Download presentation
Presentation is loading. Please wait.
1
Medical Records in Court: Life after HIPAA North Carolina Conference of Superior Court Judges, October 2003 Presented by Jill Moore, UNC School of Government
2
Roadmap Fundamentals of the HIPAA privacy rule History HIPAA vs. state law Covered entities “Protected health information” (PHI) Disclosures of PHI for court proceedings How has HIPAA changed the landscape?
3
HIPAA History Health Insurance Portability and Accountability Act of 1996 Administrative Simplification provisions Health care industry conducting electronic transactions with many different codes and languages high administrative costs Unable to agree on voluntary standards, so requested regulation DHHS directed to establish standards, plus provide for privacy and security of the information
4
HIPAA vs. state law HIPAA privacy rule intended to be a federal floor of privacy protection, by regulating the use and disclosure of health information and individuals’ rights respecting that information HIPAA preempts contrary state laws, unless the contrary law is more stringent In general, a state law is more stringent if it affords greater privacy protection or provides an individual more rights
5
HIPAA vs. state law The hole in the federal floor: State laws that require disclosures of health information are not preempted State laws only preempted if they are contrary to HIPAA HIPAA privacy rule specifically allows disclosures of PHI that are required by state law State laws requiring disclosures are therefore not contrary and not preempted
6
HIPAA vs. state law General rules for NC covered entities—must comply with: HIPAA privacy rule State laws requiring disclosures Example: GS 130A-135—physicians shall report communicable diseases to health department State laws that are more protective of privacy or afford greater individual rights Example: GS 130A-143—may disclose communicable disease information only in specified circumstances
7
Covered entities HIPAA directly regulates only public and private “covered entities”: Health plans Health care clearinghouses Health care providers that transmit health information electronically in connection with a transaction covered by HIPAA
8
Protected health information The HIPAA privacy rule governs how covered entities use and disclose “protected health information” (PHI) PHI is information in any form or medium, including electronic and paper records, and oral communications
9
Protected health information PHI is information that: Identifies an individual (or there is a reasonable basis to believe it can be used to identify the individual), and Relates to one of the following: the past, present, or future physical or mental health or condition of the individual, the provision of health care to the individual, or the past, present, or future payment for the provision of health care.
10
Disclosing PHI General rule—Disclosure of PHI requires the individual’s authorization Authorization must be in writing Forms must include elements specified by the HIPAA privacy rule
11
Disclosing PHI Exceptions—Disclosure without written authorization is permitted: When disclosure is required by privacy rule (only two circumstances: disclosures to individual; disclosures to US DHHS for compliance or enforcement purposes) For treatment, payment, and health care operations
12
Disclosing PHI Exceptions (continued)—Disclosure without written authorization permitted: For certain purposes, such as hospital directories, provided the individual is given an opportunity to agree or object to the disclosure For “national priority” purposes—among other things, child abuse reporting, public health purposes, judicial and administrative proceedings
13
Disclosing PHI for court proceedings Must consider both HIPAA and state law HIPAA permits disclosure of PHI in judicial proceedings without the individual’s written authorization, provided certain requirements are met But in North Carolina, much PHI will be privileged and may only be disclosed in accordance with applicable privilege statutes State privilege statutes afford greater privacy protection and are therefore not preempted
14
Disclosing PHI for court proceedings Medical records and information usually will be privileged, so disclosure will require either the individual’s authorization, or a court order compelling disclosure, if in the court’s opinion disclosure is necessary for a proper administration of justice But information that is PHI per HIPAA but not privileged per state law may be disclosed in accordance with HIPAA procedures
15
Disclosing PHI for court proceedings If the information is privileged and disclosure is made with the individual’s authorization: A covered entity may not disclose the record or information unless the authorization is in writing and includes all the elements required by HIPAA Entities covered only by state law will also require written authorization, but their forms may look different
16
Disclosing PHI in court proceedings If the information is privileged and the individual has not authorized disclosure, the information cannot be disclosed without the requisite findings and court order This applies equally to HIPAA-covered entities and entities that are subject only to state law
17
Disclosing PHI in court proceedings If the information is not privileged but it is PHI, a covered entity may only disclose it: With the individual’s written authorization, or According to the procedures set forth in the HIPAA privacy rule for disclosing without the individual’s authorization.
18
Disclosing PHI in court proceedings A covered entity may disclose PHI that is not privileged without the individual’s authorization in response to: A court order, provided the entity discloses only the PHI expressly authorized by the order. A subpoena, a discovery request, or other lawful process without a court order if: Reasonable efforts are made to notify the individual that disclosure is sought, or Reasonable efforts are made to secure a qualified protective order (as defined in the privacy rule).
19
How has HIPAA changed the landscape? Many holders of health information are covered entities and must comply with both HIPAA and state laws—including some that are not ordinarily seen as health care providers.
20
How has HIPAA changed the landscape? Confusion abounds. Expect: To hear the term “HIPAA” used to refer to all of medical confidentiality law—federal and state. Misperceptions about who is covered by HIPAA. Misunderstandings about how a covered entity may (and must) respond to subpoenas for medical records or information. False beliefs about when a covered entity can and cannot disclose under HIPAA. False beliefs about the continued viability of state law.
21
What has HIPAA changed? What remains the same? Disclosures in court proceedings: Privileged information Changed: Disclosures with individual’s authorization must be in writing and include specific elements Unchanged: Disclosures without individual’s authorization require court order
22
What has HIPAA changed? What remains the same? Disclosures in court proceedings: PHI that is not privileged Changed: Disclosures with individual’s authorization must be in writing and include specific elements Disclosures without individual’s authorization only permitted in response to a court order a subpoena, discovery request or other lawful process with notice or protective order
23
What has HIPAA changed? What remains the same? Disclosures in court proceedings: Health information held by an entity that is not a covered entity under HIPAA Unchanged by HIPAA Other disclosures that may be litigated: Unchanged by HIPAA But will HIPAA ultimately change standard of care?
24
Jill Moore UNC School of Government CB 3330 Knapp Building Chapel Hill, NC 27599-3330 919-966-4442 jill_moore@unc.edu www.medicalprivacy.unc.edu
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.