HIPAA Privacy: Those Nagging Issues That Don’t Seem to Go Away Rebecca L. Williams, RN, JD Partner; Co-Chair of HIT/HIPAA Practice Group Davis Wright.

Presentation transcript:

HIPAA Privacy: Those Nagging Issues That Don’t Seem to Go Away
Rebecca L. Williams, RN, JD
Partner; Co-Chair of HIT/HIPAA Practice Group
Davis Wright Tremaine LLP
Seattle, WA

Slide 2: HIPAA Privacy — A Timeline
• 1996: HIPAA is enacted into law
• November 3, 1999: Proposed privacy regulations
• February 17, 2000: Comment period closes after extension. Record number of comments received
• December 28, 2000: Final privacy regulations published
• March 1-30, 2001: Second comment period
• April 14, 2001: Effective date of final privacy regulations
• July 2001: HHS Guidance issues
• March 27, 2002: Proposed amendments to final regulations published
• April 26, 2002: Comment period for proposed amendment closes
• April 14, 2003: Compliance date (except small health plans)
• April 14, 2003: Compliance date for small plans

Slide 3: HIPAA Roulette

Slide 4: Business Associates
• Identifying business associates
• Disagreements on BA status
• Negotiation
• Tracking contracts

Slide 5: Who is a Business Associate?
• A person who, on behalf of a covered entity or OHCA —
• Performs or assists with a function or activity involving
  – Individually identifiable information, or
  – Otherwise covered by HIPAA
• Performs certain identified services
[Diagram labels: Covered Entity; Auditors, Actuaries; Billing Firms; Lawyers; Clearinghouses; TPAs; Management Companies; Consultants, Vendors; Accreditation Organizations]

Slide 6: Who Are Business Associates?
• Medical staff... No, Yes, It depends
• Medical device company... Probably Not
• Research sponsor... Usually Not ─ Follow research rules
• Record storage/destruction... Depends
• Accreditation organizations... Yes
• Software vendor... Maybe
• Collection agencies... Yes

Slide 7: Business Associate Contracts — Required Terms Under Privacy Rule
• Use and disclose information only as authorized in the contract
  – No further uses and disclosures
  – Not to exceed what the covered entity may do
• Implement appropriate safeguards
• Report unauthorized disclosures to covered entity
• Facilitate covered entity’s access, amendment and accounting of disclosures obligations
• Allow HHS access to determine CE’s compliance
• Return/destroy protected health information upon termination of arrangement, if feasible
  – If not feasible, extend BAC protections
• Ensure agents and subcontractors comply
• Authorize termination by covered entity

Slide 8: Business Associate Contracts — Required Terms Under Security Rule
• Implement administrative, physical and technical safeguards that reasonably and appropriately protect the
  – Confidentiality,
  – Integrity and
  – Availability
  of electronic protected health information
• Ensure any agent agrees to same restrictions
• Report any security incident
• Authorize termination if the covered entity determines business associate has breached
• When to implement?

Slide 9: Business Associate Contracts
• Contract management system
• Process to:
  – Revisit existing relationships and contracts
  – Address future relationships
  – Establish an approach under security regulations
  – Build off of existing approach
• Templates
• Elevate issues as needed

Slide 10: De-Identification

Slide 11: De-Identification
• Information is presumed de-identified if—
  – Qualified person determines that risk of re-identification is “very small” or
  – The following identifiers are removed: Name, Address, Relatives, Employer, Dates, Telephone, Fax, SSN, MR#, Plan ID, Account #, License #, Vehicle ID, URL, IP address, Fingerprints, Photographs, Other unique identifier
  – And the CE does not have actual knowledge that the recipient is able to identify the individual

Slide 12: De-Identification
• Beware small communities
• Identify what workforce needs to know de-identification rules. For example,
  – Marketing
  – Medical staff who lecture

Slide 13: Limited Data Sets

Slide 14: Limited Data Set — Not Quite De-Identified
• Limited Data Set = PHI that excludes direct identifiers except:
  – Full dates
  – Geographic detail of city, state and 5-digit zip code
• Not de-identified
• Special rules apply

Slide 15: Data Use Agreements
• A covered entity may use or disclose a limited data set if recipient signs data use agreement but only for
  – Research,
  – Public health or
  – Health care operations
• Required Elements of Data Use Agreement:
  – Permitted uses and disclosures by recipient
  – Who may use or receive limited data set
  – Recipient must:
      – Not further use or disclose information
      – Use appropriate safeguards
      – Report impermissible use or disclosure
      – Ensure agents comply
      – Not identify the information or contact the individuals

Slide 16: Data Use Agreements
• Likely Uses
  – State hospital associations
  – Public health agencies (for non-mandatory reporting)
  – Research
• Caveat:
  – If recipient of limited data set is to create the limited data set
  – Need business associate contract and data use agreement
• Not included in an accounting of disclosures

Slide 17: Accounting of Disclosures

Slide 18: Accounting of Disclosures
• Patient has the right to receive an accounting of disclosures of the patient’s PHI
• Accounting includes:
  – Date of disclosure
  – Recipient name and address
  – Description of information disclosed
  – Purpose of disclosure

Slide 19: Accounting of Disclosures
• Exceptions:
  – Treatment, payment and health care operations
  – Individual access
  – Directories, persons involved in care
  – Pursuant to authorizations
  – National security or intelligence
  – Incidental disclosures
  – Limited data set
  – Prior to April 14, 2003

Slide 20: Accounting of Disclosures – Problems
• Cumbersome process with few requests to date
• Patients often want information that is excepted
• Tricky issues
  – Date ranges acceptable (e.g., access to a universe of records during limited time)
  – For disclosures made routinely within set time: Intervals acceptable (e.g., “gunshot wound within 48 hours after treatment” plus date of treatment)
  – Dealing with Business Associates

Slide 21: Accounting of Disclosures ─ Approaches
• Track all disclosures at time of the disclosure
• Do analysis if patient makes a request
• Abbreviated accounting
• Tip: clarify the request before beginning (but do not discourage request)

Slide 22: Disclosures to Law Enforcement

Slide 23: Disclosures to Law Enforcement
• When required by law
• In compliance with court orders, court-ordered warrants, subpoenas or summons as issued by a judicial officer or grand jury subpoenas
• To respond to an administrative request
• To respond to a request about a victim of a crime, and
  – The victim agrees or
  – If victim is not able to agree, law enforcement representation (not used against victim/and necessary)

Slide 24: Disclosures to Law Enforcement
• To report child abuse or neglect
• To report adult abuse, neglect or domestic violence if
  – The patient agrees
  – Required by law
  – Permissible and necessary to prevent serious harm
• To report a death in suspicious circumstances
• To report a crime on the premises

Slide 25: Disclosures to Law Enforcement
• To respond to a request for purposes of identifying a suspect, fugitive, material witness or missing person
  – Limited information
  – Name, address, date and place of birth, SSN, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, description of distinguishing features
• To report a person who has admitted to a violent crime that the CE reasonably believes may have caused serious injury to a victim as long as not made as a request for therapy
  – Limited information

Slide 26: Disclosures to Law Enforcement
• As necessary to report criminal activity in off-site medical emergencies
• When consistent with applicable legal and ethical standards
• To avoid serious and imminent threat
• To identify a person who appears to be an escapee
• For specialized governmental law enforcement
  – Intelligence
  – Inmate

Slide 27: Disclosure to Law Enforcement
• Preemption considerations
• State law plays a critical role in analysis
• Develop detailed policies and procedures
• Tip: Identify go-to people
• Tip: Two tier approach
  – Basic approach for majority of work force
  – Detailed approach for those making the decisions
• Tip: Consider a community meeting with providers and law enforcement to agree on ground rules

Slide 28: Misunderstandings and Unrealistic Expectations

Slide 29: Misunderstandings and Unrealistic Expectations
• Must train workforce
• Should train/educate patients
• Areas of confusion
  – Opting out of facility directory
      – Approach to foster understanding of consequences
  – Requests for additional privacy protections
      – Patient has right to ask
      – Covered entity has right to say “No”
      – Covered entity is bound by a “Yes”
      – Approach to promote consistency
  – Accounting of disclosure

Slide 30: Complaints

Slide 31: Complaint Process
• Must provide process to receive complaints
• Must document all complaints and their disposition
• Tip: Make it easy for a patient to complain
• Written only vs. any medium
• Be aware of local complaints that may become OCR complaints

Slide 32: Questions