Privacy in the Real World

Stephen A. Serfass

Stephen.Serfass@dbr.com

Introduction

• Legal Landscape

• Key HIPAA Terminology

• Real World Case Studies

Legal Landscape

Legal Overview: Federal Law

• HIPAA (amended by HITECH)

Governs covered entities’ use/disclosure of “Protected Health Information” (PHI)

Financial consequences are significant for violations

Establishes breach notification obligation

No private right of action, but may be used to inform standard of care (e.g., state law cause of action for negligence claim)

Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 2014 WL 5507439 (Ct. Nov. 11, 2014)

Legal Overview: Federal Law (cont.)

• Breach victims have had success holding employers accountable for HIPAA violations by employees

Pharmacist exposed information of a woman (suspected of having an STD) to her now-husband

Claims of negligence/professional malpractice that attach through respondeat superior liability

Indiana Court of Appeals upheld $1.4 Million verdict against Walgreens (employer). See Walgreens v. Hinchy, No. 49A02-1311-CT-950 (Ind. Ct. App. Nov. 14, 2014)

Legal Overview: Federal Law (cont.)

• Gramm-Leach-Bliley

Governs Nonpublic Personal Information (NPI) held by financial institutions

No private right of action

Enforced by state insurance regulators; if a state has a similar statute, the state law supersedes GLB

Legal Overview: Federal Law (cont.)

• Other Federal private party claims under Electronic Communications Privacy Act; Stored Communications Act; Video Privacy Protection Act; Driver’s Privacy Protection Act; Family Educational Rights and Privacy Act

Legal Overview: State Law

Breach Notification Statutes

47 states require prompt notification (as fast as 15 days)

• 28 States – report to government & media if substantial impact (>500 people)

• Some states set thresholds for the notice requirement (e.g., reasonable basis to believe breach will result in harm)

Legal Overview: State Law (cont.)

Breach Notification Statutes

Apply to data in paper format (at least 3 states)

Some states establish penalties (36) and private rights of action (11)

Statutes typically define: Data breach, Types of protected information, Type of notice required

Legal Overview: State Law (cont.)

State Insurance Privacy Laws

Some Go Beyond Breach Notification – Require implementation of active security measures to prevent data breaches (AR, CA, MD, MA, RI, OR, TX, UT)

Unfair and Deceptive Trade Practices Acts – Variation on Consumer Protection Act; Enforced by attorney general

HIPAA/HITECH

Health Insurance Portability and Accountability Act (“HIPAA”), enacted 1996

• Title I protects health insurance coverage for workers and their families when they change or lose their jobs

• Title II, also known as the Administrative Simplification provisions, established standards for the privacy and security of health information; later codified in the Privacy Rule and the Security Rule

What is HITECH?

• The Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted as part of the American Recovery and Reinvestment Act of 2009

HITECH updated and extended the Privacy Rule and Security Rule

Created a tiered civil penalty structure for non-compliance

Why HIPAA Matters

• HIPAA is enforceable by Federal and State authorities

The Federal Government: the Department of Health and Human Services’ Office for Civil Rights

Each state’s Attorney General

There is no private right of action by individuals

Why HIPAA Matters

• HIPAA contains both Civil and Criminal Penalties for non-compliance

Civil penalties range from $100 to $50,000 per violation

Criminal penalties: individuals, Covered Entities or Business Associates who “knowingly” obtain or disclose PHI in violation of the Privacy Rule

Criminal penalties can include fines and prison time

Recent OCR Enforcement Actions

• New York Presbyterian/Columbia University Hospital: 4.8M – May 2014

• Concentra: 1.7M – April 2014

• Affinity Health Plan: 1.2M – August 2013

• WellPoint: 1.7M – July 2013

Who is Covered by HIPAA?

• HIPAA applies to “Covered Entities” and their “Business Associates”

• Covered Entities include health plans, health care clearinghouses, and health care providers

“Health Plan” includes issuers of health insurance and long-term care insurance

“Health Plan” sweeps within its scope issuers of certain combination products (life/LTCi, for example)

45 CFR § 160.103.

Who is Covered by HIPAA?

• A Covered Entity can designate itself a “hybrid” entity and only govern part of its operations under HIPAA – those aspects that include the “health plan”

45 CFR § 160.103.

Who is Covered by HIPAA?

• A “Business Associate” performs functions or activities that use/disclose Protected Health Information on behalf of a Covered Entity

• Every Business Associate must enter into a HIPAA-compliant Business Associate Agreement with the entity it is serving (Covered Entity or “upstream Business Associate”)

• Business Associates now also are regulated directly by HIPAA

45 CFR § 164.104(a),(b).

What is Protected Health Information?

• Protected Health Information, or “PHI”, refers to individually identifiable health information which can be linked to a particular person

• Electronic PHI or “EPHI” is PHI stored electronically (as opposed to on paper)

• PHI includes spoken information

45 CFR § 160.103 (Protected Health Information).

What is Protected Health Information?

• If the info is “individually identifiable,” that information is PHI if it relates to:

The individual’s past, present or future physical or mental health or condition

The provision of health care to the individual

The past, present, or future payment for the provision of health care to the individual

45 CFR § 160.103 (Health Information).

What is Protected Health Information?

Common Mistake: “PHI is just the medical records we get from doctors about our insureds”

Reality: The fact that an individual has an insurance policy at all is PHI because this fact relates to the past, present, or future payment of health care

What is Protected Health Information?

• Examples of PHI:

List of policyholders’ names and enrollment status

Underwriter’s notes assessing the medical history of an applicant

An EOB and check issued to a policyholder

A premium bill

Uses and Disclosures Under HIPAA

When can a Covered Entity or Business Associate use or disclose PHI?

• For purposes of “treatment, payment and health care operations”

• Pursuant to a valid Authorization

• Other narrow purposes where no Authorization is required

• To the individual or their designated representative, regarding their PHI

45 CFR § 164.502(a).

Uses and Disclosures Under HIPAA

Common Mistake:

“HIPAA only covers me disclosing information improperly to third parties”

Reality:

HIPAA does limit disclosures of PHI, but it also limits use

Uses and Disclosures Under HIPAA

Common Examples of Use Violating HIPAA:

• Looking up PHI about individuals in company systems without a permissible business purpose

• Using PHI in a manner other than what is authorized (e.g., an “intended purpose” authorization specific to underwriting does not allow that PHI to be used for marketing)

Minimum Necessary Rule

• HIPAA also requires using/disclosing only the minimum necessary PHI required to accomplish the task

Before looking at information, ask yourself: “Do I need to know this information to do my job?”

Before disclosing information, ask yourself: “Does this person need the information to do his work?”

45 CFR § 164.502(b).

Real World Examples

Claims Scenarios: Part I – Third-Party Involvement

• Captive Agent calls on behalf of insured to facilitate filing a claim for insured who has dementia:

No known power of attorney; third-party designee deceased

Agent wants to be present during on-site Functional Assessment and wants to do the legwork for obtaining medical records and act as primary contact for insured going forward

Claims Scenarios: Part I – Third-Party Involvement

• How much information should the claims administration team divulge? To what extent may this agent be involved in the process?

Business Associate Agreements

• Establish the permitted and required uses and disclosures of PHI by the business associate

• Must provide:

That the BA will use appropriate safeguards to prevent the use and disclosure of PHI other than as provided for by the BAA

45 CFR § 164.504(e) (BAA requirements).

Business Associate Agreements

• Must provide:

That any subcontractors, “downstream business associates,” agree to the same restrictions / conditions

That the BA will comply with the requirements that apply to covered entities in the performance of any assumed obligations of the covered entity

45 CFR § 164.504(e) (BAA requirements).

The Security Rule and Appropriate Safeguards

The Covered Entity or Business Associate must:

• Reasonably safeguard PHI from incidental uses or disclosures made pursuant to an otherwise permitted use or disclosure

• Assure that data and systems are protected from misuse, unauthorized access, damage, alteration or disclosure

45 CFR § 164.530(c)(1) (safeguards).

The Security Rule and Appropriate Safeguards

The Covered Entity or Business Associate must:

• Have in place appropriate administrative, technical and physical safeguards to protect the confidentiality, availability and integrity of PHI

• Reasonably safeguard PHI from use/disclosure in violation of the Privacy Rule

45 CFR § 164.530(c)(1) (safeguards).

Uses and Disclosures Under HIPAA

Health care operations:

• Definition is broad:

Underwriting, enrollment, premium rating and other activities related to creation, renewal, or replacement

Conducting or arranging for medical review, legal services, and auditing functions

Business management and general admin. activities

• Does not include sales/marketing

45 CFR § 164.501.

Claims Scenarios: Part I – Third-Party Involvement

• Same scenario as before, but now the daughter calls on behalf of her mother to facilitate filing a claim:

Daughter is not the power of attorney

Daughter is the only sibling of three available to act as intermediary and provide information

Claims Scenarios: Part I – Third-Party Involvement

• How much information should the claims administration team divulge? To what extent may the daughter be involved in the process?

Uses and Disclosures for Third-Party Involvement

• A covered entity may “disclose to a family member, other relative, close personal friend, or any other person identified by the individual . . . PHI that is directly relevant to such person’s involvement with the individual's health care, or payment related to the same”

45 CFR § 164.510(b)(1)(i).

Uses and Disclosures for Third-Party Involvement

• If the individual is present and has capacity:

Must obtain (1) agreement, (2) opportunity to object, or (3) reasonably infer from the circumstances the lack of objection

• If the individual lacks capacity:

Only if the covered entity determines that disclosure is in the best interests of the individual (professional judgment)

45 CFR § 164.510(b)(2),(3).

Claims Scenarios: Part I – Third-Party Involvement

• Same scenario as above except now it is the insured’s neighbor:

Neighbor is not the power of attorney

No known power of attorney or immediate family member

• How much information does the claims administration team divulge? To what extent may the neighbor be involved in the process?

Claims Scenarios: Part II – Claim Status Updates

• Insured is considering Home Care services

Home care provider would like to provide a Plan of Care within the insured’s benefit limits

Provider calls to obtain coverage information

• How much information does the claims administration team divulge? To what extent may the care provider be involved in the process?

Treatment, payment, or health care operations

• “A covered entity may use or disclose [PHI] for its own treatment, payment, or health care operations”

• “A covered entity may disclose [PHI] to another covered entity or a health care provider for the payment activities of the entity that receives the information”

• “A covered entity may disclose [PHI] for treatment activities of a health care provider”

45 CFR § 164.506(c)(1)-(3).

Underwriting Scenarios: HIPAA Authorizations

• Broker submits generic HIPAA form to underwriter requesting the release of client’s PHI from a list of companies

• Underwriter has the following concerns:

Is the form HIPAA compliant?

Under HIPAA, does it matter that the form is generic, rather than specific to each company?

Underwriting Scenarios: HIPAA Authorizations

Core elements of a valid authorization:

• Meaningful description of the information to be used

• Name of “person(s), or class of persons” authorized

• Name of “person(s), or class of persons” to whom the covered entity may disclose

• General description of each purpose

• Expiration date or expiration event that relates to purpose

• Signature and date

45 CFR § 164.508(c)(1).

Underwriting Scenarios: HIPAA Authorizations

• Required statements of a valid authorization:

A warning of the possibility of disclosure by recipient

A statement of the right to revoke authorization

An explanation of the inability (or, in limited cases, the ability) to condition treatment, payment, enrollment or eligibility for benefits on the authorization

45 CFR § 164.508(c)(2).

Underwriting Scenarios: Adverse Underwriting Decision

• Underwriter declines based on information found in the medical records, but the condition was not previously disclosed to the producer

• How much information should the underwriter disclose to the producer?

Underwriting Scenarios: Privacy Notice and Right to PHI

• 55-year-old attorney (female) applying with husband:

Admits on her application to high blood pressure only

Medical records, prescription profile, MIB reflect HBP only

In husband’s medical records, documentation exists that wife drinks alcohol daily (almost 1 bottle of wine per night)

Underwriting Scenarios: Privacy Notice and Right to PHI

• 55-year-old attorney (female) applying with husband:

Underwriter declines wife’s application based on information in husband’s medical record

Wife submits request for reason and a copy of her file

Requests for Access and Timely Action

• Under HIPAA, “a covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set”

45 CFR § 164.524(b)(1).

Requests for Access and Timely Action

• The covered entity must respond within 30 days or request an extension for up to 30 additional days, in limited circumstances

• And a covered entity is required to document and retain “the designated record sets that are subject to access by individuals”

45 CFR § 164.524(a)(2), (e)(1).

Designated record set:

• “(1) A group of records maintained by or for a covered entity that is: . . .

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals”

45 CFR § 164.501.

Underwriting Scenarios: Use of Public Information

• Underwriter is concerned because billing address and current residence do not match

• Underwriter googles the name and discovers the client is in a rehabilitation house for alcohol abusers

• Underwriter takes adverse action and declines coverage

• Any issue using internet searches without authorization?

Underwriting Scenarios: Prequalification

• Agent sends the underwriter an e-mail requesting a prequalifying “yes”/“no” and discloses client’s name and health history

No HIPAA authorization form received

BAA in place with agent

• Is it a problem to provide the agent with a response like, “based on the information, client looks Preferred?”

Is this a permitted use?

Questions?

Thank You

Stephen A. Serfass

Stephen.Serfass@dbr.com
