1. manatt | phelps | phillips
Managing Patient Authorization in Regional Health Information Organizations Thirteenth National HIPAA Summit September 26, 2006
Prepared by: Robert Belfort, Esq.
Manatt, Phelps & Phillips LLP 7 Times Square, 23rd Floor New York, NY (212)
manatt
manatt | phelps | phillips
H13

2. Key Factors Driving Privacy Practices
Law
Public Trust
H13

3. Preliminary Observations
HIPAA is a road map, not an impediment, to data exchange
State privacy laws pose the greatest challenge to data exchange projects
A project’s technical model affects the privacy analysis
A project’s business plan affects the privacy analysis
role of payors
use of clinical decision support
participation of researchers or public health authorities

4. Patient Authorization Under HIPAA
Technical Model
Peer to Peer
Central Data Repository
Mirrors Exchange of Paper Records
New data set created by central entity
No authorization if exchange only for TPO
Transfer of ownership of new data set requires
authorization

5. Patient Authorization Under State Law
Written/oral
Express/implied
General/specific
HIV
Mental health
Substance abuse
Family Planning
Nature of Consent
Type of Information
Patchwork of
State Laws
Which State’s Law?
Licensure of Data Holder
Hospital
Physician
Laboratory
Pharmacy
HMO
Point of transmission
Point of receipt
Residence of patient
Storage of data

6. Opt In vs. Opt Out Consent
ISSUE
OPT OUT
OPT IN
Regulatory Uncertainty - +
Risk of Patient Claims
Public Trust
Ease of Implementation
Patient Participation Rate

7. Scope of Consent Options
Disclosures by provider obtaining consent
Disclosures by all providers participating in RHIO
Disclosures by specified providers

8. Options for Managing Sensitive Health Information
Specialized consent for certain facilities or providers
Specialized consent for certain patients
Data filtering

9. Role of RHIO in Consent Management
Level of
Centralized
Control
Mandated standard consent form with central auditing
Mandated consent form without auditing
Model consent form for voluntary adoption
General representation of “compliance” by providers
No reference to consent in user agreements

10. Emerging State Laws Directly Regulating Health Data Management Companies
California
Texas
Other states?

11. Other Consent Management Issues
Revocation of consent
Restrictions on uses
Authority of parents to sign on behalf of minor children

12. Minimum Necessary Rule
Disclosures for treatment purposes not subject to minimum necessary rule
Disclosures for payment or health care operations (e.g., quality improvement) must meet minimum necessary standard
Providers may rely on request by another covered entity for minimum necessary compliance purposes
Participation of payors tends to heighten minimum necessary concerns
False patient matches may raise minimum necessary issues

13. Verification of Patient Relationships
RHIO participants must demonstrate treatment or coverage relationship with patient whose data they seek to access
Which patient identifiers will participants be required to provide for verification purposes?
Can patient relationships be “registered” up front to avoid case-by-case verification?
Role of “break the glass” access?

14. Business Associate Requirements
Technical Model
Peer To
Central
Data
Repository
RHIO is
BA of Each
Participant
Data
Segregated by
Provider
Data is Integrated
and Cannot be Traced to
Data Source
BA “return or
destruction”
standard
not satisfied

15. Other Business Associate Issues
Data aggregation
Data de-identification
“Public interest” disclosures – e.g., research, public health
Role of BA in responding to patient requests
Indemnification

16. Potential Privacy-Related Claims
HIPAA civil and criminal penalties
Enforcement by state health departments under state privacy laws
FTC or state attorney general claims based on “consumer fraud” theories
Common law claims by patients or patient classes (e.g., breach of fiduciary duty, negligence)