
Homeless Integrated Delivery System: The Impact of HIPAA and State Privacy Laws

Date post: 10-Jan-2016
Transcript
Page 1: Homeless Integrated Delivery System:  The Impact of HIPAA and State Privacy Laws

Homeless Integrated Delivery System:

The Impact of HIPAA and State Privacy Laws

Patrick J. Webster, Esq.

[email protected]

412.355.8387


What is HIPAA?

Health Insurance Portability and Accountability Act of 1996

Health Care Access, Portability, & Renewability

Preventing Fraud & Abuse; Medical Liability Reform

Privacy

Administrative Simplification

HIPAA


Rationale for Regulations

Inconsistent or nonexistent state laws regarding standards of privacy for patient data

Inconsistent or nonexistent state laws protecting patient’s rights regarding their data

Exponential increase in availability and scope of patient data


Who Is Covered?

“Covered Entities”

- Health Plans

- Health Care Clearinghouses

- Health Care Providers


Health Care Providers

Providers who conduct financial and administrative transactions electronically

- electronic billing

- fund transfers


What Is Covered?

Protected Health Information (PHI)

Generally, “Individually Identifiable Health Information” that is:

(i) Transmitted by electronic media; or

(ii) Maintained in any electronic medium; or

(iii) Transmitted or stored in any other form or medium.


Protected Health Information

Individually Identifiable Health Information

(i) Information created or received by the Covered Entity;

(ii) Relates to past, present, or future physical/mental health condition, treatment or payment for care of the individual;

(iii) Identifies the individual or provides a reasonable basis to identify the individual; and

(iv) Is used in connection with treatment, payment or “Health Care Operations”


Health Care Operations

- Quality assurance activities

- Credentialing

- Accreditation

- Peer review

- Case management

- Training

- Business planning

- Certain marketing and fund raising


Definition of “Use”

Defined as “the sharing, employment, application, utilization, examination or analysis of” Individually Identifiable Health Information.

Simply put, regulations concerning uses govern the internal transmission of information.


Definition of “Disclosure”

HIPAA regulations define “disclosure” to mean “the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.”

Disclosures are releases of information to entities outside the transferor entity


General Rule

Covered entities may not use or disclose protected health information unless the Privacy Regulations permit or require them to do so


Permitted Uses & Disclosures

1. To the individual patient

2. For treatment, payment or Health Care Operations

3. “Incident to” a permitted or required use or disclosure

- minimum amount necessary, unless for treatment purposes;

- must be in compliance with permitted use or disclosure;

- must have adequate safeguards


Permitted Uses & Disclosures

4. Pursuant to a valid Authorization

(i) Required when use and disclosure is not otherwise allowed under the Privacy Rule

(ii) Required for psychotherapy notes


Permitted Uses & Disclosures

5. Pursuant to agreement of patient, which requires…

(i) Patient be informed in advance of the use or disclosure, and

(ii) Patient is given the opportunity to agree, prohibit, or restrict the disclosure (with exceptions for emergency situations).


Permitted Uses & Disclosures

6. For involvement in the patient’s care and notification purposes

7. The patient agrees and is present

8. Pursuant to the best interests of the patient as determined by the professional judgment of the provider

9. Pursuant to disaster relief efforts


Permitted Uses & Disclosures

10. When required by law

(i) victims of abuse, neglect or domestic violence

(ii) for judicial and administrative proceedings

(iii) law enforcement purposes

11. For public health & oversight purposes

12. To coroner & funeral director


Permitted Uses & Disclosures

13. To organ procurement organizations

14. For research, subject to restrictions

15. To avert a serious threat to health or safety of the person or the public

16. For specialized government functions


Required Disclosures

1. To an individual, when requested

2. When required by HHS to investigate or determine the covered entity’s compliance with HIPAA


Privacy Policies

1. Must set forth rights of access and inspection, duties of covered entity, grievance procedures, right to accounting of disclosures

2. Must ensure that uses and disclosures are limited to “Minimum Necessary” information for purpose


Minimum Necessary Standard: Exceptions

- Requests by a health care provider for treatment purposes

- To the individual

- To HHS when required for enforcement

- Otherwise required by law


Notice of Privacy Practices

Covered entities are required to provide notice detailing privacy practices

The Notice of Privacy Practices must:

- Be written in plain language

- Contain sufficient detail to put reader on notice of practices

- Contain specific content relating to: rights of access and inspection, duties of covered entity, grievance procedures and contacts


Notice of Privacy Practices

Procedures to be followed:

(i) Notice to be Posted

(ii) “Good faith effort” to obtain written acknowledgment

(iii) Form of acknowledgment to be determined by the covered entity

(iv) Documentation of refusals

(v) Not prerequisite to treatment


Disclosures to Business Associates

Covered Entities must obtain “Satisfactory Assurances” from other entities that are not themselves Covered Entities prior to disclosing Protected Health Information.

Such other entities are generally referred to as “Business Associates”.


Business Associates

1. Generally speaking, a Business Associate is a person or organization that:

(i) Performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information on behalf of a covered entity, or


Business Associates

(ii) Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, where the provision of services involves the disclosure of individually identifiable health information


Business Associates

Privacy Rule conditions disclosure of Protected Health Information upon “satisfactory assurances” from Business Associate to safeguard the information

“Satisfactory assurances” means business associate will:

- Use information for intended purpose

- Safeguard information from misuse

- Assist with providing individuals with access to Protected Health Information


Business Associates

Covered Entity is not required to actively monitor its Business Associates, but…

If Covered Entity has actual knowledge of pattern of activity or practice that constitutes breach of a Business Associate’s assurances, the Covered Entity must:

- Take reasonable steps to cure; and

- If unsuccessful, must terminate (if feasible) or report to HHS


HIPAA Summary

Comprehensive set of regulations that governs who has access to information, what information is disclosed, and how that information is released


General Requirements

HHS recommends that “average” provider or health plan:

- Adopt clear privacy procedures

- Provide notice to patients about privacy rights and how information can be used

- Train employees so that they understand the privacy procedures

- Designate a Privacy Officer

- Secure Patient Records

- When necessary, enter into Business Associate Agreements

Size of Provider dictates Level of Compliance


Issues Arising from HIPAA & Other Privacy Laws for the Homeless Integrated Delivery System

Prior to HIPAA, confidentiality was addressed (if at all) through a variety of State Laws

Similarities among State approaches, but no uniformity

State Laws often have specific provisions on “Ultra-Sensitive Data” - mental health, drug and alcohol, HIV information


Pennsylvania Laws Relating to Sensitive Data

Mental Health Records

- Mental Health Procedures Act

- DPW Implementing Regulations

- Privileged Communications to Psychiatrists and Licensed Psychologists


Laws Relating to Sensitive Data

Drug and Alcohol Records

- Pennsylvania Drug and Alcohol Abuse Control Act

- DOH Implementing Regulations

- Privileged Communications to Psychiatrists and Licensed Psychologists

Federal confidentiality regulations – 42 C.F.R. Part 2


Pennsylvania Laws Relating to Sensitive Data

HIV Records

Confidentiality of HIV-Related Information Act


HIPAA’s Preemption Provisions – State Privacy Laws

Federal privacy law does not preempt a conflicting State law provision that relates to the privacy of health-related information.


HIPAA’s Preemption Provisions – State Privacy Laws

THUS --- State Privacy Laws are not superseded if there is no conflict with Federal law

AND State Privacy Laws are not superseded if they are more stringent than Federal law


State Law and Integration

Because HIPAA is a new law, there has not been an opportunity for the legal system to determine which state privacy laws will be preempted by HIPAA, and which will continue to be enforceable by the individual states.


State Law and Integration

Because the purpose of the Homeless Integrated Delivery System is to allow providers of medical health, mental health and substance abuse services to better serve the homeless population, compliance with Pennsylvania’s laws as well as the new HIPAA regulations is crucial to the smooth functioning of the System


State Law and Integration

Working with Health Care for the Homeless, we have been developing the necessary agreements, forms and policies necessary to allow the wide array of providers serving this population to participate in the Integration System while complying with all relevant laws, at both the Pennsylvania and Federal levels


Integrated Delivery System

Necessary documents and legal analysis for compliance with HIPAA & State privacy laws

- Standard Sub-Recipient Agreement

- Authorizations compliant with all applicable laws

- Consultation on Business Associate issues

