HIPAA PRIVACY RULE
HIPAA Summary Outline
- HIPAA Patient Privacy Rules
Robert M. Portman, J.D.
(202) 639-6880
rportman@jenner.com
Jenner & Block
601 13th Street, NW
Washington, DC 20005
- HIPAA Patient Privacy Rules
- Overview of the Privacy Rule
Nuts & Bolts of Patient Protections
Compliance & Enforcement
Preemption
Legal Challenges
- Overview: Key Issues
History, Breadth & Focus
What information is and is not covered
Who is subject to rules
Business Associate ("BA") rules
Rules on uses and disclosures of PHI
"Minimum Necessary Rule" & Verification
Privacy Notice/Patient Rights
- History/Background
HIPAA '96: where it all started.
Required Secretary of HHS to issue rules to protect privacy of patient health information if Congress did not act by August 21, 1999.
Congress did not act. (Quelle surprise!)
HHS issued final privacy rules: Dec. 2000.
HHS Guidance Document: July 2001.
Proposed Modification of Rule-March 2002.
- Breadth
Privacy rule is part of a "suite" of regulations arising out of HIPAA
Standards for electronic transactions (final)
Unique identifiers for employers/providers for use in electronic transactions (proposed)
Several rules to be proposed re electronic transactions involving health plans
Proposed Security Rule
Focus here is on Privacy Rule
- What is Required of the "Average Provider"?
For the "average provider," the Privacy Rule requires:
Providing patients information about their privacy rights and how their PHI may be used.
Obtaining authorization for certain uses/disclosures.
Adopting clear privacy practices and procedures.
Designating a privacy officer responsible for adoption/compliance with these practices.
Training employees so that they understand these practices.
- What Information is Covered?
All individually identifiable information that is transmitted or maintained in ANY form, not just electronic.
Major change from original proposed rule.
Referred to as protected health information or PHI.
- Individually Identifiable Info
Created or received by a covered entity or employer;
Relates to health or condition, provision of health care, or payment for health care with respect to an individual; and
Can identify or can be used to identify an individual.
Note broad definition of payment activities.
- Info Not Covered
Information that cannot be used to identify an individual is not protected.
How to de-identify information:
Hire an expert to determine that information to be used or disclosed contains no identifying information.
Remove all specified identifying information.
- Covered Entities and "Friends"
Health Care Providers
Health Plans
Healthcare Clearinghouses
Business Associates (indirect)
- Health Care Providers
Providers of medical or health services that transmit health information in electronic form, for billing or transferring funds for payment.
Physicians
Hospitals
Home Health Agencies
- Health Plans
Plans that provide or pay for the cost of medical care.
Group health plans
Health insurance issuer
HMOs
Issuers of LTC policies
Employee welfare benefit plans
- Health Care Clearinghouses
Entities that process health information from a covered entity.
Billing services
Repricing companies
Community health information systems
Value-added networks or switches
- Business Associates
Individuals or entities that receive PHI from covered entities and provide services for or perform functions on behalf of covered entities.
Employees and volunteers, no; independent contractors, yes.
May include board members.
A covered entity may be a business associate of another covered entity.
- Business Associates
Functions on behalf of a covered entity:
claims processing
data analysis
processing or administration
utilization review
quality assurance
billing
benefit management
practice management
repricing
- Business Associates
Services performed for covered entity:
legal
actuarial
accounting
consulting
data aggregation
management
administrative
accreditation
financial
- Business Associate's Duties
Must abide by restrictions on PHI in contract.
Use appropriate safeguards to protect PHI.
Ensure that agents or subcontractors agree to same restrictions. ("Chain of Trust" partners)
Other requirements
(e.g., make internal practices, books, and records relating to use and disclosure of PHI available to HHS Secretary for purposes of determining covered entity's compliance with HIPAA.)
- Business Associate Contract
Can be an addendum to current contract
Establish required and permitted uses and disclosures of PHI by BA.
State that BA may not use or further disclose PHI in a manner that would violate the HIPAA rules if done by the covered entity.
Note: BA may use PHI for internal management and administration of BA, legal responsibilities, and data aggregation for covered entity.
Model contract provisions provided by HHS as part of proposed rule modification.
- Uses and Disclosures of PHI
Basic rule: NO USE OR DISCLOSURE EXCEPT AS PERMITTED OR REQUIRED BY RULE.
- Permitted Uses and Disclosures
To the individual (without request).
With authorization or agreement of the individual.
Other circumstances specified in rules where authorization not required (e.g., disclosure to business associates).
Transfer of records upon sale, transfer, consolidation, or merger.
- Required Disclosures
To the individual when requested per rule.
When required by HHS for investigation or compliance purposes.
- Minimum Necessary Rule
General Rule
Covered entity must make reasonable efforts to limit permitted uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Same requirement applies to requests for PHI from one covered entity to another.
- Minimum Necessary Rule
Minimum necessary usage requires, among other things, identifying:
employees with need for access to PHI
categories/types of PHI needed
conditions for access
Must also comply with any applicable restrictions (e.g., per patient agreement).
- Minimum Necessary Rule
Okay to rely on requesting party's judgment in some cases (if reliance is reasonable):
another covered entity
public officials or agencies
business associates or workforce member
researchers acting per IRB/Privacy Board
- Minimum Necessary Rule
Exceptions
disclosures to or requests by health care provider for treatment
uses or disclosures to individuals by law or authorization
disclosures to HHS
uses or disclosures pursuant to law or compliance requirements
- Minimum Necessary Rule
Modified proposed rule clarifies that conversations between physicians about patient do not violate rule even if they are overheard.
Modified rule also clarifies that incidental disclosures generally do not violate the rule as long as the minimum necessary rule is satisfied and other reasonable safeguards are adopted.
- Verification Requirement
Covered entity generally must verify the identity of a person requesting PHI and the authority of the requesting party to have access to the PHI (unless known).
Requirement met if covered entity exercises professional judgment and acts in good faith in making disclosures under the rule.
- The Nuts & Bolts of Patient Protections
Consent
Authorization
Exceptions
Notice of Privacy Practices
The Rights of Individuals
- Consent
Final Rule would have required physicians and other health care providers to obtain consent from patient for use and disclosure of PHI for treatment, payment, or health care operations (TPO).
Modified rule eliminates consent requirement and simply requires that notice of provider's privacy policies and practices be provided to patient.
Patients should be asked to acknowledge receipt of privacy policies and practices.
- Authorization
An authorization generally allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations.
Covered entities must obtain an authorization to make uses and disclosures not otherwise permitted or required under the Privacy Rule.
An authorization must be written in specific terms, and may allow use and disclosure of PHI by the covered entity seeking the authorization, or by a third party.
- Authorization
Document and retain signed authorizations.
Provide patient with copy.
May not condition treatment, payment, or enrollment in health plan or eligibility for benefits on authorization except for research-related treatment and other circumstances specified in rule.
- Single Authorization Form
Final Rule required different types of forms for different types of disclosures.
Modified Rule requires only one form regardless of type of disclosure.
- Authorization Requirements
Must be written in plain language.
A copy must be provided to individual if provider seeks authorization.
- Authorization Requirements
A description of the information to be used or disclosed that identifies the PHI in a specific and meaningful fashion.
The name of those authorized to request disclosure of PHI.
The name of persons to whom provider may make the requested disclosure.
- Authorization Requirements
A description of each purpose of the requested use or disclosure. "At the request of the individual" is sufficient description of purpose when an individual initiates the authorization and does not provide a statement of the purpose.
Statement whether provider can condition treatment on authorization.
- Authorization Requirements
An expiration date or event relating to individual or purpose of use or disclosure.
Signature of individual (or personal representative) and date.
Statement re individual's right to revoke authorization.
Statement concerning possibility of redisclosure.
- Authorization for Marketing
Under proposed modification, covered entity must obtain authorization from individual before sending them any marketing materials or selling patient lists.
But covered entities may communicate freely with patients about treatment options and other health-related information, including disease-management programs.
- No Authorization Required
With individual's agreement in limited circumstances
Public health activities
Health oversight programs
FDA-regulated activities (e.g., adverse incidents)
Judicial and administrative hearings
Certain law enforcement purposes
Concerning decedents to coroners/funeral directors
Research in certain circumstances
- Prior Consents/Authorizations
Covered entity may continue to use or disclose PHI pursuant to a prior consent, authorization, or other form of legal permission with some restrictions.
But usually will need to obtain new consent or authorization for data collected after compliance date, except for research studies based on individual's consent.
- Privacy Notice
HIPAA generally provides individuals the right to "adequate notice" of:
the uses and disclosures of PHI that may be made by the covered entity.
the individual's rights and the covered entity's legal duties with respect to PHI
The Notice describes the covered entity's PHI-related privacy practices.
Specific and detailed requirements for the Notice are set forth in the Privacy Rule
- Privacy Notice
Must provide on first date of service delivery or as soon as reasonably practicable after an emergency.
Must make good faith effort to obtain a written acknowledgement of receipt of notice from patient or document reasons why acknowledgement not obtained (substitute for consent).
- Privacy Notice
Must be prominently displayed at site of service and/or posted on web site
Must be available upon request.
Must issue new notice when material changes.
Must keep copies of all notices and acknowledgements of receipt.
- Rights of Individuals
To receive privacy notice at time of first delivery of service.
To request restrictions on uses and disclosures of PHI
Covered entity not required to agree.
But if it does so agree, it must comply with restrictions, except for emergencies or other circumstances specified in rules.
Must document agreement.
May terminate the restriction with the individual's agreement, or without agreement on a prospective basis only.
- Rights of Individuals
To receive PHI communicated to them by alternative means and at alternative locations to protect confidentiality.
To inspect and obtain copies of their PHI from covered entity, except for psychotherapy notes and other exceptions, subject to procedures in rules.
- Rights of Individuals
To amend or correct PHI.
To request an accounting of disclosures in six years prior to request, not including disclosures re treatment, payment, and health care operations, or individuals' requests for PHI, except for disclosures pursuant to written authorization (see proposed modification).
Rights apply to individual and personal representatives.
- Parents of Minors
For the most part, parents have right to access and control PHI of their minor children.
Exceptions to this rule track circumstances in which state law precludes such parental access or control (e.g., permitting HIV testing of minors without parental permission, cases of abuse, etc.) or where parents have agreed to give up access and control.
- Research
Proposed modification clarifies that researchers may combine authorization with informed consent to participate in clinical trial
Proposal also conforms requirements of research exception to "Common Rule" used for federally-funded research.
- Compliance & Other Issues
Compliance & Enforcement
Preemption
Legal Challenges
- Compliance
Covered entities must comply by
April 14, 200
One-year extension for BA contract compliance per proposed modification.
- Compliance
Designate privacy official and contact person;
Train workforce in policies and procedures required to safeguard PHI (different requirements for small and large physician practices);
Procedures and safeguards to protect PHI and limit incidental uses or disclosures of PHI;
Institute complaints process; and
Other requirements set forth in rules.
- Compliance: Bus. Assoc.
Covered entity not responsible for overseeing BA's compliance with terms of agreement.
But, covered entity violates rule if it knew of a pattern of activity or practice of BA that breached contract, unless covered entity took steps to end the violation and/or terminate the contract, if feasible, or report problem to HHS.
If BA is also covered entity and it violates its obligations under the BA Agreement, then it will be directly liable under HIPAA.
- Compliance: Bus. Assoc.
Contract must have appropriate termination provisions, including return or destruction of PHI upon material breach, if feasible.
Proposed rule would give covered entities up to an additional year to modify their contracts with BA's to comply with the privacy rule.
- Enforcement
Individual complaints with Secretary within 180 days of act or omission.
HHS investigation authority.
Informal resolution authority.
Civil Penalties.
Criminal Penalties.
- The Enforcement Provisions:
42 U.S.C. §§ 1320d-5 & 1320d-6
42 U.S.C. § 1320d-5 covers civil violations
42 U.S.C. § 1320d-6 covers criminal violations
These sections are not found in the HHS Regulations, rather they come from HIPAA itself.
- General Penalty for Failure To Comply With Requirements And Standards
42 U.S.C. § 1320d-5
(Civil Violations)
Punishes any violation of regulations
Maximum penalty of $100 per violation
Cap of $25,000 per calendar year for each provision of the regulations that are violated
- Wrongful Disclosure of Individually Identifiable Health Information:
42 U.S.C. § 1320d-6(a)
(Criminal Violations)
Violation of federal law
Violations must be committed "knowingly"
- MENS REA And Use Of The Word "Knowingly"
A person commits an act "knowingly" when it is done purposefully; that is, the act is a product of a conscious design, intent or plan that it be done. Horne v. State of Indiana, 445 N.E.2d 976 (1983).
- Three Ways To Violate 42 U.S.C. § 1320d-6
Knowingly and in violation of the regulations using or causing to be used a unique health identifier;
Knowingly and in violation of the regulations obtaining individually identifiable health information relating to an individual; and
Knowingly and in violation of the regulations disclosing individually identifiable health information to another person.
- Potential Bases For Criminal Liability
Employee liability for employee's own conduct
Liability of privacy officers
Corporate liability for acts of employees
Concurrent liability of employees and corporation
Business Associate Liability
- Criminal Penalties For Violating § 1320d-6
Maximum penalties are set forth in § 1320d-6(b).
Actual sentencing is determined according to the Federal Sentencing Guidelines.
- Maximum Penalties
(42 U.S.C. § 1320d-6(b)(1))
Any violation:
$50,000 fine, one year imprisonment, or both.
- Maximum Penalties
(42 U.S.C. § 1320d-6(b)(2))
If offense is committed under false pretenses:
$100,000 fine, 5 years imprisonment, or both.
- Maximum Penalties
(42 U.S.C. § 1320d-6(b)(3))
If the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm:
$500,000 fine, 10 years imprisonment, or both.
- Preemption
Requirements contrary to federal law are preempted.
Exceptions
more stringent state law
others
Requests for preemption to be resolved by Secretary of HHS.
- Legal Challenges
South Carolina Medical Association v. HHS
Association of American Physicians v. HHS