CONFIDENTIALITY IN THE WORKPLACE UNDER HIPAA & ILLINOIS MHDDCA
Presentation to the Disability Rights Consortium
April 27, 2011
By John W. Whitcomb, Senior Attorney, Equip for Equality

Health Insurance Portability and Accountability Act (HIPAA)

The purpose of this Act was “to improve portability and continuity of health insurance coverage . . . to combat waste, fraud, and abuse in health insurance and health care delivery . . . and for other purposes.”

The Act was later amended to add Security and Privacy Regulations. The Security and Privacy Regulations address the privacy and disclosure of protected health information.

What is Protected?

Protected Health Information (PHI)

An individual's PHI encompasses individually identifiable information, whether oral or written, that is created or received by a health care provider, health plan or health care clearinghouse which relates to a person's physical or mental health, to the provision of health care to that person, or to the payment for that person's health care.

Covered Entities

Covered entities under HIPAA are health plans (which include health insurance companies, company health plans, HMOs and government health programs such as Medicare), health care providers and health care clearinghouses.

“Health care clearinghouses” are entities that convert health care information from nonstandard formats into HIPAA standard formats, and vice versa.

EMPLOYERS

Employers are specifically exempted from coverage under HIPAA.

Employment records are excluded from the definition of PHI, and so are not subject to the protections of HIPAA. 45 C.F.R. § 160.103.

Hybrids

HIPAA also encompasses “hybrid” organizations, which are “covered entities” whose business activities include both covered and non-covered functions.

The Privacy Rule permits any covered entity to elect hybrid status and comply with the Privacy Rule only as it relates to its covered activities.

Group Health Plans

“Group health plans” are employee benefit plans that provide actual health care benefits to employees.

The term includes not only major medical plans, but also vision, dental and group long-term care plans.

“Section 125” plans or “flexible spending accounts,” which allow employees to select certain health care benefits (or other kinds of employee benefits), are included.

Self Insured Plans

An employer that retains some administrative functions concerning the administration of an employee health plan may fall within the HIPAA Privacy Rule.

The Privacy Rule will also apply to an employer that receives private health information from a covered entity.

Business Associates

Business associates are those companies/employers that conduct business with covered entities (i.e., health plans, health care providers and clearinghouses), and who provide assistance to covered entities.

Business Associate Contracts

In allowing health care providers and plans to give PHI to “business associates,” the Privacy Rule conditions such disclosures on the provider or plan obtaining, by contract, assurance that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with its duties to provide individuals with access to health information about them and a history of certain disclosures.

American Recovery and Reinvestment Act of 2009 (ARRA)

Another part of ARRA, the Health Information Technology for Economic and Clinical Health Act (“HITECH”), as of February 10, 2010, imposes significant new privacy and security requirements on group health plans and other covered entities subject to HIPAA. HITECH primarily affects group health plans in two areas for 2010: breach notification and the business associate rules.

Business Associates under HITECH

Business associates are directly subject to most of the security and privacy rules of HIPAA. As a result, group health plans will wish to amend their business associate agreements to incorporate these new responsibilities, including the business associate's duty to notify the plan of any breach of unsecured PHI, and to allocate the risks associated with the costs of compliance in the event of a breach.

Enforcement

No private right of action under HIPAA.

Complaints can be filed with the Office of Civil Rights at the Department of Health & Human Services.

Penalties

Civil monetary penalty is based on the offender's scienter.

An unknowing violation is subject to a minimum penalty of $100 per violation, and a maximum of $50,000 per violation, with a yearly cap of $1.5 million.

Violations resulting from willful neglect are subject to a minimum penalty of $10,000 per violation and a maximum penalty of $50,000 per violation, with a yearly cap of $1.5 million.

Cooney v. Chicago Public Schools, 943 N.E.2d 23 (Ill. App. 1st Dist. 2010)

All Printing & Graphics, Inc., was retained by the Board of Education of the City of Chicago (Board) to print, package and mail a “Chicago Public Schools–COBRA Open Enrollment List” to over 1,700 former CPS employees. The mailing, sent sometime between November 23, 2006, and November 27, 2006, informed the former employees that as COBRA participants, they could change their insurance benefit plans. The list sent to each plaintiff contained the names of all 1,750 plaintiffs, along with their addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information (COBRA list).

Are they violating HIPAA?

Cooney v. Chicago Public Schools

Holding: HIPAA prohibits the disclosure of “individually identifiable health information to another person.” 42 U.S.C. 1320d–6(a)(3) (2006). But, “employment records held by a covered entity in its role as employer” are specifically excluded from HIPAA protection. 45 C.F.R. § 160.103 (2006). Because the Board held plaintiffs' health insurance elections in its role as an employer, the Board's disclosure falls outside HIPAA's coverage.

Illinois Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA)

Designed to protect the confidentiality of patients to ensure that no information about their treatment, or the fact that they are being treated at all, is released without the patient's consent.

Therapists and mental health providers cannot disclose records to anyone without the consent of the patient, except for narrow exceptions.

Consensual Disclosure

The Act provides for the consensual disclosure of information by a recipient. 740 ILCS 110/5. Section 5 makes it clear that a recipient may consent to disclosure of information for a limited purpose and that any agency or person who obtains confidential and privileged information may not redisclose the information without the recipient's specific consent.

Employers

An employer must get permission to redisclose, even for the application of benefits.

MHDDCA is stricter than HIPAA and therefore has precedence.

Remedies

Actual Damages.
– Reimbursement for any monetary loss suffered or other losses incurred as a result of the violation of the Act. This may include compensation for emotional pain and suffering.

Injunctive or Affirmative Relief.
– The court may require the person to do something or prohibit that person from doing something.

Fees and costs.

Karraker v. Rent-a-Center, 315 F.Supp. 2d 675 (C.D. Ill. 2005)

Plaintiffs, current and former employees of Rent-a-Center (RAC), alleged that RAC required all employees or outside applicants seeking management positions to take a battery of written tests, collectively referred to as the Management Test. Several tests included in the Management Test were personality inventories that inquired about personal information including sexual preferences and orientation, religious beliefs and practices, and medical conditions.

Karraker v. Rent-a-Center

APT scored and interpreted the Management Test for RAC, creating a two-page psychological profile about the individuals. RAC distributed this report to the employees' immediate supervisor and placed a copy of it in the employees' personnel file. RAC used the test results in deciding which employees to promote and what additional training to require. Plaintiffs assert that RAC formulated no policy or procedure for keeping the test results confidential.

Karraker v. Rent-a-Center

Claim: Specifically, Plaintiffs claim that the Management Tests were “psychological tests” and that the profiles APT provided to RAC prescribed personal growth exercises that the employee must undergo if he wanted a management job. The profiles summarized psychological characteristics of the individual employees and then recommended corrective action, a function of the tests that constituted mental health services.

Karraker v. Rent-a-Center

Holding: Although Plaintiffs' characterization of the tests and the MHDDCA are indeed novel, it is perhaps possible for them to develop facts that would establish a claim under the Act. It is, therefore, inappropriate to dismiss their claims at this stage in the proceedings. (The 7th Circuit subsequently ruled that the MMPI was a psychological test and the defendant’s use of it was a violation of the ADA – see Karraker, 411 F.3d 831 (7th Cir. 2005).)

QUESTIONS?

Presented by: Disabilities Rights Center 18 Low Ave., PO Box 3660