
Homeless Integrated Delivery System: The Impact of HIPAA and State Privacy Laws





Presentation Transcript


  1. Homeless Integrated Delivery System: The Impact of HIPAA and State Privacy Laws Patrick J. Webster, Esq. pwebster@kl.com 412.355.8387

  2. What is HIPAA?

  3. Rationale for Regulations • Inconsistent or nonexistent state laws regarding standards of privacy for patient data • Inconsistent or nonexistent state laws protecting patient’s rights regarding their data • Exponential increase in availability and scope of patient data

  4. Who Is Covered? • “Covered Entities” • Health Plans • Health Care Clearinghouses • Health Care Providers

  5. Health Care Providers Providers who conduct financial and administrative transactions electronically, e.g. electronic billing and fund transfers

  6. What Is Covered? • Protected Health Information (PHI) Generally, “Individually Identifiable Health Information” that is: (i) Transmitted by electronic media; or (ii) Maintained in any electronic medium; or (iii) Transmitted or stored in any other form or medium.

  7. Protected Health Information • Individually Identifiable Health Information (i) Information created or received by the Covered Entity; (ii) Relates to past, present, or future physical/mental health condition, treatment or payment for care of the individual; (iii) Identifies the individual or provides a reasonable basis to identify the individual; and (iv) Is used in connection with treatment, payment or “Health Care Operations”

  8. Health Care Operations • Quality assurance activities • Credentialing • Accreditation • Peer review • Case management • Training • Business planning • Certain marketing and fund raising

  9. Definition of “Use” • Defined as “the sharing, employment, application, utilization, examination or analysis of” Individually Identifiable Health Information. • Simply put, regulations concerning uses govern the internal transmission of information.

  10. Definition of “Disclosure” • HIPAA regulations define “disclosure” to mean “the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.” • Disclosures are releases of information to entities outside the transferor entity

  11. General Rule • Covered entities may not use or disclose protected health information unless the Privacy Regulations permit or require them to do so

  12. Permitted Uses & Disclosures 1. To the individual patient 2. For treatment, payment or Health Care Operations 3. “Incident to” a permitted or required use or disclosure • minimum amount necessary, unless for treatment purposes; • must be in compliance with permitted use or disclosure; • must have adequate safeguards

  13. Permitted Uses & Disclosures CONTINUED 4. Pursuant to a valid Authorization (i) Required when use and disclosure is not otherwise allowed under the Privacy Rule (ii) Required for psychotherapy notes

  14. Permitted Uses & Disclosures CONTINUED 5. Pursuant to agreement of patient, which requires… (i) Patient be informed in advance of the use or disclosure, and (ii) Patient is given the opportunity to agree, prohibit, or restrict the disclosure (with exceptions for emergency situations).

  15. Permitted Uses & Disclosures CONTINUED 6. For involvement in the patient’s care and notification purposes 7. The patient agrees and is present 8. Pursuant to the best interests of the patient as determined by the professional judgment of the provider 9. Pursuant to disaster relief efforts

  16. Permitted Uses & Disclosures CONTINUED 10. When required by law (i) victims of abuse, neglect or domestic violence (ii) for judicial and administrative proceedings (iii) law enforcement purposes 11. For public health & oversight purposes 12. To coroner & funeral director

  17. Permitted Uses & Disclosures CONTINUED 13. To organ procurement organizations 14. For research, subject to restrictions 15. To avert a serious threat to health or safety of the person or the public 16. For specialized government functions

  18. Required Disclosures 1. To an individual, when requested 2. When required by HHS to investigate or determine the covered entity’s compliance with HIPAA

  19. Privacy Policies 1. Must set forth rights of access and inspection, duties of covered entity, grievance procedures, right to accounting of disclosures 2. Must ensure that uses and disclosures are limited to “Minimum Necessary” information for purpose

  20. Minimum Necessary Standard: Exceptions • Requests by a health care provider for treatment purposes • To the individual • To HHS when required for enforcement • Otherwise required by law

  21. Notice of Privacy Practices • Covered entities are required to provide notice detailing privacy practices • The Notice of Privacy Practices must: • Be written in plain language • Contain sufficient detail to put reader on notice of practices • Contain specific content relating to: rights of access and inspection, duties of covered entity, grievance procedures and contacts

  22. Notice of Privacy Practices CONTINUED Procedures to be followed: (i) Notice to be Posted (ii) “Good faith effort” to obtain written acknowledgment (iii) Form of acknowledgment to be determined by the covered entity (iv) Documentation of refusals (v) Not prerequisite to treatment

  23. Disclosures to Business Associates • Covered Entities must obtain “Satisfactory Assurances” from other entities that are not themselves Covered Entities prior to disclosing Protected Health Information. • Such other entities are generally referred to as “Business Associates”.

  24. Business Associates 1. Generally speaking, a Business Associate is a person or organization that: (i) Performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information on behalf of a covered entity, or

  25. Business Associates CONTINUED (ii) Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, where the provision of services involves the disclosure of individually identifiable health information

  26. Business Associates CONTINUED • Privacy Rule conditions disclosure of Protected Health Information upon “satisfactory assurances” from Business Associate to safeguard the information • “Satisfactory assurances” means business associate will: • Use information for intended purpose • Safeguard information from misuse • Assist with providing individuals with access to Protected Health Information

  27. Business Associates CONTINUED • Covered Entity is not required to actively monitor its Business Associates, but… • If Covered Entity has actual knowledge of pattern of activity or practice that constitutes breach of a Business Associate’s assurances, the Covered Entity must: • Take reasonable steps to cure; and • If unsuccessful, must terminate (if feasible) or report to HHS

  28. HIPAA Summary • Comprehensive set of regulations that governs who has access to information, what information is disclosed, and how that information is released

  29. General Requirements • HHS recommends that “average” provider or health plan: • Adopt clear privacy procedures • Provide notice to patients about privacy rights and how information can be used • Train employees so that they understand the privacy procedures • Designate a Privacy Officer • Secure Patient Records • When necessary, enter into Business Associate Agreements • Size of Provider dictates Level of Compliance

  30. Issues Arising from HIPAA & Other Privacy Laws for the Homeless Integrated Delivery System • Prior to HIPAA, confidentiality was addressed (if at all) through a variety of State Laws • Similarities among State approaches, but no uniformity • State Laws often have specific provisions on “Ultra-Sensitive Data” - mental health, drug and alcohol, HIV information

  31. Pennsylvania Laws Relating to Sensitive Data • Mental Health Records • Mental Health Procedures Act • DPW Implementing Regulations • Privileged Communications to Psychiatrists and Licensed Psychologists

  32. Laws Relating to Sensitive Data • Drug and Alcohol Records • Pennsylvania Drug and Alcohol Abuse Control Act • DOH Implementing Regulations • Privileged Communications to Psychiatrists and Licensed Psychologists • Federal confidentiality regulations – 42 C.F.R. Part 2

  33. Pennsylvania Laws Relating to Sensitive Data • HIV Records • Confidentiality of HIV-Related Information Act

  34. HIPAA’s Preemption Provisions – State Privacy Laws Federal privacy law does not preempt a conflicting State law provision that relates to the privacy of health-related information.

  35. HIPAA’s Preemption Provisions – State Privacy Laws THUS: • State Privacy Laws are not superseded if there is no conflict with Federal law AND • State Privacy Laws are not superseded if they are more stringent than Federal law

  36. State Law and Integration • Because HIPAA is a new law, there has not been an opportunity for the legal system to determine which state privacy laws will be preempted by HIPAA, and which will continue to be enforceable by the individual states.

  37. State Law and Integration • Because the purpose of the Homeless Integrated Delivery System is to allow providers of medical health, mental health and substance abuse services to better serve the homeless population, compliance with Pennsylvania’s laws as well as the new HIPAA regulations is crucial to the smooth functioning of the System

  38. State Law and Integration • Working with Health Care for the Homeless, we have been developing the necessary agreements, forms and policies necessary to allow the wide array of providers serving this population to participate in the Integration System while complying with all relevant laws, at both the Pennsylvania and Federal levels

  39. Integrated Delivery System • Necessary documents and legal analysis for compliance with HIPAA & State privacy laws • Standard Sub-Recipient Agreement • Authorizations compliant with all applicable laws • Consultation on Business Associate issues
