Department of Health and Human Services (DHHS)
HIPAA permits disclosure in other situations

What Form of Requests Can I Expect?
Court Order or Grand Jury Subpoena (issued by the Court)
– HIPAA recognizes that the legal process for obtaining a court order and the secrecy of the grand jury process provide protections for the individual’s private information.
Administrative Request or Civil Investigative Demand (issued by a governmental agency)

What Form Of Requests Can I Expect?
Discovery request from a party to a litigation:
– Request for the Production of Documents
– Interrogatories
– Notice for a Deposition
– Subpoena
These are issued by lawyers without the Court’s involvement.
Before responding, look for a protective order or an authorization form signed by the individual.

Request Scenarios
Personal injury lawsuit
Malpractice lawsuit
Employment litigation – breach of covenant not to compete
Federal or state agency investigation:
– Consumer protection
– Anti-kickback violations
– Stark violations
– Antitrust violations
Criminal law enforcement
Public health concerns

DISCLOSURES REQUIRED BY LAW
A Covered Entity may disclose PHI to the extent required by law if the disclosure complies with and is limited to the requirements of such law
Additional provisions apply to disclosures:
– About victims of abuse, neglect or domestic violence
– For judicial and administrative proceedings
– For law enforcement purposes

DISCLOSURES FOR JUDICIAL AND ADMINISTRATIVE PROCEEDINGS
A Covered Entity may disclose PHI expressly authorized by an order of a Court or administrative tribunal
In response to a subpoena, discovery request or other process not accompanied by a Court order, a Covered Entity may disclose PHI only if:
“Satisfactory assurances”
(a) the individual has been given notice of the request and has not objected or all objections have been resolved to allow for disclosure; or
(b) Reasonable efforts have been made to secure a qualified protective order that (i) prohibits use of the PHI other than for the litigation at issue, and (ii) requires return or destruction of the PHI at the end of the litigation

DISCLOSURES FOR JUDICIAL AND ADMINISTRATIVE PROCEEDINGS
Corrective actions imposed by the DHHS Office for Civil Rights:
What did the hospital do wrong?
Responded to a subpoena unaccompanied by a court order
Satisfactory Assurances
– Failed to determine that reasonable efforts were made to notify the individual of the request
– Failed to receive satisfactory assurances that reasonable efforts were made to secure a qualified protective order
What corrective actions were imposed?
Improved staff awareness through training
Revised internal subpoena processing steps

DISCLOSURES FOR LAW ENFORCEMENT PURPOSES
A CE may disclose PHI to a “law enforcement official” for a “law enforcement purpose”
As required by law
In compliance with and as limited by a grand jury subpoena, Court order, Court-ordered warrant, or a subpoena or summons issued by a judicial officer; or
Limited information to identify or locate a suspect, fugitive, material witness or missing person
Information about an individual suspected to be a victim of a crime
– Individual agrees to the disclosure; or
– Individual can’t agree due to incapacity or other emergency, but certain representations are made by official
– CE determines that disclosure is in the best interest of the patient

DISCLOSURES FOR LAW ENFORCEMENT PURPOSES
Information about a decedent to alert law enforcement of the individual’s death if the CE has a suspicion that such death may have resulted from criminal conduct
Information the CE believes in good faith is evidence of criminal conduct on the CE’s premises
Information relating to a medical emergency (off-premises) if necessary to alert law enforcement to the commission, nature, location and victim(s) of a crime and the identity, description and location of the perpetrator of the crime.

DISCLOSURES FOR HEALTH OVERSIGHT ACTIVITIES
A CE may disclose PHI to a health oversight agency for “oversight activities” authorized by law
– Audits
– Civil, administrative or criminal investigations or proceedings
– Inspections
– Licensure/disciplinary actions
For oversight of the health care system and other programs, laws and entities where health information is relevant to eligibility or compliance

DISCLOSURES FOR PUBLIC HEALTH ACTIVITIES
HIPAA permits covered entities to disclose PHI to public health authorities, governmental authorities, and other persons in relation to:
– Controlling/preventing disease, injury or disability
– Child abuse/neglect reporting
– Quality, safety and effectiveness of FDA-regulated products/activities
– Notification of exposure or risk relating to communicable disease
– Reporting work-related illness or workplace-related medical surveillance
– Providing proof of student immunization to schools

WHICH LAW APPLIES?
If a request for information potentially involves PHI, HIPAA must be considered at the forefront
HIPAA is a “floor” – state privacy laws may offer greater protection
General Rule: HIPAA applies (preemption) unless:
– state law “relates to the privacy of individually identifiable health information” AND
– is more “stringent” than HIPAA
If HIPAA and state law don’t conflict, comply with both

WHICH LAW APPLIES?
Consider provider-patient privilege laws
– Applies to physicians, dentists, counselors, optometrists, social workers
– PHI may not be disclosed without authorization except in the case of a personal injury or malpractice lawsuit by the patient against the provider
Parental access
– Michigan law allows parents to access their children’s medical records in most, but not all, instances

WHEN YOU RECEIVE A REQUEST
Initial Assessment
Evaluate potential sources of responsive information
– Medical Records and EMR
– Billing, Scheduling, Administration
– Policies/Procedures
– and other correspondence
– Laptops, smart phones or other mobile devices
Involve appropriate personnel
– Privacy/Security Officer or other compliance personnel
– Risk Management
– Internal and/or External Legal Counsel

WHEN YOU RECEIVE A REQUEST
Preservation Steps
– Determine who has “possession, custody or control”
– Issue a “legal hold” notice to employees and any third parties who may have relevant information
– Maintain documentation in its original form
– Suspend routine document and data destruction
– Proactively implement a document retention procedure
– Document preservation steps
– Involve administrative or technology staff to ensure that electronic information is not deleted or destroyed

Why Is Preservation Critical?
Legal obligation to preserve potentially relevant evidence
Spoliation of Evidence: Destruction (inadvertent or intentional) of information that is relevant to litigation or governmental investigation after you become aware of, or reasonably anticipate, the litigation or investigation
Penalties:
– Monetary damages
– Presumption that destroyed information would support the opposing party’s case

RESPONDING TO A REQUEST FOR INFORMATION
Evaluate the Scope and Burden of the Request
Practical Considerations
– Is the time frame objectionable?
– Is the volume of information overly burdensome?
– What is the nature of the lawsuit or investigation?
– What information is relevant?

RESPONDING TO A REQUEST FOR INFORMATION
HIPAA Considerations:
– Is PHI responsive and, even if not, is it included in potentially relevant data?
– Would de-identified information satisfy the request?
– Determine what HIPAA provision(s) apply
– Involve your Privacy and Security Officers
– Consult legal counsel as necessary

RESPONDING TO A REQUEST FOR INFORMATION
Attempt to negotiate with the opposing party to narrow the request:
– Timeframe (Federal Court Rules approve limiting to 5 years)
– Use of search terms for electronic information
– Identify and agree on employees who are the most likely custodians
– De-duplication
Make reasonable efforts to limit disclosure to minimum necessary
– Exception for disclosures to the individual, required by law or pursuant to authorization

RESPONDING TO A REQUEST FOR INFORMATION
Protective Measures:
– Consider obtaining the individual’s authorization even if not required
– Court Involvement may be an option (Motion to Quash) or may be required (Qualified Protective Order)
– Ask the Court to shift search costs to the requesting party

WHY IS THIS IMPORTANT?
Renewed governmental focus
New regulations
Expanded liability – new players
Increased penalties (up to $1.5 Million per violation)
Media attention
Patient sensitivity/awareness

WHY IS THIS IMPORTANT?
Beginning in 2011 – first civil money penalty imposed by OCR: $4.3 million fine for health plan’s denial of access to patient’s own medical records
– Must provide patient a copy of medical records within 30 days and no later than 60 days of the patient’s request
– Probably exacerbated by the health plan’s failure to cooperate with OCR’s investigation
Inadvertent disclosures can be expensive (more next session):
– Stolen unencrypted thumb drive resulted in $150,000 settlement
– Stolen unencrypted laptop resulted in $1.5 million settlement
– Leased photocopier returned without erasing data resulted in $1.2 million settlement

MITIGATING YOUR RISK
Maintain an updated records management program
Maintain appropriate HIPAA policies and procedures
Carefully select your vendors
Train your workforce
Document everything
Cooperate (reasonably) with OCR and other governmental authorities
Know your obligations when an inadvertent disclosure occurs

QUESTIONS?