HIPAA: Confidentiality and Privacy Issues

NAHO 2015 Conference
Scottsdale, Arizona
Course Description:

Discussion of the nature, types and scope of health care
information protected by the HIPAA law; covered entities; non-covered
entities; the HIPAA privacy rule; balancing privacy
against the need to use information to provide high quality
health care and protect the public health; how health care
information is protected under HIPAA; the duty to protect
medical records under HIPAA; electronic health records and
HIPAA; remedies for disclosure of protected information;
subpoenas and court orders that require disclosure of
information protected by HIPAA; and related medical records
privacy protections under the Freedom of Information Act (FOIA)
and state public records act provisions.

HIPAA 1
 HIPAA LEGISLATION
The HIPAA legislation was enacted in 1996. The Act combined
two bills, one dealing with insurance portability, and the other
dealing with health accountability as it applies to privacy and
confidentiality of patient medical records. The legislation was
passed in part to address concerns about the privacy of medical
records with the widespread use of the internet and the
accompanying concerns over technological security. Those issues
remain today, with news stories about eavesdropping and
hacking attacks on our government and large health insurers.
However, the Act’s confidentiality requirements apply to medical
records and communications whether they are electronic or not.
They include written and verbal communications.
HIPAA 2
 COVERED ENTITIES
HIPAA confidentiality of health care information requirements apply
to covered entities. These include:
 Any health care provider and its employees, including doctors,
dentists, pharmacies, and other patient care organizations such as
hospitals, outpatient clinics, home health agencies, and health related
businesses
 Any health insurance company such as Anthem Blue Cross or Kaiser
health plan (HMO)
 Any health related company that gives or receives health related
information, such as transcription services or billing companies
HIPAA 3
 Non-covered entities
 Entities that have health information that are not covered
by HIPAA requirements include:
“life insurers, employers,
workers compensation carriers,
most schools and school districts,
many state agencies like child protective service agencies,
most law enforcement agencies,
many municipal offices.”
See:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html
HIPAA 4
 3. HIPAA’s privacy rule is designed “to assure that
individuals’ health information is properly protected
while allowing the flow of health information needed
to provide and promote high quality health care and to
protect the public’s health and well being”. See:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html
HIPAA 5
 The HIPAA privacy rule dictates:
 1. What patient information is private
 2. To whom disclosure is allowed
 3. How allowable information is disclosed
HIPAA 6
 Private patient information 1
 Patient information that is protected by HIPAA is
called “private patient information”. The statutory
term is protected health information. This covers
information that is unique to an individual such as:
 Individual’s name, address, date of birth, telephone
numbers, e-mail addresses, social security numbers,
 Account numbers (medical record numbers), health
plan (insurance) numbers, certificate or license
numbers, Web site addresses, fingerprints and voice
prints, and photographic images.
HIPAA 7
 Private patient information 2
 Health care information protected by HIPAA includes:
 “Information your doctors, nurses, and other health care
providers put in your medical record
Conversations your doctor has about your care or treatment with
nurses and others
Information about you in your health insurer’s computer system
Billing information about you at your clinic
Most other health information about you held by those who
must follow these laws”
http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html
HIPAA 8
 Disclosure of protected health information
 Health care workers can disclose protected health
information for the following purposes:
Coordination of treatment and care
Provision of good care to patients by health care workers
Support of patients by family members or friends (with
patient consent)
Payment of health care providers
Protection of public health
Regulatory reporting (to the government)
HIPAA 9
 Health care information is protected under HIPAA as follows:
 “Covered entities must put in place safeguards to protect your health
information and ensure they do not use or disclose your health
information improperly.
 Covered entities must reasonably limit uses and disclosures to the
minimum necessary to accomplish their intended purpose.
 Covered entities must have procedures in place to limit who can view
and access your health information as well as implement training
programs for employees about how to protect your health information.
 Business Associates also must put in place safeguards to protect your
health information and ensure they do not use or disclose your health
information improperly.”
http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

HIPAA 10
 Who can look at and receive health care information: “The Privacy Rule sets rules
and limits on who can look at and receive your health information
 To make sure that your health information is protected in a way that does not interfere
with your health care, your information can be used and shared:
 For your treatment and care coordination
 To pay doctors and hospitals for your health care and to help run their businesses
 With your family, relatives, friends, or others you identify who are involved with your
health care or your health care bills, unless you object
 To make sure doctors give good care and nursing homes are clean and safe
 To protect the public's health, such as by reporting when the flu is in your area
 To make required reports to the police, such as reporting gunshot wounds
 Your health information cannot be used or shared without your written permission
unless this law allows it. For example, without your authorization, your provider
generally cannot:
 Give your information to your employer
 Use or share your information for marketing or advertising purposes or sell your
information” See:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html
HIPAA 11
 Another purpose for disclosure of protected health
information (PHI) related to a patient is to coordinate
treatment and care of that patient. PHI may be disclosed
under HIPAA to a health care worker who is providing
patient care or one who is coordinating patient care.
Disclosure of PHI to another health care worker is
permitted for the purpose of providing patient care, but not
permitted merely because the recipient is a health care
worker. See:
http://articles.latimes.com/2008/mar/15/local/mebritney15 (UCLA hospital fires 13 employees who accessed
Britney Spears’ health care records while she was being
treated at the hospital. None of these employees were
providing patient care to Ms. Spears.)
HIPAA 12
 Court orders and subpoenas: “A covered health care provider or health plan may disclose
protected health information required by a court order, including the order of an
administrative tribunal. However, the provider or plan may only disclose the information
specifically described in the order.
 A subpoena issued by someone other than a judge, such as a court clerk or an attorney in
a case, is different from a court order. A covered provider or plan may disclose
information to a party issuing a subpoena only if the notification requirements of the
Privacy Rule are met. Before the covered entity may respond to the subpoena, the Rule
requires that it receive evidence that reasonable efforts were made to either: notify the
person who is the subject of the information about the request, so the person has a
chance to object to the disclosure, or to seek a qualified protective order for the
information from the court.
 For further information on this topic, please refer to 45 C.F.R. § 164.512(e) and
OCR’s Frequently Asked Questions.”
See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/courtorders.html
HIPAA 13
 For disclosures for judicial and administrative proceedings, can notice be
provided to the individual's lawyer instead of the individual?
 Answer:
 Yes. A covered entity that is not a party to litigation must obtain or receive the
satisfactory assurances required by 45 CFR 164.512(e) before making a disclosure for a
judicial or administrative proceeding. Where the satisfactory assurances are in the form
of notice to the individual, a written statement and accompanying documentation of
notice to the individual’s lawyer is considered to be notice to the individual and, thus,
suffices, provided the documentation otherwise meets the requirements of 45 CFR
164.512(e)(1)(iii). Specifically, the written statement and accompanying documentation
must demonstrate that the notice included sufficient information about the litigation to
permit the individual to raise an objection to the court; and that the time for the
individual to raise objections has elapsed, with no objections having been filed, or all
filed objections having been resolved.
 See:
http://www.hhs.gov/ocr/privacy/hipaa/faq/judicial_and_administrative_proceedings/707.html
Judicial Decisions dealing with
HIPAA and related issues
 1. Pachowitz v. Ledoux, 666 N.W. 2d 88 (2003)
 2. Proenza Sanfiel v. Department of Health, 749 So. 2d 525
(1999)
 3. In Re John Doe MD, 595 A. 2d 1290 (1991)
 4. Murphy v. Dulay, 768 F.3d 1360 (11th Cir., 2014)
 5. Mais v. Gulf Coast Collection Bureau, 768 F. 3d 1160 (11th
Cir., 2014)
Many other HIPAA case discussions can be found at:
https://www.thesullivangroup.com/risk_resources/ToolBox/Court%20Decisions%20final%202.pdf
Civil enforcement of HIPAA
statutory provisions 1
 HIPAA statutory provisions are administered by the
Department of Health and Human Services (HHS). HHS
has rulemaking authority to flesh out the provisions of the
Act. Civil enforcement of HIPAA violations is conducted
by the Office for Civil Rights (OCR). See:
http://www.hhs.gov/ocr/office/index.html. OCR
investigates HIPAA complaints. These investigations are
triggered by a patient complaint. OCR recommends that a
complaint be filed within 180 days of the occurrence. OCR
recommends that the patient complaint be filed first with
the covered entity. While this is not a legal requirement, it
does give the institution the opportunity to take corrective
action. However, patients can file their complaint
directly with OCR if they prefer.
Civil Enforcement 2
 Once OCR receives the complaint, it will first complete an
informal review. Later, for more serious cases, it will
initiate a formal review. The outcome of a formal review
can include requirements for corrective action and the
imposition of civil penalties directed toward the
institution (the covered entity). Civil penalties include a
$100.00 penalty for each violation, with a $25,000 maximum
penalty for each calendar year. Civil penalties are the most
common outcome for HIPAA violations, and they apply
only to the institution, not to individuals, because of the doctrine
of respondeat superior: the institution is civilly responsible
for the acts of its employees.
Criminal liability under HIPAA 1
 Criminal prosecutions under HIPAA are relatively rare.
 See:
https://www.law.uh.edu/healthlaw/perspectives/2007/(DM)HIPAACrimCharges.pdf
 United States v. Richard Gibson is one of those rare cases.
Gibson, a phlebotomist, accessed patient information,
which he fraudulently used to obtain credit cards. Gibson
entered into a plea agreement under which he served 16
months in jail, and he agreed to pay restitution to the
credit card companies.
 See:
http://www.advancedbenefitconsulting.com/HIPAAnews/plea_agreement_us_vs_gibson.pdf
Criminal Liability 2
 The Department of Justice (DOJ) has been given the
authority to prosecute the criminal law violations that are
based on HIPAA provisions. An individual who knowingly
violates HIPAA’s privacy rule and obtains or discloses
identifiable patient health information can receive up to
$50,000 in fines and one year in prison. The fines go up to
$100,000 and up to five years in prison if the violation is
under false pretenses. The fines go up to $250,000 and up to
ten years in prison if the violation includes an intent to sell,
transfer, or use the information for commercial advantage, personal gain, or
malicious harm. Federal criminal prosecutions are
handled by local U.S. attorneys’ offices.
Privileged Communications 1
 1.The Nature of Evidentiary Privileges
 Evidentiary privileges protect against disclosure of
confidential communications that otherwise could be
compelled in the litigation process (either in discovery or at
the trial of a lawsuit). When a privilege applies,
information that may be very relevant to the resolution of
factual disputes in litigation is protected from disclosure.
Public policies that support the recognition of privileges
include privacy interests, protecting important
relationships, and encouraging fuller disclosure of
information to a treating professional.
Privileged Communications 3
 Doctor-Patient (Federal Rule of Evidence 501; Uniform
Rules of Evidence Rule 503; California Evidence Code
Section 994; Snibbe v. Superior Court (2014) 168 Cal.
Rptr. 3d 548). This privilege protects the medical
privacy interests of patients. This is especially
important for patients who are treated by psychiatrists
because of the stigma associated with mental illness.
The privilege encourages patients to provide full
information to their doctor which is necessary for the
doctor to provide the best treatment. The privilege
recognizes the importance of the doctor-patient
relationship.
Privileged Communications 4
 Psychotherapist-Patient (Federal Rule of Evidence 501;
Uniform Rules of Evidence Rule 503; California
Evidence Code Section 1010). This privilege broadly
applies to protect confidential communications
between a patient and a psychiatrist, psychologist,
clinical social worker, school psychologist, or
marriage and family therapist. This
privilege serves many of the same purposes as the
doctor-patient privilege.
Privilege Exceptions 1
 1. Most evidentiary privileges have exceptions under which
the privilege does not apply and the protected information
must be disclosed in discovery or at trial.
 A. Crime-Fraud exception (Uniform Rules of Evidence Rule
502(d)(1); Cal. Evidence Code Section 956 [lawyer-client
privilege exception]; Rule 504(d)(4); Cal. Evidence Code
Section 997 [physician-patient privilege exception]).
 Application: This exception applies when the professional
services of the doctor or lawyer were sought or obtained by
the client or patient to commit a crime or fraud.
Privilege Exceptions 2
 B. Patient-Litigant exception (Uniform Rules of Evidence Rule
502(d)(3); Calif. Evidence Code Section 958 [lawyer-client relationship];
Uniform Rules of Evidence Rule 503(d)(3); Calif. Evidence Code
Section 999 [physician-patient relationship]; Calif. Evidence Code
Sections 1016, 1020 [psychotherapist-patient relationship]).
 Application: This exception applies when the client or patient raises an
issue in litigation as to which privileged communications are relevant.
Malpractice litigation brought against the lawyer, doctor, or therapist is
a good example. Another example would be tort litigation in which the
plaintiff puts their physical or mental condition at issue in the lawsuit.
A third would be disability claims decided in administrative hearings,
such as workers’ compensation and social security disability cases. In
those cases, the applicant for benefits puts their physical or mental
condition at issue.
Protected Communications 1
 1. Evidentiary privileges protect confidential
communications made between a client or patient and
the professional (lawyer, doctor, or psychotherapist)
from whom they are seeking professional assistance.
 A. Lawyer-Client: (Uniform Rules of Evidence Rule
502(a)(2),(b); California Evidence Code Section 952).
 B. Physician-Patient: (Uniform Rules of Evidence Rule
503(a)(1),(b); California Evidence Code Section 992).
 C. Psychotherapist-Patient: (Uniform Rules of
Evidence Rule 503(a)(1),(5)(b); California Evidence
Code Section 1012).
Protected Communications 2
 Application: Confidential communications protected
by privileges are those between the client or patient
and the professional (lawyer, doctor, or
psychotherapist) that they are consulting for
professional assistance. The communications must be
made in confidence by means which disclose the
information to no third persons other than those who
are present to further the interest of the client or
patient in the consultation, or those to whom
disclosure is reasonably necessary to accomplish the
client’s goals or the patient’s course of treatment.
Protected Communications 3
 Example: A patient who consults a doctor for a medical
condition will often meet with the doctor in a patient
examining room. The patient will describe their condition
to the doctor. The doctor will examine the patient, maybe
run some tests, and then will offer a medical opinion and
advice to the patient. The patient information, examination
and test results, and the doctor’s opinion and advice will be
confidential communications protected
by the doctor-patient privilege and cannot be disclosed.
Disclosure to nurses or other health care professionals in
the course of treatment of the patient does not destroy the
privilege.
Administrative proceedings 1
 1. Adjudicative hearings: Evidentiary privileges are
applicable in administrative adjudicatory proceedings.
(2010 MSAPA Section 404(2).) Section 404(2) provides that
“(2) The presiding officer may exclude evidence in the
absence of an objection if the evidence is irrelevant,
immaterial, unduly repetitious, or excludable on
constitutional or statutory grounds or on the basis of an
evidentiary privilege recognized in the courts of this
state.” The definitions and scope of privileges are based
upon state law. 45 states have evidence codes that are
largely based upon the Federal Rules of Evidence [See rule
501, FRE]. 1981 MSAPA Section 4-212 is identical to section
404(2). 1961 MSAPA Section 10(1) required agencies to
follow the non-jury trial civil rules in adjudicative hearings.
Administrative proceedings 4
 4. Non-APA hearings. If the adjudicative hearing is not
governed by the state (or federal) APA, then privileges may
not be expressly protected, but disclosure waives the
protections of the privilege, so hearing officers should
be prepared to rule upon privilege claims presented in the
hearing. The applicability of a privilege does not change the
burden of proof rules, so a litigant may have to choose
between relying upon a privilege or disclosing the
privileged information and satisfying the burden of proof
requirements. This dilemma is present when the only
supporting evidence the privilege holder needs to
present their claim is protected by the privilege. The
dilemma does not occur when the issues-in-litigation
(patient-litigant) privilege exception applies to the hearing issues.
Confidentiality and Protective
Orders 1
 1. 2010 Model State Administrative Procedure Act
Section 411(d) (Discovery) provides for the issuance of
protective orders: “(d) On petition, the presiding
officer may issue a protective order for any material for
which discovery is sought under this section which is
exempt, privileged, or otherwise made confidential or
protected from disclosure by law of this state other
than this [act] and material the disclosure of which
would result in annoyance, embarrassment,
oppression, or undue burden or expense to any
person.”
FOIA disclosure
 1. Federal agencies are required to furnish any
reasonably described record requested by any person
for any reason [5 U.S.C. Section 552(a)(3)]. If the
agency does not provide the record, or delays in
providing the record beyond very short deadlines [20
days for the initial request], the requestor has the right to
go to court to compel the production of the records. If
the requestor substantially prevails in court, the
requestor can recover attorney’s fees and litigation
costs. These fees and costs will be paid by the federal
government.
FOIA Exemptions 2
 (4) trade secrets and commercial or financial
information obtained from a person and privileged or
confidential;
 (5) inter-agency or intra-agency memorandums or
letters which would not be available by law to a party
other than an agency in litigation with the agency [this
is also called the deliberative process privilege];
 (6) personnel and medical files and similar files the
disclosure of which would constitute a clearly
unwarranted invasion of personal privacy;
State Public Records Acts 1
 1. Most, if not all, states have public records acts that are
modeled on FOIA. These acts provide for mandatory
disclosure by the state or local agency of government
records that are requested and reasonably identified. The
acts provide for disclosure by the agency within a short
time period after the request is made, and there is judicial
enforcement if the agency does not disclose the records.
State acts also have exemptions from disclosure that are
similar to FOIA exemptions. The same types of parties
utilize state public records act provisions for the same
purposes [public interest organizations, competing
businesses, and news media organizations].