Module 2: HIPAA Privacy Fundamentals

Iliana Peters
Length: 108:42 | Format: Video with PowerPoint
Related Content: Module 2 HIPAA Privacy Fundamentals.pdf


I'm going to do module two, which is the HIPAA privacy fundamentals, and really the purpose of this module is to set out the important definitions. If you haven't already gathered, the rules are very definition driven, so it's very important not to just guess at a definition. Always know where the definitions are in the rules so you can go to them and look at them very specifically. The same is true of the standards; the regulations are very specific, so it's very important to keep in mind that while we're giving you a general overview, even still I never just work off the top of my head. I always make sure that I have my rules, so that I can go to my rules and look to the specific section, because they are very specifically driven. So again, as I go through this, this is really a reference for you, so when you have time you can go back and look at the specific provisions of the rule. So what I want to do is lay out the definitions for you very broadly, and then lay out the sections of the rules, so then you can know where to go when you have a specific question. So again, I think I met most of you, if not all of you. My name is Iliana Peters and I am a specialist with the headquarters office in Washington, DC. I started as an investigator, worked in private practice for a while, started as an investigator with the government in the Dallas regional office and then moved up to Washington, DC to do work at headquarters. I have actually done investigatory work as well as policy work; now I work particularly on writing regulations and guidance. So I am a team lead for drafting the regulations pursuant to the HITECH Act and other pieces that we're working on. So writing the regulations is really my bread and butter and I enjoy it, so I hopefully know these pretty well. If you do have questions you should always feel free to contact me with any questions that you do have. Let me see if I can find my slides right here.
Okay, so module two, the privacy fundamentals. As I said, we hope to familiarize you with the major areas of the privacy rule. The privacy rule is divided into three main parts, and we're going to get into the weeds on all of these: the first part of the rule discusses uses and disclosures, the second part of the rule talks about individual rights, and the third part of the rule discusses the responsibilities of covered entities and business associates. So we are going to talk about all of these in depth and break them down for you. We're also going to talk about definitions and terms, the HITECH Act, and techniques to identify potential privacy rule violations. After this module we hope you will feel comfortable with the definitions and the requirements and understand where things are in the rules so you can develop your own investigations. So before we can talk about uses and disclosures and individual rights and administrative responsibilities, we really have to get into the definitions. So initially we are going to talk about the definitions so you'll feel more comfortable applying them. Use of information happens inside an entity, so anything that is going on within the four walls of the entity, or with regard to its business associates, which is what we talked about a little bit earlier and will talk about more later, that is a use. So when you think use, think inside the entity. When we talk about disclosure, we are talking about the release, transfer, provision of, or divulging of PHI. That means outside the entity, so when you think about disclosure, think about going outside the entity. So when you look at the requirements of the rule, it is very specific as to use or disclosure: use is within the entity, disclosure is the movement of information to outside the entity.
So we talked about covered entities. You will remember they are health plans, health care clearinghouses and health care providers who transmit health information electronically in connection with a covered transaction. And again, when we say covered transactions we're talking about transactions within the rules. However, there are a lot of different ways in which covered entities form themselves. A lot of times they are complex legal entities with lots of different roles and responsibilities, so these are very interesting and complicated concepts within the rule. They are complicated, but we wanted to give you a background on the various types of legal entities that covered entities may take shape in, so that when you are looking at an investigation you can say, okay, is this this type of legal entity or is this that type of legal entity, and you can go back to the rule and look at those. So there are different organizational structures, and there are three specific types in the rule: there are hybrid entities, there are affiliated covered entities, which are called ACEs (as Val mentioned, we have to have acronyms for everything), so we have hybrid entities and affiliated covered entities, which are ACEs, and we have organized health care arrangements, which are called OHCAs. So three types: hybrids, ACEs, OHCAs. So hybrid entities help covered entities to focus their compliance. Hybrid entities are about how to focus compliance with the rules. ACEs and OHCAs help entities establish the relationships and apply the rules where it makes sense so that it's not duplicative for them. Now the thing to remember with these three types of entities, these organizational structures, is that they all require documentation of some sort.
So if you go to a covered entity and they say, we're a hybrid entity, they just can't say "I am a hybrid entity"; they have to have some indication on paper that they've done the analysis, that they've done the provisions required by the rule, and how that organization is going to work within that entity. So talking more about hybrid entities: hybrid entities are generally covered entities where some part of the covered entity performs covered functions, there could be a health care provider, and some parts don't. So you have, within one legal organization, lots of different functions going on. Under the rule, the organizations can separate the activities or divisions that conduct the HIPAA-related functions, the covered functions, by designating that part of their organization as the health care component. So you have a very large covered entity and they take the piece that does the covered functions and they call it the health care component. And I'm saying "call it," but as I said there is documentation that displays the designation required. For example, the state police department could have copies of medical records, but we don't think that Congress intended the state police department to be covered. But because the state itself may be a covered entity, because it has a covered health care department that provides services, that state can hybridize its health care component, the health care provider piece, the Medicaid piece, into a piece that complies with the privacy rule and the security rule. And then it can push those other functions that don't do or have HIPAA-covered functions into another piece. So you have one legal entity that has different pieces inside. If the covered entity designates part of itself as a health care component, that component has to comply with the rules. And it has to treat all disclosures of information as disclosures.
So if you have a disclosure from the health care provider piece, from the Medicaid piece, to any other part of that state legal entity, they have to treat it as a disclosure, and disclosures usually require more hoops to jump through within the rules. So once they hybridize, once they create this little bubble around their health care component, that becomes the covered entity, and anything that moves outside that bubble is a disclosure with its own requirements. So here are some examples of hybrid entities that we see most frequently: state health departments, correctional facilities with health care clinics, data processing centers and universities. Universities are a good example, as you can see; there are parts of universities that do purely academic functions and then there are parts of universities that do provide health care, so what they usually do is hybridize out the portion that does the health care. So moving on to ACEs: affiliated covered entities are legally separate covered entities. This is different because they are not one legal entity; they are legally separate covered entities. But they may be owned or controlled by the same business organization or individuals. If they are, they can document their status so that they can participate in a joint compliance program, so this is really about making compliance easier for entities that are separate legally but are owned by the same entity, individuals or organizations. An example of this is hospital chains, or a chain of clinics. When we talk about OHCAs we are talking about two or more separate legal entities, so again they are separate legal entities, that provide health care together jointly. So they're not owned by the same company but they work together to provide health care. If they do that, they can document their status as an organized health care arrangement and participate in things like utilization review or quality measurement together.
So as I said, the OHCA can look like one organization to consumers; they sort of hold themselves out as one organization to consumers even though they are separate legal entities. And they can document their status so they can disclose PHI to each other for joint practices like health care operations. They can use a joint notice of privacy practices, which we'll talk about later, and they can have common business associates, so again it's about joint compliance. So for example, if a patient goes to a hospital for a surgery, the doctor, the pharmacy and the hospital all working together may be an OHCA even though they are separate legal entities; they are holding themselves out sort of as one functioning health care provider. So as an investigator, if you're coming into a covered entity situation and you're not quite sure what the legal relationships are, you may need to clarify: is this a hybrid entity, is this an affiliated covered entity or ACE, or is this an OHCA? What exactly is going on? That determines what the responsibilities of the entities are moving forward. Okay, we talked about the three different types of organizational structures; now let's talk about a couple of the major terms and concepts used in the privacy rule. The first major concept in the privacy rule, a significant standard, is the minimum necessary standard. So what does this mean? When a covered entity or business associate uses or discloses PHI or requests PHI (this is a new concept; this is one of the few places in the rule that the term "requests" comes in; we talk about use and disclosure all the time, but with minimum necessary we also have to consider requests), the covered entity can only use, disclose or request the minimum necessary PHI to accomplish the intended purpose. So what does that mean? That means I can only ask for, I can only use, I can only disclose the limited amount of protected health information that I really need to do whatever I am doing.
So if I'm billing an insurance company, I am a provider billing an insurance company and I have to disclose the information that they need to get that claim paid; I can't disclose the entire medical record. I need to only disclose the information that the plan specifically needs to pay that claim. And a lot of times you can look to state laws; there are a lot of state laws, as you know, that talk about what a clean claim is and what has to be included, and that would give you a good idea of what the minimum necessary in a particular situation is. There are some exceptions to minimum necessary. The most important exception is for treatment purposes; as Val said earlier, the rules are not designed to interfere with treatment. There are few to no constraints on entities providing treatment, because we don't want to have someone stop and say, okay, am I compliant with HIPAA, when they are treating someone, because there could be a situation where you don't have time for that. So one of the important exceptions to minimum necessary is treatment. If someone says, I need the medical records because I have to figure out how to treat this person, you can say okay, you can have it. Because it really is important to have all of that information for treatment purposes. Disclosures to HHS, to the federal government for compliance, aren't subject to minimum necessary. Disclosures required by law are not necessarily subject to minimum necessary because you'd be confining the information to what is required by the law, and disclosures for compliance with the rules. So the only other place that minimum necessary does not apply is with regard to authorizations, and we'll talk about authorizations later, but basically the individual authorizes the disclosure; if they specifically said you can disclose that information, then you have the right to disclose the information that you said you would. So another interesting twist on minimum necessary is what we call role-based access.
And this is something that you really will look for when you're looking for things for your investigations when it comes to covered entities. The minimum necessary standard also means that when covered entities are implementing their policies and procedures with regard to PHI, and who has access to that PHI in their organization, they need to think about what type of information that person actually needs to get their job done. So for example, a nurse will have different needs than the biller, who will have different needs than the dietitian, who will have different needs than the hospital administrator with regard to information. It is not a free-for-all for anybody that works in a hospital to access any and all information. So this is what we call role-based access: depending on your role in the organization, the covered entity would have to make sure that that person only gets access to the information that they actually need to do their job. And we'll talk about this more when we talk about the security rule. So this also means that for routine disclosures and requests, covered entities have to implement policies and procedures or standard protocols, so if you have a routine request for information about something that happens all the time within an entity, you have to have a policy and procedure to deal with that. For non-routine requests, the entity has to review each one of those requests individually and really has to determine what the minimum necessary information for that specific request is. So if you have things that happen every day, that come in and out, claims, disclosures, those kinds of things, you really need to have a standard set of procedures that talk about how you are going to deal with minimum necessary for all those routine disclosures.
If you have something weird out of the blue, maybe a request pursuant to law enforcement or some of the other permitted disclosures that we're going to get to in the rule, a lot of the time the covered entity doesn't get those every day, so they do not have a policy or procedure, so they get that request and they have to look very closely at it to determine what the minimum necessary required information for that purpose is. Okay, moving on, let's finish up lesson one. So getting back to minimum necessary, now that we've talked about it a little bit more: the HITECH Act, to put this on your radar, did modify the minimum necessary standard to require that a covered entity must limit PHI uses and disclosures to the limited data set as currently defined in the HIPAA privacy rule. So I will talk about limited data sets in just a second. But the way this works is that the covered entity basically now has to default to a limited data set, that would be the default, and if they say, okay, for some reason that's not enough information (and again I'll tell you what a limited data set is), then they would go back to the normal standard and figure out what other information besides the limited data set information they need to use or disclose for that particular purpose. So we are working on guidance on this. So look for our guidance when it comes out with more on this. But let's talk about the continuum of information under the privacy rule. So first you have PHI. We have talked about PHI: PHI is completely protected and is individually identifiable information that is maintained by a covered entity or its business associate, and it is completely protected by the rules. So on this one side of the spectrum you have PHI, completely protected. In the middle you sort of have limited data sets; limited data sets are also protected, but they are stripped of certain identifiers.
And we'll talk about this a little bit more, but basically limited data sets can be used for research and public health purposes. So it's protected health information, it is individually identifiable, it can identify a person, but it's been stripped of some of the identifiers, and the rule specifically lays out what those identifiers are. So you take this PHI that is protected, you strip out some of that identifying information and then you get a limited data set, and you can disclose that limited data set for other purposes like research and public health. So moving beyond the limited data set, you have what we call de-identified information. And de-identified information is no longer protected by the rule, so it is protected health information that has been stripped of identifiers in a method prescribed by the rule and it can no longer be used to identify an individual. So if you have all this information that has been stripped of all this identifying information, you can't actually use it to identify an individual anymore; even if it's held by a covered entity, it is no longer protected, and they can disclose it for other purposes. So again, the spectrum sort of moves from protected health information, which is completely protected, to limited data sets, which are also protected but have less identifying information, and then you have the de-identified information on this other end. So when you're thinking about the provisions of the rule, it's important to think in that way when you're looking at the requirements. So as I said, limited data sets are of real value for research and public health or health care operations purposes. And if a person wants to use a limited data set they have to sign a data use agreement, so it's just not a free-for-all to have a researcher come to a covered entity and say, I really need this information to do my research; there are other provisions that are involved, but they would have to sign a data use agreement.
They would have to sign an agreement that says we are only going to use this information for these purposes and we're going to protect it. So if you have a limited data set, also look for a data use agreement. And it basically says that the information is only going to be used for specific purposes, no attempts are going to be made to re-identify it, and it will not be re-disclosed. When we talk about de-identified information, the protections no longer apply; as I said, this is no longer protected health information anymore. Some situations make the news, and you have to be careful when you look at news reports, because a lot of times what you find out in the news actually turns out to be data aggregators and that information is de-identified information. So when you're talking about de-identified information that makes the news, you know, someone bought and sold information, it's very important to look at that information to make sure that it actually contains identifiers, that it actually is identifiable information. Because it is not a privacy rule violation if it is de-identified information, and information can be de-identified in two ways. First, there is the expert determination method, and this basically means that the covered entity hires an expert; this is what they do: they do statistical analysis, they remove identifiers and they figure out the likelihood of re-identifying an individual from the information that is left over. So it's very complicated; I don't do this, I'm not a statistical analysis person, but basically you would go to someone who does this every day and pay them to figure out what the information is that will not re-identify an individual. Some covered entities do use this method. The other method that is available is what we call the safe harbor method. The rule lists 18 specific identifiers that you have to remove from PHI to de-identify something.
So once you have removed those 18 specific identifiers from the information, it is no longer protected information and can be disclosed because it's de-identified. It cannot be reasonably used to re-identify an individual. So okay, we have talked about the differences between uses and disclosures; remember, uses are within an entity, disclosures are outside an entity, use and disclosure. We have talked about the three types of organizational structures for covered entities: we talked about hybrid entities, we talked about ACEs and we talked about OHCAs. And we talked about the minimum necessary standard and role-based access. Finally, we talked about limited data sets and de-identified information. So does anybody have any quick questions on this? We have a couple of minutes if you have questions now, and if not we will take a break and then move on to lesson two. Questions? Okay, great, let's reconvene at 10:40 and then we'll get started on lesson two. Now let's get to the first two main sections of the rule. The first two sections of the rule are permitted, required and authorized uses and disclosures, so uses and disclosures fall into three categories: permitted, required and authorized. And then the second section of the rule talks about individual rights and what rights individuals have under the rule. So after this lesson you should really have a better idea of what uses and disclosures are permitted and required and what rights individuals have. So just by way of background, the privacy rule establishes what we refer to really as a federal floor of protection; it's kind of your baseline. So there are a lot of different states, there are a lot of different entities, that go above that baseline; the privacy rule is designed to provide a level playing field on which the states and entities can build if they would like to.
So the privacy rule doesn't prevent covered entities from establishing internal policies that provide greater protections or that offer consumers greater rights. And the privacy rule explicitly states that state laws may require covered entities to provide greater protections. So a state law is consistent with HIPAA if the state law is more stringent, for example it provides more rights to individuals or more protections for information; it would not be preempted if it was more stringent. So again, the privacy rule is just a baseline; covered entities can provide more protection, states can provide more protection. And it's an interesting concept because a lot of times you hear from employees, "HIPAA won't let us do that." It may not actually be the rule that is interfering with whatever they want to do; it may be the covered entity's actual policies and procedures. There are a lot of permissions under the rule, as you'll find out. A lot of covered entities just don't want to deal with it; they do not want to deal with finding out when they can do X and when they can do Y, so they are just going to say, we are not going to do it at all. And that's okay from a privacy rule standpoint, because they are providing more protection for that information. So remember that uses and disclosures fall into two categories: there are required uses and disclosures and there are permitted uses and disclosures. So that's how the rule generally works. You have required uses and disclosures and you have permitted. If you don't have a provision in the rule that provides either a requirement to disclose or a permission to disclose, then you either can't do it or you have to get an individual's authorization to do it. So if there's not a requirement to disclose under the rule, or not a specific permission to disclose under the rule, then you have to get the individual's authorization to make that disclosure.
There are two required uses and disclosures under the rule, just two. The two required uses and disclosures are to the individual when they are exercising their right of access (and we'll get into that a little bit more, but there is a required disclosure to the individual) and to the federal government, to HHS, the Secretary of HHS, when we are investigating. So you only have two required disclosures: individual and HHS. There are generally six areas of permitted uses and disclosures, so six general areas of permitted uses and disclosures. Those are treatment, payment, health care operations, incident-to uses and disclosures, with the opportunity to agree or object, and for public policy. So six areas: treatment, payment, health care operations, incident-to, with the opportunity to agree or object, and for public policy. Any other use or disclosure, if it's not one of those two required or six general areas of permissions, requires an authorization from the individual. Okay, so let's get into the weeds for a little bit on this stuff. So as I said, the two required uses and disclosures are, first, to the individual when exercising their right of access to their protected health information, either to copy and inspect or for an accounting. And we'll talk about those individual rights provisions more, but if it is the individual trying to exercise an individual right for access or accounting, then that is a required disclosure. The other required disclosure, as I said, is to the Secretary of HHS when we're doing an investigation. So as I also said, the rule has a few more broad categories of disclosures. CEs, covered entities (I will refer to them as CEs), and business associates, or BAs, can always disclose information to the individual, always; it is always a permitted disclosure. And they can use PHI or disclose PHI for treatment, payment, and health care operations, which I talked about for a little bit.
Those are also broad categories that we'll discuss further. When we are talking about all this, again it's important to remember that the rule is specifically designed not to interfere with treatment. So as I said before, there are no limitations on uses and disclosures for treatment purposes. Treatment is a very broad category of uses and disclosures. It's really important that health care providers get the information they need so that they can provide treatment to individuals. There are a few limitations on payment, because payment is also very important; we want providers to get paid for what they're doing, but there are a few limitations on payment. Mostly, minimum necessary and safeguards, which we've talked about a little bit. When we talk about health care operations, this is sort of an interesting concept that might be a little bit hard to wrap your brain around. But they are the administrative, financial, legal and quality improvement activities of an entity that are necessary to run the business or to support the core functions of treatment and payment. These are generally a use, because when we are talking about health care operations we are talking about the business of health care, the business of providing treatment, the business of making payment. So those health care operations are all of those things that the business has to do to get treatment and payment done. And because they really are business functions, they happen within the entity; they are not involving disclosures outside of the entity. So some examples of this are evaluating the competence of health care professionals: if your health care professionals are to provide treatment, you want to make sure that they can do that. That's a business function to provide treatment.
Evaluating provider and health plan performance, training, accreditation and certification, licensing, credentialing, business planning and development, cost management, planning and analyses, all of those business-like functions are health care operations. When we talk about incident-to disclosures, that's exactly what it sounds like: it's a use or disclosure that happens because you're making another permitted disclosure under the rule. So for example, if you have a treatment disclosure, you have a nurse and a doctor that are in a hallway and they are having a discussion about a patient's treatment, and someone walks by and they hear that discussion. That disclosure to that third person, who is not involved in the treatment discussion, is incident to the treatment discussion, and that's okay. We realize that there is a leakage of information when you're doing things like treatment, payment and health care operations and other things that happen in the rule, as long as you have safeguards in place, for example the nurse and the doctor cannot be screaming at each other, and it is the minimum necessary amount of information. Now, if this is a treatment discussion, then minimum necessary would not apply to the treatment discussion, but it would apply to the incident-to. So it is important to remember that on these incident-to discussions, this is really the leakage of information; these are permitted disclosures because they have to happen because you have other permitted disclosures going on. You have to have minimum necessary information and you have to have appropriate safeguards in place. So as I said, for example, a hospital patient in a shared room overhears two doctors discussing the other patient's information; that's an incident-to disclosure, because there is a treatment discussion going on and someone overhears it.
If there are safeguards in place, that's okay. Hospital staff and other patients hear a patient's name when an ambulatory patient is paged; again, that is okay. Sign-in sheets in your doctor's office, if there are reasonable safeguards, i.e. after 10 patients they cross them out, or they use a different sheet or something; you're still going to have some leakage of information. And that's okay as long as they have the safeguards in place and they've done the analysis. Okay, so when we talk about the opportunity to agree or object, and I think we had a question about this earlier, there is a category of permitted uses and disclosures where the use or disclosure is permitted if the individual has the opportunity to agree or object. In a lot of cases this agreement can be inferred from the particular situation, so I know we had one example earlier; can anybody think of another example that might be one of these permitted disclosures with an opportunity to agree or object? I think the most common example in my mind is when I send my sister to go pick up my prescription at the drugstore. Obviously from that situation, the pharmacy can infer that I agreed to the disclosure of limited information because I sent her to pick up my prescription. If I didn't want her to know, I wouldn't have sent her. So she is a person that is involved in my care and the payment for my care, and I have had the opportunity to agree or object to her involvement. There are some other examples here: covered entities can provide lists of disaster survivors to the Red Cross; that would be the disaster relief purposes. A hospital can include a hospital patient in a hospital directory; again, we talked about that earlier, the individual has to have the opportunity to object to that, and some patients do. A lot of celebrity patients obviously don't want to have their names listed in facility directories.
Health plans assisting plan members on the phone with billing questions can talk to the plan member's spouse if the plan member asks them to do so, those types of things. Family and friends involvement is okay if the individual agrees or has the opportunity to agree or object. So this is that public health, public policy area that I talked about earlier; this is that last general area of permitted disclosures. There are required by law disclosures and those are exactly how they sound: it's a disclosure that is required by some other law. And we are not talking "you may" here, "you may disclose"; we are talking "you shall disclose" or "you must disclose." It is required, you have to do it. Public health activities, that's a general category but the rules are specific about how that works. Abuse, neglect, domestic violence situations, obviously we want to make sure that those people are protected but the rule does provide for disclosures in certain situations to people who can get that person help. So we don't want you to not tell if something is going on, we want you to do it the way the rule provides for you to do it. Health oversight is another one. Judicial and administrative proceedings, that's an important area to look at where you guys are; there are specific requirements about court orders and subpoenas so it is important to look at that provision. And for law enforcement purposes the rule does permit disclosure for certain law enforcement purposes but they are very specific purposes and there are specific requirements involved with those law enforcement disclosures. So what I'm trying to do here is give you a sense of the broad categories of the rule so that when you are looking at any particular situation you can go to the rule and say okay, I have a subpoena, how does that work? 
A subpoena is not sufficient on its face, so what else do I need to figure out about what is going on here? So you would look to 164.512 and you try and figure out whether or not the requirements of the rule were met in any particular situation. So here are some more; these are again those public policy, public health areas: decedents, in specific situations when we are talking about tissue donation; research purposes, research is very important and we work very closely with the research community to develop these rules and we're making some changes that I'll talk about later. We don't want to stop our health research from happening but again if someone wants to do research they have to do it in a way that complies with the requirements of the rule. To avert a very serious threat to health and safety, this is a very specific, very small permission of the rule which is specifically based on a case called Tarasoff which I think you are all familiar with from your law school days. So again if you're looking to this provision you have to look to the very specific requirements of that provision. Specialized governmental functions, these are things like you have a national emergency, the President is involved, there are provisions in the rules that talk about those, and workers' compensation, we also talk about workers' compensation. So again if you don't have one of these broad permitted uses or disclosures, any other disclosure, two required, six broad areas of permitted, if it doesn't fall into two required or six broad areas then you'd need an authorization. So marketing and psych notes are a little bit sticky because they almost always need an authorization. When we are talking about getting authorizations, if you have a situation that involves marketing or if you have a situation that involves psychotherapy notes. 
And I'll talk about psych notes a little later when we talk about individual rights, but it is a specific defined area in the rule and it is its own little category of information, so just to put that in your brain, if you have a case that talks about psychotherapy notes remember that is a specific area of the rule that you need to look at. So again you need an authorization for marketing and psych notes and you'll need one for everything else if it is not required or permitted. Okay, so we have decided that it's not required; you have a case study, required use or disclosure, it's not to the individual and it's not to HHS, okay it's not required. It's not a permitted disclosure, it's not treatment, it's not payment or health care operations, it's not an opportunity to agree or object case, it's not incident to and it is not one of those public policy disclosures, you have ruled all those out, you need an authorization. What does that mean? What does an authorization look like? An authorization is specifically spelled out by the rule. It's not an informed consent; if you're looking at a case it's very important to realize that it is not an informed consent. So it has to be written, and as I said the elements are specifically prescribed by the rule. And it is only valid for HIPAA purposes if it contains those elements as specified by the rule; as I said, an informed consent is insufficient. So once the information leaves a covered entity pursuant to an authorization, it's not protected anymore, so the point of the authorization is really to get the individual to understand the disclosure. Because once that information leaves that entity pursuant to the authorization it is not protected anymore, so we want to make sure the individual has the opportunity to understand what the disclosure is going to involve and that their information is not going to be protected once the disclosure is made. 
So an example of this is a nurse can authorize the disclosure of a pre-employment drug test to her employer, a hospital; since it's part of her employment record, and Val touched on this earlier about the difference between an employment record and the records that a covered entity keeps, it wouldn't be protected anymore. So it's important for that nurse to know that once she discloses that information it is not protected anymore. So obviously if you have a case involving an authorization you need to see a copy of the authorization; if they say it is an authorized disclosure, the next question is all right, let me see a copy of that. If there isn't one, then that is an obvious violation, because you need one. Once you do get a copy then you want to look at it so that the required elements of the rule have been fulfilled. And this is one of those where you sit with the authorization and you sit with the rule and you make sure, okay yes, yes, no, no. And I don't want to get into every single element of the authorization but it is things like what information is going to be disclosed; you want the patient to know what information is going to be disclosed. It has to have a time period on it. It can't be until perpetuity, that is not okay, it has to be limited in scope and things like that; you want the individual to have all the information they need to make an informed judgment about this disclosure. Other questions: as I said it has a time scope element, so if you're looking at the authorization, was the authorization actually in effect when the disclosure was made? So if you have an authorization that is good for a 30-day period and the disclosure was made 60 days later, then although it may be a valid authorization on its face, it was not actually in effect when the disclosure was made. Was it revoked? The individual has the right to revoke the authorization. 
Is it a compound authorization? Which is kind of a complex idea, but look to the rule: is it one that's permitted? The rule specifically talks about compound authorizations, a lot of times for research purposes. Was the agreement to provide treatment conditioned on the execution of the authorization? That's not okay. You can't say I'm not going to give you treatment unless you sign this authorization. And to the best of the entity's knowledge is all the information correct and true and not false. Okay, so back to lesson two. We talked about earlier the first two major parts of the rule are uses and disclosures, which we just covered, and again those are required, permitted or authorized uses and disclosures: two required, six general permissions and authorizations, so if it's not one of those required and it is not falling into one of those six general permissions as outlined by the rules you would need the authorization. Now we're going to move on to the second area of the rule which is individual rights, so if you look at the rule it's actually sort of in these three categories: uses and disclosures, individual rights, and administrative responsibilities. So when you are thinking about where to go in the rule, the first section would be uses and disclosures, the middle section is really individual rights and the end is administrative responsibilities, although the administrative responsibilities are sprinkled in as well. When we talk about individual rights there are really seven areas of individual rights: notice, access, accounting, amendment, restrictions, confidential communications and complaints. Okay, so we're looking at seven general areas of individual rights: notice, accounting, access, amendment, restrictions, confidential communications and complaints. Okay, so what's notice about? 
Your notice of privacy practices is required by the rule because we want individuals to have the opportunity to learn about how their information is going to be used and disclosed pursuant to the rule. Every single one of you has gotten one of these when you go to your health care provider and chances are you didn't even read it. Or if you read it you did not know what you were looking for, so I would encourage you the next time you go to not only read it but, now that you know what you're talking about, to look for the required elements. See if they are there; they should include a description of these uses and disclosures, and rights. So the rule has different requirements for the distribution of, the acknowledgement of, and the posting of the notice for health care providers and health plans. The requirements for health care providers and the requirements for health plans are different because they interact with the patient differently, as you can imagine. A health care provider sees a patient episodically to provide treatment and the health plan has different contact with a patient, so they provide this notice in a different way. So again just to go over it in plain language, it should contain the required header language, how the individual's information is going to be used and disclosed generally, we want to know how that is going to happen, what their individual rights are and what the covered entity's duties are, and again like an authorization this form is spelled out in the rule, so if you have an authorization case or a notice case you want to go to the specific piece of the rule and make sure all the elements are there. It should also talk about how the individual could file a complaint both with the entity and with HHS and we'll talk about this a little bit more. Contact information, effective dates, and like I said before health care providers have to get acknowledgment of this; they have to attempt to get acknowledgment, I should rephrase. 
And health plans are required to send it out with plan documents; the rule spells that out. Okay so we covered notice, the individual has a right to a notice, so they know what their rights are and what uses and disclosures the entity is going to be making. They have a right to inspect and copy which is generally what we call access, that's our access permission. And as I said that is the right to inspect, so the individual actually has the right to go to the covered entity and to inspect their records; they actually also have a right to a copy of the information in what we call the designated record set, so let's talk a little bit about what a designated record set is. A lot of people think that this right only extends to their medical records; that's not correct. The designated record set is the group of records that is used by the covered entity to make decisions about individuals. And that includes pretty much all the information that the CE maintains: medical records, billing records, electronic health records, it's all part of the designated record set. So as you will see up there, it includes all of this information and the individual has the right to inspect all that information and they have a right to a copy of all that information. Now the right to access does not include psychotherapy notes; as I said earlier psychotherapy notes is a special part of the rule. Psychotherapy notes are the notes that a psychotherapy provider takes during a session with an individual; they are handwritten, they are the jottings of the psychotherapist, and in order to qualify as psych notes they have to be kept separately from the designated record set, so if they are thrown in the medical records with everything else the protection doesn't apply, but if they are kept separately, if they are designated psychotherapy notes, then the right to inspect or copy does not apply to them and the authorization provisions that we spoke about earlier would not apply to them either. 
The right to inspect and to copy also does not apply to information that is being compiled for a legal proceeding, which is a very specific area of the rule; if you have a question about that I would refer you to the rule to figure out if that's the situation that you're dealing with. And for example, information that is subject to CLIA, the Clinical Laboratory Improvement Amendments of 1988. CLIA is a very specific exception and only applies to certain laboratories, and essentially the provision was designed to make it so that an individual, if they were to go to their lab, if you have ever seen a lab test it's mumbo-jumbo, very difficult to figure out what that means, so CLIA was designed to make sure the lab report went to the physician who could then interpret the lab results to the patient and talk about that with them. So the individual still has a right to get that information from their health care provider, it should be in their chart from the health care provider; they just do not necessarily have the right to get it from the lab itself. There are certain other very limited exceptions on the individual's right to inspect or copy. As Val said earlier the covered entity can charge reasonable costs for copying and postage, copying and postage, that is it. So retrieval fees are not allowed; some state laws provide for retrieval fees but you cannot charge retrieval fees, you can charge for copying and postage. The covered entity has to act on a request for access no later than 30 days after the receipt of the request, so not only does the individual have a right to this information, they have a right to the information within a certain time period. 
And this is really important to people; we have a lot of complaints coming from military families, they are moving around a lot, they've got to get their kids enrolled in schools, they have to figure out where the information is, and if the covered entity doesn't act on the request within 30 days it puts them in a really bad spot because they do not have that information to take to their new health care provider. This is an important right for people, it's very important. It's very important for people to access their medical records. So, they have to act on the request no later than 30 days; they could have an additional 30 days, so a total of 60 days, if that information is not kept on site, it's not immediately accessible, it is in a storage facility somewhere, then they have 60 days to act on that request. And there is only one 30-day extension. So if you have questions about the timing look to the rule, but again the point is to get these records to people as soon as possible so that they can facilitate their health care. Okay so we talked about notice, talked about access, now let's talk about accounting. An accounting of disclosures is basically a list of the disclosures that the covered entity has made outside the covered entity, and it doesn't include treatment, payment or health care operations but it does include things like public health, health care oversight and public policy disclosures that we were talking about, with some exceptions. So essentially if an individual goes to a covered entity and says I want to know who you sent my information to, who did you disclose my information to, they are asking for an accounting. 
And obviously it's very cumbersome for that entity to provide an accounting of every treatment disclosure they have made, every payment disclosure they made, every operations disclosure they have made, but the individual does have a right to know about other things: was there a public policy disclosure for some reason, did they release information pursuant to a court order, stuff like that. So again there are certain law enforcement exceptions, and this will change under HITECH; we are required to promulgate regulations that deal with an accounting from a certified electronic health record. So just keep that on your radar, this accounting requirement will change a little bit in the near future. Okay, so notice, access, accounting, now we're going to talk about amendment, the right to request an amendment, and again this is not a right to an amendment, this is the right to request an amendment. An individual has to be able to go to their covered health care provider or their covered plan and request an amendment to their records, so if they find out something in their medical records, they have exercised a right to access, or they have had a conversation with their physician and they found something in the records that is wrong and they want to amend it, they have the right to request that the covered entity amend that particular health information in their designated record set. The covered entity can require that the individual make the request in writing, so the covered entity can require that you write this down and submit it to them. 
The covered entity can also deny the request if the information that the individual seeks to correct or amend was not created by the covered entity, so they are a hospital and they got that information from a lab, sorry that is a bad example, they got that information from another health care provider when you came to the hospital, they did not create it, they are not the owner of that original information, they can deny that request for access; or it's not part of the designated record set for some reason, or it would not otherwise be available under the right to inspect and copy; these don't happen a whole lot. The one that happens a lot is that the information is accurate and complete. Let me give you an example of this: a lot of times individuals feel things like weight in their record is incorrect, so you can imagine, a sensitive subject, they feel like that information is not correct, and that does have some implication on treatment because there are different guidelines about what's considered obesity and it has implications for health coverage, so I say that this is a real example. So if an individual were to go to their provider and say the weight that you have documented in my medical record is incorrect, I want to amend that record, the health provider actually says sorry, that is correct information, we took your weight on this date on a calibrated scale, whatever, and that information is correct, we are denying your request for amendment. Okay, they have denied the request for amendment. At that point the individual has the right to submit a statement of disagreement to their record. So this is an important right because not only does the covered entity have to analyze whether the request is a valid request and whether they are going to have to change information, if it's not, and they deny the request, then they have to let the individual submit a statement of disagreement. So the denial is not the end of the discussion. 
So when you're looking at a request for amendment case remember to look and make sure that they provided the individual the right to submit a statement of disagreement. Okay so we talked about notice, access, accounting, amendment, now let's talk about restrictions. Like the request for an amendment, individuals have rights to request a restriction on certain uses and disclosures of their PHI but the covered entity doesn't have to agree to it, so again this is a right to request. If the covered entity does agree to the restriction, we'll talk more about what that means in a minute, then the covered entity has to document the request and the agreement and they have to abide by it. If they say yes then they have to stick to what they say. The covered entity can actually break that agreement in emergency situations, but those don't happen very often. Again to put on your radar, HITECH changes this dynamic just a little bit. We're working to change the provisions on requesting restrictions because Congress decided that individuals should have the right to request a restriction on payment information that goes to their health plan. So let's say I go to pick up HIV and AIDS antiviral drugs at my pharmacy and I don't want my health plan to know about that; I request the pharmacy to restrict the disclosure of that information and I pay cash, I pay cash for my drugs. Under HITECH that dynamic will change a little bit: the pharmacy has to honor my request that that information does not go to the health plan. But again that will be in future rulemaking, so that is something for the back of your brain. Right now the entity doesn't have to abide by the request for a restriction, but if they do agree to a restriction then they have to make sure they stick to that request. So the right to confidential communications: like the right to restrictions, individuals have the right to request that the covered entity communicate with them about their PHI through an alternative communication channel. 
For example, a work phone number: please do not call my home, call me at work, I don't know why you would want to do that but, or don't call me at work, call me at home, whatever it is. I only want mail, please don't call me, I want you to communicate with me by mail. Health care providers have to accommodate reasonable requests to receive PHI through alternative means or at alternative locations. Again they can require that this request be in writing and that the individual specifies; so if they say, I do not like you calling me on the phone, don't call me on the phone anymore, that's not okay, the covered entity still has to figure out how they can talk to you. So if you are going to request confidential communications, you have to tell the covered entity how they can contact you. So they can require it in writing and they can request that you provide an alternative communication means; they cannot require you to explain why. So they can't require you to say my mother lives with me and I don't want her to know, that's not okay, it's none of their business. It's just that they can require it in writing and they can also request the alternative means. So there are other legal requirements that may dictate what is considered reasonable, for example 508 compliance dictates what that reasonable request is, something to keep in mind. And the health plan has to accommodate these requests if the individual clearly states that disclosure could endanger the individual. Again, they can require that this request be in writing. So let's get to complaints: under the rule individuals have a right to file a complaint with the entity, and this is an area of concern; they have the right to file the complaint with the entity and with the federal government. It's not just a right to file with the federal government, it's a right to file with the entity as well. This is actually the fifth most alleged violation of the rule right now that we get. 
Individuals trying to complain to covered entities and they cannot; the covered entity does not have a form, a process, they do not have a contact or something, and they cannot complain to the entity and they have a right to do that under the rule. And people are getting more informed about what their rights are and trying to exercise them and they cannot. So when I talk to covered entities I make sure to emphasize this is a risk management strategy: you need to make sure that the individual can complain to you, because if they don't they are going to complain to us, and they will. So it's important to remember when you're looking at a covered entity they have to be able to provide the individual with a way to make a complaint. Covered entities and business associates are also prohibited from retaliation. So if they get a complaint from an individual they cannot retaliate because of that complaint. Okay so we have covered seven areas of individual rights: we talked about notice, talked about access, accounting, amendment, restrictions, confidential communications and complaints. Okay, we talked about two required disclosures, six permitted disclosures, six general areas. Does anyone want a crack at all six? One or two? Treatment, payment, health care operations, TP&O: treatment, payment and health care operations, okay we got three; incident to, public policy, one more, agree or object. The individual is always permitted so that is really not part of the rule; these are the six areas in the rule: TP&O, treatment, payment and health care operations, incident to, public policy, agree or object. Seven individual rights, seven individual rights, anyone? Right to file a complaint, yes you get to complain; access to inspect and copy; amendment, request amendment; confidential communications; restrictions; file a complaint, we got complaint, that's okay; accounting and notice, right, very good. 
Okay, so we're going to move on to the responsibilities of covered entities and business associates, but I think we have a little bit of time, so if you want to take a really quick break, a 10 minute break, and come back in 10 minutes. Grab some beverages and take a bathroom break and then we will be back and do administrative responsibilities. Okay I think everybody's back, hopefully a little refreshed. Okay, so we've talked about the first two main sections of the rule, and like I said those are the uses and disclosures section we talked about earlier and then we just covered individual rights. So now we are going to hit the administrative responsibilities of covered entities and business associates. Just FYI, this stuff isn't quite as interesting. I know it's all very exciting and informative but it's a little bit drier, but it is important that you know this stuff because this is a good place to look when you're dealing with specific investigations, because the covered entities do have responsibilities under the rule besides just providing access, or besides just making sure they don't impermissibly disclose. So after this lesson you should really be able to understand a little bit better the relationships between covered entities and business associates and their administrative duties. 
So as a lawyer, I sort of think in categories and there are really sort of nine areas of general administrative responsibilities: there is business associates, which we'll talk about here in a minute; policies and procedures, they all should make sense to you, what they are; business associates, policies and procedures, privacy officers, safeguards, we talked a little bit about safeguards and we'll talk more about safeguards; administrative responsibilities with regards to complaints, so we had complaints covered in the individual rights and we also have administrative responsibilities with regards to complaints; workforce requirements, these are things like training, sanctions; mitigation, and we will talk more about that obviously; retaliation, which we've touched on a little bit; and documentation. So general overview, nine areas: business associates, policies and procedures, privacy officers, safeguards, complaints, workforce requirements, mitigation, retaliation and documentation. Okay, so business associates, we talked a little about business associates, Val did; business associates are entities or individuals that use protected health information to perform some service on behalf of a covered entity. Business associates are really important and they become increasingly important after HITECH and the changes that we are going to make to the rule pursuant to HITECH. So I am going to talk more about HITECH this afternoon, but something to keep in the back of your mind: business associates are a big part of HITECH, so when you are looking at a covered entity their business associates are those entities that do things for them that they would otherwise do themselves and they use PHI to do that. 
So some good examples of this are attorneys, your legal services people; you have a covered entity, their legal team is a business associate if they are doing all those legal functions that the covered entity would otherwise have to do itself and they are using protected health information to do it. Accounting, claims processing; a big one is document shredding companies, any companies that perform document shredding, they come in, Intermountain, those types of companies that come in and work with a covered entity to properly dispose of their protected health information, they have access to that protected health information and they are performing a service on behalf of the covered entity, that's a business associate. So originally when HIPAA was passed, HHS didn't have jurisdiction over business associates and we were very concerned about the fact that there were entities out there that were not covered by the rule because they're not covered health care providers, they're not health care clearinghouses and they are not health plans; they were not specifically outlined in the statute. But they get the information too, they use the information, they disclose the information on behalf of these covered entities. What do we do about them, how do we make sure they protect that information? So the way that we originally wrote the rule, we did it through contract liability, so the rule says that covered entities can use business associates to perform these functions on their behalf but only if they obtain satisfactory assurances that the business associates will safeguard the protected health information, and satisfactory assurances under the rule have to be in the form of a business contract; those satisfactory assurances have to be documented in a contract. We generally refer to them as business associate agreements. 
The agreements have to specify, they have to spell out, how that business associate is permitted to use and disclose that protected health information that the covered entity gives them. If the business associate violates the contract then the covered entity can end the contract. So in a case with a business associate, like in a case with an authorization you look at the authorization, in a case about a notice you look at the notice, in a case about a business associate you want to look at the business associate agreement. You want to make sure that they have one, and that it specifies the uses and disclosures that the business associate is performing for the covered entity and how they can do that. Really, to determine whether or not the business associate was acting within the scope of their contract is a little bit more complicated analysis. And as I said HITECH changes this dynamic and I will get to that in the HITECH presentation this afternoon, just to keep that on your radar; currently under the rule, except with regards to breach notification, again I'll talk about that more, business associate liability is based on contract liability and that will change. Okay, so now that we have talked about business associates, let's talk about policies and procedures. Policies and procedures, as you have probably figured out from our case studies to this point, are a very important part of any investigation because they really indicate how the covered entity has implemented compliance within its organization. So if you call them and say I have an access case, how do you deal with access, what is your access policy, and they say what do you mean, we don't have an access policy, then that really gives you a good idea about the compliance strategy within that organization. So it's really important that covered entities have these policies and procedures, that they train employees on those policies and procedures and that they update them as needed. 
So we really don't want to see these sit on a shelf; we really want to make sure that they actually use them, employees know where they are. Things like legal requests, we do not expect employees to know that off the top of their heads, but we expect them to know where to go to get that information: "How do I deal with this issue? We have a policy on that, let us go look at the policy." In areas where they have a lot of activity they should know those policies and procedures.

So privacy officers: covered entities have to appoint a privacy officer, and again this is something that a lot of covered entities don't realize they have to do. The privacy officer should be someone designated to handle questions and receive complaints for the covered entity. So not only external questions, not only from people who are asking about their rights or how their information is being used, but also internal questions. The privacy officer should be a good resource for employees to understand what their roles are, what their responsibilities are within the organization. Now depending on the size of the entity, the rules are designed to be flexible and scalable. So in a large hospital chain, my friend is the privacy officer for a large hospital research facility and that's all he does; he is a privacy officer, he is the point of contact not only within the entity but for outside the entity on all these HIPAA related issues, and that's what his 9-to-5 job is. It is a very, very large facility, they do a lot of research, he has to know these research requirements, he has to work with individuals on a day-to-day basis to get authorizations; that's what he does. Now if you have a one-doc shop down the street, the privacy officer may also be the billing manager, they may also be a nurse, they may also be the wife of the doctor.
This does not necessarily have to be a designated role where that is all one person does; it has to be a person who is designated to do that, and they may do that along with their other responsibilities. So your first contact in a lot of cases may be the privacy officer; in a lot of cases the first person that we contact is the privacy officer, because they're really supposed to be the person to talk to you to get these questions sorted out.

Safeguards. Safeguards is a really important standard under the rule, and covered entities under the rule are required to have safeguards in place to protect against the unauthorized intentional or unintentional use or disclosure in violation of the rule. Val talked about the security rule a little bit earlier, and Kurt is going to talk about it after lunch; it requires administrative, technical and physical safeguards. That piece of the security rule is built on this piece in the privacy rule, so there's a safeguard standard in the privacy rule as well, and it applies to everything but treatment. So you really have to make sure that everything that the covered entity is doing has appropriate safeguards in place. For example, during the investigation of an unauthorized disclosure, so you have a case of an unauthorized disclosure, you might want to see whether the entity considered and implemented appropriate access controls; Kurt is going to talk more about the security rule and access controls. For example, are there locks on the medical records room, can anyone go into that room? Does the covered entity safely discard PHI, is it protected when they discard it? If you look at some of the cases that we've moved to settlements with money amounts, they have to do with the safeguarding of this information when it's being disposed of. It is a very powerful piece of the tool, and almost every case that you look at may have safeguards implications. So it is important to keep in mind that covered entities have to safeguard this information.
So as I said, the privacy rule has this safeguards piece and it applies to all protected health information, electronic or paper. The security rule specifically requires safeguards for electronic protected health information, so Kurt will talk about that a little bit more, but like I said, the privacy rule safeguards provision is expansive and the security rule is a little more specific with regards to electronic information.

So an established complaint process. Covered entities, we have talked about this a little bit, have to have an established complaint process. So as I said, the individual has the right to complain to the entity, and the entity's administrative responsibility with regard to that complaint is they have to be able to respond to it. They have to have a process where they document the complaints, there has to be someone designated to receive the complaints, and they have to document resolution. They just can't take this complaint and say "we got it, we will take care of it." How did you resolve it, how did you deal with it? So when we go to a covered entity we're going to ask them: if the individual complained to you, what did you do about it, how did you handle it, did you document the complaint, how did you resolve the complaint, did you communicate with the individual about the resolution of the complaint? And as I said, this whole area is one of the most complained about provisions of the rule.

So all of these workforce requirements. One of the requirements as far as a covered entity's workforce is training, so obviously you have to let your employees know what their duties are with regards to protecting this information and with regards to providing individuals with rights. So the covered entity has to provide their training to the workforce within a specified time frame, and again these are spelled out in the rule, and they also have to document that the training was provided.
So again, when we do our investigations we ask the covered entities for a lot of documentation because the rule requires it. We want to make sure they've done the analysis, we want to make sure they have the policies, we want to make sure they've done the training. Also something you will want to look for: workforce sanctions. So if the covered entity has an employee that does something that they're not supposed to do, they have to have a policy that says how they're going to handle that. And they have to follow it. So if they say it's three strikes you're out, first strike you get a note in your employment record, second strike you get counseling, third strike you are fired. If they don't do that then you have a privacy rule problem. So it's not okay, for an employee who violates the rule, for them not to follow their own sanctions policy. So they have to follow their policy and they have to document the fact that they followed their policy.

So for example, one of the cases that we got was a hospital nurse looking into the record of a former friend, and as you can imagine the temptation for some people is just too great, and these cases are fairly common, especially in small communities. So a hospital nurse looked into the record of her former friend and then talked about what she found to family and friends. The covered entity knew what was going on, they learned about her repeated activities, but they didn't do anything about it. The OCR investigator obtained the sanction records of all similar cases and determined that the sanctions policy was not followed for well-liked employees. That is not okay. The hospital then fired several employees per their sanctions policy after OCR's investigation. And the hospital CEO also wrote a column for the local paper about the matter and his commitment to full compliance. So it's a good indicator, and you can ask for the information.
Figure out how they're implementing their sanctions policy, because they're required to have it, they are required to document it, they are required to implement it.

So mitigation. Mitigation, I know all of you are lawyers out there and sort of have in your brains an idea of mitigation. Like everything else in the privacy rule, mitigation is something that is specific to the privacy rule, or this piece of mitigation is, so if you have a question about mitigation, again, go to the rule where it talks about mitigation and how it is supposed to work. In the privacy rule, covered entities have to mitigate, to the extent practicable, any harmful effect of the improper use or disclosure of PHI. So sometimes it's hard to figure out whether there has been a harmful effect as a result of an impermissible use or disclosure, but the investigators a lot of times work with covered entities to consider what is appropriate for the situation. We have had covered entities in cases where there's been disclosures of information, they might pay for credit monitoring because the individual is worried about identity theft. Sometimes they will write an apology letter because there's been sort of a harmful effect that is a bit more intangible, and the apology letter is a good way to mitigate those harmful effects. Sometimes just notifying the individual and saying "look, this happened and we fixed it."

So prohibition against retaliatory acts. As you would imagine, the covered entity cannot intimidate, threaten, coerce or discriminate against or take any other retaliatory action against an individual in response to the individual having filed a complaint. And when we say individual, this can be employees too. Exercising their rights: you can't retaliate for exercising their rights or participating in a process that is established by the rule. So, like mitigation, it is sometimes hard to find a logical nexus between the events and the retaliation, but we do work to find that in cases where it is alleged.
Another administrative responsibility of covered entities is that covered entities can't require individuals to waive their rights as a condition of payment, treatment, eligibility or enrollment. This is kind of a complicated issue, but covered entities can't say "I am not going to treat you unless you waive your HIPAA rights." That's not okay, so covered entities can't require individuals to waive their HIPAA rights in exchange for treatment.

The documentation requirement. This is actually a little interesting requirement: covered entities have to maintain either electronic or paper documentation for six years. This is not a medical records retention requirement; medical record retention is generally dictated by state law. So this is not about the medical records, this is not "you have to maintain medical records for six years," this is "you have to maintain documentation required by the rule for six years." So a lot of covered entities get confused and they say "my state law says that I am only required to maintain medical records for four years, are you saying I have to maintain my medical records for six years, that is expensive," etc. That's not what this says. This says that if you have a documentation requirement under the rules, under the HIPAA rules, you have to maintain that documentation for six years. So you have documentation about complaints, you have policies and procedures, you have documentation for requests for confidential communications; you have to maintain those documentation pieces for six years. So as I said, everything pretty much has to be in writing, and as you're doing an investigation you can point to this responsibility and say: you have a responsibility to do this, you have a responsibility to document this, you have a responsibility to maintain the documentation, and we need to see the documentation.
Okay, so let's do a quick case study. So take a couple minutes, maybe five minutes, to read the case study and then we'll discuss the questions. Okay, let's get to it. So a physician's practice requested that patients sign an agreement that they called a "consent and mutual agreement to maintain privacy," and the agreement prohibited the patients from directly or indirectly publishing or airing public commentary about the physician, his expertise and/or treatment they received, in exchange for the physician's compliance with the privacy rule. So the agreement basically says: you can't talk about me on Facebook, you cannot talk about me on the Internet, you cannot tell your friends how your treatment went, and in exchange for your agreement to do that I will comply with the rules. Is that okay? I'm glad we all reached a place where people go "no!" What are the issues that you saw here? Anyone want to hit the main issues? Yes, we know that this is not okay, but do we know why it is not okay?

Audience Member 1: The doctor has an obligation to comply with the privacy rule.

Speaker: Right, yes, that is correct.

Audience Member 2: This may be a very naive question, but could the doctor condition treatment at all on this secrecy requirement? For instance, "I only treat patients who agree to keep the entire interaction confidential."

Speaker: That is a good question. For me it is probably something that's outside the scope of the rule. If you're conditioning treatment on the individual's silence, essentially conditioning treatment is something that generally, the only place we are concerned with conditioning treatment is with regard to the privacy rule, you can't do that, but in terms of that specific question I'm not sure. I think that would probably be a state law issue.

Audience Member 3: So from our perspective here the issue is you can't link HIPAA to this.

Speaker: Exactly, yes.
Audience Member 3: I guess my reading of it, to me it strikes me more initially as a First Amendment or a contract issue rather than a HIPAA issue, because even if the doctor has to comply with the privacy rule regardless, that would be consideration for the contract as opposed to you giving up some HIPAA rights by entering into this agreement. What you need to look for are what HIPAA rights you might be waiving, how broad this is and how it is drafted.

Speaker: This is really about the fact that the physician has an independent right, or an independent duty, pursuant to federal law that cannot be contracted away.

Audience Member 3: So if OCR is going to pursue this violation, what would the rule cite be?

Speaker: The rule cite, John?

Co-presenter in back: I think it would cite, it would be 164.520, it's in the 20s, I think.

Speaker: It is the administrative responsibilities pieces at the end; the covered entity's duty is to comply with the requirements of the rule.

Co-presenter in back: That is 164.534, so it is the last provision in the privacy rule.

Speaker: 164.534, thanks John. Yes?

Audience Member 3: Sorry, but I guess even though he has the requirement to comply with the privacy rule, does a violation come up until I put something up on Facebook and then the doctor chooses not to comply with the privacy rule? If it is just an agreement and I cannot do anything until I break my end of it, is that still a violation, or does the violation come after he does something?

Speaker: The individual always has the right to disclose information; we are not concerned with that piece. So if I want to put on Facebook that I have MS and my doctor is horrible but he is not treating me, that is not a privacy rule issue. The privacy rule issue, again, is that the covered entity, the physician, has an independent legal duty pursuant to the privacy rule to comply with the privacy rule, so he can't attempt to contract that right away. He cannot attempt to contract against that right.
Audience Member 3: So the problem is that he cannot say, "if you post this on Facebook I am no longer going to comply with the privacy rule."

Speaker: What he is saying is actually a little different. He is saying "you have to agree not to do any of this or I won't comply," or "I do not have to comply."

Audience Member 4: I was just going to say that the issue would come up even before they post on Facebook, because the patient would have some sort of chilling effect on whether or not they would badmouth the doctor, thinking "this is the only way I can protect my medical information."

Speaker: That's a good point, yes, I think that all those are implicated. So this was an actual case and we do have the information on our website about this, but OCR basically required the covered entity to cease using this agreement. And we required the entity to revise its notice of privacy practices, so notice was involved here too. So when we look for cites, you would be looking for 164.534, which is the covered entity's responsibilities; you would also be looking to 520, notice.

Co-presenter in back: It is actually 164.530.

Speaker: Thank you, sorry, 530. As I said, these administrative responsibilities at the back we generally do not know off the top of our heads, whereas we can point to uses and disclosures and individual rights a lot more immediately because those are the ones that we use every day.
Okay, so just to recap our administrative responsibilities. Hopefully you have a better idea what covered entities and business associates have to do to comply with the privacy rule, and again we talked in nine general areas, so try and remember that there are nine general areas of administrative responsibilities. You have your business associates, so remember what business associates are: they are entities that are using PHI to perform services on behalf of a covered entity, and the covered entity has to have a contract in place with them, a business associate agreement. Policies and procedures: they have to be trained on them, they use them. The privacy officer, designated to answer questions and receive complaints. Safeguards is a big part of the rule, and as you do more of these fact patterns you will see that safeguards are implicated more often. Complaints, a process to deal with complaints. Workforce requirements, those are things like training and sanctions; we talked about sanctions policies and implementing sanctions policies. Mitigation, which like I said is mitigation of any known harmful effects of an impermissible use or disclosure, things like identity monitoring, identity theft monitoring, apology letters. Retaliation, covered entity can retaliate, and those documentation requirements.

Okay, so that is the end of lesson three. So lesson four is really a little bit more, from a privacy rule perspective, how to identify and investigate potential violations. So the next few slides just really hit some of the major points in complaint situations that you want to look to when you are investigating complaints, whatever the situation is that has prompted you to start an investigation.
So, some of the points here, things that I would look for when I'm thinking about privacy rule questions for these investigations. Someone asked me earlier if we use a checklist at all, and I think that's a very helpful concept, even if it is just a mental checklist, when you're looking to make sure that you hit all the high points. The first high point for me would be to ask: is there a covered entity, or is there a business associate involved? And again, remember from the beginning we've been saying that covered entities are a specific group of entities, so you really need to rule that out. It may seem a little bit elementary, but it's not a lot of times, because as we said there are those organizational structures, hybrids, ACEs and OHCAs, that might put you in a spot where you didn't think you would be starting out just looking at the facts. So make sure that you know that there is in fact a covered entity, that you have a health care provider that is in fact billing in connection with a covered transaction, or whether or not you have one of these organizational structures in play.

The second thing you want to start thinking about is whether or not there were impermissible uses and disclosures, and which category those fell into. So if it was not one of those required uses and disclosures that we talked about, was it a use or disclosure for treatment, payment or health care operations? We generally call that TPO; those are the big areas that covered entities use and disclose information for: treatment, payment and health care operations. So was it a permitted disclosure under one of those three situations? If it wasn't, and it wasn't one of those other permitted disclosures that we talked about, those other three general areas of permitted disclosures?
Was there a valid authorization? So again, when you are looking for a valid authorization you want to see the form and you want to compare it to what's in the rule, so you can make sure, as we did in the exercise, that all the required elements are there and the timeframe was right. So when we are looking at sort of individual rights questions, we want to look at these other permitted uses and disclosures under the rule, and we have talked about some of these, for example opportunity to object. But a big one is: is there an adequate notice of privacy practices? So when you are looking at the covered entity you want to make sure that they actually do have a notice of privacy practices. Again, like authorizations, notice is something that is spelled out very specifically in the rule, so you want to look to the rule to make sure all required elements of the notice are there, and then, depending on whether it was a health care provider or a health plan, that the entity provided the notice in accordance with the rule and distributed the notice as required by the rule.

So when we talk about access, accounting, those types of things: with regards to access, the right to inspect and copy, was that request for access denied? If it was denied then you probably have a problem, because in very few situations is a covered entity allowed to deny an individual access. Access is a pretty broad right, so you need to make sure that if you have an access request you look to the rule again for the timeframe, to make sure the covered entity fulfilled their obligations within the timeframe and that they actually provided all the information that the individual was looking for. When you talk about a request for an accounting, again look to the rule. Make sure that the request, if it was in writing, that is fine; if the covered entity required it to be in writing, that's okay. Was it provided to the individual within the confines of the rule?
When you're looking for business associate agreements, again like authorizations and notices, when you hear "business associate," when you know that a business associate was involved, this is another one where we really want to see the documentation immediately. Because you want to make sure that there was an agreement in place with that business associate, and then you want to make sure the agreement has the appropriate satisfactory assurances on those uses and disclosures.

So one other thing to remember is that every time you're looking at an impermissible use and disclosure, you also want to look for minimum necessary and safeguards. Because these two standards are in play in so many areas in the rule, especially when you have impermissible uses and disclosures, you also want to look to safeguards and minimum necessary to make sure that those have been implemented correctly. So as I said before, we have some issues; this is an example of some of the issues that we have had in the past, specifically with regard to dumpsters. And in this case the workforce member of a covered entity simply disposed of PHI in an unsecured, easily accessible dumpster. So not only are there possible impermissible use and disclosure issues, i.e. someone who should not have a right to get this information gets it, but there are also safeguard issues because it's not being disposed of properly.

So again, just continue thinking about how you would go about this. When you start an investigation, again, you always want to start with that covered entity or business associate. Once you have established that there is a covered entity or business associate, you want to determine whether the alleged violation involved an impermissible use or disclosure, or whether it involved individual rights. Then look for minimum necessary, safeguards, policies and procedures, documentation; look to the rule to make sure the specific requirements of whatever specific piece of the rule is implicated were met.
So this is a bit longer of an activity, and what I would like you to do is to take almost ten minutes, eight minutes, to work in your table groups. So work with your group there at the table and identify a list of the privacy rule violations based on your review of section 4 of the State of Connecticut complaint, which is located on page 2 of the appendix, and then we are going to discuss, and then when we are done we will look at what the state actually identified in that case. So again, take a few minutes, about eight minutes or so, and identify a list of possible violations that you see based on your review of section 4 of the complaint in Connecticut, and that's on page 2 in your appendix.

Okay, so looking at the complaint, what are some of the privacy rule issues that you identify, possible allegations that, if you were looking at this fact pattern, you might want to try and flesh out some more, find out what the circumstances actually were? Does anyone want to volunteer? Okay, right, so obviously you want to, once you get into the facts, look and see if there was an impermissible use or disclosure. So that would be the second thing I would look at; what would be the first thing that you would look at if you were looking at this case?

Audience Member 2: Are they a covered entity?

Speaker: Right, so do you have a covered entity here? Could anyone identify what the covered entity was?

Audience Member 3: Health Plan of the Northeast.

Speaker: Right, it is a health plan. So you have a covered entity, you have an impermissible use and disclosure, possible impermissible use and disclosure. Anyone else?

Audience Member 4: Did they have any policies and procedures at all?

Speaker: Policies and procedures, yes, right, you want to look for their policies and procedures. Back from over here, anybody over here? I saw some very earnest discussion going on here.

Audience Member 5: Safeguards.

Speaker: Good point. Yes.

Audience Member 6: Failure to mitigate.
Speaker: Yes, that could be an issue, absolutely. Any case where you have harm alleged, you want to look to see if there was a need to mitigate.

Audience Member 6: It is more than 500 individuals, it is not encrypted, and there is no proper notification of the breach.

Speaker: Okay, so we have not gotten to breach yet. Breach was actually after the HITECH act, so there's a certain time period that you want to look at for a breach. These fact patterns came in before the HITECH act.

Audience Member 6: This is pre-breach?

Speaker: This is pre-breach, right. He is referring to the breach notification rule; we will talk about it some more this afternoon, so you will definitely get more information on that. But it is a good point, because when you're looking for breach facts you would want to make sure that they happened after the passage of the rule, and again we will get to that some more later this afternoon; we have not touched on breach yet.

Audience Member 7: Workforce training and sanctions.

Speaker: Very good point, workforce training and sanctions, that was also a big part of this. Okay, so Taya has the answers, he is going to hand to you what the Connecticut AG actually stated. So they stated that they violated HIPAA by failing to comply with the standards, requirements and implementation specifications of parts 160 and 164, which is the privacy rule. A, defendants impermissibly and improperly used and disclosed PHI in violation of 502. B, the defendants failed to effectively train all members of its workforce on policies and procedures with respect to PHI as necessary and appropriate for members to carry out their functions and maintain security; that's 530 and 308, which is the security rule. Defendants' policies, procedures and safeguards were not adequately designed to appropriately and reasonably safeguard protected health information, 530. Defendants did not maintain an effective and appropriate sanctions policy for workforce members, again 530.
So all of these that you came to identify were also issues identified by Connecticut.

Okay, so let's do a quick recap of module two. Module two has been a lot of information and I appreciate your attention and participation. The privacy rule was a big piece and we've just done a really quick, quick and dirty run-through of the privacy rule. I hope that you will remember that in lesson one we talked about definitions, we talked about covered entities and their organizational structures, hybrids, ACEs and OHCAs, and we talked about de-identification and limited data sets of PHI. In lesson two we talked about required, permitted and authorized disclosures and individual rights. And then in lesson three we described the administrative responsibilities of business associates and covered entities, and then in lesson four we talked about some of the questions that you might want to ask as you work through any particular investigation with your office. So I hope you feel like you have a good handle on the privacy rule, because we are going to move on to more of these rules. Thanks very much, and if you have questions on the privacy rule we have about two minutes if anyone has any burning questions right now. Okay, obviously we're available to answer questions at the end of the day and then also off-line if you have any particular questions. Okay, thank you.
  • Module 2: Introduction, Objectives and Overview
  • Lesson 1: HIPAA Privacy Rule Concepts and Definitions
  • Lesson 1: Recap
  • Lesson 2: HIPAA Privacy Rule
  • Lesson 2: Recap
  • Lesson 3: Admin. Responsibilities
  • Activity 5: Private Practice Changes Patient Consent Form Case Study – Class Discussion
  • Lesson 3: Recap
  • Lesson 4: Identifying Potential Privacy Rule Violations
  • Lesson 4: Recap
  • Module 2 Activity: State of Connecticut Privacy Rule Violations
  • Module 2: Recap and Summary