HIPAA: An Overview; Obtaining and Using your
Client’s Mental Health, Drug, and Alcohol Treatment
Records
Presented by
Steven D. Wolcott - Attorney At Law
Contact Information:
104 W Kansas St. Liberty, Missouri 64068
Phone: (816) 792-4242
swolcott@kc.rr.com
Glossary of Terms
- Business Associate (BA) : A person or organization that performs a function or activity on behalf
of a covered entity, but is not part of a covered entity’s workforce. A business associate can also
be a covered entity in its own right.
- Covered Entity (CE) : Any business entity that must comply with HIPAA regulations, which
includes healthcare providers, health plans and healthcare clearinghouses. For purposes of
HIPAA, health care providers include hospitals, physicians, and other caregivers.
- Electronic Health Record (EHR) : An electronic record of health-related information on an
individual that conforms to nationally recognized interoperability standards and that can be
created, managed, and consulted by authorized clinicians and staff across more than one
healthcare organization.
- Electronic Medical Record (EMR) : An electronic record of health-related information on an
individual that can be created, gathered, managed, and consulted by authorized clinicians and
staff within one healthcare organization.
HIPAA
In 1996, Congress passed the Health Insurance Portability and Accountability
Act (HIPAA) which among other things:
- Offers protection for personal health information,
- Gives patients more control over their own health information,
- Sets limits on the procurement, usage, and disclosure of a patient’s
records, and
- Establishes a series of privacy standards for healthcare providers, which
provides penalties for those who do not follow these standards.
HIPAA Privacy Rules
General:
The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the first
comprehensive Federal protection for the privacy of health and mental health
information. The rule is intended to provide strong legal protections to ensure
the privacy of individual health information, without interfering with patient
access to treatment, health care operations, or quality of care.
The Privacy Rule applies to “covered entities” which generally
includes health plans and health care providers who transmit health information
in electronic form. “Covered entities” include almost all health and mental care
providers, whether they are outpatient, residential, or inpatient providers, as
well as other persons or organizations that bill and/or are paid for health care
HIPAA Privacy Rules
Basic Principles of the Privacy Rule:
1. The Privacy Rule protects all “protected health information” (PHI), including individually
identifiable health or mental health information held or transmitted by a covered entity in any
format, including electronic, paper, or oral statements.
2. A major purpose of the Privacy Rule is to define and limit the circumstances under which an
individual’s PHI may be used or disclosed by covered entities. Generally, a covered entity may
not use or disclose PHI to others, except:
a. as the Privacy Rule permits or requires; or
b. as authorized by the person (or personal representative) who is the subject of the health
information. A HIPAA-compliant Authorization must contain specific information required
by the Privacy Rules.
3. A covered entity must provide individuals (or their personal representatives) with access to their
own PHI (unless there are permitted grounds for the denial), and must provide an accounting of
the disclosures of their PHI to others, upon their request.
4. The Privacy Rule supersedes State law, but the State laws which provide greater privacy
protections or which give individuals greater access to their own PHI remain in effect.
Health Information Privacy
When does the Privacy Rule allow covered entities to disclose protected health
information to law enforcement officials?
Answer:
The Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to
continue. The Rule permits covered entities to disclose protected health information to law enforcement officials,
without the individual’s written authorization, under specific circumstances summarized below. Disclosures for law
enforcement purposes are permitted as follows:
To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer,
or a grand jury subpoena. The Rule recognizes that the legal process in obtaining a court order and the secrecy
of the grand jury process provide protections for the individual’s private information (45 CFR 164.512(f)(1)(ii)(A)-(B)).
To respond to an administrative request, such as an administrative subpoena, investigative demand, or other
written request. Because such a request may be made without judicial involvement, the Rule requires all
administrative requests to include or be accompanied by a written statement that the information requested is
relevant and material, specific and limited in scope, and that de-identified information cannot be used
(45 CFR 164.512(f)(1)(ii)(C)).
Health Information Privacy
To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness
or missing person; but the covered entity must limit disclosures of PHI to name and address, date and
place of birth, SSN, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of
death, and a description of distinguishing physical characteristics. Other information related to the individual’s
DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision,
but may be disclosed in response to a court order, warrant, or written administrative request (45 CFR
164.512(f)(2))
This same limited information may be reported to law enforcement:
About a suspected perpetrator of a crime when the report is made by the victim who is a member of
the covered entity’s workforce (45 CFR 164.502(j)(2));
To identify or apprehend an individual who has admitted participation in a violent crime that the
covered entity reasonably believes may have caused serious physical harm to a victim, provided that the
admission was not made in the course of or based on the individual’s request for therapy, counseling, or
treatment related to the propensity to commit this type of violent act (45 CFR 164.512(j)(1)(ii)(A), (j)(2)-
(3)).
Health Information Privacy
To respond to a request for PHI about a victim of a crime, and the victim agrees. If, because of an emergency
or the person’s incapacity, the individual cannot agree, the covered entity may disclose the PHI if law
enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine
whether another person broke the law, the investigation would be materially and adversely affected by waiting
until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the
best interests of the individual whose information is requested (45 CFR 164.512(f)(3)).
Where child abuse victims or adult victims of abuse, neglect or domestic violence are concerned, other
provisions of the Rule apply:
Child abuse or neglect may be reported to any law enforcement official authorized by law to receive such
reports and the agreement of the individual is not required (45 CFR 164.512(b)(1)(ii)).
Adult abuse, neglect, or domestic violence may be reported to a law enforcement official authorized by
law to receive such reports (45 CFR 164.512(c)):
If the individual agrees;
If the report is required by law; or
If expressly authorized by law, and based on the exercise of professional judgment, the report is
necessary to prevent serious harm to the individual or others, or in certain other emergency
situations (see 45 CFR 164.512(c)(1)(iii)(B)).
Notice to the individual of the report may be required (see 45 CFR 164.512(c)(2))
Health Information Privacy
To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)). For example, state
laws commonly require health care providers to report incidents of gunshot or stab wounds, or other violent
injuries; and the rule permits disclosures of PHI as necessary to comply with these laws.
To alert law enforcement to the death of an individual, when there is a suspicion that death resulted from criminal
conduct (45 CFR 164.512(f)(4))
Information about a decedent may also be shared with medical examiners or coroners to assist them in
identifying the decedent, determining the cause of death, or to carry out their other authorized
duties (45 CFR 164.512(g)(1)).
To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the
covered entity’s premises (45 CFR 164.512(f)(5)).
Electronic Code of Federal Regulations
§2.1 Statutory authority for confidentiality of drug
abuse patient records
The restrictions of these regulations upon disclosure and
use of drug abuse patient records were initially
authorized by section 408 of the Drug Abuse
Prevention, Treatment, and Rehabilitation Act (21 U.S.C.
1175). That section as amended was transferred by
Pub. L. 98-24 to section 527 of the Public Health Service
Act which is codified at 42 U.S.C. 290ee-3.
§2.2 Statutory authority for confidentiality of
alcohol abuse patient records
The restrictions of these regulations upon the disclosure
and use of alcohol abuse patient records were initially
authorized by section 333 of the Comprehensive Alcohol
Abuse and Alcoholism Prevention, Treatment, and
Rehabilitation Act of 1970 (42 U.S.C 4582). The section
as amended was transferred by Pub. L. 98-24 to section
523 of the Public Health Service Act which is codified at
42 U.S.C 290ee-3
Penalty for first and subsequent offenses: Any person
who violates any provision of this section or any
regulation issued pursuant to this section shall be fined
not more than $500 in the case of the first offense, and
not more than $5,000 in the case of each subsequent
offense.
Confidentiality of Alcohol and Drug Abuse Patient Records
Subpart A:
Electronic Code of Federal Regulations
§2.11 Definitions:
Alcohol Abuse means the use of an alcoholic beverage which impairs the physical, mental, emotional, or
social well-being of the user
Drug Abuse means the use of a psychoactive substance for other than medicinal purposes which impairs the
physical, mental, emotional, or social well-being of the user
Diagnosis means any reference to an individual’s alcohol or drug abuse or to a condition which is identified
as having been caused by that abuse which is made for the purpose of treatment or referral of treatment
Disclose or disclosure means a communication of patient identifying information, the affirmative verification of
another person’s communication of patient identifying information, or the communication of any information
from the record of a patient who has been identified
Patient means any individual who has applied for or been given diagnosis or treatment for alcohol or drug
abuse at a federally assisted program and includes any individual who, after arrest on a criminal charge, is
identified as an alcohol or drug abuser in order to determine that individual’s eligibility to participate in a
program
Records means any information, whether recorded or not, relating to a patient received or acquired by a
federally assisted alcohol or drug program
Subpart B-General Provisions
Penalties for Violation
1) Civil Monetary Penalties: The Department of Health and Human Services (HHS) may impose
civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule
requirement, not to exceed $25,000 per calendar year for multiple violations of the same Privacy
Rule requirement. Generally, HHS may not impose civil monetary penalties when a violation is
due to reasonable cause, there was no “willful neglect,” and the covered entity corrected the
violation within 30 days of when it knew (or should have known) of the violation.
2) Criminal Penalties: A person who knowingly obtains or discloses individually identifiable health
information in violation of HIPAA could face a fine of $50,000 and imprisonment for up to one
year. If the wrongful conduct involves “false pretenses” the criminal penalties could increase up
to a fine of $100,000 and up to five years imprisonment. A fine of up to $250,000 and up to ten
years imprisonment could be imposed if the wrongful conduct involves the intent to sell, transfer,
or use individually identifiable health information “for commercial advantage, personal gain, or
malicious harm”
24 S.W.3d 220 (2000)
Judy FIERSTEIN, Respondent/Cross-Appellant
v.
DePAUL HEALTH CENTER, Appellant/Cross-Respondent
Nos. ED 76518, ED 76544
Missouri Court of Appeals, Eastern District, Division Four.
May 9, 2000.
Motion for rehearing and/or Transfer Denied June 14, 2000
Application for Transfer Denied August 29, 2000
FIERSTEIN v. DHC
Defendant, DePaul Health Center, appeals from the judgement, entered pursuant to jury verdicts, in
favor of plaintiff, Judy L. Fierstein, in her action for breach of fiduciary duty for the wrongful release of
her medical records. The jury awarded actual and punitive damages.
Plaintiff brought an action against DePaul for the wrongful release of her medical records, alleging a
breach of fiduciary duty owed to her under the physician-patient privilege. The jury returned verdicts in
favor of plaintiff, awarding her $10,000.00 in actual damages and $375,000.00 in punitive damages.
The trial court entered judgment in accordance with the jury verdict for actual damages; but granted
remittitur as to the punitive damages, reducing the punitive damage award to $25,000.00, and entered
judgment on the punitive damage count in that amount. Both parties appeal from that judgment.
320 S.W.3d 145 (2010)
STATE ex rel. Bobbie Jean PROCTOR and Vincent Proctor, Relators,
v.
The Honorable Edith L. MESSINA, Circuit Judge, Sixteenth Judicial
Circuit, Jackson County, Missouri, Respondent.
No. SC 90610.
Supreme Court of Missouri, En Banc.
August 31, 2010
State ex rel. Proctor v. Messina
In State ex rel. Collins v. Roldan, 289 S.W.3d 780, 783 (Mo.App.2009), the court noted that pursuant
to the Supremacy Clause of the United States Constitution, HIPAA may preempt Missouri law on the
issue of ex parte communications between an attorney and a treating physician. The court did
not examine or decide the issue because the case was decided on other grounds. Id. at 784 n. 6. The
issue of whether or not HIPAA preempts Missouri Law is an issue of first impression in Missouri
Courts.
Congress included an express preemption clause in HIPAA. See 42 U.S.C.A. § 1320d-7(a). Because
HIPAA contains an express preemption clause, this Court’s task is to construe the plain language of
the statute to determine the extent to which Congress intended for HIPAA to preempt state law. CSX
Transp., 507 U.S. at 664, 113 S.Ct. 1732.
Preemption Clause - Proctor v. Messina
HIPAA’s preemption clause is contained in 42 U.S.C.A § 1320d-7, which states:
1. General Rule: Except as provided in paragraph (2), a provision or requirement under this part, or
a standard or implementation specification adopted or established under sections 1320d-1
through 1320d-3 of this title, shall supersede any contrary provision of state law that requires
medical or health plan records (including billing information) to be maintained or transmitted in
written rather than electronic form.
2. Exceptions: A provision or requirement under this part, or a standard or implementation
specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall
not supersede a contrary provision of State Law, if the provision of State Law-
a. is a provision the Secretary determines-
i. is necessary-
1. to prevent fraud and abuse;
2. to ensure appropriate State regulation of insurance and health plans;
3. for State reporting on health care delivery or costs; or
4. for other purposes; or
ii. addresses controlled substances
HIPAA Generally - Proctor v. Messina
This Court’s examination of HIPAA’s privacy rule reviews the text of the regulations mindful of the
intent of Congress in directing the Secretary to issue rules and regulations to implement the HIPAA
Privacy Rule. In HIPAA, Congress directed the Secretary to promulgate rules and regulations
designed to ensure the privacy of patients’ medical information. 42 U.S.C.A § 1320d-2(d)(2)(A); see
also Crenshaw v. MONY Life Ins. Co., 318 F.Supp.2d 1015, 1028 (S.D.Cal.2004); Moreland v. Austin,
284 Ga. 730, 670 S.E.2d 68, 70 (2008).
The HIPAA regulations draw no distinction between formal versus informal disclosures and, instead,
broadly prohibit all disclosures in the absence of a specifically enumerated exception to this general
rule of prohibition.
Specifically, the Secretary defined protected “Health Information” as:
[A]ny information, whether oral or recorded in any form or medium, that:
1. Is created or received by a health care provider, health plan, public health authority, employer,
life insurer, school or university, or health-care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present, or future payment for the provision
of health care to an individual.
Ex Parte Communications - Proctor v. Messina
Missouri Law on the Issue of Ex Parte Communications:
Missouri common law historically provides that a litigant patient in a personal injury lawsuit could not be
compelled by court order to sign medical authorizations consenting to ex parte communications with
treating physicians. State ex rel. Woytus v. Ryan, 776 S.W.2d 389, 395 (Mo. Banc 1989).
Subsequently, this court issued a pair of companion opinions addressing voluntary and informal ex
parte communications between plaintiff’s treating physician and defendant or defendant’s
representatives in a medical malpractice case. Brandt v. Pelican, S.W.2d at 661 (Mo. banc 1993)
(Brandt I); Brandt v. Med. Def. Assocs., 856 S.W.2d 667 (Mo. Banc 1993) (Brandt II).
Authorized Disclosure - Proctor v. Messina
Under 45 C.F.R. § 164.512(e)(1), HIPAA authorizes disclosure in the course of any judicial or
administrative proceeding:
1. Permitted Disclosures. A covered entity may disclose PHI in the course of any judicial or
administrative proceeding:
a. In response to an order of a court or administrative tribunal, provided that the covered
entity discloses only the PHI expressly authorized by such order; or
b. In response to a subpoena, discovery request, or other lawful process, that is not
accompanied by an order of a court or administrative tribunal, if:
i. The covered entity receives satisfactory assurance, as described in paragraph
(e)(1)(iii) of this section, from the party seeking the information that reasonable
efforts have been made by such party to ensure that the individual who is subject of
the PHI that has been requested has been given notice of the request; or
ii. The covered entity receives satisfactory assurance, as described in paragraph
(e)(1)(iv) of this section, from the party seeking the information that reasonable
efforts have been made by such party to secure a qualified protective order that
meets the requirements of paragraph (e)(1)(v) of this section.
Conclusion - Proctor vs. Messina
In the instant case, by issuing a purported formal order that was directed to
non-party medical providers and, essentially, providing an advisory opinion to
said non-party medical providers about the trial court’s understanding of the law
on informal ex parte communications, the trial court exceeded its authority, and
the preliminary writ of prohibition is made permanent.
All concur.
How to File a Complaint
If you believe that a covered entity or business associate
violated your (or someone else’s) health information
privacy rights or committed another violation of the Privacy,
Security or Breach Notification Rules, you may file a
complaint with the Office for Civil Rights (OCR). OCR can
investigate complaints against covered entities and their
business associates.
HIPAA Omnibus Rule
As of January 17th, 2013, HIPAA regulations have had a massive update
and overhaul to protect patients. The new laws more extensively hold second
and third party businesses responsible for keeping Patient Health Information (PHI)
private. The OCR of the United States Department of Health and Human
Services adopted the HIPAA Omnibus Rule as an overhaul and update to the
USA’s existing volumes of the HIPAA Law and HITECH Law. The Final Rule, or
the final HIPAA Omnibus Rule (78 Fed. Reg. 5566), makes some important
modifications to HIPAA as we know it. These modifications must be in effect
in your workplace beginning March 26, 2013.
More Information at: (http://hipaaomnibusrule.com/)
HITECH Act
The American Recovery and Reinvestment Act of 2015 includes the Health
Information Technology for Economic and Clinical Health (HITECH) Act.
The HITECH Act provides Medicare and Medicaid monetary incentives for
hospitals and physicians to adopt electronic health records (EHRs) and also
provides grants for the development of a health information exchange (HIE).
These incentives and grants were created to stimulate health care providers to
adopt technology necessary to improve the efficiency of patient healthcare.
The HITECH Act provides over $30 billion for healthcare infrastructure and the
adoption of electronic health records (EHR). According to the Act, physicians
are eligible to receive up to $44,000 per physician from Medicare for
“meaningful use” of a certified EHR system starting in 2015.
How does HITECH Affect HIPAA?
1) Applies the same HIPAA privacy and security requirements (and penalties)
for covered entities to business associates
2) Establishes mandatory federal privacy and security breach reporting
requirements for HIPAA covered entities and business associates
3) Creates new privacy requirements for HIPAA covered entities and
business associates, including new accounting disclosure requirements
and restrictions on sales and marketing
4) Establishes new criminal and civil penalties for HIPAA non-compliance and
new enforcement methods
5) Mandates that the new security requirements must be incorporated into all
business associate contracts

Patient confidentiality
 
Patient confidentiality
Patient confidentialityPatient confidentiality
Patient confidentiality
 
Broome
BroomeBroome
Broome
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentiality
 
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
 

HIPAA

  • 1. HIPAA: An Overview; Obtaining and Using your Client’s Mental Health, Drug, and Alcohol Treatment Records Presented by Steven D. Wolcott - Attorney At Law Contact Information: 104 W Kansas St. Liberty, Missouri 64068 Phone: (816) 792-4242 swolcott@kc.rr.com
  • 2. Glossary of Terms - Business Associate (BA) : A person or organization that performs a function or activity on behalf of a covered entity, but is not part of a covered entity’s workforce. A business associate can also be a covered entity in its own right. - Covered Entity (CE) : Any business entity that must comply with HIPAA regulations, which includes healthcare providers, health plans and healthcare clearinghouses. For purposes of HIPAA, health care providers include hospitals, physicians, and other caregivers. - Electronic Health Record (EHR) : An Electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one healthcare organization. - Electronic Medical Record (EMR) : An electronic record of health-related information on an individual that can be created, gathered, managed, and consulted by authorized clinicians and staff within one healthcare organization.
  • 3. HIPAA In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) which among other things: - Offers protection for personal health information, - Gives patients more control over their own health information, - Sets limits on the procurement, usage, and disclosure of a patient’s records, and - Establishes a series of privacy standards for healthcare providers, which provides penalties for those who do not follow these standards.
  • 4. HIPAA Privacy Rules General: The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the first comprehensive Federal protection for the privacy of health and mental health information. The rule is intended to provide strong legal protections to ensure the privacy of individual health information, without interfering with patient access to treatment, health care operations, or quality of care. The Privacy Rule applies to “covered entities” which generally includes health plans and health care providers who transmit health information in electronic form. “Covered entities” include almost all health and mental care providers, whether they are outpatient, residential, or inpatient providers, as well as other persons or organizations that bill and/or are paid for health care
  • 5. HIPAA Privacy Rules Basic Principles of the Privacy Rule: 1. The Privacy Rule protects all “protected health information” (PHI), including individually identifiable health or mental health information held or transmitted by a covered entity in any format, including electronic, paper, or oral statements. 2. A major purpose of the Privacy Rule is to define and limit the circumstances under which an individual’s PHI may be used or disclosed by covered entities. Generally, a covered entity may not use or disclose PHI to others, except: a. as the Privacy Rule permits or requires; or b. as authorized by the person (or personal representative) who is the subject of the health information. A HIPAA-compliant Authorization must contain specific information required by the Privacy Rules. 3. A covered entity must provide individuals (or their personal representatives) with access to their own PHI (unless there are permitted grounds for the denial), and must provide an accounting of the disclosures of their PHI to others, upon their request. 4. The Privacy Rule supersedes State law, but the State laws which provide greater privacy protections or which give individuals greater access to their own PHI remain in effect.
  • 6. Health Information Privacy When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials? Answer: The Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue. The Rule permits covered entities to disclose protected health information to law enforcement officials, without the individual’s written authorization, under specific circumstances summarized further. Disclosures for law enforcement purposes are permitted as follows: To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. The Rule recognizes that the legal process in obtaining a court order and the secrecy of the grand jury process provide protections for the individual’s private information (45 CFR 164.512(f)(1)(ii)(A)-(B)). To respond to an administrative request, such as an administrative subpoena or investigative demand or other written request. Because such a request may be made without judicial involvement, the Rule requires all administrative requests to include or be accompanied by a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used (45 CFR 164.512(f)(1)(ii)(C)).
  • 7. Health Information Privacy To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person; but the covered entity must limit disclosures of PHI to name and address, date and place of birth, SSN, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request (45 CFR 164.512(f)(2)). This same limited information may be reported to law enforcement: About a suspected perpetrator of a crime when the report is made by the victim who is a member of the covered entity’s workforce (45 CFR 164.502(j)(2)); To identify or apprehend an individual who has admitted participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to a victim, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act (45 CFR 164.512(j)(1)(ii)(A), (j)(2)-(3)).
  • 8. Health Information Privacy To respond to a request for PHI about a victim of a crime, and the victim agrees. If, because of an emergency or the person’s incapacity, the individual cannot agree, the covered entity may disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine whether another person broke the law, the investigation would be materially and adversely affected by waiting until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the best interests of the individual whose information is requested (45 CFR 164.512(f)(3)). Where child abuse victims or adult victims of abuse, neglect or domestic violence are concerned, other provisions of the Rule apply: Child abuse or neglect may be reported to any law enforcement official authorized by law to receive such reports and the agreement of the individual is not required (45 CFR 164.512(b)(1)(ii)). Adult abuse, neglect, or domestic violence may be reported to a law enforcement official authorized by law to receive such reports (45 CFR 164.512(c)): If the individual agrees; If the report is required by law; or If expressly authorized by law, and based on the exercise of professional judgment, the report is necessary to prevent serious harm to the individual or others, or in certain other emergency situations (see 45 CFR 164.512(c)(1)(iii)(B)). Notice to the individual of the report may be required (see 45 CFR 164.512(c)(2)).
  • 9. Health Information Privacy To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)). For example, state laws commonly require health care providers to report incidents of gunshot or stab wounds, or other violent injuries; and the rule permits disclosures of PHI as necessary to comply with these laws. To alert law enforcement to the death of an individual, when there is a suspicion that death resulted from criminal conduct (45 CFR 164.512(f)(4)). Information about a decedent may also be shared with medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or to carry out their other authorized duties (45 CFR 164.512(g)(1)). To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5)).
  • 10. Electronic Code of Federal Regulations §2.1 Statutory authority for confidentiality of drug abuse patient records The restrictions of these regulations upon disclosure and use of drug abuse patient records were initially authorized by section 408 of the Drug Abuse Prevention, Treatment, and Rehabilitation Act (21 U.S.C. 1175). That section as amended was transferred by Pub. L. 98-24 to section 527 of the Public Health Service Act which is codified at 42 U.S.C. 290ee-3. §2.2 Statutory authority for confidentiality of alcohol abuse patient records The restrictions of these regulations upon the disclosure and use of alcohol abuse patient records were initially authorized by section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 (42 U.S.C. 4582). The section as amended was transferred by Pub. L. 98-24 to section 523 of the Public Health Service Act which is codified at 42 U.S.C. 290ee-3. Penalty for first and subsequent offenses: Any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined not more than $500 in the case of the first offense, and not more than $5,000 in the case of each subsequent offense. Confidentiality of Alcohol and Drug Abuse Patient Records Subpart A:
  • 11. Electronic Code of Federal Regulations §2.11 Definitions: Alcohol Abuse means the use of an alcoholic beverage which impairs the physical, mental, emotional, or social well-being of the user. Drug Abuse means the use of a psychoactive substance for other than medicinal purposes which impairs the physical, mental, emotional, or social well-being of the user. Diagnosis means any reference to an individual’s alcohol or drug abuse or to a condition which is identified as having been caused by that abuse which is made for the purpose of treatment or referral of treatment. Disclose or disclosure means a communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the record of a patient who has been identified. Patient means any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program and includes any individual who, after arrest on a criminal charge, is identified as an alcohol or drug abuser in order to determine that individual’s eligibility to participate in a program. Records means any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program. Subpart B-General Provisions
  • 14. Penalties for Violation 1) Civil Monetary Penalties: The Department of Health and Human Services (HHS) may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement, not to exceed $25,000 per calendar year for multiple violations of the same Privacy Rule requirement. Generally, HHS may not impose civil monetary penalties when a violation is due to reasonable cause, there was no “willful neglect,” and the covered entity corrected the violation within 30 days of when it knew (or should have known) of the violation. 2) Criminal Penalties: A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA could face a fine of $50,000 and imprisonment for up to one year. If the wrongful conduct involves “false pretenses” the criminal penalties could increase up to a fine of $100,000 and up to five years imprisonment. A fine of up to $250,000 and up to ten years imprisonment could be imposed if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information “for commercial advantage, personal gain, or malicious harm”.
  • 15. 24 S.W.3d 220 (2000) Judy FIERSTEIN, Respondent/Cross-Appellant v. DePAUL HEALTH CENTER, Appellant/Cross-Respondent Nos. ED 76518, ED 76544 Missouri Court of Appeals, Eastern District, Division Four. May 9, 2000. Motion for rehearing and/or Transfer Denied June 14, 2000 Application for Transfer Denied August 29, 2000
  • 16. FIERSTEIN v. DHC Defendant, DePaul Health Center, appeals from the judgment, entered pursuant to jury verdicts, in favor of plaintiff, Judy L. Fierstein, in her action for breach of fiduciary duty for the wrongful release of her medical records. The jury awarded actual and punitive damages. Plaintiff brought an action against DePaul for the wrongful release of her medical records, alleging a breach of fiduciary duty owed to her under the physician-patient privilege. The jury returned verdicts in favor of plaintiff, awarding her $10,000.00 in actual damages and $375,000.00 in punitive damages. The trial court entered judgment in accordance with the jury verdict for actual damages, but granted remittitur as to the punitive damages, reducing the punitive damage award to $25,000.00, and entered judgment on the punitive damage count in that amount. Both parties appeal from that judgment.
  • 17. 320 S.W.3d 145 (2010) STATE ex rel. Bobbie Jean PROCTOR and Vincent Proctor, Relators, v. The Honorable Edith L. MESSINA, Circuit Judge, Sixteenth Judicial Circuit, Jackson County, Missouri, Respondent. No. SC 90610. Supreme Court of Missouri, En Banc. August 31, 2010
  • 18. State ex rel. Proctor v. Messina In State ex rel. Collins v. Roldan, 289 S.W.3d 780, 783 (Mo.App.2009), the court noted that pursuant to the Supremacy Clause of the United States Constitution, HIPAA may preempt Missouri law on the *148 issue of ex parte communications between an attorney and a treating physician. The court did not examine or decide the issue because the case was decided on other grounds. Id. at 784 n. 6. The issue of whether or not HIPAA preempts Missouri Law is an issue of first impression in Missouri Courts. Congress included an express preemption clause in HIPAA. See 42 U.S.C.A. § 1320d-7(a). Because HIPAA contains an express preemption clause, this Court’s task is to construe the plain language of the statute to determine the extent to which Congress intended for HIPAA to preempt state law. CSX Transp., 507 U.S. at 664, 113 S.Ct. 1732.
  • 19. Preemption Clause - Proctor v. Messina HIPAA’s preemption clause is contained in 42 U.S.C.A. § 1320d-7, which states: 1. General Rule: Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall supersede any contrary provision of state law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form. 2. Exceptions: A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall not supersede a contrary provision of State Law, if the provision of State Law- a. is a provision the Secretary determines- i. is necessary- 1. to prevent fraud and abuse; 2. to ensure appropriate State regulation of insurance and health plans; 3. for State reporting on health care delivery or costs; or 4. for other purposes; or ii. addresses controlled substances
  • 20. HIPAA Generally - Proctor v. Messina This Court’s examination of HIPAA’s privacy rule reviews the text of the regulations mindful of the intent of Congress in directing the Secretary to issue rules and regulations to implement the HIPAA Privacy Rule. In HIPAA, Congress directed the Secretary to promulgate rules and regulations designed to ensure the privacy of patients’ medical information. 42 U.S.C.A. § 1320d-2(d)(2)(A); see also Crenshaw v. MONY Life Ins. Co., 318 F.Supp.2d 1015, 1028 (S.D.Cal.2004); Moreland v. Austin, 284 Ga. 730, 670 S.E.2d 68, 70 (2008). The HIPAA regulations draw no distinction between formal versus informal disclosures and, instead, broadly prohibit all disclosures in the absence of a specifically enumerated exception to this general rule of prohibition. Specifically, the Secretary defined protected “Health Information” as: [A]ny information, whether oral or recorded in any form or medium, that: 1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
  • 21. Ex Parte Communications - Proctor v. Messina Missouri Law on the Issue of Ex Parte Communications: Missouri common law historically provides that a litigant patient in a personal injury lawsuit could not be compelled by court order to sign medical authorizations consenting to ex parte communications with treating physicians. State ex rel. Woytus v. Ryan, 776 S.W.2d 389, 395 (Mo. banc 1989). Subsequently, this court issued a pair of companion opinions addressing voluntary and informal ex parte communications between plaintiff’s treating physician and defendant or defendant’s representatives in a medical malpractice case. Brandt v. Pelican, S.W.2d at 661 (Mo. banc 1993) (Brandt I); Brandt v. Med. Def. Assocs., 856 S.W.2d 667 (Mo. banc 1993) (Brandt II)
  • 22. Authorized Disclosure - Proctor v. Messina Under 45 C.F.R. § 164.512(e)(1), HIPAA authorizes disclosure in the course of any judicial or administrative proceeding: 1. Permitted Disclosures. A covered entity may disclose PHI in the course of any judicial or administrative proceeding: a. In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by such order; or b. In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if: i. The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is subject of the PHI that has been requested has been given notice of the request; or ii. The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.
  • 23. Conclusion - Proctor vs. Messina In the instant case, by issuing a purported formal order that was directed to non-party medical providers and, essentially, providing an advisory opinion to said non-party medical providers about the trial court’s understanding of the law on informal ex parte communications, the trial court exceeded its authority, and the preliminary writ of prohibition is made permanent. All concur.
  • 24. How to File a Complaint If you believe that a covered entity or business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities and their business associates.
  • 25. HIPAA Omnibus Rule As of January 17th, 2013, HIPAA regulations have had a massive update and overhaul to protect patients. The new laws more extensively hold second and third party businesses responsible to keep Patient Health Information (PHI) private. The OCR of the United States Department of Health and Human Services adopted the HIPAA Omnibus Rule as an overhaul and update to the USA’s existing volumes of the HIPAA Law and HITECH Law. The Final Rule or the final HIPAA Omnibus Rule (78 Fed. Reg. 5566) has some important modifications to HIPAA as we know it. They are required to begin functioning within your workplace, beginning March 26, 2013. More Information at: (http://hipaaomnibusrule.com/)
  • 26. HITECH Act The American Recovery and Reinvestment Act of 2015 includes the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act provides Medicare and Medicaid monetary incentives for hospitals and physicians to adopt electronic health records (EHRs) and also provides grants for the development of a health information exchange (HIE). These incentives and grants were created to stimulate health care providers to adopt technology necessary to improve the efficiency of patient healthcare. HITECH Act provides over $30 billion for healthcare infrastructure and the adoption of electronic health records (EHR). According to the Act, physicians are eligible to receive up to $44,000 per physician from Medicare for “meaningful use” of a certified EHR system starting in 2015
  • 27. How does HITECH Affect HIPAA? 1) Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates 2) Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates 3) Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing 4) Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods 5) Mandates that the new security requirements must be incorporated into all business associate contracts