Medical Society
of the State of New York
(MSSNY)

HIPAA PRIVACY RULE
HIPAA Summary Outline

1. HIPAA Patient Privacy Rules
   Robert M. Portman, J.D.
   (202) 639-6880
   rportman@jenner.com
   Jenner & Block
   601 13th Street, NW
   Washington, DC 20005
2. HIPAA Patient Privacy Rules
   
3. Overview of the Privacy Rule
   Nuts & Bolts of Patient Protections
   Compliance & Enforcement
   Preemption
   Legal Challenges
4. Overview: Key Issues
   History, Breadth & Focus
   What information is and is not covered
   Who is subject to rules
   Business Associate ("BA") rules
   Rules on uses and disclosures of PHI
   "Minimum Necessary Rule" & Verification
   Privacy Notice/Patient Rights
5. History/Background
   HIPAA '96-where it all started.
   Required Secretary of HHS to issue rules to protect privacy of patient health information if Congress did not act by August 21, 1999.
   Congress did not act. (Quelle surprise!)
   HHS issued final privacy rules-Dec. 2000 .
   HHS Guidance Document-July 2001
   Proposed Modification of Rule-March 2002.
6. Breadth
   Privacy rule is part of a "suite" of regulations arising out of HIPAA
   Standards for electronic transactions (final)
   Unique identifiers for employers/providers for use in electronic transactions (proposed)
   Several rules to be proposed re electronic transactions involving health plans
   Proposed Security Rule
   Focus here is on Privacy Rule
7. What is Required of the "Average Provider?"
   For the "average provider," the Privacy Rule requires:
   Providing patients information about their privacy rights and how their PHI may be used.
   Obtaining authorization for certain uses/disclosures.
   Adopting clear privacy practices and procedures.
   Designating a privacy officer responsible for adoption/compliance with these practices.
   Training employees so that they understand these practices.
8. What Information is Covered?
   All individually identifiable information that is transmitted or maintained in ANY form, not just electronic.
   Major change from original proposed rule.
   Referred to as protected health information or PHI.
9. Individually Identifiable Info
   Created or received by a covered entity or employer;
   Relates to health or condition, provision of health care, or payment for health care with respect to an individual; and
   Can identify or can be used to identify an individual.
   Note broad definition of payment activities.
10. Info Not Covered
    Information that cannot be used to identify an individual is not protected.
    How to de-identify information:
    Hire an expert to determine that information to be used or disclosed contains no identifying information.
    Remove all specified identifying information.
11. Covered Entities and "Friends"
    Health Care Providers
    Health Plans
    Healthcare Clearinghouses
    Business Associates (indirect)
12. Health Care Providers
    Providers of medical or health services that transmit health information in electronic form, for billing or transferring funds for payment.
    Physicians
    Hospitals
    Home Health Agencies
13. Health Plans
    Plans that provide or pay for the cost of medical care.
    Group health plans
    Health insurance issuer
    HMOs
    Issuers of LTC policies
    Employee welfare benefit plans
14. Health Care Clearinghouses
    Entities that process health information from a covered entity.
    Billing services
    Repricing companies
    Community health information systems
    Valued-added networks or switches
15. Business Associates
    Individuals or entities that receive PHI from covered entities and provide services for or perform functions on behalf of covered entities.
    Employees and volunteers, no; independent contractors, yes.
    May include board members.
    A covered entity may be a business associate of another covered entity.
16. Business Associates
    Functions on behalf of a covered entity:
    claims processing
    data analysis
    processing or administration
    utilization review
    quality assurance
    billing
    benefit management
    practice management
    repricing
17. Business Associates
    Services performed for covered entity:
    legal
    actuarial
    accounting
    consulting
    data aggregation
    management
    administrative
    accreditation
    financial
18. Business Associate's Duties
    Must abide by restrictions on PHI in contract.
    Use appropriate safeguards to protect PHI.
    Ensure that agents or subcontractors agree to same restrictions. ("Chain of Trust" partners)
    Other requirements
    (e.g., make internal practices, books, and records relating to use and disclosure of PHI available to HHS Secretary for purposes of determining covered entity's compliance with HIPAA.)
19. Business Associate Contract
    Can be an addendum to current contract
    Establish required and permitted uses and disclosures of PHI by BA.
    State that BA may not use or further disclose PHI in violation of HIPAA rules if done by covered entity.
    Note: BA may use PHI for internal management and administration of BA, legal responsibilities, and data aggregation for covered entity.
    Model contract provisions provided by HHS as part of proposed rule modification.
20. Uses and Disclosures of PHI
    Basic rule: NO USE OR DISCLOSURE EXCEPT AS PERMITTED OR REQUIRED BY RULE.
21. Permitted Uses and Disclosures
    To the individual (without request).
    With authorization or agreement of the individual.
    Other circumstances specified in rules where authorization not required (e.g., disclosure to business associates).
    Transfer of records upon sale, transfer, consolidation, or merger.
22. Required Disclosures
    To the individual when requested per rule.
    When required by HHS for investigation or compliance purposes.
23. Minimum Necessary Rule
    General Rule
    Covered entity must make reasonable efforts to limit permitted uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
    Same requirement applies to requests for PHI from one covered entity to another.
24. Minimum Necessary Rule
    Minimum necessary usage requires, among other things, identifying:
    employees with need for access to PHI
    categories/types of PHI needed
    conditions for access
    Must also comply with any applicable restrictions (e.g., per patient agreement).
25. Minimum Necessary Rule
    Okay to rely on requesting party's judgment in some cases (if reliance is reasonable):
    another covered entity
    public officials or agencies
    business associates or workforce member
    researchers acting per IRB/Privacy Board
26. Minimum Necessary Rule
    Exceptions
    disclosures to or requests by health care provider for treatment
    uses or disclosures to individuals by law or authorization
    disclosures to HHS
    uses or disclosures pursuant to law or compliance requirements
27. Minimum Necessary Rule
    Modified proposed rule clarifies that conversations between physicians about patient do not violate rule even if they are overheard.
    Modified rule also clarifies that incidental disclosures generally do not violate the rule as long as minimum necessary rule satisfied and other reasonable safeguards adopted.
28. Verification Requirement
    Covered entity generally must verify the identity of a person requesting PHI and the authority of the requesting party to have access to the PHI (unless known).
    Requirement met if covered entity exercises professional judgment and acts in good faith in making disclosures under the rule.
29. The Nuts & Bolts of Patient Protections
    Consent
    Authorization
    Exceptions
    Notice of Privacy Practices
    The Rights of Individuals
30. Consent
    Final Rule would have required physicians and other health care providers to obtain consent from patient for use and disclosure of PHI for treatment, payment, or health care operations (TPH)
    Modified rule eliminates consent requirement and simply requires notice of provider's privacy policies and practices be provided to patient.
    Patients should be asked to acknowledge receipt of privacy policies and practices.
31. Authorization
    An authorization generally allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations.
    Covered entities must obtain an authorization to make uses and disclosures not otherwise permitted or required under the Privacy Rule.
    An authorization must be written in specific terms, and may allow use and disclosure of PHI by the covered entity seeking the authorization, or by a third party.
32. Authorization
    Document and retain signed authorizations.
    Provide patient with copy.
    May not condition treatment, payment, or enrollment in health plan or eligibility for benefits on authorization except for research-related treatment and other circumstances specified in rule.
33. Single Authorization Form
    Final Rule required different types of forms for different types of disclosures.
    Modified Rule requires only one form regardless of type of disclosure.
34. Authorization Requirements
    Must be written in plain language.
    A copy must be provided to individual if provider seeks authorization.
35. Authorization Requirements
    A description of the information to be used or disclosed that identifies the PHI in a specific and meaningful fashion.
    The name of those authorized to request disclosure of PHI.
    The name of persons to whom provider may make the requested disclosure.
36. Authorization Requirements
    A description of each purpose of the requested use or disclosure. "At the request of the individual" is sufficient description of purpose when an individual initiates the authorization and does not provide a statement of the purpose.
    Statement whether provider can condition treatment on authorization.
37. Authorization Requirements
    An expiration date or event relating to individual or purpose of use or disclosure.
    Signature of individual (or personal representative) and date.
    Statement re individual's right to revoke authorization.
    Statement concerning possibility of redisclosure.
38. Authorization for Marketing
    Under proposed modification, covered entity must obtain authorization from individual before sending them any marketing materials or selling patient lists.
    But covered entities may communicate freely with patients about treatment options and other health-related information, including disease-management programs.
39. No Authorization Required
    With individual's agreement in limited circumstances
    Public health activities
    Health oversight programs
    FDA-regulated activities (e.g., adverse incidents)
    Judicial and administrative hearings
    Certain law enforcement purposes
    Concerning decedents to coroners/funeral directors
    Research in certain circumstances
40. Prior Consents/Authorizations
    Covered entity may continue to use or disclose PHI pursuant to a prior consent, authorization, or other form of legal permission with some restrictions.
    But usually will need to obtain new consent or authorization for data collected after compliance date, except for research studies based on individual's consent.
41. Privacy Notice
    HIPAA generally provides individuals the right to "adequate notice" of:
    the uses and disclosures of PHI that may be made by the covered entity.
    the individual's rights and the covered entity's legal duties with respect to PHI
    The Notice describes the covered entity's PHI-related privacy practices.
    Specific and detailed requirements for the Notice are set forth in the Privacy Rule
42. Privacy Notice
    Must provide on first date of service delivery or as soon as reasonably practicable after an emergency.
    Must make good faith effort to obtain a written acknowledgement of receipt of notice from patient or document reasons why acknowledgement not obtained-substitute for consent.
43. Privacy Notice
    Must be prominently displayed at site of service and/or posted on web site
    Must be available upon request.
    Must issue new notice when material changes.
    Must keep copies of all notices and acknowledgements of receipt.
44. Rights of Individuals
    To receive privacy notice at time of first delivery of service.
    To request restrictions on uses and disclosures of PHI
    Covered entity not required to agree.
    But if it does so agree, it must comply with restrictions, except for emergencies or other circumstances specified in rules.
    Must document agreement.
    May terminate with individual's agreement or without agreement prospectively only.
45. Rights of Individuals
    To receive PHI communicated to them by alternative means and at alternative locations to protect confidentiality.
    To inspect and obtain copies of their PHI from covered entity, except for psychotherapy notes and other exceptions, subject to procedures in rules.
46. Rights of Individuals
    To amend or correct PHI.
    To request an accounting of disclosures in six years prior to request, not including disclosures re treatment, payment, and health care operations, or individuals' requests for PHI, except for disclosures pursuant to written authorization (see proposed modification).
    Rights apply to individual and personal representatives.
47. Parents of Minors
    For the most part, parents have right to access and control PHI of their minor children.
    Exceptions to this rule track circumstances in which state law precludes such parental access or control (e.g.,permitting HIV testing of minors without parental permission, cases of abuse, etc.) or where parents have agreed to give up access and control.
48. Research
    Proposed modification clarifies that researchers may combine authorization with informed consent to participate in clinical trial
    Proposal also conforms requirements of research exception to "Common Rule" used for federally-funded research.
49. Compliance & Other Issues
    Compliance & Enforcement
    Preemption
    Legal Challenges
50. Compliance
    Covered entities must comply by
    April 14, 200
    One-year extension for BA contract compliance per proposed modification.
51. Compliance
    Designate privacy official and contact person;
    Train workforce in policies and procedures required to safeguard PHI (different requirements for small and large physician practices);
    Procedures and safeguards to protect PHI and limit incidental uses or disclosures of PHI;
    Institute complaints process; and
    Other requirements set forth in rules.
52. Compliance: Bus. Assoc.
    Covered entity not responsible for overseeing BA's compliance with terms of agreement.
    But, covered entity violates rule if it knew of a pattern of activity or practice of BA that breached contract, unless covered entity took steps to end the violation and/or terminate the contract, if feasible, or report problem to HHS.
    If BA is also covered entity and it violates its obligations under the BA Agreement, then it will be directly liable under HIPAA.
53. Compliance: Bus. Assoc.
    Contract must have appropriate termination provisions, including return or destruction of PHI upon material breach, if feasible.
    Proposed rule would give covered entities up to an additional year to modify their contracts with BA's to comply with the privacy rule.
54. Enforcement
    Individual complaints with Secretary within 180 days of act or omission.
    HHS investigation authority.
    Informal resolution authority.
    Civil Penalties.
    Criminal Penalties.
55. The Enforcement Provisions:
    42 U.S.C. §§ 1320d-5 & 1320d-6
    42 U.S.C. § 1320d-5 covers civil violations
    42 U.S.C. § 1320d-6 covers criminal violations
    These sections are not found in the HHS Regulations, rather they come from HIPAA itself.
56. General Penalty for Failure To Comply With Requirements And Standards
    U.S.C. § 1320d-5
    (Civil Violations)
    Punishes any violation of regulations
    Maximum penalty of $100 per violation
    Cap of $25,000 per calendar year for each provision of the regulations that are violated
57. Wrongful Disclosure of Individually Identifiable Health Information:
    42 U.S.C. § 1320D-6(a)
    (Criminal Violations)
    Violation of federal law
    Violations must be committed "knowingly"
58. MENS REA And Use Of The Word "Knowingly"
    A person commits an act "knowingly" when it is done purposefully; that is, the act is a product of a conscious design, intentor plan that it be done. Horne v. State of Indiana, 445 N.E.2d 976 (1983).
59. Three Ways To Violate 42 U.S.C. § 1320d-6
    Knowingly and in violation of the regulations using or causing to be used a unique health identifier;
    Knowingly and in violation of the regulations obtaining individually identifiable health information relating to an individual; and
    Knowingly and in violation of the regulations disclosing individually identifiable health information to another person.
60. Potential Bases For Criminal Liability
    Employee liability for employee's own conduct
    Liability of privacy officers
    Corporate liability for acts of employees
    Concurrent liability of employees and corporation
    Business Associate Liability
61. Criminal Penalties For Violating § 1320d-6
    Maximum penalties are set forth in §1320d-6(b).
    Actual sentencing is determined according to the Federal Sentencing Guidelines.
62. Maximum Penalties
    (42 U.S.C. § 1320d-6(b)(1))
    Any violation:
    $50,000 fine, one year imprisonment, or both.
63. Maximum Penalties
    (42 U.S.C. § 1320d-6(b)(2))
    If offense is committed under under false pretenses:
    $100,000 fine, 5 years imprisonment, or both.
64. Maximum Penalties
    (42 U.S.C. § 1320d-6(b)(3))
    If the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm:
    $500,000 fine, 10 years imprisonment, or both.
65. Preemption
    Requirements contrary to federal law are preempted.
    Exceptions
    more stringent state law
    others
    Requests for preemption to be resolved by Secretary of HHS.
66. Legal Challenges
    South Carolina Medical Association v. HHS
    Association of American Physicians v. HHS