Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA for Governments & Municipalities Rebecca L. Williams, RN, JD Partner, Co-Chair of HIT/HIPAA Practice Davis Wright Tremaine LLP Seattle, WA

Published byDestiny Dillon Modified over 11 years ago

Similar presentations

Presentation on theme: "HIPAA for Governments & Municipalities Rebecca L. Williams, RN, JD Partner, Co-Chair of HIT/HIPAA Practice Davis Wright Tremaine LLP Seattle, WA"— Presentation transcript:

1 HIPAA for Governments & Municipalities Rebecca L. Williams, RN, JD Partner, Co-Chair of HIT/HIPAA Practice Davis Wright Tremaine LLP Seattle, WA beckywilliams@dwt.com Rebecca L. Williams, RN, JD Partner, Co-Chair of HIT/HIPAA Practice Davis Wright Tremaine LLP Seattle, WA beckywilliams@dwt.com Davis Wright Tremaine LLP

2 2 HIPAAs Applicability to Government

3 Davis Wright Tremaine LLP 3 Administrative Simplification: What Does HIPAA Do? Transaction Standards Privacy Standards Restrictions on use and disclosure of PHI Individual rights Administrative requirements Security Standards Ensure confidentiality, integrity and availability of electronic PHI Protect against reasonably anticipated threats to security or integrity of electronic PHI Protect against reasonably anticipated uses or disclosures of electronic PHI Ensure compliance by workforce Transaction Standards Privacy Standards Restrictions on use and disclosure of PHI Individual rights Administrative requirements Security Standards Ensure confidentiality, integrity and availability of electronic PHI Protect against reasonably anticipated threats to security or integrity of electronic PHI Protect against reasonably anticipated uses or disclosures of electronic PHI Ensure compliance by workforce

4 Davis Wright Tremaine LLP 4 Covered Entities Under HIPAA Health care providers engaging in electronic covered transactions Health plans Insurers Group health plans (e.g., employee benefit plans) Employee welfare benefit plan established for employees of two or more employers Medicaid Approved state child health plan Not a health plan: other government-funded programs Principal purpose is other than providing or paying the cost of health care or Principal activity is direct care or making grants to fund direct care Health care clearinghouses Sponsors of Medicare prescription drug cards Health care providers engaging in electronic covered transactions Health plans Insurers Group health plans (e.g., employee benefit plans) Employee welfare benefit plan established for employees of two or more employers Medicaid Approved state child health plan Not a health plan: other government-funded programs Principal purpose is other than providing or paying the cost of health care or Principal activity is direct care or making grants to fund direct care Health care clearinghouses Sponsors of Medicare prescription drug cards

5 Davis Wright Tremaine LLP 5 Others Affected by HIPAA Business associates Perform certain functions on behalf of Covered Entity Involves receipt, use, disclosure, creation of PHI Written assurances that meet specific minimum requirements Plan sponsor Fiduciary duty to ensure HIPAA compliance of its plan(s) Business associates Perform certain functions on behalf of Covered Entity Involves receipt, use, disclosure, creation of PHI Written assurances that meet specific minimum requirements Plan sponsor Fiduciary duty to ensure HIPAA compliance of its plan(s)

6 Davis Wright Tremaine LLP 6 Hybrids Single legal entity Covered functions = covered entity Business functions include both Covered functions Noncovered functions May designate health care components Component that would be a covered entity if a separate legal entity Other components may be added Health care components are treated as separate from rest of the legal entity Document designation Single legal entity Covered functions = covered entity Business functions include both Covered functions Noncovered functions May designate health care components Component that would be a covered entity if a separate legal entity Other components may be added Health care components are treated as separate from rest of the legal entity Document designation

7 Davis Wright Tremaine LLP 7 Affiliated Covered Entity Covered entities under common ownership or common control Common ownership – ownership or equity interest of 5% or more Common control – entity has the power, directly or indirectly, to significantly influence or direct the actions or policies Designation to act as a single covered entity Covered entities under common ownership or common control Common ownership – ownership or equity interest of 5% or more Common control – entity has the power, directly or indirectly, to significantly influence or direct the actions or policies Designation to act as a single covered entity

8 Davis Wright Tremaine LLP 8 General HIPAA Considerations

9 Davis Wright Tremaine LLP 9 Covered Entity With Multiple Covered Functions Single covered entity that engages in Provider Plan Clearinghouse and/or Medicare prescription drug sponsor Must comply with each applicable set of requirements Based on each distinct function Single covered entity that engages in Provider Plan Clearinghouse and/or Medicare prescription drug sponsor Must comply with each applicable set of requirements Based on each distinct function

10 Davis Wright Tremaine LLP 10 General HIPAA Considerations: Preemption Is the State law contrary to HIPAA? If not contrary, both requirements apply If contrary HIPAA preempts or supercedes contrary state law UNLESS state law provides Greater privacy protections Greater individual rights Is the State law contrary to HIPAA? If not contrary, both requirements apply If contrary HIPAA preempts or supercedes contrary state law UNLESS state law provides Greater privacy protections Greater individual rights

11 Davis Wright Tremaine LLP 11 General HIPAA Considerations HIPAA may apply to Government agency (or component) itself Covered entities that deal with government agencies If agency needs/wants information from covered entities or is a covered entity: Identify applicable permitted and required disclosures Educate on applicable requirements Bring into compliance correspondence, forms, etc. HIPAA may apply to Government agency (or component) itself Covered entities that deal with government agencies If agency needs/wants information from covered entities or is a covered entity: Identify applicable permitted and required disclosures Educate on applicable requirements Bring into compliance correspondence, forms, etc.

12 Davis Wright Tremaine LLP 12 General HIPAA Considerations Minimum necessary Must make reasonable efforts to Limit PHI to the minimum necessary to accomplish the intended purpose Applies to uses, disclosures and requests Not applicable to Treatment Required by law Authorizations Access to patient Disclosures to HHS But note: Only to the extent specifically permitted or required Minimum necessary Must make reasonable efforts to Limit PHI to the minimum necessary to accomplish the intended purpose Applies to uses, disclosures and requests Not applicable to Treatment Required by law Authorizations Access to patient Disclosures to HHS But note: Only to the extent specifically permitted or required

13 Davis Wright Tremaine LLP 13 General HIPAA Considerations Verification requirements Identity Authority Documentation, statements or representations that otherwise may be necessary Notice of privacy practices Bound by notice Verification requirements Identity Authority Documentation, statements or representations that otherwise may be necessary Notice of privacy practices Bound by notice

14 Davis Wright Tremaine LLP 14 General HIPAA Considerations Individual Rights Access Amendment Accounting of disclosures Requests for additional privacy protections Individual Rights Access Amendment Accounting of disclosures Requests for additional privacy protections

15 Davis Wright Tremaine LLP 15 Activities Under HIPAA

16 Davis Wright Tremaine LLP 16 HIPAA in Inter-Agency/ Interdisciplinary Teams Governments often use multidisciplinary teams Allows combination of expertise and focus May include: Covered entities/ covered components Non-covered entities Can PHI be shared among these teams? Governments often use multidisciplinary teams Allows combination of expertise and focus May include: Covered entities/ covered components Non-covered entities Can PHI be shared among these teams?

17 Davis Wright Tremaine LLP 17 Inter-Agency/Interdisciplinary Teams – HIPAA Permitted Disclosures Treatment, payment or health care operations May use or disclose PHI for TPO May disclose PHI for the treatment activities of a provider May disclose PHI for the payment activities of a provider or covered entity May disclose PHI to another covered entity for recipients limited health care operation Both have/had a relationship with individual Operations pertain to that relationship Limited operations: QA, credentializing, training and fraud and abuse detection Treatment, payment or health care operations May use or disclose PHI for TPO May disclose PHI for the treatment activities of a provider May disclose PHI for the payment activities of a provider or covered entity May disclose PHI to another covered entity for recipients limited health care operation Both have/had a relationship with individual Operations pertain to that relationship Limited operations: QA, credentializing, training and fraud and abuse detection

18 Davis Wright Tremaine LLP 18 Inter-Agency/Interdisciplinary Teams – Permitted HIPAA Disclosures May disclose when required by law Only to the extent required Note additional requirements Bring disclosure under standards for Abuse/ neglect reporting; Judicial and administrative proceedings, or Law enforcement Public health reporting Health care oversight May disclose when required by law Only to the extent required Note additional requirements Bring disclosure under standards for Abuse/ neglect reporting; Judicial and administrative proceedings, or Law enforcement Public health reporting Health care oversight

19 Davis Wright Tremaine LLP 19 Inter-Agency/Interdisciplinary Teams – Permitted HIPAA Disclosures Special rules for covered government programs providing public benefits Government program health plan may disclose certain eligibility and enrollment information to another agency administering/providing public benefits if required or authorized Covered government agency administering a public benefits program may disclose PHI to another like agency if The programs serve similar populations Necessary to coordinate covered function or to improve administration/management Special rules for covered government programs providing public benefits Government program health plan may disclose certain eligibility and enrollment information to another agency administering/providing public benefits if required or authorized Covered government agency administering a public benefits program may disclose PHI to another like agency if The programs serve similar populations Necessary to coordinate covered function or to improve administration/management

20 Davis Wright Tremaine LLP 20 Inter-Agency/Interdisciplinary Teams – Permitted HIPAA Disclosures Authorization Must comply with all applicable laws HIPAA State law Heighten confidentiality requirements Protected classes of information Substance abuse regulations Privacy Act Draft to include all relevant team players Authorization Must comply with all applicable laws HIPAA State law Heighten confidentiality requirements Protected classes of information Substance abuse regulations Privacy Act Draft to include all relevant team players

21 Davis Wright Tremaine LLP 21 HIPAA in Public Health Tension between Benefits of total access to all health information Public concern over confidentiality Permissible disclosures without patient authorization Required by law (e.g., mandatory reporting, gunshot wounds, certain communicable diseases), births and deaths, birth defects) For public health activities (intended to cover the spectrum of public health activities) Prevention and control of disease, injury Communicable disease notification Child abuse or neglect reporting FDA-regulated product or activity Work-related injury or illness Necessary to avert a serious threat to health or safety Other abuse, neglect or domestic violence TPO De-identified information and limited data set Tension between Benefits of total access to all health information Public concern over confidentiality Permissible disclosures without patient authorization Required by law (e.g., mandatory reporting, gunshot wounds, certain communicable diseases), births and deaths, birth defects) For public health activities (intended to cover the spectrum of public health activities) Prevention and control of disease, injury Communicable disease notification Child abuse or neglect reporting FDA-regulated product or activity Work-related injury or illness Necessary to avert a serious threat to health or safety Other abuse, neglect or domestic violence TPO De-identified information and limited data set

22 Davis Wright Tremaine LLP 22 HIPAA in Public Health: De-Identification Information is presumed de-identified if Qualified person determines that risk of re-identification is very small or The following identifiers are removed: Information is presumed de-identified if Qualified person determines that risk of re-identification is very small or The following identifiers are removed: NameAddressRelativesEmployer DatesTelephoneFaxe-mail SSNMR#Plan IDAccount # License #Vehicle IDURLIP Address FingerprintsPhotographsOther unique identifier And the CE does not have actual knowledge that the recipient is able to identify the individual

23 Davis Wright Tremaine LLP 23 HIPAA in Public Health: Limited Data Set Limited Data Set = PHI that excludes direct identifiers except: Full dates Geographic detail of city, state and 5-digit zip code Not completely de- identified Special rules apply Limited Data Set = PHI that excludes direct identifiers except: Full dates Geographic detail of city, state and 5-digit zip code Not completely de- identified Special rules apply

24 Davis Wright Tremaine LLP 24 HIPAA in Public Health: Data Use Agreements Limited Purposes: Research, Public health Health care operations Recipient must enter into a Data Use Agreement: Permitted uses and disclosures by recipient Who may use or receive limited data set Recipient must: Not further use or disclose information Use appropriate safeguards Report impermissible use or disclosure Ensure agents comply Not identify the information or contact the individuals Limited Purposes: Research, Public health Health care operations Recipient must enter into a Data Use Agreement: Permitted uses and disclosures by recipient Who may use or receive limited data set Recipient must: Not further use or disclose information Use appropriate safeguards Report impermissible use or disclosure Ensure agents comply Not identify the information or contact the individuals

25 Davis Wright Tremaine LLP 25 HIPAA in Public Health

26 Davis Wright Tremaine LLP 26 HIPAA in Disaster Situations Facility Directory – covered entities may disclose PHI if patient is asked for by name: Name Condition (e.g., undetermined, good, fair, serious, critical) Location within facility Religion (release to clergy only) Notification in Disaster Relief Efforts Disclosures to public or private entity authorized to assist in disaster relief efforts Disclosures for notification of individuals location or general condition to family member, personal representative or another responsible for care Subject to opportunity to agree or object Recognize professional judgment Facility Directory – covered entities may disclose PHI if patient is asked for by name: Name Condition (e.g., undetermined, good, fair, serious, critical) Location within facility Religion (release to clergy only) Notification in Disaster Relief Efforts Disclosures to public or private entity authorized to assist in disaster relief efforts Disclosures for notification of individuals location or general condition to family member, personal representative or another responsible for care Subject to opportunity to agree or object Recognize professional judgment

27 Davis Wright Tremaine LLP 27 HIPAA in EMS EMS generally is covered entity or covered health care component and must comply with HIPAA Beware of HIPAA overkill: Balance between patient care and minimum necessary If name and description of condition is needed, it should be given If directions are needed, get them Police often want information from EMS Reporting crime in emergencies (not at a health care facility) to report Commission and nature of a crime Identity, description and location of perpetrator Location of a crime or victim Some disclosures require representations on part of law enforcement that may be able to be given in advance (e.g., formal annual request and representation letter) EMS generally is covered entity or covered health care component and must comply with HIPAA Beware of HIPAA overkill: Balance between patient care and minimum necessary If name and description of condition is needed, it should be given If directions are needed, get them Police often want information from EMS Reporting crime in emergencies (not at a health care facility) to report Commission and nature of a crime Identity, description and location of perpetrator Location of a crime or victim Some disclosures require representations on part of law enforcement that may be able to be given in advance (e.g., formal annual request and representation letter)

28 Davis Wright Tremaine LLP 28 HIPAA in Schools Schools have long protected confidentiality, e.g., Family Education Rights and Privacy Act Two-prong analysis Is school – or person/entity providing services to the school – covered entity? Examples – school nurse, speech therapist, psychologist, school-based clinics Engage in health care provider activities Engage in electronic HIPAA transaction Is PHI involved? Exception for FERPA – covered records (beware FERPA exceptions, such as for oral communication and sole possession) Treatment records of older students exception Schools have long protected confidentiality, e.g., Family Education Rights and Privacy Act Two-prong analysis Is school – or person/entity providing services to the school – covered entity? Examples – school nurse, speech therapist, psychologist, school-based clinics Engage in health care provider activities Engage in electronic HIPAA transaction Is PHI involved? Exception for FERPA – covered records (beware FERPA exceptions, such as for oral communication and sole possession) Treatment records of older students exception

29 Davis Wright Tremaine LLP 29 HIPAA in Prisons A covered entity may disclose PHI to a correctional institution (or law enforcement official) having lawful custody of an inmate Upon institutions representation that the PHI is necessary for: The provision of health care to the inmate The health and safety of the inmate – or others at the correctional institution The health and safety of inmates, officers or other persons responsible for transporting/transferring inmates Law enforcement on correctional institutions premises Administration and maintenance of the safety, security and good order of the correctional institution A covered entity may disclose PHI to a correctional institution (or law enforcement official) having lawful custody of an inmate Upon institutions representation that the PHI is necessary for: The provision of health care to the inmate The health and safety of the inmate – or others at the correctional institution The health and safety of inmates, officers or other persons responsible for transporting/transferring inmates Law enforcement on correctional institutions premises Administration and maintenance of the safety, security and good order of the correctional institution

30 Davis Wright Tremaine LLP 30 HIPAA in Prisons Limited rights of prisoners Notice of Privacy Practices Not applicable to inmates or correctional institutions Access Covered correctional institution – or provider under such institutions direction – may deny inmates request for access if it would jeopardize The health, safety, security, custody or rehabilitation of the individual or other inmates Safety of any officer, employee or others Unreviewable grounds for denial Amendment May be denied if the record is not subject to access Accounting of Disclosure Suspend right to an accounting if law enforcement Represents that it may reasonably impede the agencies activities Specify a time period for the suspension Limited rights of prisoners Notice of Privacy Practices Not applicable to inmates or correctional institutions Access Covered correctional institution – or provider under such institutions direction – may deny inmates request for access if it would jeopardize The health, safety, security, custody or rehabilitation of the individual or other inmates Safety of any officer, employee or others Unreviewable grounds for denial Amendment May be denied if the record is not subject to access Accounting of Disclosure Suspend right to an accounting if law enforcement Represents that it may reasonably impede the agencies activities Specify a time period for the suspension

31 Davis Wright Tremaine LLP 31 Questions

32 Davis Wright Tremaine LLP 32 SEA 17726921v1

Download ppt "HIPAA for Governments & Municipalities Rebecca L. Williams, RN, JD Partner, Co-Chair of HIT/HIPAA Practice Davis Wright Tremaine LLP Seattle, WA"

Similar presentations

Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,

Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,

The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
HIPAA AWARENESS TRAINING

HIPAA AWARENESS TRAINING
Responding to Subpoenas and Law Enforcement Demands for PHI: An Overview Janet A. Newberg Chair, Health Law Section Felhaber Larson Fenlon & Vogt, P.A.

Responding to Subpoenas and Law Enforcement Demands for PHI: An Overview Janet A. Newberg Chair, Health Law Section Felhaber Larson Fenlon & Vogt, P.A.
Pennsylvania Bureau of Workers’ Compensation Conference December 4, 2003 Beth L. Rubin  2003 Dechert LLP HIPAA Privacy Rule Basics.

Pennsylvania Bureau of Workers’ Compensation Conference December 4, 2003 Beth L. Rubin  2003 Dechert LLP HIPAA Privacy Rule Basics.
Minimum Necessary Standard Version 1.0

Minimum Necessary Standard Version 1.0
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.

NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.

P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
North Carolina State University Health Information Privacy 4/16/03.

North Carolina State University Health Information Privacy 4/16/03.
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769.

Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA

Similar presentations

Ads by Google