
HIPAA Patient Privacy Rules

May 2002

Robert M. Portman, J.D.
(202) 639-6880

[email protected]

Jenner & Block
601 13th Street, NW

Washington, DC 20005

HIPAA Patient Privacy Rules

• Overview of the Privacy Rule
• Nuts & Bolts of Patient Protections
• Compliance & Enforcement
• Preemption
• Legal Challenges

Overview: Key Issues

• History, Breadth & Focus
• What information is and is not covered
• Who is subject to rules
• Business Associate (“BA”) rules
• Rules on uses and disclosures of PHI
• “Minimum Necessary Rule” & Verification
• Privacy Notice/Patient Rights

History/Background

• HIPAA ’96—where it all started.
• Required Secretary of HHS to issue rules to protect privacy of patient health information if Congress did not act by August 21, 1999.
• Congress did not act. (Quelle surprise!)
• HHS issued final privacy rules—Dec. 2000.
• HHS Guidance Document—July 2001.
• Proposed Modification of Rule—March 2002.

Breadth

• Privacy rule is part of a “suite” of regulations arising out of HIPAA
– Standards for electronic transactions (final)
– Unique identifiers for employers/providers for use in electronic transactions (proposed)
– Several rules to be proposed re electronic transactions involving health plans
– Proposed Security Rule

• Focus here is on Privacy Rule

What is Required of the “Average Provider?”

• For the “average provider,” the Privacy Rule requires:
– Providing patients information about their privacy rights and how their PHI may be used.
– Obtaining authorization for certain uses/disclosures.
– Adopting clear privacy practices and procedures.
– Designating a privacy officer responsible for adoption/compliance with these practices.
– Training employees so that they understand these practices.

What Information is Covered?

• All individually identifiable information that is transmitted or maintained in ANY form, not just electronic.

• Major change from original proposed rule.

• Referred to as protected health information or PHI.

Individually Identifiable Info

• Created or received by a covered entity or employer;

• Relates to health or condition, provision of health care, or payment for health care with respect to an individual; and

• Can identify or can be used to identify an individual.

• Note broad definition of payment activities.

Info Not Covered

• Information that cannot be used to identify an individual is not protected.

• How to de-identify information:
– Hire an expert to determine that information to be used or disclosed contains no identifying information.
– Remove all specified identifying information.

Covered Entities and “Friends”

• Health Care Providers
• Health Plans
• Healthcare Clearinghouses
• Business Associates (indirect)

Health Care Providers

• Providers of medical or health services that transmit health information in electronic form, for billing or transferring funds for payment.
– Physicians
– Hospitals
– Home Health Agencies

Health Plans

• Plans that provide or pay for the cost of medical care.
– Group health plans
– Health insurance issuers
– HMOs
– Issuers of LTC policies
– Employee welfare benefit plans

Health Care Clearinghouses

• Entities that process health information from a covered entity.
– Billing services
– Repricing companies
– Community health information systems
– Value-added networks or switches

Business Associates

• Individuals or entities that receive PHI from covered entities and provide services for or perform functions on behalf of covered entities.

• Employees and volunteers, no; independent contractors, yes.

• May include board members.
• A covered entity may be a business associate of another covered entity.

Business Associates

• Functions on behalf of a covered entity:
– claims processing
– data analysis
– processing or administration
– utilization review
– quality assurance
– billing
– benefit management
– practice management
– repricing

Business Associates

• Services performed for covered entity:
– legal
– actuarial
– accounting
– consulting
– data aggregation
– management
– administrative
– accreditation
– financial

Business Associate’s Duties

• Must abide by restrictions on PHI in contract.
• Use appropriate safeguards to protect PHI.
• Ensure that agents or subcontractors agree to same restrictions. (“Chain of Trust” partners)
• Other requirements
– (e.g., make internal practices, books, and records relating to use and disclosure of PHI available to HHS Secretary for purposes of determining covered entity’s compliance with HIPAA.)

Business Associate Contract

• Can be an addendum to current contract
• Establish required and permitted uses and disclosures of PHI by BA.
• State that BA may not use or further disclose PHI in violation of HIPAA rules if done by covered entity.

• Note: BA may use PHI for internal management and administration of BA, legal responsibilities, and data aggregation for covered entity.

• Model contract provisions provided by HHS as part of proposed rule modification.

Uses and Disclosures of PHI

• Basic rule: NO USE OR DISCLOSURE EXCEPT AS PERMITTED OR REQUIRED BY RULE.

Permitted Uses and Disclosures

• To the individual (without request).
• With authorization or agreement of the individual.
• Other circumstances specified in rules where authorization not required (e.g., disclosure to business associates).

• Transfer of records upon sale, transfer, consolidation, or merger.

Required Disclosures

• To the individual when requested per rule.

• When required by HHS for investigation or compliance purposes.

Minimum Necessary Rule

• General Rule
– Covered entity must make reasonable efforts to limit permitted uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
– Same requirement applies to requests for PHI from one covered entity to another.

Minimum Necessary Rule

• Minimum necessary usage requires, among other things, identifying:
– employees with need for access to PHI
– categories/types of PHI needed
– conditions for access

• Must also comply with any applicable restrictions (e.g., per patient agreement).

Minimum Necessary Rule

• Okay to rely on requesting party’s judgment in some cases (if reliance is reasonable):
– another covered entity
– public officials or agencies
– business associates or workforce member
– researchers acting per IRB/Privacy Board

Minimum Necessary Rule

• Exceptions
– disclosures to or requests by health care provider for treatment
– uses or disclosures to individuals by law or authorization
– disclosures to HHS
– uses or disclosures pursuant to law or compliance requirements

Minimum Necessary Rule

• Modified proposed rule clarifies that conversations between physicians about patient do not violate rule even if they are overheard.

• Modified rule also clarifies that incidental disclosures generally do not violate the rule as long as minimum necessary rule satisfied and other reasonable safeguards adopted.

Verification Requirement

• Covered entity generally must verify the identity of a person requesting PHI and the authority of the requesting party to have access to the PHI (unless known).

• Requirement met if covered entity exercises professional judgment and acts in good faith in making disclosures under the rule.

The Nuts & Bolts of Patient Protections

• Consent
• Authorization
• Exceptions
• Notice of Privacy Practices
• The Rights of Individuals

Consent

• Final Rule would have required physicians and other health care providers to obtain consent from patient for use and disclosure of PHI for treatment, payment, or health care operations (TPH).

• Modified rule eliminates consent requirement and simply requires notice of provider’s privacy policies and practices be provided to patient.

• Patients should be asked to acknowledge receipt of privacy policies and practices.

Authorization

• An authorization generally allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations.

• Covered entities must obtain an authorization to make uses and disclosures not otherwise permitted or required under the Privacy Rule.

• An authorization must be written in specific terms, and may allow use and disclosure of PHI by the covered entity seeking the authorization, or by a third party.

Authorization

• Document and retain signed authorizations.

• Provide patient with copy.
• May not condition treatment, payment, or enrollment in health plan or eligibility for benefits on authorization except for research-related treatment and other circumstances specified in rule.

Single Authorization Form

• Final Rule required different types of forms for different types of disclosures.

• Modified Rule requires only one form regardless of type of disclosure.

Authorization Requirements

• Must be written in plain language.
• A copy must be provided to individual if provider seeks authorization.

Authorization Requirements

• A description of the information to be used or disclosed that identifies the PHI in a specific and meaningful fashion.

• The name of those authorized to request disclosure of PHI.

• The name of persons to whom provider may make the requested disclosure.

Authorization Requirements

• A description of each purpose of the requested use or disclosure. “At the request of the individual” is sufficient description of purpose when an individual initiates the authorization and does not provide a statement of the purpose.

• Statement whether provider can condition treatment on authorization.

Authorization Requirements

• An expiration date or event relating to individual or purpose of use or disclosure.

• Signature of individual (or personal representative) and date.

• Statement re individual’s right to revoke authorization.

• Statement concerning possibility of redisclosure.

Authorization for Marketing

• Under proposed modification, covered entity must obtain authorization from individual before sending them any marketing materials or selling patient lists.

• But covered entities may communicate freely with patients about treatment options and other health-related information, including disease-management programs.

No Authorization Required

• With individual’s agreement in limited circumstances

• Public health activities
• Health oversight programs
• FDA-regulated activities (e.g., adverse incidents)
• Judicial and administrative hearings
• Certain law enforcement purposes
• Concerning decedents to coroners/funeral directors
• Research in certain circumstances

Prior Consents/Authorizations

• Covered entity may continue to use or disclose PHI pursuant to a prior consent, authorization, or other form of legal permission with some restrictions.

• But usually will need to obtain new consent or authorization for data collected after compliance date, except for research studies based on individual’s consent.

Privacy Notice

• HIPAA generally provides individuals the right to “adequate notice” of:
– the uses and disclosures of PHI that may be made by the covered entity.
– the individual’s rights and the covered entity’s legal duties with respect to PHI.

• The Notice describes the covered entity’s PHI-related privacy practices.

• Specific and detailed requirements for the Notice are set forth in the Privacy Rule.

Privacy Notice

• Must provide on first date of service delivery or as soon as reasonably practicable after an emergency.

• Must make good faith effort to obtain a written acknowledgement of receipt of notice from patient or document reasons why acknowledgement not obtained—substitute for consent.

Privacy Notice

• Must be prominently displayed at site of service and/or posted on web site.

• Must be available upon request.
• Must issue new notice when material changes.
• Must keep copies of all notices and acknowledgements of receipt.

Rights of Individuals

• To receive privacy notice at time of first delivery of service.
• To request restrictions on uses and disclosures of PHI
– Covered entity not required to agree.
– But if it does so agree, it must comply with restrictions, except for emergencies or other circumstances specified in rules.
– Must document agreement.
– May terminate with individual’s agreement or without agreement prospectively only.

Rights of Individuals

• To receive PHI communicated to them by alternative means and at alternative locations to protect confidentiality.

• To inspect and obtain copies of their PHI from covered entity, except for psychotherapy notes and other exceptions, subject to procedures in rules.

Rights of Individuals

• To amend or correct PHI.
• To request an accounting of disclosures in six years prior to request, not including disclosures re treatment, payment, and health care operations, or individuals’ requests for PHI, except for disclosures pursuant to written authorization (see proposed modification).

• Rights apply to individual and personal representatives.

Parents of Minors

• For the most part, parents have right to access and control PHI of their minor children.

• Exceptions to this rule track circumstances in which state law precludes such parental access or control (e.g., permitting HIV testing of minors without parental permission, cases of abuse, etc.) or where parents have agreed to give up access and control.

Research

• Proposed modification clarifies that researchers may combine authorization with informed consent to participate in clinical trial.

• Proposal also conforms requirements of research exception to “Common Rule” used for federally-funded research.

Compliance & Other Issues

• Compliance & Enforcement
• Preemption
• Legal Challenges

Compliance

• Covered entities must comply by April 14, 2003.
• One-year extension for BA contract compliance per proposed modification.

Compliance

• Designate privacy official and contact person;
• Train workforce in policies and procedures required to safeguard PHI (different requirements for small and large physician practices);
• Procedures and safeguards to protect PHI and limit incidental uses or disclosures of PHI;
• Institute complaints process; and
• Other requirements set forth in rules.

Compliance: Bus. Assoc.

• Covered entity not responsible for overseeing BA’s compliance with terms of agreement.

• But, covered entity violates rule if it knew of a pattern of activity or practice of BA that breached contract, unless covered entity took steps to end the violation and/or terminate the contract, if feasible, or report problem to HHS.

• If BA is also covered entity and it violates its obligations under the BA Agreement, then it will be directly liable under HIPAA.

Compliance: Bus. Assoc.

• Contract must have appropriate termination provisions, including return or destruction of PHI upon material breach, if feasible.

• Proposed rule would give covered entities up to an additional year to modify their contracts with BA’s to comply with the privacy rule.

Enforcement

• Individual complaints with Secretary within 180 days of act or omission.

• HHS investigation authority.
• Informal resolution authority.
• Civil Penalties.
• Criminal Penalties.

The Enforcement Provisions: 42 U.S.C. §§ 1320d-5 & 1320d-6

• 42 U.S.C. § 1320d-5 covers civil violations
• 42 U.S.C. § 1320d-6 covers criminal violations
• These sections are not found in the HHS Regulations; rather, they come from HIPAA itself.

General Penalty for Failure To Comply With Requirements and Standards: 42 U.S.C. § 1320d-5 (Civil Violations)

• Punishes any violation of regulations
• Maximum penalty of $100 per violation
• Cap of $25,000 per calendar year for each provision of the regulations that is violated

Wrongful Disclosure of Individually Identifiable Health Information: 42 U.S.C. § 1320d-6(a) (Criminal Violations)

• Violation of federal law
• Violations must be committed “knowingly”

MENS REA And Use Of The Word “Knowingly”

• A person commits an act “knowingly” when it is done purposefully; that is, the act is a product of a conscious design, intent or plan that it be done. Horne v. State of Indiana, 445 N.E.2d 976 (1983).

Three Ways To Violate 42 U.S.C. § 1320d-6

• Knowingly and in violation of the regulations using or causing to be used a unique health identifier;

• Knowingly and in violation of the regulations obtaining individually identifiable health information relating to an individual; and

• Knowingly and in violation of the regulations disclosing individually identifiable health information to another person.

Potential Bases For Criminal Liability

• Employee liability for employee’s own conduct

• Liability of privacy officers
• Corporate liability for acts of employees
• Concurrent liability of employees and corporation
• Business Associate Liability

Criminal Penalties For Violating § 1320d-6

• Maximum penalties are set forth in §1320d-6(b).

• Actual sentencing is determined according to the Federal Sentencing Guidelines.

Maximum Penalties (42 U.S.C. § 1320d-6(b)(1))

• Any violation:
– $50,000 fine, one year imprisonment, or both.

Maximum Penalties (42 U.S.C. § 1320d-6(b)(2))

• If offense is committed under false pretenses:
– $100,000 fine, 5 years imprisonment, or both.

Maximum Penalties (42 U.S.C. § 1320d-6(b)(3))

• If the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm:
– $500,000 fine, 10 years imprisonment, or both.

Preemption

• Requirements contrary to federal law are preempted.

• Exceptions
– more stringent state laws
– others

• Requests for preemption to be resolved by Secretary of HHS.

Legal Challenges

• South Carolina Medical Association v. HHS

• Association of American Physicians v. HHS

©2002 Jenner & Block LLC
