Title: Practicing In Harmony with HIPAA
1Practicing In Harmony with HIPAA
The views and opinions expressed in the
presentation are those of the presenter, and not
necessarily official positions of the United
States Department of Justice.
2Purpose
- Underscore the commitment of DOJ to facilitate
covered entity compliance with HIPAA while
pursuing its legitimate governmental functions - Discuss the different functions of DOJ with
reference to HIPAA disclosures
3The Multiple Hats of DOJ
- Health Oversight
- Law Enforcement
- Representing Government Entities
- VA Hospital, Rural Health Clinic, Government
Employees - Prosecuting Criminal Violations of 42 USC 1320d-6
- The activity will dictate the applicable HIPAA
provision which permits disclosure - DOJ is NOT a covered entity
4Which HIPAA Exception Permits Disclosure to DOJ?
- Least restrictive exception applies
- Health Oversight (45 CFR 164.512(d))
- (Essentially preserved the pre-HIPAA landscape on
disclosures) - Law enforcement (45 CFR 164.152(f)
- Representing a government agency (45 CFR
164.508)
5Informing the Covered Entity
- Informing the covered entity which provision of
HIPAA permits the requested disclosure - May be written, may be oral
6Permitted Disclosures to Law Enforcement
- Pursuant to Process and Required by law
164.512(f)(1) - Court Orders, Warrants, Judicial Subpoenas
- Grand Jury Subpoenas
- Administrative Request/Demand/Subpoena, provided
that - Relevant and material to legitimate L.E. inquiry
- Specific limited in scope to extent reasonably
practicable in light of the purpose - De-identified information could not reasonably be
used - Covered entity can rely on representations on the
face of the administrative subpoena
(164.514(h)(2)(A))
7Permitted Disclosures to Law Enforcement
- Other Provisions of 164.512 (f)
- 8 items for Identification and Location of
suspects, material witness, missing person - Victims of crime, but unless required by law or
process, certain limitations for victims of
abuse, neglect or domestic violence - Decedents, if under suspicious circumstances
- Crime on premises
- Reporting crime in an emergency
8One Health Oversight Note
- Health oversight has been discussed by Anne
MacArthur of the OIG - Special Note About Administrative Subpoenas used
in furtherance of health oversight activity - When a health oversight activity, 164.512(d)
governs the limitations in 164.512(f)(a) are
irrelevant (including restrictions on L.E.
administrative subpoenas) only apply to law
enforcement activity
9Some Other Special Circumstances
- Avert serious threat to health or safety
164.512(j) - Specialized government functions -164.512(k)
- National Security and Intelligence
- Protective Services for President and others
- Correctional institutions and other law
enforcement custodial situations
10Suspension of Audit Trail Disclosure
- A covered entity must suspend an individuals
right to an account when an oral or written
request is made by a health oversight or law
enforcement official for the length of time
requested by the official. 45 CFR 164.528
(a)(2) - Oral request (good for up to 30 days) followed by
written request - Document the request.
- Reasonably likely to impede the agencys
activities
11Preemption of State Privacy Law
- A HIPAA standard, requirement or implementation
specification, preempts a state law concerning
the privacy of protected health information,
unless the state law - Is contrary to HIPAA, and
- Relates to the privacy of Individually
Identifiable Health Information, and - Is more stringent than a provision of the HIPAA
medical privacy rules - U.S. Constitution supremacy clause
12Criminal Violations of HIPAA Privacy Rules
- HIPAA create a criminal violation for improper
disclosure or receipt of protected health
information 42 U.S.C. 1320d-6 - DOJ investigates and prosecutes criminal
violations of this statute primarily
investigated by FBI - 3-levels of escalating penalties keyed to
egregiousness of the offense conduct - Direct complaints, or referrals from HHS-OCR
13Conclusion
- We are committed to facilitating the disclosure
of protected health information for health
oversight and law enforcement purposes in
compliance with HIPAA - We will firmly resist efforts by covered entities
to constrict the exceptions which HIPAA permits - We will investigate complaints of criminal HIPAA
violations and prosecute where appropriate. - Ian DeWaal, Senior Counsel
- Department of Justice,
- Criminal Division, Fraud Section