Handling Electronic Medical
Records for Trial Lawyers
Sidney S. Welch, JD, MPH
404.815.6036
swelch@kilpatricktownsend.com
www.kilpatricktownsend.com
Presented to:
National CLE Conference on January 11, 2014
Vail, Colorado
© 2013 Kilpatrick Townsend
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• In 1996, Congress passed HIPAA, which among other things offers protection for “protected health information,” including electronic medical records. HIPAA requirements and security rules give patients more control over their health information, set limits on the use and release of their medical records, and establish a series of privacy standards for health care providers, with penalties for those who do not follow these standards.
HIPAA Provisions
• HIPAA is made up of certain key sections and works in conjunction with state law to govern the use, disclosure, privacy and security of “protected health information” by “covered entities” and their respective “business associates”:
– Privacy Rule
– Security Rule
– Enforcement Rule
– Breach Notification Rule
HIPAA Provisions
• Privacy Rule
– The HIPAA Privacy Rule provides federal protections for
individually identifiable health information held by “covered entities”
and their “business associates” and gives patients an array of rights
with respect to that information. At the same time, the Privacy Rule
is balanced so that it permits the disclosure of health information
needed for patient care and other important purposes. The Privacy
Rule is located at 45 CFR Part 160 and Subparts A and E of Part
164.
• Security Rule
– The Security Rule specifies a series of administrative, physical, and
technical safeguards for covered entities and their business
associates to use to assure the confidentiality, integrity, and
availability of electronic PHI. The Security Rule is located at 45
CFR Part 160 and Subparts A and C of Part 164.
HIPAA Provisions
• Enforcement Rule
– The Enforcement Rule contains provisions relating to compliance
and investigations, the imposition of civil money penalties for
violations of the HIPAA Administrative Simplification Rules, and
procedures for hearings. The HIPAA Enforcement Rule is codified
at 45 CFR Part 160, Subparts C, D, and E.
• Breach Notification Rule
– Interim final breach notification regulations, issued in August 2009,
implement section 13402 of the Health Information Technology for
Economic and Clinical Health (HITECH) Act by requiring HIPAA
covered entities and their business associates to provide
notification following a breach of unsecured PHI. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission, apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act. (See, e.g., 45 C.F.R. 164.400)
Protected Health Information
• Under the HIPAA Privacy Rule, protected health
information (“PHI”) refers to individually identifiable
health information. Individually identifiable health
information is that which can be linked to a particular
person. Specifically, this information can relate to:
– The individual's past, present or future physical or mental health or
condition,
– The provision of health care to the individual, or,
– The past, present, or future payment for the provision of health care to the individual.
• Common identifiers of health information include names, social security numbers, addresses, and birth dates. (See 45 C.F.R. 160.103; 45 C.F.R. 164.501)
Covered Entity
• The term “covered entity” is defined as:
– A health plan
– A health care clearinghouse
– A health care provider who transmits any health information
in electronic form in connection with a transaction covered
by this subchapter (See 45 C.F.R. 160.103)
“Business Associate”
• The term “business associate” is defined as, with respect to a covered entity, a person who:
– “On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits PHI for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
– Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of PHI from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
– A covered entity may be a business associate of another covered entity.”
“Business Associate”
• Business associates include:
– A Health Information Organization, E-prescribing Gateway, or other
person that provides data transmission services with respect to PHI
to a covered entity and that requires access on a routine basis to
such PHI.
– A person that offers a personal health record to one or more
individuals on behalf of a covered entity.
– A subcontractor that creates, receives, maintains, or transmits PHI
on behalf of the business associate. See 45 C.F.R. 160.103
The Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”)
• The HITECH Act of 2009 expanded the scope of the privacy and security provisions of HIPAA and its enabling regulations. Some of the significant changes for health care providers include:
– Applying privacy and security provisions and penalties to business associates
– Imposing new notification requirements in the event of a breach of PHI
– Creating stricter disclosure requirements, such as:
• Restricting the disclosure of PHI by a health care provider at the request of a patient if it is for purposes other than treatment and the health care service or item has been paid out-of-pocket and in full (except as otherwise required by law)
• Limiting the disclosure of PHI to a limited data set or to the minimum necessary to accomplish the intended purpose
• Requiring health care providers to make available an accounting of certain disclosures of PHI that occurred over the past three years at the patient's request
– Strengthening enforcement procedures and penalties
Final Omnibus Rule Implementing HITECH
• On January 25, 2013, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) published the long-awaited final rule, entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule), 78 Fed. Reg. 5566 (Jan. 25, 2013).
• The Omnibus Rule:
– Finalizes modifications to the Privacy, Security, and Enforcement Rules to implement the HITECH Act;
– Finalizes modifications to the Privacy Rule, proposed in July 2010, to increase the workability of the Privacy Rule;
– Modifies the Breach Notification Rule, adopted by interim final rule in August 2009; and
– Finalizes modifications to the Privacy Rule to implement the Genetic Information Nondiscrimination Act of 2008 (GINA), proposed in October 2009.
Disclosures under HIPAA
Methods for Obtaining Patient Records
Under HIPAA
• There are various methods for obtaining patient
records under HIPAA
– Patient requests (subject to certain restrictions)
• 45 C.F.R. 164.502(a)(i); 45 C.F.R. 164.524
– Disclosure upon “valid authorization”
• 45 C.F.R. 164.502(a)(iv); 45 C.F.R. 164.508
– Subpoena, discovery order, court or administrative order
• 45 C.F.R. 164.512(e)
Patient Requests
• HIPAA permits patients to request copies of their medical records (in either paper or electronic format). See 45 C.F.R. 164.502(a)(i); 45 C.F.R. 164.524
– “An individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for (i) Psychotherapy notes; (ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and (iii) PHI maintained by a covered entity that is: (A) Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or (B) Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).”
• The request must be made in writing and the requestor must be the patient, the patient’s parent, guardian or caregiver.
• Subject to state law, which may impose stricter requirements, providers are required to keep HIPAA patient records for six (6) years.
• Providers must provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.
Cignet Health (Feb. 4, 2011); Civil Monetary Penalty of $4.3 Million
• Failure to provide a patient with access to their medical records may lead to severe penalties, including civil monetary penalties.
• See Cignet Health of Prince George’s County, Notice of Final Determination (February 4, 2011): OCR imposed a civil monetary penalty of $4,351,600 against Cignet Health d/b/a Uplift Medical, P.C., Cignet Health Center, Cignet Health Plan, and/or Cignet Healthcare (referred to collectively as “Cignet”) for failure to produce the medical records of 41 patients when requested by such patients between September 2008 and October 2009. The civil monetary penalty for these violations is $1.3 million.
– During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.
– OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.
Disclosure in Response to a Subpoena
or Court Order
• The HIPAA Privacy Rule permits the disclosure of PHI for
judicial and administrative proceedings by covered entities if
certain conditions are met (See 45 C.F.R. 164.512(e))
– A covered entity may disclose PHI in the course of any judicial or administrative
proceeding: (i) In response to an order of a court or administrative tribunal,
provided that the covered entity discloses only the PHI expressly authorized by
such order; or (ii) In response to a subpoena, discovery request, or other lawful
process, that is not accompanied by an order of a court or administrative tribunal,
if:
• (A) The covered entity receives satisfactory assurance from the party
seeking the information that reasonable efforts have been made by such
party to ensure that the individual who is the subject of the PHI that has
been requested has been given notice of the request; or
• (B) The covered entity receives satisfactory assurance from the party
seeking the information that reasonable efforts have been made by such
party to secure a qualified protective order that meets certain requirements.
Disclosure in Response to a Subpoena or Court Order
• For purposes of paragraph (A) above, a covered entity receives “satisfactory assurances” from a party seeking PHI if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
– (A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);
– (B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and
– (C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and (1) No objections were filed; or (2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.
• For the purposes of paragraph (B) above, a covered entity receives “satisfactory assurances” from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
– (A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or
– (B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.
Disclosure in Response to a Subpoena
or Court Order
• A “qualified protective order” means an order of a court or of
an administrative tribunal or a stipulation by the parties to the
litigation or administrative proceeding that:
– (A) Prohibits the parties from using or disclosing the protected
health information for any purpose other than the litigation or
proceeding for which such information was requested; and
– (B) Requires the return to the covered entity or destruction of the
protected health information (including all copies made) at the end
of the litigation or proceeding
• A covered entity may disclose PHI in response to lawful
process without receiving satisfactory assurance if the
covered entity makes reasonable efforts to provide notice to
the individual or secures a qualified protective order
Recent Action where State Law Trumps HIPAA Disclosure
• Although HIPAA permits disclosure in connection with a discovery request or court order, state laws may impose stricter restrictions
• HIPAA is the “floor”
Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010)
• Rejecting a defense based on compliance with HIPAA, a federal court in Ohio denied a medical clinic’s motion to dismiss invasion of privacy claims following the clinic’s disclosure of medical records to a grand jury: “As a general rule, an individual’s medical records are confidential. […] Under [HIPAA], a hospital’s release of medical records to law enforcement is permitted under certain circumstances. Indeed, HIPAA specifically authorizes a hospital to release a patient’s medical records in response to a grand jury subpoena. 45 C.F.R. §164.512(f)(1)(ii)(B). Ohio’s physician-patient privilege, however, codified in O.R.C. § 2317.02(B)(1), provides that a physician shall not testify as to “a communication made to the physician . . . by a patient in that relation or the physician’s . . . advice to a patient.” […] Ohio courts have found that O.R.C. § 2317.02(B) is more stringent than HIPAA, and therefore is not preempted, because it “prohibits use or disclosure of health information when such use or disclosure would be allowed under HIPAA.” Grove v. Northeast Ohio Nephrology Assocs., 844 N.E.2d 400, 406-07 (Ohio Ct. App. 2005) […] Thus, while HIPAA allows disclosure of protected health information in response to a grand jury subpoena, O.R.C. § 2317.02(B) permits disclosure only in certain limited circumstances.”
Disclosure upon Valid Authorization
• HIPAA permits the disclosure of medical records upon “valid authorization” (See 45 C.F.R. 164.502(a)(iv); 45 C.F.R. 164.508)
• A valid authorization under this section must contain at least the following elements:
– (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
– (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
– (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
– (iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
– (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;
– (vi) Signature of the individual and date
Disclosure upon Valid Authorization
• In addition to the core elements, the authorization must contain statements adequate to place the individual on notice.
• The authorization must be written in plain language.
• If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.
Disclosure Without Authorization
• HIPAA Privacy Rule permits disclosure without
authorization in certain limited cases which must
nonetheless comply with required laws (See 45
C.F.R. 164.512)
– Instances involving victims of abuse, neglect or domestic violence
(See 45 C.F.R. 164.512(c)): “A covered entity may disclose [PHI]
about an individual whom the covered entity reasonably believes to
be a victim of abuse, neglect, or domestic violence to a government
authority, including a social service or protective services agency,
authorized by law to receive reports of such abuse, neglect, or
domestic violence […]”
– Certain law enforcement purposes (See 45 C.F.R. 164.512(f)),
including the reporting of certain types of wounds or other physical
injuries, for purposes of locating a suspect, fugitive, material
witness or missing person, and where a person may be a victim to
a crime
Specific Orders
• Qualified protective orders
– 45 C.F.R. 164.512(e)(1)(ii), (v)
– An order of a court or of an administrative tribunal or a stipulation
by the parties to the litigation or administrative proceeding that:
• (A) Prohibits the parties from using or disclosing the PHI for any
purpose other than the litigation or proceeding for which such
information was requested; and
• (B) Requires the return to the covered entity or destruction of
the protected health information (including all copies made) at
the end of the litigation or proceeding.
Specific Orders
• Subpoenas and discovery requests not accompanied
by a court or administrative tribunal order
– 45 C.F.R. 164.512(e)(1)(ii) (A), (iii)
– A covered entity may disclose PHI in response to a subpoena if it receives “satisfactory assurance” from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the PHI that has been requested has been given notice of the request
Specific Orders
• “Satisfactory Assurance”
– A covered entity receives “satisfactory assurance” if it receives from
such party a written statement and accompanying documentation
demonstrating that: (A) The party requesting such information has
made a good faith attempt to provide written notice to the individual
(or, if the individual's location is unknown, to mail a notice to the
individual's last known address); (B) The notice included sufficient
information about the litigation or proceeding in which the PHI is
requested to permit the individual to raise an objection to the court
or administrative tribunal; and (C) The time for the individual to
raise objections to the court or administrative tribunal has elapsed,
and (1) No objections were filed; or (2) All objections filed by the
individual have been resolved by the court or the administrative
tribunal and the disclosures being sought are consistent with such
resolution.
Specific Orders
• Court or Administrative Tribunal Order
– 45 C.F.R. 164.512(e)(1)(i)
– A covered health care provider or health plan may disclose protected health information required by a court order, including the order of an administrative tribunal. However, the provider or plan may only disclose the information “expressly authorized by such order.”
• Due to the foregoing, it is necessary to be as specific as possible when drafting orders for medical records, depending on the purpose
Other Laws Impacting Disclosure of
Certain Types of Medical Records
• Drug and Alcohol Treatment Records
– Limits disclosure, redisclosure and use of drug and alcohol
treatment records and requires a court order after showing good
cause (See 45 U.S.C. 290dd-2(b)(2)(c))
– In assessing “good cause,” the court shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician-patient relationship, and to the treatment services
– No records may be used to initiate or substantiate criminal charges against a person or to conduct any investigation of a patient
• HIV/AIDS Information
– HIPAA is silent on this issue but state laws apply
Other Laws Impacting Disclosure of
Certain Types of Medical Records
• Mental Health Records/ Psychotherapy Notes
– Patient authorization is required prior to disclosure (See 45 C.F.R.
165.508(a)(2))
• Workers Compensation
– Permits the disclosure of PHI as authorized by and to the extent
necessary to comply with laws relating to workers’ compensation or
other similar programs, established by law, that provide benefits for
work-related injuries or illness (See 45 C.F.R. 164.512(l))
Patient Safety
• In light of recent events, the OCR has taken steps to publicly address the disclosure of necessary information to law enforcement agencies, family members of a patient, or others, if the patient’s safety is threatened or the patient is a threat to others
• See, e.g., OCR, Message to our Nation’s Health Care Providers (January 15, 2013). Available at http://www.hhs.gov/ocr/office/lettertonationhcp.pdf
Remember
• Familiarize yourself with state law requirements
concerning patient records and use, disclosure or
redisclosure of such records
– HIPAA is the “floor”
• Monitor business associate responses to subpoenas
and other court orders and requests
• Carefully draft orders to describe with sufficient
specificity the patient records that are being
requested and for what purpose