Patricia Tooley
Vice President, Privacy Compliance, Memorial Hermann Health System
Monique Allen
Associate General Counsel Clinical Operations, Memorial Hermann
Health System
Jesse M. Coleman
Senior Associate, Norton Rose Fulbright US, LLP


The Office for Civil Rights' crackdown on HIPAA violations
over the past year will "pale in comparison" to the next 12
months, a U.S. Department of Health and Human Services
attorney recently told an American Bar Association
conference.
The Office for Civil Rights has been levying fines to make
healthcare entities take notice: nine settlements since June
1, 2013, have totaled more than $10 million. That includes
a record $4.8 million fine announced in May against New
York-Presbyterian Hospital and Columbia University.
FierceHealthIT: “OCR predicts spike in HIPAA fines”
June 16, 2014
1. How to satisfy HIPAA and Texas privacy laws when requesting protected health information;
2. Cases in which satisfying HIPAA and Texas privacy laws is only the first step; and
3. What steps a family law practitioner needs to take before issuing a subpoena for protected health information.
• HIPAA Privacy Rule (45 C.F.R. pts. 160, 164)
prohibits disclosure of “protected health information”
by “covered entities” except under specific
circumstances.
• Texas Health and Safety Code Chapter 241
governs the disclosure of Health Care Information by
Hospitals in Texas.
• Texas Health and Safety Code Chapter 181
governs the privacy of medical records in Texas.
• Both federal and state privacy laws may apply to any given situation.
• Federal and State laws are not always written to make sense when
applied together.
• If federal law applies, it has supremacy over any given state law and
therefore controls. 45 C.F.R. § 160.203.
• Federal rules permitting disclosure often allow States to enforce greater
restrictions and protections than federal law. 45 C.F.R. § 160.202.
• Federal laws restricting disclosure will often state, “as permitted by law,”
which may provide a State-law exception from the federal restriction.
[Flowchart. Decision nodes: "Is the information protected?" (Yes / No); "Has there been proper authorization?" (Yes / No); "Is the disclosure permitted or required?" Outcomes shown: Permitted: Consult Policies/Protocols; Required: Produce; Do not produce.]
Protected health information (PHI) means
individually identifiable health information that
[subject to certain exceptions] is:
i. Transmitted by electronic media;
ii. Maintained in electronic media; or
iii. Transmitted or maintained in any other form or
medium.
45 C.F.R. § 160.103
HIPAA Privacy Rule: (1) A health plan. (2) A health care
clearinghouse. (3) A health care provider who
transmits any health information in electronic form in
connection with a transaction covered by this
subchapter. 45 C.F.R. § 160.103.
Texas “Covered Entity”: “any person who … comes
into possession of protected health information.”
Tex. Health & Safety Code § 181.001.
Written authorization. Tex. Health & Safety Code § 241.152.
A patient's health care information may be disclosed without the patient's authorization [under specific circumstances] if the disclosure
is …
(1) for directory information;
(2) to a health care provider who is rendering health care to the patient when the request for the disclosure is made;
(3) to a transporting emergency medical services provider for the purpose of:
(4) to a member of the clergy specifically designated by the patient;
(5) to a procurement organization;
(6) to a prospective health care provider;
(7) to a person authorized to consent to medical treatment;
(8) to an employee or agent of the hospital;
(9) to a federal, state, or local government agency or authority to the extent authorized or required by law;
(10) to a hospital that is the successor in interest to the hospital maintaining the health care information;
(11) to the American Red Cross for the specific purpose;
(12) to a regional poison control center;
(13) to a health care utilization review agent;
(14) for use in a research project authorized by an institutional review board under federal law;
(15) to health care personnel of a penal or other custodial institution;
(16) to facilitate reimbursement;
(17) to a health maintenance;
(18) to satisfy a request for medical records of a deceased or incompetent person;
(19) to comply with a court order
(20) related to a judicial proceeding in which the patient is a party and the disclosure is requested under a subpoena issued under …
the Texas Rules of Civil Procedure or Code of Criminal Procedure.
Tex. Health & Safety Code § 241.153(20).
Authorization by individual or personal representative. 45 C.F.R.
§§ 164.508(a) (authorization required), 164.512(a)(1)(right of
access).
Court order. 45 C.F.R. § 164.512(e)(1)(i).
Subpoena accompanied by “satisfactory assurances” that:
◦ The PHI Individual has been given proper notice of the request;
or
◦ Reasonable efforts have been made to secure a qualified
protective order. 45 C.F.R. § 164.512(e)(1)(ii), (iv)-(v).
For an authorization to be valid under federal law, it must contain the following elements:
1. A description of the information to be used or disclosed that identifies the information in a specific and
meaningful fashion.
2. The name or other specific identification of the person(s), or class of persons, authorized to make the
requested use or disclosure.
3. The name or other specific identification of the person(s), or class of persons, to whom the covered
entity may make the requested use or disclosure.
4. A description of each purpose of the requested use or disclosure. The statement “at the request of the
individual” is a sufficient description of the purpose when an individual initiates the authorization and
does not, or elects not to, provide a statement of the purpose.
5. An expiration date or an expiration event that relates to the individual or the purpose of the use or
disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the
authorization is for a use or disclosure of protected health information for research, including for the
creation and maintenance of a research database or research repository.
6. Signature of the individual and date. If the authorization is signed by a personal representative of the
individual, a description of such representative's authority to act for the individual must also be provided.
45 C.F.R. § 164.508(c)(1).
An authorization to a hospital is valid only if it:
1. is in writing;
2. is dated and signed by the patient or the patient's legally authorized representative;
3. identifies the information to be disclosed;
4. identifies the person or entity to whom the information is to be disclosed; and
5. is not contained in the same document that contains the consent to medical treatment obtained from the patient.
Tex. Health & Safety Code § 241.152(b)
• Go to www.memorialhermann.org
• Type “Medical Records Authorization” in the search box.
• Choose the applicable authorization.
OR…
• Go to www.memorialhermann.org/patientscaregivers/release-of-medical-records/
NOTE: Memorial Hermann will recognize any authorization (not just
its own) containing all the necessary elements.
• “Personal Representative” is defined under federal law as an individual with
authority to act on behalf of individual “under applicable law.” 45 C.F.R.
§ 164.502(g). Includes but is not restricted to a Texas “Legally Authorized
Representative.”
• If an authorization is signed by a personal representative of the individual, a
description of such representative's authority to act for the individual must also
be provided. 45 C.F.R. § 164.508(c)(vi).
• Restrictions exist on a personal representative’s authority when a licensed
health care professional has determined, in the exercise of professional
judgment, that access to PHI is reasonably likely to cause substantial harm to
the individual or another person. See, e.g. 45 C.F.R. §§ 164.502(g)(5);
164.524(a)(3).
• “Legally authorized representative” means:
– a parent or legal guardian if the patient is a minor;
– a legal guardian if the patient has been adjudicated incapacitated to manage the
patient's personal affairs;
– an agent of the patient authorized under a durable power of attorney for health care;
– an attorney ad litem appointed for the patient;
– a person authorized to consent to medical treatment on behalf of the patient under
Chapter 313;
– a guardian ad litem appointed for the patient;
– a personal representative or heir of the patient, as defined by Section 3, Texas
Probate Code, if the patient is deceased;
– an attorney retained by the patient or by the patient's legally authorized
representative; or
– a person exercising a power granted to the person in the person's capacity as an
attorney-in-fact or agent of the patient by a statutory durable power of attorney that
is signed by the patient as principal.
Tex. Health & Safety Code § 241.151(5).
“Satisfactory assurances” regarding a qualified protective order requires
“a written statement and accompanying documentation” demonstrating
that:
a) The parties to the dispute giving rise to the request for information have agreed to a
qualified protective order and have presented it to the court or administrative tribunal
with jurisdiction over the dispute; or
b) The party seeking the protected health information has requested a qualified protective
order from such court or administrative tribunal.

A “qualified protective order” means, “an order of a court or of an
administrative tribunal or a stipulation by the parties to the litigation or
administrative proceeding” that:
a) Prohibits the parties from using or disclosing the protected health information for any
purpose other than the litigation or proceeding for which such information was
requested; and
b) Requires the return to the covered entity or destruction of the protected health
information (including all copies made) at the end of the litigation or proceeding.
See Template Handout
“[T]he hospital or its agent may charge a reasonable fee for
providing the health care information except payment
information and is not required to permit the examination,
copying, or release of the information requested until the fee is
paid unless there is a medical emergency.” Tex. Health & Safety
Code § 241.154(b).
Memorial Hermann is authorized to take up to fifteen days from
receiving a proper request and payment to make the information
available. TEX. HEALTH & SAFETY CODE § 241.154(a).
42 U.S.C. § 290dd-2 allows for production of
substance-abuse treatment records only by
• Written consent of treated individual, or
• an appropriate order of a court of competent
jurisdiction granted after application showing good
cause therefor, including the need to avert a
substantial risk of death or serious bodily harm.
Tex. Family Code § 261.201 – makes records associated with child
abuse investigations confidential.
A court may order the disclosure of information that is confidential
under this section if:
(1) a motion has been filed with the court requesting the release of
the information;
(2) a notice of hearing has been served on the investigating agency
and all other interested parties; and
(3) after hearing and an in camera review of the requested
information, the court determines that the disclosure of the
requested information is:
(A) essential to the administration of justice; and
(B) not likely to endanger the life or safety of:
(i) a child who is the subject of the report of alleged or suspected
abuse or neglect;
(ii) a person who makes a report of alleged or suspected abuse
or neglect; or
(iii) any other person who participates in an investigation of
reported abuse or neglect or who provides care for the child.
Texas Gov’t Code § 420.001 et seq. governs the
production of Sexual Assault Nurse Examination
reports and investigation materials.
◦ Requires consent from personal representative, or
◦ Criminal subpoena.
45 C.F.R. § 164.502(g)(5) – allows a covered entity to
withhold PHI from personal representative even with
“satisfactory assurances” if it believes individual
subject to abuse and disclosing would endanger
individual.

Psychotherapy Notes (not subject to review); and
Information compiled in reasonable anticipation of,
or for use in, a civil, criminal, or administrative
action or proceeding.
45 C.F.R. § 164.524(a)(2)
Covered entity may also deny access if a licensed
health care professional has determined, in the
exercise of professional judgment, that the access
requested is reasonably likely to endanger the life
or physical safety of the individual or another
person (subject to review).
45 C.F.R. § 164.524(a)(3)
Do I have a court order to obtain the PHI?
If I do not have a court order, do I have a valid authorization?
◦ Does my authorization meet Texas and federal law requirements?
◦ Is my authorization from the individual for whom I am seeking PHI?
◦ If not, does my client have the authority to request the PHI?
If I do not have a court order or authorization, does my subpoena
contain all the necessary information?
◦ Can I provide satisfactory assurances that notice has been given, or
◦ Can I provide satisfactory assurances that a qualified protective order has been requested?
Is the information I am seeking subject to additional protections
(substance abuse, child abuse, psychotherapy, SANE)?
Have I requested an invoice and paid the necessary fees for the records
under Texas Health & Safety Code?

For substance abuse records, have I previously obtained an
order showing good cause containing the elements in 42
U.S.C. § 290dd-2?
For records associated with a child abuse investigation,
have I previously obtained an order showing good cause to
obtain the requested materials containing the elements
of Tex. Family Code § 261.201(b)?
For records associated with SANE kits, do I have consent
from personal representative or a criminal subpoena? See
Tex. Gov’t Code § 420.0735

Please request your records so that they can be
provided to you with a business records
affidavit more than 14 days before you have any
hearing, so you can serve them on other
parties, pursuant to Tex. R. Evid. 902(10)(A).
For cases filed after September 1, 2014, the
court may order (for good cause shown) that a
business record be treated as presumptively
authentic, even if the proponent fails to comply
with the 14-day service rule.
Patricia Tooley
Vice President, Privacy Compliance,
Memorial Hermann Health System
713-538-5910
patricia.tooley@memorialhermann.org

Monique Allen
Associate General Counsel Clinical Operations
Memorial Hermann Health System
713-242-2420
monique.allen3@memorialhermann.org

Jesse M. Coleman
Senior Associate, Norton Rose Fulbright
713-651-5647
jesse.coleman@nortonrosefulbright.com
