HIPAA Privacy Regulation - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA Privacy Regulation

Description:

Privacy Regulation of the Health Insurance Portability and Accountability Act of ... Contact Privacy Officer of organization that violated privacy regulation ... – PowerPoint PPT presentation

Slides: 25
Provided by: kathari6

Transcript and Presenter's Notes



1
HIPAA Privacy Regulation
  • Daniel Brzovic, Protection Advocacy, Inc.

2
OVERVIEW
  • Overview of HIPAA Privacy Regulation
  • Basic elements of regulation

3
Privacy Regulation of the Health Insurance
Portability and Accountability Act of 1996
(HIPAA).
  • Provides for uniform national privacy standards
    so that records can be transmitted and stored
    electronically
  • Provides for individuals to have access to their
    own records and an opportunity to correct them so
    that electronic records can be accurate
  • Requires that privacy and security be built into
    the policies and practices of health care
    providers and health plans.
  • Allows for the free flow of protected health
    information for treatment, payment and health
    care operations.

4
Key Concepts
  • Covered Entities: The HIPAA Privacy Rule applies
    to health care providers, health plans and health
    care clearinghouses who transmit any health
    information electronically
  • Protected Health Information (PHI): Any oral or
    recorded information relating to the past,
    present, or future physical or mental health of
    an individual, the provision of health care to
    the individual or the payment for health care
  • Treatment, payment or other health care
    operations: The HIPAA Privacy Rule does not
    impose disclosure restrictions on the exchange of
    medical files for the purposes of treatment,
    payment or other health care operations

5
Key concepts contd.
  • Minimum Necessary Standard: Whenever a covered
    entity uses or discloses protected health
    information or requests such information from
    another covered entity, it must make reasonable
    efforts to limit the information to the minimum
    amount necessary to accomplish the intended
    purpose of the use or disclosure
  • This standard is not as strict if the patient
    initiates the disclosure (i.e., signs an
    authorization form)

6
Basic Elements of Privacy Regulation
  • National Standard
  • Notice
  • Confidentiality
  • Psychotherapy Notes
  • Limits on Employers
  • Hospital Directories
  • Access
  • Right to Amend
  • Accounting of Disclosures
  • Safeguards, Security
  • Complaints

7
National Standard
  • The HIPAA Privacy Rule establishes a national
    standard for health privacy. It sets a minimum
    federal standard, a baseline with minimum
    protections for consumers. Stronger or more
    stringent (i.e., more privacy-protective) state
    laws still remain in effect. States are also
    free to enact stronger protections in the future.

8
HIPAA Preemption
  • Preempts less stringent state privacy laws
  • This means state laws providing less protection
    for confidentiality than HIPAA does
  • This also means state laws providing less access
    for an individual to the individual's own
    records, and less opportunity to correct the
    records
  • California law is more stringent than HIPAA in
    some respects, and less stringent in others

9
California Privacy Laws
  • Confidentiality of Medical Information Act
    Civil Code 56 et seq.
  • Lanterman-Petris-Short Act WIC 5328 et seq.
  • Lanterman Act WIC 4514 et seq.
  • Alcohol/substance abuse and HIV records
  • Patient Access to Medical Records Act HSC
    123110 et seq.
  • Other statutes.

10
Notice
  • Notice of Privacy Practices
  • Good faith effort to obtain signature
  • Signature is not required and is not a condition
    for treatment
  • Not a consent form

11
Confidentiality Exceptions
  • Patient (or representative) signs valid
    authorization for release
  • Disclosure required by law
  • Public health activities
  • Victims of abuse, neglect, domestic violence.
  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Specialized government purposes
  • Other enumerated purposes

12
Authorization for Release
  • PHI may be released to anyone if the patient (or
    personal representative) signs a valid
    authorization.
  • The authorization must be filled out completely.
  • The authorization must contain:
      • Name of information provider
      • Name of information recipient
      • Description of PHI to be disclosed
      • Purpose of disclosure or use

13
Authorization (Continued)
  • Disclosure can be very broad, e.g.:
      • Any and all providers may disclose to
      • Anyone
      • Any and all of my PHI
      • This authorization is at my request
  • It is best to have a narrowly-tailored
    authorization
  • You should go over the authorization with the
    client carefully, and make sure the client is
    only disclosing what is necessary

14
Authorization (Continued)
  • The authorization must also contain:
      • Notice that if PHI is disclosed by the recipient,
        it may no longer be protected under HIPAA
      • Notice that the authorization may be revoked
        unless the provider has taken action in reliance
        on the authorization
      • If the authorization is obtained by a provider,
        notice that treatment, payment, enrollment, or
        eligibility for benefits cannot be conditioned on
        signing the authorization, and exceptions

15
Authorization (Continued)
  • The authorization must also contain:
      • Expiration date or event
      • Signature and date
      • Relationship or authority of person signing if
        signed by someone other than the patient
  • A copy of the authorization must be given to the
    individual (if the authorization is obtained by
    the provider)
  • There must be a separate authorization for
    psychotherapy notes
  • There must be a separate authorization for non-PHI

16
Authorization (Continued)
  • Additional California requirements:
      • The authorization must be in 14-point type or
        handwritten by the person who signs it
      • The use as well as the disclosure can be
        restricted
      • Revocation must be in writing
      • There must be a notice that the individual is
        entitled to a copy
      • There must be an expiration date (rather than a
        date or event)
      • Under California law, further release of the
        information also requires the same type of
        written authorization

17
Psychotherapy Notes
  • Mental health providers may not disclose
    psychotherapy notes without first obtaining a
    patient's voluntary authorization, except in
    specific instances
  • Psychotherapy notes are a narrow category
  • Psychotherapy notes are notes by a mental health
    professional documenting or analyzing the
    contents of conversation during a private
    counseling session or a group, joint, or family
    counseling session and that are separated from
    the rest of the individual's medical record.

18
Limits on Employers
  • Health care providers and health plans are barred
    from disclosing identifiable health information
    to employers
  • In California, employers have the same
    confidentiality requirements as medical care
    providers

19
Hospital Directories
  • Right to opt-out of having name and health status
    publicly available in a hospital's directory
  • In California (subject to opt-out requirements)
    if someone requests information about a patient
    by name, the hospital may release information
    about the individual's general condition and
    location in the hospital

20
Access
  • Right to see and copy own medical records (Does
    this include third parties?)
  • Copies must be supplied within 30 days of request
  • Reasonable fee
  • California access law is preempted in most cases
    with notable exceptions

21
Right to Amend
  • Right to amend or supplement own protected health
    information as long as the covered entity
    maintains the information
  • The covered entity must act no later than 60 days
    after it receives the request
  • Grievance procedure for refusal to amend
  • In addition, California law allows an addendum of
    not more than 250 words to be added to medical
    records

22
Accounting of Disclosures
  • Right to receive an accounting of disclosures of
    PHI made by the covered entity during the six
    years prior to the date the request was made
  • Includes disclosures to or by business
    associates, but not disclosures related to
    treatment, payment, or health care operations, or
    if authorization was given

23
Safeguards, Staff training, Privacy Officer
  • Covered entities must have appropriate technical
    and administrative safeguards in place to protect
    information
  • Training of staff
  • Appoint Privacy Officer

24
Complaints When Your Rights Are Violated
  • Contact Privacy Officer of organization that
    violated privacy regulation
  • File a Federal complaint with the Department of
    Health and Human Services Office for Civil Rights
  • Seek State level recourse (in California, this
    may include an action for damages under
    California law)