
“HIPAA In Relation to Other Federal Laws”

“HIPAA In Relation to Other Federal Laws”. Professor Peter P. Swire, Ohio State University; Consultant, Morrison & Foerster LLP. Glasser LegalWorks/HIPAA Conference, October 23, 2002. Overview: Basics of HIPAA and other laws. Other federal laws: FERPA, Privacy Act, etc.


Presentation Transcript


  1. “HIPAA In Relation to Other Federal Laws” Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Glasser LegalWorks/HIPAA Conference October 23, 2002

  2. Overview • Basics of HIPAA and other laws • Other federal laws: • FERPA, Privacy Act, etc. • HIPAA and Financial Services • Conclusion

  3. I. Basics of HIPAA and Other Laws • When are you required to disclose medical data? • Much confusion on this during drafting period • Basic HIPAA approach -- HIPAA itself never requires disclosure • Exactly two exceptions • Access to patient records, Sec. 164.524 • HHS enforcement of the rule, Sec. 160.310(c)

  4. “Required by Law” • Many situations where other law requires you to disclose medical data • Most clearly for a court order • Not a HIPAA violation to comply • Sec. 164.512(a): “A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.”

  5. Basics on required disclosures • HIPAA (almost) never requires disclosure • HIPAA generally creates new legal limitations on using and disclosing PHI • HIPAA says you may disclose where required by other law • It’s your call what you are required to do -- HIPAA doesn’t give the answer • Both HIPAA and other law apply

  6. The Privacy Act as Example • Law applies to federal agencies, with fair information practices limiting disclosure and providing access • As of April, 2003 federal agencies will comply with both laws, where applicable • HIPAA enforcement for HIPAA violations • Privacy Act enforcement for Privacy Act violations

  7. EMTALA as Example • Requires treatment on site where patient arrives in emergency situation • HIPAA applies -- must protect PHI but can use & disclose it more broadly for treatment, payment & health care operations • EMTALA applies -- a separate, ongoing legal requirement

  8. Public Health & Health Oversight • Public health, Sec. 164.512(b) • Health oversight, Sec. 164.512(d) • Both say covered entity “may” disclose • No new compulsion from HIPAA to require the disclosure • If a covered entity believes disclosure is not appropriate, and disclosure is permitted by HIPAA, then the other law governs

  9. II. HIPAA Provisions about Other Law • Some provisions in HIPAA specifically point to other statutes as supplying the applicable law • Workers’ Comp, Sec. 164.512(l) • May disclose “as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault” • Required vs. permissive disclosure the key

  10. FERPA -- Educational Records • In HIPAA: • Definition of “protected health information” excludes • “educational records” covered by • the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g • Therefore, if records covered by FERPA, no HIPAA obligations

  11. FERPA • “Educational records” are: • “those records, files, documents, and other materials which • contain information directly related to a student; and • are maintained by an educational agency or institution or by a person acting for such agency or institution”

  12. What Does this Mean for Schools • K-12 nurses -- clearly only have FERPA and not HIPAA • Universities and schools serving over 18 years old -- right to the student instead • What if student health services also serve non-students? Spouses, employees? • Legally, HIPAA applies to those • Practically, keep separate?

  13. HIPAA and the End of College Athletics! • Will we learn that the quarterback is hurt? Will sports gamblers be able to pursue their chosen profession? • FERPA -- governs school athletes, authorizations required as today • Pro sports -- authorization can be required by the employer • Will union contracts limit that?

  14. III. HIPAA & Financial Services • Gramm-Leach-Bliley & HIPAA • 2 statutes, comply with both • Does that mean 2 notices for covered entities? • GLB came first • GLB agencies contemplated that compliance with HIPAA would count for GLB notice • I am not aware of any follow-up clarification by GLB agencies

  15. GLB & HIPAA • HHS comments, Dec. 2000 • agencies consult to avoid duplication • insurers covered by GLB would be subject to states, not FTC • The upshot: • Health insurers or other dual covered entities likely can give only HIPAA notice • No definitive word from GLB agencies, though

  16. HIPAA and Financial Services • The “payment” exception in HIPAA Sec. 1179 • Easy case • Check, credit card and the basic routing information • Name, account numbers, what is needed to process the payment itself • That data entirely outside of HIPAA

  17. Payments and HIPAA • “Back office” • As financial institution goes deeper, and does back office for a covered entity, HIPAA risk grows • At some point, become business associate • Clearinghouse • Convert standard/nonstandard transactions • Specialized financial services entity, can become a covered entity

  18. Conclusion on Other Fed. Laws • Disclosure required by other law, then at least may disclose PHI • Disclosure permitted by other law, then HIPAA limits apply • Disclosure forbidden by other law, then HIPAA does not authorize the disclosure (with tiny possible exceptions)

  19. Contact Information • Web: www.peterswire.net • Email: pswire@mofo.com • Phone: (240) 994-4142
