CONFIDENTIALITY IN THE WORKPLACE UNDER HIPAA & ILLINOIS MHDDCA
Presentation to the Disability Rights Consortium
April 27, 2011
By John W. Whitcomb, Senior Attorney, Equip for Equality

Health Insurance Portability and Accountability Act (HIPAA)
The purpose of the Act was "to improve portability and continuity of health insurance coverage . . . to combat waste, fraud, and abuse in health insurance and health care delivery . . . and for other purposes." The Act was later amended to add the Security and Privacy Regulations, which address the privacy and disclosure of protected health information.

What is Protected?
Protected Health Information (PHI): An individual's PHI encompasses individually identifiable information, whether oral or written, that is created or received by a health care provider, health plan or health care clearinghouse and that relates to the person's physical or mental health, to the provision of health care to that person, or to the payment for that person's health care.

Covered Entities
Covered entities under HIPAA are health plans (including health insurance companies, company health plans, HMOs and government health programs such as Medicare), health care providers and health care clearinghouses. "Health care clearinghouses" are entities that convert health care information from nonstandard formats into HIPAA standard formats, and vice versa.

Employers
Employers, in their role as employers, are not covered entities under HIPAA. Employment records held by a covered entity in its role as employer are excluded from the definition of PHI and so are not subject to the protections of HIPAA. 45 C.F.R. § 160.103.

Hybrids
HIPAA also recognizes "hybrid" entities: covered entities whose business activities include both covered and non-covered functions. The Privacy Rule permits any such covered entity to elect hybrid status and comply with the Privacy Rule only as it relates to its covered activities.

Group Health Plans
"Group health plans" are employee benefit plans that provide actual health care benefits to employees. The term covers not only major medical plans but also vision, dental and group long-term care plans. "Section 125" plans, or "flexible spending accounts," which allow employees to select certain health care benefits (or other kinds of employee benefits), are also included.

Self-Insured Plans
An employer that retains some administrative functions in the administration of an employee health plan may fall within the HIPAA Privacy Rule. The Privacy Rule will also apply to an employer that receives protected health information from a covered entity.

Business Associates
Business associates are companies or employers that conduct business with covered entities (i.e., health plans, health care providers and clearinghouses) and provide assistance to those covered entities.

Business Associate Contracts
In allowing health care providers and plans to give PHI to "business associates," the Privacy Rule conditions such disclosures on the provider or plan obtaining, by contract, assurance that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with its duties to provide individuals with access to health information about them and an accounting of certain disclosures.

American Recovery and Reinvestment Act of 2009 (ARRA)
Part of ARRA, the Health Information Technology for Economic and Clinical Health Act ("HITECH"), as of February 17, 2010 imposes significant new privacy and security requirements on group health plans and other covered entities subject to HIPAA. HITECH primarily affects group health plans in two areas for 2010: breach notification and the business associate rules.

Business Associates under HITECH
Business associates are now directly subject to most of the security and privacy rules of HIPAA. As a result, group health plans will wish to amend their business associate agreements to incorporate these new responsibilities, including the business associate's duty to notify the plan of any breach of unsecured PHI, and to allocate the risks and costs of compliance in the event of a breach.

Enforcement
There is no private right of action under HIPAA. Complaints can be filed with the Office for Civil Rights at the Department of Health & Human Services.

Penalties
The civil monetary penalty is based on the offender's scienter. An unknowing violation is subject to a minimum penalty of $100 per violation and a maximum of $50,000 per violation, with a yearly cap of $1.5 million. Violations resulting from willful neglect are subject to a minimum penalty of $10,000 per violation and a maximum penalty of $50,000 per violation, with a yearly cap of $1.5 million.

Cooney v. Chicago Public Schools, 943 N.E.2d 23 (Ill. App. 1st Dist. 2010)
All Printing & Graphics, Inc. was retained by the Board of Education of the City of Chicago (Board) to print, package and mail a "Chicago Public Schools–COBRA Open Enrollment List" to over 1,700 former CPS employees. The mailing, sent sometime between November 23, 2006 and November 27, 2006, informed the former employees that, as COBRA participants, they could change their insurance benefit plans. The list sent to each plaintiff contained the names of all 1,750 plaintiffs, along with their addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information (the COBRA list).

Did the Board violate HIPAA?

Cooney v. Chicago Public Schools: Holding
HIPAA prohibits the disclosure of "individually identifiable health information to another person." 42 U.S.C. § 1320d-6(a)(3) (2006). But "employment records held by a covered entity in its role as employer" are specifically excluded from HIPAA protection. 45 C.F.R. § 160.103 (2006). Because the Board held plaintiffs' health insurance elections in its role as an employer, the Board's disclosure falls outside HIPAA's coverage.

Illinois Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA)
The Act is designed to protect the confidentiality of patients (called "recipients" in the Act) so that no information about their treatment, or even the fact that they are being treated at all, is released without the patient's consent. Therapists and mental health providers cannot disclose records to anyone without the consent of the patient, except under narrow exceptions.

Consensual Disclosure
The Act provides for the consensual disclosure of information by a recipient. 740 ILCS 110/5. Section 5 makes clear that a recipient may consent to disclosure of information for a limited purpose, and that any agency or person who obtains confidential and privileged information may not redisclose it without the recipient's specific consent.

Employers
An employer must obtain the recipient's consent to redisclose, even for the purpose of applying for benefits. The MHDDCA is stricter than HIPAA and therefore takes precedence.

Remedies
- Actual damages: reimbursement for any monetary loss suffered or other losses incurred as a result of the violation of the Act. This may include compensation for emotional pain and suffering.
- Injunctive or affirmative relief: the court may require the person to do something or prohibit that person from doing something.
- Fees and costs.

Karraker v. Rent-a-Center, 315 F.Supp.2d 675 (C.D. Ill. 2004)
Plaintiffs, current and former employees of Rent-a-Center (RAC), alleged that RAC required all employees or outside applicants seeking management positions to take a battery of written tests, collectively referred to as the Management Test. Several tests included in the Management Test were personality inventories that inquired about personal information, including sexual preferences and orientation, religious beliefs and practices, and medical conditions.

APT scored and interpreted the Management Test for RAC, creating a two-page psychological profile of each individual. RAC distributed this report to the employee's immediate supervisor and placed a copy of it in the employee's personnel file. RAC used the test results in deciding which employees to promote and what additional training to require. Plaintiffs asserted that RAC formulated no policy or procedure for keeping the test results confidential.

Claim: Plaintiffs claimed that the Management Tests were "psychological tests" and that the profiles APT provided to RAC prescribed personal growth exercises that an employee had to undergo if he wanted a management job. The profiles summarized the psychological characteristics of individual employees and then recommended corrective action, a function of the tests that, plaintiffs argued, constituted mental health services.

Holding: Although Plaintiffs' characterization of the tests and the MHDDCA is indeed novel, it is perhaps possible for them to develop facts that would establish a claim under the Act. It is, therefore, inappropriate to dismiss their claims at this stage in the proceedings. (The Seventh Circuit subsequently ruled that the MMPI was a "medical examination" within the meaning of the ADA and that RAC's use of it violated the ADA. See Karraker v. Rent-A-Center, Inc., 411 F.3d 831 (7th Cir. 2005).)

QUESTIONS?