Practicing In Harmony with HIPAA The views and opinions expressed in the presentation are those of the presenter, and not necessarily official positions of the United States Department of Justice. Purpose • Underscore the commitment of DOJ to facilitate covered entity compliance with HIPAA while pursuing its legitimate governmental functions • Discuss the different functions of DOJ with reference to HIPAA disclosures The Multiple Hats of DOJ • Health Oversight • Law Enforcement • Representing Government Entities – VA Hospital, Rural Health Clinic, Government Employees • Prosecuting Criminal Violations of 42 USC 1320d-6 • The activity will dictate the applicable HIPAA provision which permits disclosure • DOJ is NOT a covered entity Which HIPAA Exception Permits Disclosure to DOJ? • Least restrictive exception applies: • Health Oversight (45 CFR § 164.512(d)) – (Essentially preserved the pre-HIPAA landscape on disclosures) • Law enforcement (45 CFR § 164.152(f) • Representing a government agency (45 CFR § 164.508) Informing the Covered Entity • Informing the covered entity which provision of HIPAA permits the requested disclosure • May be written, may be oral Permitted Disclosures to Law Enforcement • Pursuant to Process and Required by law 164.512(f)(1) – Court Orders, Warrants, Judicial Subpoenas – Grand Jury Subpoenas – Administrative Request/Demand/Subpoena, provided that • Relevant and material to legitimate L.E. inquiry • Specific & limited in scope to extent reasonably practicable in light of the purpose • De-identified information could not reasonably be used • Covered entity can rely on representations on the face of the administrative subpoena (164.514(h)(2)(A)) Permitted Disclosures to Law Enforcement • Other Provisions of § 164.512 (f) – 8 items for Identification and Location of suspects, material witness, missing person – Victims of crime, but unless required by law or process, certain limitations for victims of abuse, neglect or domestic violence – Decedents, if under suspicious circumstances – Crime on premises – Reporting crime in an emergency One Health Oversight Note • Health oversight has been discussed by Anne MacArthur of the OIG • Special Note About Administrative Subpoenas used in furtherance of health oversight activity • When a health oversight activity, §164.512(d) governs – the limitations in 164.512(f)(a) are irrelevant (including restrictions on L.E. administrative subpoenas) – only apply to law enforcement activity Some Other Special Circumstances • Avert serious threat to health or safety – §164.512(j) • Specialized government functions §164.512(k) – National Security and Intelligence – Protective Services for President and others – Correctional institutions and other law enforcement custodial situations Suspension of Audit Trail Disclosure • A covered entity must suspend an individual’s right to an account when an oral or written request is made by a health oversight or law enforcement official for the length of time requested by the official. 45 CFR § 164.528 (a)(2) • Oral request (good for up to 30 days) followed by written request • Document the request. • “Reasonably likely to impede the agency’s activities” Preemption of State Privacy Law • A HIPAA standard, requirement or implementation specification, preempts a state law concerning the privacy of protected health information, unless the state law: – Is contrary to HIPAA, and – Relates to the privacy of Individually Identifiable Health Information, and – Is more stringent than a provision of the HIPAA medical privacy rules • U.S. Constitution supremacy clause Criminal Violations of HIPAA Privacy Rules • HIPAA create a criminal violation for improper disclosure or receipt of protected health information – 42 U.S.C. 1320d-6 • DOJ investigates and prosecutes criminal violations of this statute; primarily investigated by FBI • 3-levels of escalating penalties keyed to egregiousness of the offense conduct • Direct complaints, or referrals from HHS-OCR Conclusion • We are committed to facilitating the disclosure of protected health information for health oversight and law enforcement purposes in compliance with HIPAA • We will firmly resist efforts by covered entities to constrict the exceptions which HIPAA permits • We will investigate complaints of criminal HIPAA violations and prosecute where appropriate. Ian DeWaal, Senior Counsel Department of Justice, Criminal Division, Fraud Section