Practicing in Harmony with HIPAA

advertisement
Practicing In Harmony
with HIPAA
The views and opinions expressed in the presentation are
those of the presenter, and not necessarily official positions
of the United States Department of Justice.
Purpose
• Underscore the commitment of DOJ to
facilitate covered entity compliance with
HIPAA while pursuing its legitimate
governmental functions
• Discuss the different functions of DOJ with
reference to HIPAA disclosures
The Multiple Hats of DOJ
• Health Oversight
• Law Enforcement
• Representing Government Entities
– VA Hospital, Rural Health Clinic, Government
Employees
• Prosecuting Criminal Violations of 42 USC
1320d-6
• The activity will dictate the applicable HIPAA
provision which permits disclosure
• DOJ is NOT a covered entity
Which HIPAA Exception Permits
Disclosure to DOJ?
• Least restrictive exception applies:
• Health Oversight (45 CFR § 164.512(d))
– (Essentially preserved the pre-HIPAA
landscape on disclosures)
• Law enforcement (45 CFR § 164.152(f)
• Representing a government agency (45
CFR § 164.508)
Informing the Covered Entity
• Informing the covered entity which
provision of HIPAA permits the requested
disclosure
• May be written, may be oral
Permitted Disclosures to Law
Enforcement
• Pursuant to Process and Required by law
164.512(f)(1)
– Court Orders, Warrants, Judicial Subpoenas
– Grand Jury Subpoenas
– Administrative Request/Demand/Subpoena, provided
that
• Relevant and material to legitimate L.E. inquiry
• Specific & limited in scope to extent reasonably practicable in
light of the purpose
• De-identified information could not reasonably be used
• Covered entity can rely on representations on the face of the
administrative subpoena (164.514(h)(2)(A))
Permitted Disclosures to Law
Enforcement
• Other Provisions of § 164.512 (f)
– 8 items for Identification and Location of
suspects, material witness, missing person
– Victims of crime, but unless required by law or
process, certain limitations for victims of
abuse, neglect or domestic violence
– Decedents, if under suspicious circumstances
– Crime on premises
– Reporting crime in an emergency
One Health Oversight Note
• Health oversight has been discussed by Anne
MacArthur of the OIG
• Special Note About Administrative Subpoenas
used in furtherance of health oversight activity
• When a health oversight activity, §164.512(d)
governs – the limitations in 164.512(f)(a) are
irrelevant (including restrictions on L.E.
administrative subpoenas) – only apply to law
enforcement activity
Some Other Special
Circumstances
• Avert serious threat to health or safety –
§164.512(j)
• Specialized government functions §164.512(k)
– National Security and Intelligence
– Protective Services for President and others
– Correctional institutions and other law
enforcement custodial situations
Suspension of Audit Trail
Disclosure
• A covered entity must suspend an individual’s
right to an account when an oral or written
request is made by a health oversight or law
enforcement official for the length of time
requested by the official. 45 CFR § 164.528
(a)(2)
• Oral request (good for up to 30 days) followed
by written request
• Document the request.
• “Reasonably likely to impede the agency’s
activities”
Preemption of State Privacy Law
• A HIPAA standard, requirement or
implementation specification, preempts a state
law concerning the privacy of protected health
information, unless the state law:
– Is contrary to HIPAA, and
– Relates to the privacy of Individually Identifiable
Health Information, and
– Is more stringent than a provision of the HIPAA
medical privacy rules
• U.S. Constitution supremacy clause
Criminal Violations of HIPAA
Privacy Rules
• HIPAA create a criminal violation for improper
disclosure or receipt of protected health
information – 42 U.S.C. 1320d-6
• DOJ investigates and prosecutes criminal
violations of this statute; primarily investigated
by FBI
• 3-levels of escalating penalties keyed to
egregiousness of the offense conduct
• Direct complaints, or referrals from HHS-OCR
Conclusion
• We are committed to facilitating the disclosure of
protected health information for health oversight and
law enforcement purposes in compliance with HIPAA
• We will firmly resist efforts by covered entities to
constrict the exceptions which HIPAA permits
• We will investigate complaints of criminal HIPAA
violations and prosecute where appropriate.
Ian DeWaal, Senior Counsel
Department of Justice,
Criminal Division, Fraud Section
Download