HIPAA PRIVACY RULE
HIPAA Summary Outline

    1. HIPAA Patient Privacy Rules
      Robert M. Portman, J.D.
      (202) 639-6880
      rportman@jenner.com
      Jenner & Block
      601 13th Street, NW
      Washington, DC 20005
    2. HIPAA Patient Privacy Rules
    3. Overview of the Privacy Rule
      Nuts & Bolts of Patient Protections
      Compliance & Enforcement
      Preemption
      Legal Challenges
    4. Overview: Key Issues
      History, Breadth & Focus
      What information is and is not covered
      Who is subject to rules
      Business Associate ("BA") rules
      Rules on uses and disclosures of PHI
      "Minimum Necessary Rule" & Verification
      Privacy Notice/Patient Rights
    5. History/Background
      HIPAA '96: where it all started.
      Required Secretary of HHS to issue rules to protect privacy of patient health information if Congress did not act by August 21, 1999.
      Congress did not act. (Quelle surprise!)
      HHS issued final privacy rules (Dec. 2000).
      HHS Guidance Document (July 2001).
      Proposed Modification of Rule (March 2002).
    6. Breadth
      Privacy rule is part of a "suite" of regulations arising out of HIPAA
      Standards for electronic transactions (final)
      Unique identifiers for employers/providers for use in electronic transactions (proposed)
      Several rules to be proposed re electronic transactions involving health plans
      Proposed Security Rule
      Focus here is on Privacy Rule
    7. What is Required of the "Average Provider"?
      For the "average provider," the Privacy Rule requires:
      Providing patients information about their privacy rights and how their PHI may be used.
      Obtaining authorization for certain uses/disclosures.
      Adopting clear privacy practices and procedures.
      Designating a privacy officer responsible for adoption/compliance with these practices.
      Training employees so that they understand these practices.
    8. What Information is Covered?
      All individually identifiable information that is transmitted or maintained in ANY form, not just electronic.
      Major change from original proposed rule.
      Referred to as protected health information or PHI.
    9. Individually Identifiable Info
      Created or received by a covered entity or employer;
      Relates to health or condition, provision of health care, or payment for health care with respect to an individual; and
      Can identify or can be used to identify an individual.
      Note broad definition of payment activities.
    10. Info Not Covered
      Information that cannot be used to identify an individual is not protected.
      How to de-identify information:
      Hire an expert to determine that information to be used or disclosed contains no identifying information.
      Remove all specified identifying information.
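      As an added example (not part of the outline), the Python below applies the second de-identification option listed above, removal of the specified identifiers, to one constructed patient record. The field names, the sample record, the short list of sparse ZIP prefixes and the free-text patterns are assumptions made for this example; the identifier categories and the year-only date, "90+" age and three-digit ZIP generalizations follow the Privacy Rule's Safe Harbor method (45 CFR 164.514(b)(2)), which the outline refers to only as "specified identifying information". The closing check confirms that no direct identifier field survived, which is the control a practitioner would want before releasing the data.

```python
"""Safe Harbor-style de-identification of a patient record (added example)."""
import re

# Direct identifiers removed outright. Field names are assumptions about the
# record layout used here; the categories follow 45 CFR 164.514(b)(2).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo",
}

# Dates tied to the individual may keep only the year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

# Three-digit ZIP prefixes covering 20,000 or fewer residents must become "000".
# Constructed sample; a real deployment would load current Census figures.
SPARSE_ZIP3 = {"036", "059", "102"}

# Identifier patterns that leak into narrative fields (constructed, not exhaustive).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
]

# Constructed sample record; every value is invented.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "date_of_birth": "1931-05-17",
    "age": 92,
    "zip": "03612",
    "admission_date": "2002-03-04",
    "diagnosis": "J45.20",
    "notes": "Contact at jane@example.com or 202-555-0134",
}


def generalize_zip(zip_code):
    """Keep the first three digits unless the area is too sparsely populated."""
    prefix = zip_code[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def generalize_date(iso_date):
    """Reduce an ISO 'YYYY-MM-DD' date to its year."""
    return iso_date[:4]


def generalize_age(age):
    """Ages over 89 collapse into a single '90+' bucket; others pass through."""
    return "90+" if age > 89 else age


def scrub_free_text(text):
    """Mask SSN, phone and e-mail patterns inside narrative fields."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record):
    """Return a Safe Harbor-style copy of record; the input is left unchanged."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    for field in out.keys() & DATE_FIELDS:
        out[field] = generalize_date(out[field])
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    if "age" in out:
        out["age"] = generalize_age(out["age"])
        # A birth year on its own reveals an age over 89, so it goes as well.
        if out["age"] == "90+":
            out.pop("date_of_birth", None)
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"])
    return out


def residual_identifiers(record):
    """Release check: list any direct identifier field still present."""
    return sorted(DIRECT_IDENTIFIER_FIELDS & set(record))


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

      The free-text scrub is the weak link in practice: regular expressions catch formatted numbers and addresses but not a patient's name written into a note, which is why the outline's first option (an expert determination) remains relevant for narrative data.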
    11. Covered Entities and "Friends"
      Health Care Providers
      Health Plans
      Healthcare Clearinghouses
      Business Associates (indirect)
    12. Health Care Providers
      Providers of medical or health services that transmit health information in electronic form, for billing or transferring funds for payment.
      Physicians
      Hospitals
      Home Health Agencies
    13. Health Plans
      Plans that provide or pay for the cost of medical care.
      Group health plans
      Health insurance issuer
      HMOs
      Issuers of LTC policies
      Employee welfare benefit plans
    14. Health Care Clearinghouses
      Entities that process health information from a covered entity.
      Billing services
      Repricing companies
      Community health information systems
      Value-added networks or switches
    15. Business Associates
      Individuals or entities that receive PHI from covered entities and provide services for or perform functions on behalf of covered entities.
      Employees and volunteers, no; independent contractors, yes.
      May include board members.
      A covered entity may be a business associate of another covered entity.
    16. Business Associates
      Functions on behalf of a covered entity:
      claims processing
      data analysis
      processing or administration
      utilization review
      quality assurance
      billing
      benefit management
      practice management
      repricing
    17. Business Associates
      Services performed for covered entity:
      legal
      actuarial
      accounting
      consulting
      data aggregation
      management
      administrative
      accreditation
      financial
    18. Business Associate's Duties
      Must abide by restrictions on PHI in contract.
      Use appropriate safeguards to protect PHI.
      Ensure that agents or subcontractors agree to same restrictions. ("Chain of Trust" partners)
      Other requirements
      (e.g., make internal practices, books, and records relating to use and disclosure of PHI available to HHS Secretary for purposes of determining covered entity's compliance with HIPAA.)
    19. Business Associate Contract
      Can be an addendum to current contract
      Establish required and permitted uses and disclosures of PHI by BA.
      State that BA may not use or further disclose PHI in a manner that would violate the HIPAA rules if done by the covered entity.
      Note: BA may use PHI for internal management and administration of BA, legal responsibilities, and data aggregation for covered entity.
      Model contract provisions provided by HHS as part of proposed rule modification.
    20. Uses and Disclosures of PHI
      Basic rule: NO USE OR DISCLOSURE EXCEPT AS PERMITTED OR REQUIRED BY RULE.
    21. Permitted Uses and Disclosures
      To the individual (without request).
      With authorization or agreement of the individual.
      Other circumstances specified in rules where authorization not required (e.g., disclosure to business associates).
      Transfer of records upon sale, transfer, consolidation, or merger.
    22. Required Disclosures
      To the individual when requested per rule.
      When required by HHS for investigation or compliance purposes.
    23. Minimum Necessary Rule
      General Rule
      Covered entity must make reasonable efforts to limit permitted uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
      Same requirement applies to requests for PHI from one covered entity to another.
    24. Minimum Necessary Rule
      Minimum necessary usage requires, among other things, identifying:
      employees with need for access to PHI
      categories/types of PHI needed
      conditions for access
      Must also comply with any applicable restrictions (e.g., per patient agreement).
    25. Minimum Necessary Rule
      Okay to rely on requesting party's judgment in some cases (if reliance is reasonable):
      another covered entity
      public officials or agencies
      business associates or workforce member
      researchers acting per IRB/Privacy Board
    26. Minimum Necessary Rule
      Exceptions
      disclosures to or requests by health care provider for treatment
      uses or disclosures to individuals by law or authorization
      disclosures to HHS
      uses or disclosures pursuant to law or compliance requirements
    27. Minimum Necessary Rule
      Modified proposed rule clarifies that conversations between physicians about patient do not violate rule even if they are overheard.
      Modified rule also clarifies that incidental disclosures generally do not violate the rule as long as minimum necessary rule satisfied and other reasonable safeguards adopted.
    28. Verification Requirement
      Covered entity generally must verify the identity of a person requesting PHI and the authority of the requesting party to have access to the PHI (unless known).
      Requirement met if covered entity exercises professional judgment and acts in good faith in making disclosures under the rule.
    29. The Nuts & Bolts of Patient Protections
      Consent
      Authorization
      Exceptions
      Notice of Privacy Practices
      The Rights of Individuals
    30. Consent
      Final Rule would have required physicians and other health care providers to obtain consent from patient for use and disclosure of PHI for treatment, payment, or health care operations (TPO).
      Modified rule eliminates consent requirement and simply requires notice of provider's privacy policies and practices be provided to patient.
      Patients should be asked to acknowledge receipt of privacy policies and practices.
    31. Authorization
      An authorization generally allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations.
      Covered entities must obtain an authorization to make uses and disclosures not otherwise permitted or required under the Privacy Rule.
      An authorization must be written in specific terms, and may allow use and disclosure of PHI by the covered entity seeking the authorization, or by a third party.
    32. Authorization
      Document and retain signed authorizations.
      Provide patient with copy.
      May not condition treatment, payment, or enrollment in health plan or eligibility for benefits on authorization except for research-related treatment and other circumstances specified in rule.
    33. Single Authorization Form
      Final Rule required different types of forms for different types of disclosures.
      Modified Rule requires only one form regardless of type of disclosure.
    34. Authorization Requirements
      Must be written in plain language.
      A copy must be provided to individual if provider seeks authorization.
    35. Authorization Requirements
      A description of the information to be used or disclosed that identifies the PHI in a specific and meaningful fashion.
      The name of those authorized to request disclosure of PHI.
      The name of persons to whom provider may make the requested disclosure.
    36. Authorization Requirements
      A description of each purpose of the requested use or disclosure. "At the request of the individual" is sufficient description of purpose when an individual initiates the authorization and does not provide a statement of the purpose.
      Statement whether provider can condition treatment on authorization.
    37. Authorization Requirements
      An expiration date or event relating to individual or purpose of use or disclosure.
      Signature of individual (or personal representative) and date.
      Statement re individual's right to revoke authorization.
      Statement concerning possibility of redisclosure.
    38. Authorization for Marketing
      Under proposed modification, covered entity must obtain authorization from individual before sending them any marketing materials or selling patient lists.
      But covered entities may communicate freely with patients about treatment options and other health-related information, including disease-management programs.
    39. No Authorization Required
      With individual's agreement in limited circumstances
      Public health activities
      Health oversight programs
      FDA-regulated activities (e.g., adverse incidents)
      Judicial and administrative hearings
      Certain law enforcement purposes
      Concerning decedents to coroners/funeral directors
      Research in certain circumstances
    40. Prior Consents/Authorizations
      Covered entity may continue to use or disclose PHI pursuant to a prior consent, authorization, or other form of legal permission with some restrictions.
      But usually will need to obtain new consent or authorization for data collected after compliance date, except for research studies based on individual's consent.
    41. Privacy Notice
      HIPAA generally provides individuals the right to "adequate notice" of:
      the uses and disclosures of PHI that may be made by the covered entity.
      the individual's rights and the covered entity's legal duties with respect to PHI
      The Notice describes the covered entity's PHI-related privacy practices.
      Specific and detailed requirements for the Notice are set forth in the Privacy Rule
    42. Privacy Notice
      Must provide on first date of service delivery or as soon as reasonably practicable after an emergency.
      Must make good faith effort to obtain a written acknowledgement of receipt of notice from patient or document reasons why acknowledgement not obtained (substitute for consent).
    43. Privacy Notice
      Must be prominently displayed at site of service and/or posted on web site
      Must be available upon request.
      Must issue new notice when material changes.
      Must keep copies of all notices and acknowledgements of receipt.
    44. Rights of Individuals
      To receive privacy notice at time of first delivery of service.
      To request restrictions on uses and disclosures of PHI
      Covered entity not required to agree.
      But if it does so agree, it must comply with restrictions, except for emergencies or other circumstances specified in rules.
      Must document agreement.
      May terminate with individual's agreement or without agreement prospectively only.
    45. Rights of Individuals
      To receive PHI communicated to them by alternative means and at alternative locations to protect confidentiality.
      To inspect and obtain copies of their PHI from covered entity, except for psychotherapy notes and other exceptions, subject to procedures in rules.
    46. Rights of Individuals
      To amend or correct PHI.
      To request an accounting of disclosures in six years prior to request, not including disclosures re treatment, payment, and health care operations, or individuals' requests for PHI, except for disclosures pursuant to written authorization (see proposed modification).
      Rights apply to individual and personal representatives.
    47. Parents of Minors
      For the most part, parents have right to access and control PHI of their minor children.
      Exceptions to this rule track circumstances in which state law precludes such parental access or control (e.g., permitting HIV testing of minors without parental permission, cases of abuse, etc.) or where parents have agreed to give up access and control.
    48. Research
      Proposed modification clarifies that researchers may combine authorization with informed consent to participate in clinical trial
      Proposal also conforms requirements of research exception to "Common Rule" used for federally-funded research.
    49. Compliance & Other Issues
      Compliance & Enforcement
      Preemption
      Legal Challenges
    50. Compliance
      Covered entities must comply by
      April 14, 200
      One-year extension for BA contract compliance per proposed modification.
    51. Compliance
      Designate privacy official and contact person;
      Train workforce in policies and procedures required to safeguard PHI (different requirements for small and large physician practices);
      Procedures and safeguards to protect PHI and limit incidental uses or disclosures of PHI;
      Institute complaints process; and
      Other requirements set forth in rules.
    52. Compliance: Bus. Assoc.
      Covered entity not responsible for overseeing BA's compliance with terms of agreement.
      But, covered entity violates rule if it knew of a pattern of activity or practice of BA that breached contract, unless covered entity took steps to end the violation and/or terminate the contract, if feasible, or report problem to HHS.
      If BA is also covered entity and it violates its obligations under the BA Agreement, then it will be directly liable under HIPAA.
    53. Compliance: Bus. Assoc.
      Contract must have appropriate termination provisions, including return or destruction of PHI upon material breach, if feasible.
      Proposed rule would give covered entities up to an additional year to modify their contracts with BA's to comply with the privacy rule.
    54. Enforcement
      Individual complaints with Secretary within 180 days of act or omission.
      HHS investigation authority.
      Informal resolution authority.
      Civil Penalties.
      Criminal Penalties.
    55. The Enforcement Provisions:
      42 U.S.C. §§ 1320d-5 & 1320d-6
      42 U.S.C. § 1320d-5 covers civil violations
      42 U.S.C. § 1320d-6 covers criminal violations
      These sections are not found in the HHS Regulations, rather they come from HIPAA itself.
    56. General Penalty for Failure To Comply With Requirements And Standards
      42 U.S.C. § 1320d-5
      (Civil Violations)
      Punishes any violation of regulations
      Maximum penalty of $100 per violation
      Cap of $25,000 per calendar year for each provision of the regulations that are violated
    57. Wrongful Disclosure of Individually Identifiable Health Information:
      42 U.S.C. § 1320d-6(a)
      (Criminal Violations)
      Violation of federal law
      Violations must be committed "knowingly"
    58. MENS REA And Use Of The Word "Knowingly"
      A person commits an act "knowingly" when it is done purposefully; that is, the act is a product of a conscious design, intent or plan that it be done. Horne v. State of Indiana, 445 N.E.2d 976 (1983).
    59. Three Ways To Violate 42 U.S.C. § 1320d-6
      Knowingly and in violation of the regulations using or causing to be used a unique health identifier;
      Knowingly and in violation of the regulations obtaining individually identifiable health information relating to an individual; and
      Knowingly and in violation of the regulations disclosing individually identifiable health information to another person.
    60. Potential Bases For Criminal Liability
      Employee liability for employee's own conduct
      Liability of privacy officers
      Corporate liability for acts of employees
      Concurrent liability of employees and corporation
      Business Associate Liability
    61. Criminal Penalties For Violating § 1320d-6
      Maximum penalties are set forth in §1320d-6(b).
      Actual sentencing is determined according to the Federal Sentencing Guidelines.
    62. Maximum Penalties
      (42 U.S.C. § 1320d-6(b)(1))
      Any violation:
      $50,000 fine, one year imprisonment, or both.
    63. Maximum Penalties
      (42 U.S.C. § 1320d-6(b)(2))
      If offense is committed under false pretenses:
      $100,000 fine, 5 years imprisonment, or both.
    64. Maximum Penalties
      (42 U.S.C. § 1320d-6(b)(3))
      If the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm:
      $500,000 fine, 10 years imprisonment, or both.
    65. Preemption
      Requirements contrary to federal law are preempted.
      Exceptions
      more stringent state law
      others
      Requests for preemption to be resolved by Secretary of HHS.
    66. Legal Challenges
      South Carolina Medical Association v. HHS
      Association of American Physicians v. HHS