HIPAA PRIVACY AND SECURITY FOR ACADEMIC INSTITUTIONS
Presented by Brian D. Gradle, Esq., Hogan & Hartson L.L.P., Washington, D.C.
December 15, 2005
HIPAA BACKGROUND
The first federal law to govern, among other things, the privacy and security of individually identifiable health information (“Protected Health Information,” or “PHI”)
August 1996 - The Health Insurance Portability and Accountability Act of 1996 becomes law
April 14, 2003 - HIPAA Privacy Rule compliance date
April 20, 2005 - HIPAA Security Rule compliance date
“Covered Entities” are health plans (including group health plans), clearinghouses, and providers that engage in one of the HIPAA standard electronic transactions (e.g., claims filing)
“Hybrid Entities” are entities that have both covered entity and non-covered entity functions, and that designate their health care components. Academic institutions frequently designate their medical center and health sciences operations in this fashion.
Tip: Many hybrids will include IT departments and personnel within the health care component. IT cannot disclose PHI to the non-health care component unless HIPAA permits the disclosure.
“Business Associates” (BAs) are persons that perform functions or activities on behalf of covered entities, and receive or use PHI in the process.
Examples: consultants, attorneys, accountants, IT vendors (with access to PHI), billing companies
Not BAs: custodians (despite access to PHI); IT vendors (without access to PHI)
Required: Business Associate Agreement
Tip: IT consultants working alongside employees can be treated as part of the CE’s “workforce” for HIPAA purposes. This requires that they receive HIPAA training.
Your Role: Help identify those parties that qualify as business associates. Help identify any particular privacy/security issues associated with the PHI.
“Protected Health Information” can be electronic, paper, oral, or other form (e.g., a photograph), so long as it is individually identifiable and relates to the individual’s health, the provision of care, or the payment for care.
Tip: Records subject to the Family Educational Rights and Privacy Act (FERPA) are not subject to HIPAA. Interpretations of the precise scope and nature of the HIPAA/FERPA overlap differ between institutions; your institution’s privacy officer should be able to address this for your specific situation.
A covered entity may use and disclose PHI without patient authorization:
Even if a use or disclosure of PHI is permitted, HIPAA requires CEs to take reasonable steps to limit it to the “minimum necessary” to accomplish the purpose.
Uses and disclosures of PHI not expressly permitted by HIPAA require patient authorization.
Authorizations must be “HIPAA compliant.”
Any additional state requirements (e.g., California’s 14-point font requirement, or disease-specific authorizations) must also be met.
Tip: “Authorizations” you receive should be scrutinized for compliance with HIPAA, per your institution’s policies and procedures.
Health plans and providers are obligated to provide their members/patients with a Notice of Privacy Practices.
Notices set forth the CE’s obligations and the member/patient’s rights regarding PHI.
NOTE: CEs that establish standards that exceed HIPAA requirements must comply with those enhanced standards.
HIPAA does not regulate health information that has been “de-identified.” Two methods are recognized:
1. “Safe Harbor” method. Removal of all identifiers listed in the Privacy Rule, plus no actual knowledge that the remaining information could be used to identify the individual (e.g., a unique job title).
2. “Statistician” method. A qualified statistician determines and documents that the risk is “very small” that the information could be used, alone or in combination with other reasonably available information, to identify the individual.
HIPAA also permits Limited Data Sets, which strip direct identifiers but retain limited identifying elements (dates, town or city, state, and zip code), to be used and disclosed for research, public health, or health care operations pursuant to a written data use agreement. A Limited Data Set is still PHI; only de-identified data falls outside HIPAA.
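The difference between the two de-identification methods and a Limited Data Set is easiest to see on a record. The following is an added example, not code from the presentation or from any institution it describes: it applies the Safe Harbor rules (drop direct identifiers and sub-state geography, keep only the year of dates, truncate ZIP codes to three digits where the area has more than 20,000 people, aggregate ages over 89 into “90+”) and, for contrast, the Limited Data Set rule (drop direct identifiers only). The patient record, the field names, and the `ZIP3_ABOVE_20000` population lookup are constructed assumptions for the example.

```python
import re
from datetime import date

# Constructed sample record for this example; it is not real patient data,
# and the field names are assumptions.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.org",
    "phone": "202-555-0100",
    "street": "1 Sample Lane",
    "city": "Bethesda",
    "state": "MD",
    "zip": "20814",
    "birth_date": date(1912, 3, 4),
    "admit_date": date(2005, 11, 30),
    "discharge_date": date(2005, 12, 2),
    "diagnosis": "hypertension",
    "note": "Reports symptoms since last visit; callback 202-555-0100, jane.sample@example.org.",
}
AS_OF = date(2005, 12, 15)  # reference date used to compute age

# Direct identifiers that both methods strip (names, street address,
# contact details, SSN, record numbers).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone", "street"}
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date"}

# Safe Harbor keeps the first three ZIP digits only where that area holds
# more than 20,000 people; otherwise the prefix becomes "000".  This lookup
# is an assumption for the example; a real system uses Census figures.
ZIP3_ABOVE_20000 = {"208": True, "036": False}

# Best-effort scrubbing of identifiers embedded in free text.  Pattern
# matching does not replace review of narrative fields.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def scrub_text(text):
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return SSN_RE.sub("[SSN]", text)


def age_on(as_of, born):
    years = as_of.year - born.year
    if (as_of.month, as_of.day) < (born.month, born.day):
        years -= 1
    return years


def safe_harbor(record, as_of):
    """De-identify under the Safe Harbor method (45 CFR 164.514(b)(2)).

    Direct identifiers and sub-state geography are dropped, dates keep only
    their year, ZIPs are truncated, and ages over 89 collapse into "90+".
    """
    out = {}
    for name, value in record.items():
        if name in DIRECT_IDENTIFIERS or name in DATE_FIELDS or name == "city":
            continue
        if name == "zip":
            zip3 = value[:3]
            # Unknown prefixes default to "000": fail closed.
            out["zip3"] = zip3 if ZIP3_ABOVE_20000.get(zip3, False) else "000"
        elif name == "note":
            out[name] = scrub_text(value)
        else:
            out[name] = value
    age = age_on(as_of, record["birth_date"])
    if age > 89:
        out["age"] = "90+"  # the birth year would reveal the age, so it goes too
    else:
        out["age"] = age
        out["birth_year"] = record["birth_date"].year
    out["admit_year"] = record["admit_date"].year
    out["discharge_year"] = record["discharge_date"].year
    return out


def limited_data_set(record):
    """Strip only the direct identifiers listed in 45 CFR 164.514(e)(2).

    Dates and town/city, state and ZIP remain, so the result is still PHI
    and may only leave the CE under a data use agreement.
    """
    return {
        name: (scrub_text(value) if name == "note" else value)
        for name, value in record.items()
        if name not in DIRECT_IDENTIFIERS
    }
```

Two design points worth noting: the ZIP lookup fails closed (an unknown prefix becomes “000”), and the free-text scrubber is deliberately narrow; a narrative field that mentions a rare diagnosis plus a town can still identify someone, which is exactly the “no actual knowledge” condition of the Safe Harbor method.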
7. Role-Based Access
Simply because a person can access PHI does not mean he/she should. HIPAA’s role-based access principle means that persons should use and disclose PHI only within the scope and context of their role at the organization.
Tip: For IT professionals, who sometimes have unrestricted technical access, this is a critical concept to understand and follow.
All members of the CE workforce must be trained on the HIPAA policies and procedures as necessary and appropriate to carry out their functions.
Tip: The format and style of training (e.g., by department, in person, on-line) is up to the CE to decide.
9. HIPAA provides individuals with certain rights regarding their health information, including:
1. Unintended Consequence: Disrupting the flow of PHI between providers for treatment.
HIPAA expressly permits the flow of PHI between providers for treatment purposes, and disclosures to (and requests by) a provider for treatment are not subject to the “minimum necessary” requirement.
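The role-based access principle and the treatment carve-out above are the two rules an application-layer PHI check has to encode: a requester gets only the fields its role needs for the stated purpose, a provider asking for treatment purposes gets the whole record, and everything, including refusals, is logged. The following is an added example, not code from the presentation: the patient record, the role and purpose names, and the `MINIMUM_NECESSARY` policy table are constructed assumptions. The point it makes for IT is that an administrator with full infrastructure access has no entry in the policy table and is therefore refused at the application layer.

```python
from datetime import datetime, timezone

# Constructed patient record for this example (not real data); the field
# names, roles and purposes are assumptions.
PATIENT = {
    "mrn": "MRN-0001234",
    "name": "Jane Q. Sample",
    "dob": "1912-03-04",
    "insurance_id": "PLAN-98765",
    "diagnosis": "hypertension",
    "medications": ["lisinopril 10 mg"],
    "clinical_notes": "BP elevated at the last two visits.",
}

# Roles that are health care providers: a request by a provider for
# treatment is not subject to the minimum-necessary limit.
PROVIDER_ROLES = {"physician", "nurse"}

# Minimum-necessary policy: the fields each (role, purpose) pair may see.
# An assumed policy table; a real CE derives it from its documented role
# definitions.  Roles absent from the table get no PHI at all, which is
# where an IT administrator with full infrastructure access lands.
MINIMUM_NECESSARY = {
    ("billing", "payment"): {"mrn", "name", "insurance_id", "diagnosis"},
    ("nurse", "operations"): {"mrn", "diagnosis"},
    ("quality_review", "operations"): {"mrn", "diagnosis", "medications"},
}

AUDIT_LOG = []  # every attempt is recorded, granted or not


class AccessDenied(Exception):
    pass


def _audit(user, role, purpose, record, granted, over_request, denied):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "purpose": purpose,
        "mrn": record["mrn"], "granted": sorted(granted),
        "over_request": sorted(over_request), "denied": denied,
    })


def access_phi(record, user, role, purpose, requested=None):
    """Return the fields of `record` that `role` may see for `purpose`.

    Requests outside the policy raise AccessDenied; requests for more
    fields than the policy allows are trimmed and the excess is logged.
    """
    if role in PROVIDER_ROLES and purpose == "treatment":
        allowed = set(record)  # treatment carve-out: no minimum-necessary trimming
    else:
        allowed = MINIMUM_NECESSARY.get((role, purpose), set())
        if not allowed:
            _audit(user, role, purpose, record, set(), set(), denied=True)
            raise AccessDenied(f"{role!r} has no {purpose!r} access to PHI")
    wanted = set(requested) if requested is not None else allowed
    granted = allowed & wanted
    _audit(user, role, purpose, record, granted, wanted - allowed, denied=False)
    return {name: record[name] for name in granted}
```

The over-request field in the audit entry is the useful signal for a privacy officer: a billing clerk who repeatedly asks for clinical notes is exactly the pattern role-based access is meant to surface, and logging it is cheaper than blocking the whole request.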
2. Key Challenge: Dealing with “Representatives” of Patients
HIPAA defines “personal representatives” as those persons that under applicable law (usually state law) have the authority to make healthcare decisions for the patient.
Adult children of elderly patients, parents of teenage patients, and patients’ friends or companions are not necessarily “personal representatives” under applicable law.
3. Key Challenge: Business Associate Agreements
Many CEs continue to negotiate with BAs regarding the terms and conditions of BA Agreements, particularly the “business points” (liability, indemnification, insurance).
4. Key Challenge: Mitigation
HIPAA requires CEs to mitigate the harmful effects of an improper use/disclosure of PHI, to the extent practicable.
What does this mean, particularly in terms of patient notification?
Tip: Do not forget state law in this situation.
5. Key Challenge: Preemption
Most state laws are not preempted by HIPAA; in particular, state laws that are more protective of individuals than HIPAA remain in force.
Frequently, states will create heightened protection for certain conditions/diseases, such as HIV/AIDS, STDs, pregnancy, genetic testing.
HIPAA generally requires patient authorization, or an IRB/privacy board waiver, for PHI to be used or disclosed for research.
Conflict between the Common Rule, which permits non-study-specific informed consent, and HIPAA, which requires study-specific authorizations.
“A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” This provision is the “mini Security Rule” within the HIPAA Privacy Rule, and, unlike the Security Rule itself, it covers PHI in every form, not only electronic PHI.
The Security Rule sets out 22 standards, along with 19 required and 20 addressable implementation specifications, under its administrative, physical, and technical safeguard categories.
This includes an overall “risk analysis,” itself a required implementation specification, that must be conducted and documented.
Tip: Even among academic institutions with HIPAA compliance obligations, standards for compliance will vary significantly.
2. Building a team (IT, Compliance, Legal) that can evaluate security risks, develop and implement safeguards, and appropriately document policies, procedures, and the overall decision-making process.
3. Balancing competing interests between confidentiality, integrity, and availability. Data that is “too secure” and not readily available to a provider upon request can be just as problematic as non-secure data.
4. What are the expectations for business associates? The Security Rule does not prescribe the safeguards for BAs – only that they be reasonable and appropriate.
Tip: IT may be asked to participate in an evaluation by the CE of a BA’s security safeguards.
Medical devices that run commercial off-the-shelf (COTS) software may be affected by software security patches and enhancements.
The Security Rule does not require e-mail containing PHI to be encrypted. Encryption is an “addressable” implementation specification: as part of its security evaluation, a covered entity must assess whether encryption is reasonable and appropriate, implement it if so, and otherwise document why not and implement an equivalent alternative measure.
Tip: This assessment is often a key role for IT.
The level of security that a CE should establish depends on a number of factors, including the CE’s size, costs, and the probability and criticality of its risks. These are specific to each CE, and the security features of software, hardware, and devices typically do not take them into account.
While the use of outside consultants and vendors can be useful, no outside party has been vested with the authority to deem a CE as HIPAA compliant.
HHS Office for Civil Rights: Privacy Rule (civil)
HHS Office of E-Health Standards and Services: Security Rule (civil)
DOJ for criminal enforcement (over 200 cases under review)
For Covered Entities:
$100 per violation, up to $25,000 per year for multiple violations of the same standard (civil penalties).
Criminal penalties go up to a $250,000 fine and 10 years in prison for wrongful receipt or disclosure of PHI with intent to use it for commercial advantage, personal gain, or malicious harm.
For Any Person:
A June 2005 DOJ memorandum stated that any person could be prosecuted for aiding and abetting, or conspiring to commit, a HIPAA violation.
Finally, enforcement is essentially complaint-driven at this time.
Privacy: Since April 2003, 15,000 complaints
Security: Since April 2005, 20 complaints
Criminal Prosecution: U.S. v. Gibson resulted in a $9,000 fine and a 16-month jail sentence for a healthcare worker who used cancer patient records to obtain credit cards.