HIPAA: An Overview; Obtaining and Using your Client’s Mental Health, Drug, and Alcohol Treatment Records

Presented by Steven D. Wolcott - Attorney At Law

Contact Information:
104 W Kansas St. Liberty, Missouri 64068
Phone: (816) 792-4242
[email protected]


Glossary of Terms

- Business Associate (BA): A person or organization that performs a function or activity on behalf of a covered entity, but is not part of a covered entity’s workforce. A business associate can also be a covered entity in its own right.

- Covered Entity (CE): Any business entity that must comply with HIPAA regulations, which includes healthcare providers, health plans and healthcare clearinghouses. For purposes of HIPAA, health care providers include hospitals, physicians, and other caregivers.

- Electronic Health Record (EHR): An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one healthcare organization.

- Electronic Medical Record (EMR): An electronic record of health-related information on an individual that can be created, gathered, managed, and consulted by authorized clinicians and staff within one healthcare organization.

HIPAA

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) which among other things:

- Offers protection for personal health information,
- Gives patients more control over their own health information,
- Sets limits on the procurement, usage, and disclosure of a patient’s records, and
- Establishes a series of privacy standards for healthcare providers, which provides penalties for those who do not follow these standards.

HIPAA Privacy Rules

General:

The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the first comprehensive Federal protection for the privacy of health and mental health information. The rule is intended to provide strong legal protections to ensure the privacy of individual health information, without interfering with patient access to treatment, health care operations, or quality of care.

The Privacy Rule applies to “covered entities,” which generally includes health plans and health care providers who transmit health information in electronic form. “Covered entities” include almost all health and mental health care providers, whether they are outpatient, residential, or inpatient providers, as well as other persons or organizations that bill and/or are paid for health care.

HIPAA Privacy Rules

Basic Principles of the Privacy Rule:

1. The Privacy Rule protects all “protected health information” (PHI), including individually identifiable health or mental health information held or transmitted by a covered entity in any format, including electronic, paper, or oral statements.

2. A major purpose of the Privacy Rule is to define and limit the circumstances under which an individual’s PHI may be used or disclosed by covered entities. Generally, a covered entity may not use or disclose PHI to others, except:

a. as the Privacy Rule permits or requires; or

b. as authorized by the person (or personal representative) who is the subject of the health information. A HIPAA-compliant Authorization must contain specific information required by the Privacy Rule.

3. A covered entity must provide individuals (or their personal representatives) with access to their own PHI (unless there are permitted grounds for the denial), and must provide an accounting of the disclosures of their PHI to others, upon their request.

4. The Privacy Rule supersedes State law, but State laws which provide greater privacy protections or which give individuals greater access to their own PHI remain in effect.

Health Information Privacy

When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?

Answer: The Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue. The Rule permits covered entities to disclose protected health information to law enforcement officials, without the individual’s written authorization, under the specific circumstances summarized below. Disclosures for law enforcement purposes are permitted as follows:

- To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. The Rule recognizes that the legal process involved in obtaining a court order and the secrecy of the grand jury process provide protections for the individual’s private information (45 CFR 164.512(f)(1)(ii)(A)-(B)).

- To respond to an administrative request, such as an administrative subpoena, investigative demand, or other written request. Because such a request may be made without judicial involvement, the Rule requires all administrative requests to include or be accompanied by a written statement that the information requested is relevant and material, specific and limited in scope, and that de-identified information cannot be used (45 CFR 164.512(f)(1)(ii)(C)).

Health Information Privacy

- To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness, or missing person; but the covered entity must limit disclosures of PHI to name and address, date and place of birth, SSN, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request (45 CFR 164.512(f)(2)).

This same limited information may be reported to law enforcement:

- About a suspected perpetrator of a crime when the report is made by the victim who is a member of the covered entity’s workforce (45 CFR 164.502(j)(2));

- To identify or apprehend an individual who has admitted participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to a victim, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act (45 CFR 164.512(j)(1)(ii)(A), (j)(2)-(3)).

Health Information Privacy

- To respond to a request for PHI about a victim of a crime, if the victim agrees. If, because of an emergency or the person’s incapacity, the individual cannot agree, the covered entity may disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine whether another person broke the law, and the investigation would be materially and adversely affected by waiting until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the best interests of the individual whose information is requested (45 CFR 164.512(f)(3)).

Where child abuse victims or adult victims of abuse, neglect or domestic violence are concerned, other provisions of the Rule apply:

- Child abuse or neglect may be reported to any law enforcement official authorized by law to receive such reports, and the agreement of the individual is not required (45 CFR 164.512(b)(1)(ii)).

- Adult abuse, neglect, or domestic violence may be reported to a law enforcement official authorized by law to receive such reports (45 CFR 164.512(c)):

  - If the individual agrees;
  - If the report is required by law; or
  - If expressly authorized by law, and based on the exercise of professional judgment, the report is necessary to prevent serious harm to the individual or others, or in certain other emergency situations (see 45 CFR 164.512(c)(1)(iii)(B)).

Notice to the individual of the report may be required (see 45 CFR 164.512(c)(2)).

Health Information Privacy

- To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)). For example, state laws commonly require health care providers to report incidents of gunshot or stab wounds, or other violent injuries; and the Rule permits disclosures of PHI as necessary to comply with these laws.

- To alert law enforcement to the death of an individual, when there is a suspicion that death resulted from criminal conduct (45 CFR 164.512(f)(4)). Information about a decedent may also be shared with medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or carrying out their other authorized duties (45 CFR 164.512(g)(1)).

- To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5)).

Electronic Code of Federal Regulations

Confidentiality of Alcohol and Drug Abuse Patient Records

Subpart A:

§2.1 Statutory authority for confidentiality of drug abuse patient records

The restrictions of these regulations upon disclosure and use of drug abuse patient records were initially authorized by section 408 of the Drug and Abuse Prevention, Treatment, and Rehabilitation Act (21 U.S.C. 1175). That section as amended was transferred by Pub. L. 98-24 to section 527 of the Public Health Service Act, which is codified at 42 U.S.C. 290ee-3.

§2.2 Statutory authority for confidentiality of alcohol abuse patient records

The restrictions of these regulations upon the disclosure and use of alcohol abuse patient records were initially authorized by section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 (42 U.S.C. 4582). The section as amended was transferred by Pub. L. 98-24 to section 523 of the Public Health Service Act, which is codified at 42 U.S.C. 290ee-3.

Penalty for first and subsequent offenses: Any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined not more than $500 in the case of the first offense, and not more than $5,000 in the case of each subsequent offense.

Electronic Code of Federal Regulations

Subpart B - General Provisions

§2.11 Definitions:

- Alcohol abuse means the use of an alcoholic beverage which impairs the physical, mental, emotional, or social well-being of the user.

- Drug abuse means the use of a psychoactive substance for other than medicinal purposes which impairs the physical, mental, emotional, or social well-being of the user.

- Diagnosis means any reference to an individual’s alcohol or drug abuse or to a condition which is identified as having been caused by that abuse which is made for the purpose of treatment or referral for treatment.

- Disclose or disclosure means a communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the record of a patient who has been identified.

- Patient means any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program and includes any individual who, after arrest on a criminal charge, is identified as an alcohol or drug abuser in order to determine that individual’s eligibility to participate in a program.

- Records means any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program.


Penalties for Violation

1) Civil Monetary Penalties: The Department of Health and Human Services (HHS) may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement, not to exceed $25,000 per calendar year for multiple violations of the same Privacy Rule requirement. Generally, HHS may not impose civil monetary penalties when a violation is due to reasonable cause, there was no “willful neglect,” and the covered entity corrected the violation within 30 days of when it knew (or should have known) of the violation.

2) Criminal Penalties: A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA could face a fine of $50,000 and imprisonment for up to one year. If the wrongful conduct involves “false pretenses,” the criminal penalties could increase up to a fine of $100,000 and up to five years imprisonment. A fine of up to $250,000 and up to ten years imprisonment could be imposed if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information “for commercial advantage, personal gain, or malicious harm.”

24 S.W.3d 220 (2000)

Judy FIERSTEIN, Respondent/Cross-Appellant
v.
DePAUL HEALTH CENTER, Appellant/Cross-Respondent

Nos. ED 76518, ED 76544
Missouri Court of Appeals, Eastern District, Division Four.
May 9, 2000.
Motion for Rehearing and/or Transfer Denied June 14, 2000.
Application for Transfer Denied August 29, 2000.

FIERSTEIN v. DHC

Defendant, DePaul Health Center, appeals from the judgment, entered pursuant to jury verdicts, in favor of plaintiff, Judy L. Fierstein, in her action for breach of fiduciary duty for the wrongful release of her medical records. The jury awarded actual and punitive damages.

Plaintiff brought an action against DePaul for the wrongful release of her medical records, alleging a breach of fiduciary duty owed to her under the physician-patient privilege. The jury returned verdicts in favor of plaintiff, awarding her $10,000.00 in actual damages and $375,000.00 in punitive damages. The trial court entered judgment in accordance with the jury verdict for actual damages; but granted remittitur as to the punitive damages, reducing the punitive damage award to $25,000.00, and entered judgment on the punitive damage count in that amount. Both parties appeal from that judgment.

320 S.W.3d 145 (2010)

STATE ex rel. Bobbie Jean PROCTOR and Vincent Proctor, Relators,
v.
The Honorable Edith L. MESSINA, Circuit Judge, Sixteenth Judicial Circuit, Jackson County, Missouri, Respondent.

No. SC 90610.
Supreme Court of Missouri, En Banc.
August 31, 2010.

State ex rel. Proctor v. Messina

In State ex rel. Collins v. Roldan, 289 S.W.3d 780, 783 (Mo.App.2009), the court noted that pursuant to the Supremacy Clause of the United States Constitution, HIPAA may preempt Missouri law on the *148 issue of ex parte communications between an attorney and a treating physician. The court did not examine or decide the issue because the case was decided on other grounds. Id. at 784 n. 6. The issue of whether or not HIPAA preempts Missouri law is an issue of first impression in Missouri courts.

Congress included an express preemption clause in HIPAA. See 42 U.S.C.A. § 1320d-7(a). Because HIPAA contains an express preemption clause, this Court’s task is to construe the plain language of the statute to determine the extent to which Congress intended for HIPAA to preempt state law. CSX Transp., 507 U.S. at 664, 113 S.Ct. 1732.

Preemption Clause - Proctor v. Messina

HIPAA’s preemption clause is contained in 42 U.S.C.A. § 1320d-7, which states:

1. General Rule: Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall supersede any contrary provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.

2. Exceptions: A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall not supersede a contrary provision of State law, if the provision of State law-

   a. is a provision the Secretary determines-

      i. is necessary-

         1. to prevent fraud and abuse;
         2. to ensure appropriate State regulation of insurance and health plans;
         3. for State reporting on health care delivery or costs; or
         4. for other purposes; or

      ii. addresses controlled substances.

HIPAA Generally - Proctor v. Messina

This Court’s examination of HIPAA’s privacy rule reviews the text of the regulations mindful of the intent of Congress in directing the Secretary to issue rules and regulations to implement the HIPAA Privacy Rule. In HIPAA, Congress directed the Secretary to promulgate rules and regulations designed to ensure the privacy of patients’ medical information. 42 U.S.C.A. § 1320d-2(d)(2)(A); see also Crenshaw v. MONY Life Ins. Co., 318 F.Supp.2d 1015, 1028 (S.D.Cal.2004); Moreland v. Austin, 284 Ga. 730, 670 S.E.2d 68, 70 (2008).

The HIPAA regulations draw no distinction between formal versus informal disclosures and, instead, broadly prohibit all disclosures in the absence of a specifically enumerated exception to this general rule of prohibition. Specifically, the Secretary defined protected “Health Information” as:

[A]ny information, whether oral or recorded in any form or medium, that:

1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Ex Parte Communications - Proctor v. Messina

Missouri Law on the Issue of Ex Parte Communications:

Missouri common law historically provides that a litigant patient in a personal injury lawsuit could not be compelled by court order to sign medical authorizations consenting to ex parte communications with treating physicians. State ex rel. Woytus v. Ryan, 776 S.W.2d 389, 395 (Mo. banc 1989).

Subsequently, this Court issued a pair of companion opinions addressing voluntary and informal ex parte communications between plaintiff’s treating physician and defendant or defendant’s representatives in a medical malpractice case. Brandt v. Pelican, S.W.2d at 661 (Mo. banc 1993) (Brandt I); Brandt v. Med. Def. Assocs., 856 S.W.2d 667 (Mo. banc 1993) (Brandt II).

Authorized Disclosure - Proctor v. Messina

Under 45 C.F.R. § 164.512(e)(1), HIPAA authorizes disclosure in the course of any judicial or administrative proceeding:

1. Permitted Disclosures. A covered entity may disclose PHI in the course of any judicial or administrative proceeding:

a. In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by such order; or

b. In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:

i. The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the PHI that has been requested has been given notice of the request; or

ii. The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.

Conclusion - Proctor v. Messina

In the instant case, by issuing a purported formal order that was directed to non-party medical providers and, essentially, providing an advisory opinion to said non-party medical providers about the trial court’s understanding of the law on informal ex parte communications, the trial court exceeded its authority, and the preliminary writ of prohibition is made permanent.

All concur.

How to File a Complaint

If you believe that a covered entity or business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities and their business associates.

HIPAA Omnibus Rule

As of January 17th, 2013, HIPAA regulations have had a massive update and overhaul to protect patients. The new laws more extensively hold second and third party businesses responsible for keeping Patient Health Information (PHI) private. The OCR of the United States Department of Health and Human Services adopted the HIPAA Omnibus Rule as an overhaul and update to the USA’s existing volumes of the HIPAA Law and HITECH Law. The Final Rule, or the final HIPAA Omnibus Rule (78 Fed. Reg. 5566), has some important modifications to HIPAA as we know it. They are required to begin functioning within your workplace beginning March 26, 2013.

More Information at: http://hipaaomnibusrule.com/

HITECH Act

The American Recovery and Reinvestment Act of 2015 includes the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act provides Medicare and Medicaid monetary incentives for hospitals and physicians to adopt electronic health records (EHRs) and also provides grants for the development of a health information exchange (HIE). These incentives and grants were created to stimulate health care providers to adopt technology necessary to improve the efficiency of patient healthcare.

The HITECH Act provides over $30 billion for healthcare infrastructure and the adoption of electronic health records (EHR). According to the Act, physicians are eligible to receive up to $44,000 per physician from Medicare for “meaningful use” of a certified EHR system starting in 2015.

How does HITECH Affect HIPAA?

1) Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates

2) Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates

3) Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing

4) Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods

5) Mandates that the new security requirements must be incorporated into all business associate contracts