HIPAA
and Related Issues
May 13, 2016
OACB Spring Conference
Columbus, OH
WHY SHOULD I CARE ABOUT HIPAA?
ENFORCEMENT AND SANCTIONS
Ethical and Moral Obligation
• We serve a vulnerable population and have an
obligation to protect their security, privacy,
and civil rights
© Hickman & Lowder Co. L.P.A.
Loss of Public Trust
• HIPAA violations will be newsworthy
• The loss of public trust will erode community
support for your organization
• Levy campaigns will be negatively affected
Enforcement of HIPAA
• The Department of Health and Human
Services (DHHS) is responsible for
developing and establishing the
Privacy Rule standards
• Office of Civil Rights (OCR) is
responsible for implementing and
enforcing the Privacy & Security Rules
Civil Penalties
• Penalties apply equally to CE and BA
• Prior to revisions, penalty was $100 per
violation up to $25,000 for identical violation
per year
Penalties: Did Not Know
• Each violation: $100 - $50,000
• Max. per year for identical violations: $1,500,000
Penalties: Reasonable Cause
• Each violation: $1,000 - $50,000
• Max. per year for identical violations: $1,500,000
Penalties: Willful Neglect Corrected
• Each violation: $10,000 - $50,000
• Max. per year for identical violations: $1,500,000
Penalties: Willful Neglect Not Corrected
• Each violation: $50,000
• Max. per year for identical violations: $1,500,000
Affirmative Defenses
• On or after 2/18/11: No civil penalty if
criminal already imposed
• Prior to 2/18/11: No civil penalty if violation
subject to criminal penalty
• On or after 2/18/09: HHS may not impose if
CE/BA establishes -
– No willful neglect; and
– Corrected w/in 30 days
Criminal: when imposed
• Knowingly violates HIPAA:
– Uses or causes to be used a unique health
identifier OR
– Obtains individual PHI OR
– Discloses PHI
Criminal: when imposed
• Applicable to a CE and specific individuals
– This can include administrators, employees, or
officers of the CE
Criminal: penalties
• General: 50K or 1 yr
• Under false pretenses: 100K or 5 yr
• Intent gain or harm: 250K or 10 yr
HIPAA Complaints by Year
Year  Complaints
2006  7,362
2007  8,221
2008  8,729
2009  7,586
2010  8,763
2011  9,018
2012  10,457
2013  12,974
2014  17,779
Top Five Issues in Corrective Action Cases
Year | Issue 1 | Issue 2 | Issue 3 | Issue 4 | Issue 5
2014 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access | Technical Safeguards
2013 | Impermissible Uses & Disclosures | Safeguards | Access | Administrative Safeguards | Minimum Necessary
2012 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access | Minimum Necessary
2011 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints
2010 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints
Recent Penalties
• Skagit County, Washington: $215,000
• New York Presbyterian & Columbia
University: $4,800,000
• University of Washington Medicine: $750,000
• North Memorial Health Care: $1,550,000
Skagit County, Washington
• First settlement with a county government
– “Sends a strong message about the importance of HIPAA compliance to
local and county governments, regardless of size”
• ePHI was inadvertently moved to a publicly accessible
server
• Did not
– Have appropriate procedures and policies
– Document their HIPAA requirements or training
• OCR discovered general and widespread non-compliance by
the county
New York and Presbyterian Hospital
(NYP) and Columbia University (CU)
• NYP and CU operate a shared data network that is linked to
systems containing ePHI
• A doctor deactivated a server which resulted in ePHI being
accessible on public search engines
• Did not
– Make efforts prior to the breach to assure that the server was secure
and that it contained appropriate software protections
– Conduct a thorough risk analysis
– Implement appropriate policies and procedures for authorizing access to
its databases
– Comply with its own policies on information access management
New York and Presbyterian Hospital
AGAIN
• NYP allowed ABC to film patients for “NY Med” without
consent
• In particular, the crew filmed someone who was dying and
another person in significant distress, even after a medical
professional urged the crew to stop
• Did not
– Safeguard PHI and allowed ABC film crews virtually unfettered access
to their health care facility
• In addition to the HIPAA settlement, NYP is being sued for
breach of physician-patient privilege
The University of Washington Medicine (UWM)
• An employee downloaded malware from an email which compromised the data of 90,000 patients
• UWM policies required its affiliates to have up-to-date, documented system-level risk assessments
• Did not
– Follow up to ensure that affiliates were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments
North Memorial Health Care of
Minnesota
• Unencrypted laptop was stolen from a BA
employee’s car
• Did not
– Have a BA agreement in place, despite the BA having
access to a database with ePHI for almost 300,000
patients
– Complete a risk analysis
HHS Resolutions and Penalties
• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
• Updated as new settlements are reached
Audits
• Audits, unlike complaint investigations or
compliance reviews, are reviews of covered
entities and business associates that are
initiated not because of any particular event
or incident indicating possible noncompliance
on the part of the covered entity or business
associate, but rather based on application of
a set of objective selection criteria.
2011-2013 Audit
• The last audit process began in November,
2011 and went into 2013
• 115 covered entities were audited including:
– 47 health plans, 61 health care providers, and 7
health care clearinghouses.
• The smallest providers had highest rate of
deficiencies in Privacy, Security and Breach
Notification
Primary Areas of Deficiency
• Privacy
– Notice of Privacy Practices
– Access of Individuals
– Minimum Necessary
– Authorizations
• Security
– Risk Analysis
– Media Movement and Disposal
– Audit Controls and Monitoring
2014 HHS Annual Report to Congress
Phase 2 HIPAA Audit Program
• Began in 2016
• OCR currently requesting address and
contact information verification
Sample Letter
HIPAA 101:
PRIVACY RULE
Who is affected by HIPAA?
• COVERED ENTITIES:
– Health Care Providers
– Health Plans
– Health Care Clearinghouses
• BUSINESS ASSOCIATES
Privacy Rule
Standards
• Applies to health
information in all
forms:
– Written
– Spoken
– Electronic
• Health
information
includes:
– Medical records
– Claims information
– Payment information
What is PHI?
• P - Protected
• H - Health
• I - Information
• PHI is any health information that could identify an individual patient
Individually Identifiable Health Information
• Name
• Address
• Drivers license #
• Dates
– Birth date
– Admission date
– Discharge date
– Date of death
• Telephone numbers
• FAX number
• E-mail address
• Social Security Number
• Medical record number
• Web URL
• Finger or voice prints
• Photographic images
• Account number
Use and Disclosure of PHI
• Use: Sharing protected health information within the entity that maintains the information
• Disclosure: Release or transfer of PHI by an entity to persons or organizations outside of that entity
– Another facility
– Nursing home
Permitted Uses and Disclosures
• A CE is permitted to use and disclose
protected health information without an
individual’s authorization for the following:
– Treatment, Payment, and Health Care Operations
– Opportunity to Agree or Object
• Facility directory
– Incidental disclosures are permitted
– Public Interest
Disclosures not requiring
patient Authorization
• Required by Federal or State Law
– Workers compensation
– Birth reporting
– Child abuse
• Required for public health reasons
– Sexually transmitted disease
• Required for national security reasons
– Prevent a serious threat of harm to the individual or
others
Disclosures with Authorization
• Authorization is required for certain
disclosures to:
– Attorneys
• Disclosures to a patient’s attorney for purposes of
a malpractice lawsuit
• Disclosures to a life insurance company, when the
individual is seeking to obtain coverage
Minimum Necessary Req.
Use, disclosure or request of records
must be limited to the minimum
which is reasonably necessary to
accomplish the purpose of the use,
disclosure or request
a/k/a “NEED TO KNOW” Rule
“Do I need to know this to do my
job?”
You should NOT access any information that
you do not need to know in order to provide
patient care or to complete your job.
Minimum Necessary Exceptions
• Treatment
• Requests by the individual
• Authorization
• Required for compliance with HIPAA
• To HHS/OCR for
investigation/enforcement
• When required by other law
Minimum Necessary Reqs
CE must establish policies that address scope of use by employees, disclosures and requests for info to ensure minimum necessary requirements are met.
Guidance from HHS on minimum necessary requirements:
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html
How do you protect PHI?
• Do NOT talk about individuals in public places
• Do not leave PHI on voicemail or with
someone other than individual – ONLY NAME
AND NUMBER
• Avoid paging individual using identifying info
• Computer screens
• Access info
• Open charts or files
• Paper with PHI in trash vs. shredder
Get Authorizations/Releases
When Possible
• Allows release of reports and other info under
Ohio law
• Avoids need for accounting
• Minimum necessary compliance
Scope of
Authorizations/Releases
• Avoid compound releases
• Cannot make release a condition for services
• Include release for BAs
• Specify Duration
Notice of Privacy Practices
(NPP)
• Right to notice of breach
• Right to restrict disclosures of PHI when self-
paid in full
• Fundraising communications and right to opt-
out
• Right to have disclosures of psychotherapy
notes, sale of PHI and marketing disclosures
only pursuant to authorization
• If Health Plan, no genetic info for
underwriting
Individuals cannot prevent or
limit disclosure
With narrow exceptions
Exceptions
• Psychotherapy notes
– Individual, family or group sessions
– Separate from main file
• Agreed-upon restrictions by covered entity
• Information to health plan/payer when
consumer has paid for services privately and
in full
Exceptions (cont’d)
• Drug/alcohol treatment (42 CFR Part 2)
• Valid Court Order
• Subpoena if HIPAA requirements met
Readability of NPP and Authorizations
• CEs are required to provide NPPs in “plain language”
• HHS has model NPPs with simplified language and made them available on their website
• Authorizations must be written in “plain language”, but they still must contain core elements and statements
– Due to these requirements, authorizations may not be understood by certain individuals
– DD Board employees should make all efforts to ensure that the authorization is understood and informed consent is obtained
Translation of NPP or Authorizations
• Nothing explicitly in HIPAA requires translation of documents
• However, the Civil Rights Act of 1964 applies to DD Boards since they receive federal funding
– “No person in the United States shall, on the ground of race, color, or national origin, be excluded from participation in, be denied the benefits of, or be subjected to discrimination under any program or activity receiving Federal financial assistance.”
Translation of NPP or Authorizations
• HHS guidance on Limited English Proficient persons (LEP) recommends an individualized assessment that balances the following four factors:
– The number or proportion of LEP persons eligible to be served or likely to be encountered by the program;
– The frequency with which LEP individuals come in contact with the program;
– The nature and importance of the program, activity, or service provided by the program to people's lives; and
– The resources available to the grantee/recipient and costs
Safe Harbor
• The CE should provide written translations of
vital documents for each LEP group that
constitutes five percent or 1,000, whichever
is less, of the population of persons eligible to
be served or likely to be affected
Demographic Information
• Current state and county-level data is accessible at:
– http://www.lep.gov/demog_data/demog_data.html
– http://www.lep.gov/maps/
Comprehensive Data
BREACH
What is a breach?
• Acquisition, Access, Use, Disclosure of PHI
• Unauthorized manner
• Compromises PHI security or privacy
Exception 1:
• Unintentional acquisition, access, use;
• By CE or BA workforce member;
• In Good Faith;
• Within scope of Authority; and
• No further unpermitted use or disclosure.
Exception 2:
• Inadvertent disclosure
• By CE/BA employee with access authorization
• To another employee with access
authorization of SAME CE/BA (or organized
healthcare arrangement)
• No further unpermitted use or disclosure
Exception 3:
• Disclosure by CE/BA
• Good faith belief that
• Unauthorized person not reasonably able to
retain PHI
Time of breach
• Covered Entity
– When discovered or should have been discovered
• When BA acts as agent, when BA discovers
• If BA not an agent, when reported to Covered
Entity
Notice of Breach
• Covered entity must provide notice of breach
• Applicable to unsecured PHI only
• Secured v. Unsecured PHI
When notice of breach is required
Secured: No notice
Unsecured - exception: No notice
Unsecured - no exception: Notice
Secured PHI
• Defined in guidance issued by Secretary of
HHS
– Encryption
– Destruction
• www.hhs.gov/ocr/privacy
Risk Assessment
• Whether low probability that data has been compromised
• Examine and document factors:
– Nature and extent of PHI, type of identifiers, and likelihood of re-identification
– Unauthorized person who used/accessed the PHI
– Whether PHI was actually acquired/viewed
– Extent to which risk to PHI was mitigated
Who Gets Notice
• Individual
• Media if >500
• HHS
– Promptly if >500
– Annually if <500
• CE if BA breached
Timing of Notice
• Without unreasonable delay
• No later than 60 days after discovery of
breach
• Delay if notice would:
– Impede criminal investigation
– Affect national security
Content of Notice
• What happened and when
• PHI involved in breach
• Steps to protect from potential harm
• Corrective steps by CE
• Contact information
Method of Notice
• Written
– First class mail
– E-mail with consent
• Substitute
– <10 – written, phone, other
– >=10 Web site 90 days or media with toll free number
for 90 days
Method of Notice (cont’d)
• Urgent – imminent misuse of unsecured PHI
• CE may contact by phone or other means
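The breach slides above (time of breach, secured v. unsecured PHI, the three exceptions, the four-factor risk assessment, who gets notice, and the 60-day limit) describe a decision procedure. The following is an added example, not material from the presentation or from Hickman & Lowder, that encodes that procedure so an incident handler can see which branch an incident falls on and when the clock started. Field names, the 500-individual threshold constant and the two incidents in sample_incidents() are this example's own constructions.

```python
"""Breach-notification decision helper built from the slides' rules (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_WINDOW = timedelta(days=60)   # "No later than 60 days after discovery"
LARGE_BREACH = 500                    # "Media if >500", "HHS promptly if >500"


@dataclass
class RiskAssessment:
    """The four factors the slides say must be examined and documented."""
    nature_and_extent: str        # PHI involved, identifiers, re-identification risk
    unauthorized_person: str      # who used or accessed the PHI
    actually_acquired: str        # whether the PHI was actually acquired or viewed
    mitigation: str               # extent to which the risk has been mitigated
    low_probability_of_compromise: bool   # the documented conclusion

    def fully_documented(self) -> bool:
        """A conclusion only counts if every factor has a written finding."""
        return all(f.strip() for f in (self.nature_and_extent, self.unauthorized_person,
                                       self.actually_acquired, self.mitigation))


@dataclass
class Incident:
    individuals_affected: int
    phi_secured: bool                      # encrypted or destroyed per HHS guidance
    exception_applies: bool                # one of the three regulatory exceptions
    assessment: Optional[RiskAssessment] = None
    ce_discovered: Optional[date] = None   # when the CE discovered (or should have)
    ba_discovered: Optional[date] = None   # the BA's own discovery date, if a BA breach
    ba_reported_to_ce: Optional[date] = None
    ba_is_agent: bool = False


def discovery_date(inc: Incident) -> date:
    """Date the covered entity is treated as having discovered the breach."""
    if inc.ba_discovered is not None:
        if inc.ba_is_agent:                # agent: BA's discovery is the CE's discovery
            return inc.ba_discovered
        if inc.ba_reported_to_ce is None:  # not an agent: CE clock starts on the report
            raise ValueError("non-agent BA breach has no report date yet")
        return inc.ba_reported_to_ce
    if inc.ce_discovered is None:
        raise ValueError("no discovery date recorded")
    return inc.ce_discovered


def notice_required(inc: Incident) -> bool:
    """Secured -> no notice; unsecured + exception -> no notice; otherwise notice,
    unless a fully documented risk assessment finds a low probability of compromise."""
    if inc.phi_secured or inc.exception_applies:
        return False
    a = inc.assessment
    if a is not None and a.fully_documented() and a.low_probability_of_compromise:
        return False
    return True


def recipients(inc: Incident) -> List[str]:
    """Who gets notice, following the 'Who Gets Notice' slide."""
    who = ["individual"]
    if inc.individuals_affected > LARGE_BREACH:
        who += ["media", "HHS (promptly)"]
    else:
        who.append("HHS (annual log)")
    if inc.ba_discovered is not None:      # a BA breach is also reported to the CE
        who.append("covered entity (from BA)")
    return who


def notification_plan(inc: Incident) -> Dict[str, object]:
    found = discovery_date(inc)
    plan: Dict[str, object] = {"discovery_date": found.isoformat(),
                               "notice_required": notice_required(inc)}
    if plan["notice_required"]:
        plan["recipients"] = recipients(inc)
        plan["deadline"] = (found + NOTICE_WINDOW).isoformat()
    return plan


def sample_incidents() -> Dict[str, Incident]:
    """Constructed incidents (not real cases): an unencrypted laptop stolen from a
    non-agent BA, and an encrypted laptop lost by a CE employee."""
    return {
        "laptop_unencrypted_ba": Incident(
            individuals_affected=300_000, phi_secured=False, exception_applies=False,
            ba_discovered=date(2016, 3, 1), ba_reported_to_ce=date(2016, 3, 10)),
        "laptop_encrypted_ce": Incident(
            individuals_affected=40, phi_secured=True, exception_applies=False,
            ce_discovered=date(2016, 4, 1)),
    }


if __name__ == "__main__":
    for name, inc in sample_incidents().items():
        print(name, notification_plan(inc))
```

The first constructed incident mirrors the North Memorial fact pattern from earlier in the deck: because the BA is not an agent, the CE's 60 days run from the date the BA reported, not from the BA's own discovery, and the count over 500 pulls in media and prompt HHS notice. The second shows the secured-PHI branch short-circuiting everything else.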
Accountings
• Ohio law removes blanket requirement for all
disclosures
• HIPAA: accounting required:
– TPO stored electronically: 3 years
– Other covered disclosures: 6 years
• BA agreement must define procedure for
accountings
Accounting Exceptions
• Disclosures:
– To carry out treatment, payment and health care operations;
– To individuals of protected health information about them;
– Incident to a use or disclosure otherwise permitted or required by
the HIPAA Privacy Rules;
– Pursuant to an authorization;
– For the facility’s directory or to persons involved in the
individual’s care or other notification purposes;
– For national security or intelligence purposes;
– To correctional institutions or law enforcement officials;
– As part of a limited data set; or
– That occurred prior to the compliance date for the Board
What’s Left to Account?
• Disclosures to a Public Health Entity
• Disclosures made during the course of litigation
– Disclosures made by a CE that is not a party to the litigation or
proceeding and that are made:
• as required by law (under § 164.512(a) and (e)(1)(i));
• for a proceeding before a health oversight agency
(164.512(d)); or
• in response to a subpoena, discovery request, or other lawful
process
• Certain Disclosures to Business Associates
– Where the BA discloses information described above
Implementation dates
• Jan. 1, 2011
– For disclosures of records in existence
after 1/1/09
• Jan. 1, 2014
– For disclosures of records in existence on
or before 1/1/09
• Secretary may delay implementation dates;
accounting rules still under construction
Accounting Recommendation
• Use authorizations to eliminate need
for accounting
• Bring prior accounting requirement in
line with HIPAA standards
• Consider continuing prior accounting
procedures if in line with HIPAA
Other Privacy Changes
• Ability to get electronic versions of records
• Ability to restrict disclosure
• Immunizations
• Access to decedent information (50 yrs)
UPDATE YOUR NOTICES
Sample HIPAA Privacy Forms & Policies:
www.socialworkers.org/hipaa/sample.asp
BA Agreements
Case Study #1
BA Definition
• Performs functions or activities on behalf of a
covered entity
• Involves use or disclosure of PHI
• Includes subcontractors of BA if PHI involved
BA Definition (cont’d)
• Agreement required
• Absence of agreement does not change
status
BA Compliance
• All security requirements
• Privacy rules applicable to PHI activities
• Same requirements for subcontractors
BA notice of Breach
• Report to covered entity
• Without unreasonable delay
– 60 day max
• Must provide CE with identity of each individual affected by breach
BA as agent – significance
• If Agent
– CE liable for actions of BA
– date of discovery by BA is date of discovery for CE
• If not Agent
– No direct liability
– date of notice by BA is date of discovery for CE
When is BA an Agent
• Main issue is the right or authority of a CE to
control BA’s conduct in course of service on
behalf of CE
• Issue is the RIGHT to control, regardless of
actual exercise
• Clarify in Agreement
Direct Liability of BA
• Impermissible use or disclosure
• Failure to provide notice of breach
• Failure to provide access if required
• Failure to provide info to HHS
• Failure to provide accounting
• Failure to implement security rules
SECURITY RULES
45 CFR Part 160 and
Part 164, Subparts A and C.
SECURITY 101
PRIVACY vs. SECURITY
Privacy | Security
ALL PHI | ONLY e-PHI
Electronic, paper or oral PHI | PHI created, received, maintained or transmitted in electronic media
Standards for who may access PHI | Standards to ensure only authorized persons have access
Overseen and enforced by OCR | Overseen and enforced by OCR
SECURITY 101:
Who Must Comply?
Since 2005-2006:
Covered Entities
By September 23, 2013:
Business Associates
BA Subcontractors
SECURITY 101: General Rules
Maintain reasonable, appropriate safeguards for protecting e-PHI’s:
1) Confidentiality
– e-PHI accessible only by authorized people and processes
2) Integrity
– e-PHI is not altered or destroyed in unauthorized manner
3) Availability
– e-PHI can be accessed as needed by authorized person
SECURITY 101: General Rules
• Identify and protect against threats to security or integrity;
• Protect against impermissible uses or disclosures; and
• Ensure compliance by workforce
SECURITY 101: General Rules
Safeguards
– Standards
– Implementation Specifications: Required or Addressable
“Addressable” Implementation Specifications
For each addressable Imp. Spec. MUST:
• Implement the Spec. if reasonable and appropriate; or
• If not reasonable and appropriate –
– Document rationale supporting decision; and
– Implement equivalent measure that would accomplish same purpose
Administrative Safeguards
Security Management Process:
Implement policies and procedures to
prevent, detect, contain, and correct security
violations.
1. Risk Analysis (R)
2. Risk Management (R)
3. Sanction Policy (R)
4. Information System Activity Review (R)
Administrative Safeguards
Risk analysis:
• Conduct accurate thorough
assessment of risks, vulnerabilities,
and threats to confidentiality, integrity,
and availability of e-PHI
Risk Management:
• Implement security measures to
reduce risks and vulnerabilities to
reasonable and appropriate level
Administrative Safeguards
IMPORTANT DEFINITIONS
VULNERABILITY: A flaw or weakness in system security
procedures, design, implementation, or internal controls that could
be [accidentally triggered or intentionally exploited] and result in a
security breach or a violation of security policy.
THREAT: The potential for a person or thing to [accidentally trigger
or intentionally exploit] a specific vulnerability.
RISK: A Vulnerability triggered or exploited by a Threat:
1. Unauthorized disclosure, modification, or destruction of info
2. Unintentional errors or omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and
operation of IT system
Definitions from CMS HIPAA Security Series / NIST SP 800-30
Administrative Safeguards
Security Management Process
EXAMPLE RISK ANALYSIS:
1. Identify the scope of analysis
2. Gather Data
3. Identify and document potential threats and
vulnerabilities
4. Assess current security measures
5. Determine likelihood of threat occurrence
6. Determine level of risk
7. Identify security measures and finalize
documentation
Administrative Safeguards
Security Management Process
EXAMPLE RISK MANAGEMENT:
1. Develop and implement risk management plan
– Purpose to evaluate, prioritize, and implement risk-reducing security measures
2. Implement security measures
– Scope, timeline and budget for each project
3. Evaluate and maintain security measures
– Ongoing: periodic or in response to changes in environment
Administrative Safeguards
• Security Officer
• Workforce Security: “Need to Know” (A)
• Information Access Management (R/A)
• Security Awareness and Training (A)
• Security Incident Procedures (R)
Administrative Safeguards
Contingency Plan: Response to
emergency (fire, vandalism, system failure,
etc.).
1. Data Backup (R)
2. Disaster Recovery (R)
3. Emergency Mode Operation Plan (R)
4. Periodic testing & Revision (A)
5. Prioritize software/data for backup (A)
Administrative Safeguards
Evaluation: Periodic assessment of system –
environment and operational changes (R)
BA Contracts & Other Arrangements:
CE may permit a BA to create, receive,
maintain, or transmit e-PHI but ONLY with
satisfactory assurances:
- BA Agreement (contract)
- MOU if CE/BA are both government agencies
Physical Safeguards
Facility Access and Control:
- Limit physical access while ensuring authorized access
Workstation & Device Security:
- Specify proper use of and access to workstations
- Policies/procedures to address transfer, removal, disposal, and re-use of e-media
Technical Safeguards
Access Control: Only authorized persons can
access
Audit Control: Implement hardware, software,
procedural mechanisms to record/examine
access and activity on systems
Integrity Control: Electronic measures to
ensure e-PHI is not improperly altered/destroyed
Transmission Security: technical measures to
guard against unauthorized access to e-PHI
transmitted over network
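The Audit Control standard above (record and examine access and activity) only pays off if someone actually examines the record, which is what the Administrative Safeguard "Information System Activity Review (R)" requires. The following added example, which is not from the presentation or from Hickman & Lowder, shows one such review run over a small constructed access log: it flags record views by users who are not on the patient's need-to-know list (the "Need to Know" rule from the Privacy section) and users whose breadth of record access in one day exceeds a threshold. The log format, the care-team table, the threshold and the user and patient IDs are all assumptions constructed for the demo, not any EHR product's format.

```python
"""Information system activity review over a constructed access log (added example)."""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Set

# Constructed sample records: timestamp,user,role,patient_id,action
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2016-05-02T08:05:00,jsmith,nurse,P1001,view
2016-05-02T08:07:00,jsmith,nurse,P1002,view
2016-05-02T09:15:00,rdoe,billing,P1001,view
2016-05-02T09:16:00,rdoe,billing,P1001,print
2016-05-02T12:40:00,tlee,therapist,P2001,view
2016-05-02T12:41:00,tlee,therapist,P2002,view
2016-05-02T12:42:00,tlee,therapist,P2003,view
2016-05-02T12:43:00,tlee,therapist,P2004,view
2016-05-02T12:44:00,tlee,therapist,P2005,view
2016-05-02T12:45:00,tlee,therapist,P2006,view
2016-05-02T17:30:00,mkhan,nurse,P1001,view
"""

# Constructed assignment table: which workforce members have a treatment,
# payment or operations reason to see each record (the "need to know" set).
CARE_TEAMS: Dict[str, Set[str]] = {
    "P1001": {"jsmith", "rdoe"},
    "P1002": {"jsmith"},
    "P2001": {"tlee"}, "P2002": {"tlee"}, "P2003": {"tlee"},
}

# A user touching more distinct records than this in one day is worth a look
# even when each individual access is authorized (assumed threshold).
DAILY_DISTINCT_PATIENT_THRESHOLD = 5


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the CSV access log into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def review(events: List[Dict[str, str]], care_teams: Dict[str, Set[str]],
           threshold: int = DAILY_DISTINCT_PATIENT_THRESHOLD) -> List[dict]:
    """Return findings: accesses outside the need-to-know set, and users whose
    daily breadth of record access exceeds the threshold."""
    findings: List[dict] = []
    per_user_day: Dict[tuple, Set[str]] = defaultdict(set)
    for e in events:
        allowed = care_teams.get(e["patient_id"], set())
        if e["user"] not in allowed:
            findings.append({"type": "not_on_care_team", "user": e["user"],
                             "patient_id": e["patient_id"],
                             "timestamp": e["timestamp"]})
        day = e["timestamp"][:10]          # ISO date prefix
        per_user_day[(e["user"], day)].add(e["patient_id"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > threshold:
            findings.append({"type": "high_volume", "user": user, "day": day,
                             "distinct_patients": len(patients)})
    return findings


def run_review() -> List[dict]:
    """Run the review over the constructed sample log."""
    return review(parse_log(SAMPLE_LOG), CARE_TEAMS)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

On the sample data the review produces four need-to-know findings (three views by tlee of records outside the assigned caseload and one by mkhan) plus one high-volume finding for tlee; each is a starting point for the Sanction Policy and Security Incident Procedures the Administrative Safeguards slides list, not a conclusion by itself.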
Case Study #2
• As more documents migrate to electronic
storage, data integrity is increasingly
important.
• Data can be altered/destroyed by user error,
or by electronic media errors or failures.
• If data integrity is not monitored, these errors
can propagate into data backup systems and
the “clean” data can be lost forever.
• A CE is REQUIRED to implement policies and
procedures to protect ePHI from improper
alteration or destruction.
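Case Study #2 warns that undetected alteration propagates into backups until the clean copy is gone, and the Technical Safeguards slide requires electronic measures to ensure e-PHI is not improperly altered or destroyed. The following added example, which is not from the presentation or from Hickman & Lowder, is one such measure: a SHA-256 manifest recorded while the files are known-good, re-checked before every backup run so that a silently corrupted or deleted record blocks the backup instead of overwriting the last good copy. The directory layout, file names and contents are constructed for the demo.

```python
"""Pre-backup integrity check for ePHI files using a SHA-256 manifest (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file (POSIX-style relative path) under root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against a stored known-good manifest."""
    current = build_manifest(root)
    return {
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def backup_allowed(report: Dict[str, List[str]]) -> bool:
    """Refuse to back up when a known-good file changed or vanished; new files
    alone are flagged for review but do not block the run."""
    return not report["altered"] and not report["missing"]


def demo() -> Dict[str, object]:
    """Build a small constructed record tree, save its manifest, then simulate a
    silent corruption, a deletion and a new file, and run the pre-backup check."""
    with tempfile.TemporaryDirectory() as tmp:
        records = Path(tmp) / "records"
        records.mkdir()
        (records / "P1001.txt").write_text("visit 2016-05-02: constructed notes\n")
        (records / "P1002.txt").write_text("visit 2016-05-03: constructed notes\n")
        (records / "P1003.txt").write_text("visit 2016-05-04: constructed notes\n")
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(records), indent=2))

        # Simulate the failure modes from the case study: one byte flipped by a
        # media error, one file removed by user error, one file newly created.
        data = bytearray((records / "P1001.txt").read_bytes())
        data[0] ^= 0x01
        (records / "P1001.txt").write_bytes(bytes(data))
        (records / "P1002.txt").unlink()
        (records / "P1004.txt").write_text("visit 2016-05-05: constructed notes\n")

        stored = json.loads(manifest_path.read_text())
        report = verify(records, stored)
        return {"report": report, "backup_allowed": backup_allowed(report)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest itself must be kept where the process that writes records cannot modify it (a separate account or host), and it has to be regenerated deliberately after every legitimate change; otherwise the check either blocks every backup or, if the manifest is writable by the same path that corrupts the data, certifies the corruption.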
Documentation
• BA Agreements & Other Arrangements
• Policies and Procedures
• Action, activity or assessment required
by Standard or Imp. Spec.
– Retain 6 yrs from date of creation or date last in
effect, whichever later
– Make available to persons responsible for
implementation
– Review, update periodically
Overview of Security Process
1. Assess current security, risks, gaps.
2. Develop implementation plan.
• Read Security Rule and review standards
and Imp. Specs.
• Review “addressable” Imp. Specs. –
determine if reasonable and appropriate
• Determine security measures
3. Implement solutions.
4. Document decisions.
5. Reassess periodically
General Resources on HIPAA
• www.cms.gov under “Regulations and
Guidance” for latest Security papers and
checklists
• http://www.hhs.gov/hipaa/index.html for latest
guidance, FAQs, and other info on Privacy
Rule
• http://www.hhs.gov/hipaa/for-professionals/faq
for FAQs about HIPAA
Resources on HIPAA for Social Workers
• Sample HIPAA Privacy Forms and Policies:
www.socialworkers.org/hipaa/sample.asp
• NASW HIPAA Security Rule Online Compliance Workbook
https://www.socialworkers.org/hipaa/workbook.asp
• HIPAAprof.com Awareness and Compliance Training
http://www.hipaaprof.com/nasw
TEXTING
Case Study #3
Is Texting Allowed?
• HIPAA does not explicitly prohibit texting
ePHI.
• However, the Security Rule still applies.
– Text messages are generally not secure because
they lack encryption during transmission, they may be
stored on a wireless provider’s servers for a period of
time, and it is difficult to verify the text recipient with
certainty.
Encryption
• Text encryption is addressable under the security rule
– Implement if reasonable and appropriate; or
– If not reasonable and appropriate –
• Document rationale supporting decision; and
• Implement equivalent measure that would accomplish same purpose
HealthIT.gov Suggestions
• https://www.healthit.gov/providers-professionals/five-steps-organizations-can-take-manage-mobile-devices-used-health-care-pro
• Detailed explanations for DD Boards who are thinking about implementing texting or mobile device management in general
1. Decide
• Decide whether mobile devices will be used to access,
receive, transmit, or store PHI or used as part of your
organization’s internal networks or systems
• Understand the risks to your organization before you
decide to allow the use of mobile devices. Risks can
vary based on the mobile device and its use. Some
risks may be:
– A lost mobile device
– A stolen mobile device
– Inadvertently downloading viruses or other malware
– Unintentional disclosure to unauthorized users when sharing
mobile devices with friends, family and/or coworkers
– Using an unsecured Wi-Fi network.
2. Assess
• Consider how mobile devices affect the risks to
the PHI your organization holds.
– Conduct a risk analysis to identify the risks to your
organization.
• After conducting a risk analysis, document:
– Which mobile devices are being used to communicate with
your organization’s internal networks or system (e.g., the
EHR system or Health Information Exchange (HIE)),
– What information is accessed, received, stored, and
transmitted by or with the mobile device
3. Identify
• Identify your organization’s mobile device risk
management strategy, including privacy and
security safeguards.
– The purpose of a mobile device risk management
strategy is to develop and implement mobile device
safeguards to reduce risks identified in the risk
analysis. The risk management strategy should
include evaluation and maintenance of the mobile
device safeguards you put in place
4. Develop, Document,
Implement
• Develop, document, and implement the
organization’s mobile device policies and
procedures to safeguard PHI.
5. Train
• Conduct mobile device privacy and security
awareness and training
• Safeguards will not protect PHI unless the
workforce is aware of its role in following and
enforcing those safeguards. Privacy and security
awareness and training should be ongoing and
include a discussion of the following topics:
– Risks when using mobile devices for work
– How to secure mobile devices
– How to protect and secure health information
– How to avoid mistakes when using mobile devices
Are Texts Records?
• The content of a record is more important
than the medium in which it is conveyed.
• If a DD Board decides to use text messaging
as an official method of communicating,
messages should be retained in accordance
with the DD Board’s existing RC-2 Records
Retention Schedule.
SUBPOENAS
Case Study #4
SUBPOENAS (Ohio Civ. R. 45)
• Hearing
– Clerk
• Deposition
– Court reporter
– Counsel
• Text of Rule 45 (C) and (D)
Types of Subpoena
• Appearance
• Documents
Serving Subpoenas
• Personal
• Residence
• Express or Certified mail
Site for Appearance
• Hearing
– Anywhere in state
• Deposition
– County of residence or
– County of place of work or
– “other convenient place fixed by the court”
• Documents – no appearance
– Appearance not necessary
Prepayment of costs
• In county - on request
• Out of county - automatic
Response
• Within 14 days or before time for compliance
(if <14 days)
• Objection
• Motion to Quash
Response (cont’d)
• Improper service
• Undue Burden/Expense
• Violation of HIPAA/AoD requirements
HIPAA: Response to Subpoena
requires:
• Satisfactory assurance from requestor that reasonable
efforts have been made to ensure that the individual
involved has been given NOTICE OF THE REQUEST; OR
• Satisfactory assurance from requestor that reasonable
efforts have been made to SECURE A QUALIFIED
PROTECTIVE ORDER.
• Covered Entity makes reasonable efforts to give notice
or obtain protective order
• Terms defined in 45 CFR 164.512(e)(1)
HIPAA: Assurances for notice
• Written statement with documentation showing:
• Good faith attempt to provide written notice
• Reasonable summary about litigation which
allows consumer to object
• No objection made/time elapsed or
• Objections overruled
HIPAA: Assurances for
Protective Order
• Written statement with documentation
showing:
• Parties presented an agreed protective order
to court OR
• The party seeking PHI requested a qualified
protective order from court
HIPAA: Elements of Protective
Order
• Prohibits the parties from using or disclosing
PHI for any purpose other than legal
proceedings for which information was
requested; and
• Requires that PHI be returned to the covered
entity or destruction of PHI (including all
copies made) at the end of the litigation or
proceeding.
DRUG/ALCOHOL RULES
Scope of AoD rules
• AoD service
• Federal connection
General AoD rules
• Strict confidentiality
• Minors must consent
• Condition of probation/parole
AoD Exceptions
• Emergency
• Crime on premises
• Child abuse
• Subpoena AND Court Order
AoD Proceedings
42 CFR 2.61-65
• Subpoena AND
• Court order
• Not required if disclosure is for research,
audit or evaluation
AoD Court Order:
Required Findings
• Disclosure is necessary to protect against an
existing threat to life or of serious bodily
injury,
• including circumstances which constitute
suspected child abuse and neglect and
• verbal threats against third parties
• OR
AoD Court Order Required
Findings (cont’d)
• Disclosure is necessary in connection with
investigation or prosecution of an extremely
serious crime,
• such as one which directly threatens loss of
life or serious bodily injury, including
homicide, rape, kidnapping, armed robbery,
assault with a deadly weapon, or child abuse
and neglect
• OR
AoD Court Order: Required
Findings (cont’d)
• Disclosure connected to litigation or an
administrative proceeding in which the
patient offers testimony or other evidence
pertaining to the content of the confidential
communications.
AoD Court Order: Application
(Civil)
• By person with legal interest
– Not part of criminal investigation or prosecution
• Must use fictitious name
• May not use identifying data unless
– Patient consents
– Court seals record
AoD Court Order: Notice (Civil)
• Given to patient and person holding records
• Adequate without disclosing identity of
person to others
• Notify of right to appear to respond or to
show that criteria are not being met
AoD Court Order: Hearing
(Civil)
• In Judge’s chambers or otherwise protected
from public disclosure
• Patient may consent to open hearing
– Consent requirements must be met
AoD Court Order: Criteria (Civil)
• Standard for disclosure met
• Good Cause, which means that
• Other means of obtaining info are not
available or ineffective
• Public interest outweighs value of
confidentiality
AoD Court Order: Content
(Civil)
• Limit disclosure to essential parts of record
• Limit disclosure to persons in need of info
• Other methods restricting access to info –
e.g. sealing record from public
AoD Court Order: Application
(Criminal)
• By person holding record or
investigator/prosecutor
• Must use fictitious name
• Cannot disclose personal information unless
record is sealed
AoD Court Order: Notice and
Hearing (Criminal)
• Person must be given adequate notice
without revealing patient identifying data
• Opportunity to appear to challenge basis for
request
• Right to be represented by counsel
• Hearing in judge’s chambers or otherwise
protected from public scrutiny
AoD Court Order: Criteria
(Criminal)
• Crime is “extremely serious”
• Reasonable likelihood that info is of
“substantial value” to
investigation/prosecution
• Other means of obtaining info unavailable or
ineffective
• Injury to patient/confidentiality outweighed by
public interest/need for disclosure
AoD Court Order: Criteria
(cont’d)
• If the applicant for the court order performs a law
enforcement function:
– Person holding records has had opportunity to obtain
independent counsel
– If record holder is in Federal, State, Local
government, entity has in fact obtained counsel
AoD Court Order: Elements
(Criminal)
• Findings on requirements for order
• Limit disclosure to essential parts of record
• Limit disclosure to investigators/prosecutors
to extent needed for serious crime
• Other methods restricting access to info –
e.g. sealing record from public
AoD Court Order: Action against
program or person holding
records
• No notice required
• Follow standards for civil proceedings
• Delete patient ID data from documents
available to public
• Information can’t be used for investigation or
prosecution of a patient, or as the basis for an
application for an order under AoD rules applicable
to criminal investigations/proceedings.
AoD Court Order: Undercover
agent
• Application: suspicion of criminal conduct by
program employees/agents
• Notice to director unless
– Director implicated
– Director likely to disclose info on investigation
AoD Court Order: Undercover
Agent (cont’d)
• Order requires good cause
• 6 months maximum
• Steps to protect confidentiality of patients
and program disruption
• Info from undercover agent cannot be used to
prosecute patients
INTERNAL SANCTIONS
Sanctions
45 CFR 164.530(e)
• A CE must have and apply appropriate
sanctions against members of its workforce
who fail to comply with the privacy policies
and procedures of the CE or applicable
requirements
• A CE must document the sanctions that are
applied, if any
Exemptions
• A CE shall not impose sanctions against a
workforce member or BA who believes in
good faith that the CE has engaged in
conduct that is unlawful or otherwise violates
professional or clinical standards, or that the
care, services, or conditions provided by the
CE potentially endangers one or more
patients, workers, or the public
Only if the Disclosure is to:
• A health oversight agency or public health authority
authorized by law to investigate or otherwise oversee
the relevant conduct or conditions of the CE or to an
appropriate health care accreditation organization for
the purpose of reporting the allegation of failure to
meet professional standards or misconduct by the CE;
or
• An attorney retained by or on behalf of the workforce
member or business associate for the purpose of
determining the legal options of the workforce member
or business associate.
Victim of a Crime
• The CE may not impose sanctions for
disclosure of PHI against a member of its
workforce who is the victim of a criminal act
if the victim discloses PHI to a law
enforcement official
Provided That:
• The PHI disclosed is about the suspected perpetrator of the
criminal act; and
• The PHI disclosed is limited to the following information:
– Name and address;
– Date and place of birth;
– Social security number;
– ABO blood type and Rh factor;
– Type of injury;
– Date and time of treatment;
– Date and time of death, if applicable; and
– A description of distinguishing physical characteristics, including height,
weight, gender, race, hair and eye color, presence or absence of facial
hair (beard or moustache), scars, and tattoos
Intimidation/Retaliation
• Sanctions may not be applied in a manner
which would be reasonably construed as
intimidation or retaliation
Best Practices
• The type of sanction should vary depending
on factors such as:
– the severity of the violation,
– whether the violation was intentional or unintentional
– whether the violation indicated a pattern of improper
use or disclosure of PHI.
• Sanctions could range from warning to
termination and should be in line with
existing progressive discipline policies.
Training
• Training should be provided and expectations
should be clear so individuals are not
sanctioned for doing things that they did not
know were inappropriate or wrong
• Sanctions should be applied consistently and
equitably to all staff
Sanction Categories
• A CE should have enough sanction categories
to cover privacy and security incidents of
varying severity
• Risk analysis and the scale/scope of the
incident should also be taken into
consideration
– Accidentally sending out PHI to the wrong email
address vs accidentally sending out PHI to an entire
email distribution list.
Sample Sanction Policy
• The following list outlines some of the violations
that may occur at a DD Board, but it is not
exhaustive.
Group I
• Accidental violations of privacy and security
policies caused by carelessness, lack of
training, or other minor errors.
– Employee accidentally sends out PHI to the wrong
email address or fax number. Employee forgets to
apply encryption to an email. Employee turns in a
release authorization missing a component.
Group II
• More meaningful or repeated violations of
privacy and security policies caused by a
disregard of procedure.
– Employee releases information without an appropriate
authorization form. Employee deliberately transmits
PHI via unsecure methods to save time.
Group III
• Deliberate violation of policies without
harmful intent.
– Employee alters existing release authorization form to
avoid meeting with the individual/guardian again.
Employee accesses PHI about a coworker’s family
member without a need to do so.
Group IV
• Malicious violation of policies with harmful
intent.
– Employee discloses PHI for criminal purposes or with
malicious/harmful intent. (e.g. Identity theft, extortion,
posting PHI to social media to mock an individual).
RETENTION
Record Retention
• In General
– Six years from the date of receipt of payment or until
an initiated audit is resolved
• Determination of Ineligibility
– Five years after determination is made
• UI, MUI
– Seven years after date of the incident
ICF Records
• 7 years after cost report filed or
• Six years after appeal rights exhausted
Local Government Records
Program (LGRP)
• Local government records can only be
destroyed or transferred after approval of the
County Records Commission
• Such action involves the preparation of either
a schedule of records retention and
disposition (RC-2) or an application for one-
time records disposal (RC-1).
RC-1 Forms
• RC-1 forms are used for a ‘One Time Disposal
of Obsolete Records’ that are no longer
created or maintained
• Since your DD Board is no longer creating
these records, there is no need to include
them on a retention schedule (RC-2 form)
– However, if you wish to dispose of these records, it
will still need to be documented with an RC-1 form.
RC-2 Forms
• The RC-2 form is your DD Board’s Retention
Schedule. It tells the state how long each
record series will be retained.
• RC-1 and RC-2 forms are signed off first by
the Records Commission, then submitted to
the State Archives
– Once reviewed and signed by the State Archives,
they are sent over to the Auditor of State’s office for
review and signature.
RC-3 Forms
• An RC-3 form is a Certificate of Disposal for
records identified on a RC-2 form. These
forms do not require the signature of the
Records Commission. The certificate of
records disposal serves as the official record
of the disposition of the records.
RC-3 Exceptions
• RC-2 forms dated after September 29th, 2011
have check boxes for the LGRP to mark. RC-3
forms will only be required for records series
that have been checked by the LGRP
• Generally, the LGRP is unable to review or
select for its custody any records protected
by HIPAA or FERPA
– This should be clearly indicated on the RC-2 form and
be enforced by the DD Board’s records custodian.
RC-2 Best Practices
• The LGRP website has detailed instructions
on how to fill out an RC-2 Retention schedule.
• The LGRP also provides a draft copy of a
suggested Retention Schedule for DD Boards
with sample records series and retention
windows.
– www.ohiohistory.org/lgrforms
– https://www.ohiohistory.org/OHC/media/OHC-Media/Learn/Archives-Library%20Documents/Developmental-Disabilities-Draft.pdf
Multiple Media Types
• If you are keeping both paper and electronic
records for the same length of time, they can be
listed together on one line with both media types
listed. If you are only keeping one type until it is
converted to the other type (paper scanned to
electronic), you should use two separate lines.
Keeping Paper AND Electronic Records
Schedule Number   Record Title and Description   Retention Period   Media Type
SSA-01            Client Records                 Permanent          Paper/Electronic
Keeping Paper OR Electronic Records
Schedule Number   Record Title and Description   Retention Period      Media Type
SSA-01            Client Records                 Retain until scanned  Paper
SSA-02            Client Records                 Permanent             Electronic
Digital vs Physical Record
Retention
• The Ohio History Connection strongly
recommends maintaining an eye-readable
backup for records deemed of permanent
value or that will be maintained for greater
than ten years.
• It is our opinion that this is directed towards
government records with historical value as
opposed to DD Board records.
Digital vs Physical Record
Retention
• ORC 9.01 generally states that electronic
copies of a document have the same
authority as a paper copy as long as they are
certified or authenticated.
• The State is concerned with the record itself
more than the medium in which it is retained.
State Guidelines for Long-Term
Imaging
• Originals should be scanned at a minimum of
300 DPI and saved in Group 4 TIFF format.
This will be the master image/archival copy.
– Quality control should be intensive if the agency is
retaining ONLY a digital image.
• Images should be periodically copied to new
media to address any degradation or
impermanence, and the data should be
reformatted from obsolete storage devices.
State Guidelines for Long-Term
Imaging
• Images should be reformatted into newly
emerging archival formats if applicable, and
components of your electronic document
management system should be migrated to
new software or hardware as technology
changes.
• All changes should be exhaustively tested
and documented to preserve the integrity of
your digital images and/or metadata.
Jonathan Zuhosky
• Jonathan has been the Records Manager at
the Franklin County Board of Developmental
Disabilities for the past six and a half years.
He has a Masters Degree in Library and
Information Science from Kent State
University.
www.hickman-lowder.com
Cuyahoga County: 216-861-0360
Lorain County: 440-323-1111
Dublin, Ohio: 614-879-4143
Turning Your Obstacles Into Opportunities

More Related Content

What's hot

HIPAA Training by Greater Baltimore Medical Center
HIPAA Training by Greater Baltimore Medical CenterHIPAA Training by Greater Baltimore Medical Center
HIPAA Training by Greater Baltimore Medical CenterAtlantic Training, LLC.
 
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardHIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardAtlantic Training, LLC.
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...Compliancy Group
 
HIPAA 101 for Startups
HIPAA 101 for StartupsHIPAA 101 for Startups
HIPAA 101 for StartupsObaa, Inc.
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion Dan Wellisch
 
CAHU EXPO Grove City, OH 2014
CAHU EXPO Grove City, OH 2014 CAHU EXPO Grove City, OH 2014
CAHU EXPO Grove City, OH 2014 Jason Karn
 
Hipaa101 updated
Hipaa101 updatedHipaa101 updated
Hipaa101 updatedkkurapat
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
The Health Insurance Portability and Accountability Act 
The Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act 
The Health Insurance Portability and Accountability Act Kartheek Kein
 
Understanding HIPAA / HITECH as a Mail Service Provider
Understanding HIPAA / HITECH as a Mail Service ProviderUnderstanding HIPAA / HITECH as a Mail Service Provider
Understanding HIPAA / HITECH as a Mail Service ProviderKarla Humphrey
 
The Health Plan Board’s Role in Managing Risk
The Health Plan Board’s Role in Managing RiskThe Health Plan Board’s Role in Managing Risk
The Health Plan Board’s Role in Managing RiskEpstein Becker Green
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnKloudLearn
 
HIPAA | HITECH
HIPAA | HITECHHIPAA | HITECH
HIPAA | HITECHrcabarloc
 

What's hot (20)

HIPAA
HIPAAHIPAA
HIPAA
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
 
HIPAA Training by Greater Baltimore Medical Center
HIPAA Training by Greater Baltimore Medical CenterHIPAA Training by Greater Baltimore Medical Center
HIPAA Training by Greater Baltimore Medical Center
 
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardHIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...
 
HIPAA 101 for Startups
HIPAA 101 for StartupsHIPAA 101 for Startups
HIPAA 101 for Startups
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion
 
CAHU EXPO Grove City, OH 2014
CAHU EXPO Grove City, OH 2014 CAHU EXPO Grove City, OH 2014
CAHU EXPO Grove City, OH 2014
 
HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12
 
Hipaa101 updated
Hipaa101 updatedHipaa101 updated
Hipaa101 updated
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
The Health Insurance Portability and Accountability Act 
The Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act 
The Health Insurance Portability and Accountability Act 
 
Understanding HIPAA / HITECH as a Mail Service Provider
Understanding HIPAA / HITECH as a Mail Service ProviderUnderstanding HIPAA / HITECH as a Mail Service Provider
Understanding HIPAA / HITECH as a Mail Service Provider
 
The Health Plan Board’s Role in Managing Risk
The Health Plan Board’s Role in Managing RiskThe Health Plan Board’s Role in Managing Risk
The Health Plan Board’s Role in Managing Risk
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
 
The Basics of HIPAA
The Basics of HIPAA The Basics of HIPAA
The Basics of HIPAA
 
HIPAA | HITECH
HIPAA | HITECHHIPAA | HITECH
HIPAA | HITECH
 
Hipaa 1
Hipaa 1Hipaa 1
Hipaa 1
 
UNA HIPAA Training 8-13
UNA HIPAA Training   8-13UNA HIPAA Training   8-13
UNA HIPAA Training 8-13
 

Viewers also liked

Medicare Rule Review: Overview of Secondary Payers
Medicare Rule Review: Overview of Secondary PayersMedicare Rule Review: Overview of Secondary Payers
Medicare Rule Review: Overview of Secondary Payersbenefitexpress
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceJay Hodes
 
ERISA 201: Advanced ERISA Compliance Review
ERISA 201: Advanced ERISA Compliance ReviewERISA 201: Advanced ERISA Compliance Review
ERISA 201: Advanced ERISA Compliance Reviewbenefitexpress
 
Review of HSAs for Employers
Review of HSAs for EmployersReview of HSAs for Employers
Review of HSAs for Employersbenefitexpress
 
Hippa slide show
Hippa slide showHippa slide show
Hippa slide showheathercool
 
Starting Your Corporate Wellness Program: Ideas and Compliance for HR Pros
Starting Your Corporate Wellness Program: Ideas and Compliance for HR ProsStarting Your Corporate Wellness Program: Ideas and Compliance for HR Pros
Starting Your Corporate Wellness Program: Ideas and Compliance for HR Prosbenefitexpress
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 

Viewers also liked (9)

Medicare Rule Review: Overview of Secondary Payers
Medicare Rule Review: Overview of Secondary PayersMedicare Rule Review: Overview of Secondary Payers
Medicare Rule Review: Overview of Secondary Payers
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of Compliance
 
Hipaa slideshow
Hipaa slideshowHipaa slideshow
Hipaa slideshow
 
ERISA 201: Advanced ERISA Compliance Review
ERISA 201: Advanced ERISA Compliance ReviewERISA 201: Advanced ERISA Compliance Review
ERISA 201: Advanced ERISA Compliance Review
 
Review of HSAs for Employers
Review of HSAs for EmployersReview of HSAs for Employers
Review of HSAs for Employers
 
Hippa slide show
Hippa slide showHippa slide show
Hippa slide show
 
Starting Your Corporate Wellness Program: Ideas and Compliance for HR Pros
Starting Your Corporate Wellness Program: Ideas and Compliance for HR ProsStarting Your Corporate Wellness Program: Ideas and Compliance for HR Pros
Starting Your Corporate Wellness Program: Ideas and Compliance for HR Pros
 
HIPAA
HIPAAHIPAA
HIPAA
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA Basics
 

Similar to 2016-04-21 HIPAA

HIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile WorldHIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile WorldRyan Snell
 
Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than the...
Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than the...Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than the...
Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than the...LTC Expert Publications
 
Becoming HITECH - 9/2009
Becoming HITECH - 9/2009Becoming HITECH - 9/2009
Becoming HITECH - 9/2009rogersons
 
Protecting Patient Privacy: Navigating HIPAA in Digital Landscapes
Protecting Patient Privacy: Navigating HIPAA in Digital LandscapesProtecting Patient Privacy: Navigating HIPAA in Digital Landscapes
Protecting Patient Privacy: Navigating HIPAA in Digital LandscapesConference Panel
 
HIPAA Compliance Made Easy: Conducting a Risk Assessment
HIPAA Compliance Made Easy: Conducting a Risk AssessmentHIPAA Compliance Made Easy: Conducting a Risk Assessment
HIPAA Compliance Made Easy: Conducting a Risk AssessmentConference Panel
 
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...HIPAA Compliance: What Medical Practices and Their Business Associates Need t...
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...Skoda Minotti
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Health IT Conference – iHT2
 
Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Compliancy Group
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Compliancy Group
 
2013 06-21 HIPPA omnibus rule
2013 06-21 HIPPA omnibus rule2013 06-21 HIPPA omnibus rule
2013 06-21 HIPPA omnibus ruleDusaElraha
 
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINEDHIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINEDCompliancy Group
 
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...eringold
 
MHA690 confidentiality training
MHA690 confidentiality trainingMHA690 confidentiality training
MHA690 confidentiality trainingsdavis49
 
Chapter 3Risk Management in EmploymentEmployment Re.docx
Chapter 3Risk Management in EmploymentEmployment Re.docxChapter 3Risk Management in EmploymentEmployment Re.docx
Chapter 3Risk Management in EmploymentEmployment Re.docxketurahhazelhurst
 
2. ethical and legal issues
2. ethical and legal issues2. ethical and legal issues
2. ethical and legal issuesitchomecare
 
Medical Device Industry - Government Investigations
Medical Device Industry - Government Investigations  Medical Device Industry - Government Investigations
Medical Device Industry - Government Investigations Rachel Hamilton
 
2. ethical and legal issues
2. ethical and legal issues2. ethical and legal issues
2. ethical and legal issuesitchomecare
 

Similar to 2016-04-21 HIPAA (20)

HIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile WorldHIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile World
 
Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than the...
Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than the...Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than the...
Your Home Health Care Agency is 5xs More Likely to Be Audited By OCR than the...
 
Becoming HITECH - 9/2009
Becoming HITECH - 9/2009Becoming HITECH - 9/2009
Becoming HITECH - 9/2009
 
Protecting Patient Privacy: Navigating HIPAA in Digital Landscapes
Protecting Patient Privacy: Navigating HIPAA in Digital LandscapesProtecting Patient Privacy: Navigating HIPAA in Digital Landscapes
Protecting Patient Privacy: Navigating HIPAA in Digital Landscapes
 
HIPAA Security 2019
HIPAA Security 2019HIPAA Security 2019
HIPAA Security 2019
 
HIPAA Compliance Made Easy: Conducting a Risk Assessment
HIPAA Compliance Made Easy: Conducting a Risk AssessmentHIPAA Compliance Made Easy: Conducting a Risk Assessment
HIPAA Compliance Made Easy: Conducting a Risk Assessment
 
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...HIPAA Compliance: What Medical Practices and Their Business Associates Need t...
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
2016-04-21 HIPAA

1. HIPAA and Related Issues
May 13, 2016, OACB Spring Conference, Columbus, OH

2. WHY SHOULD I CARE ABOUT HIPAA? ENFORCEMENT AND SANCTIONS

3. Ethical and Moral Obligation
• We serve a vulnerable population and have an obligation to protect their security, privacy, and civil rights
© Hickman & Lowder Co. L.P.A.

4. Loss of Public Trust
• HIPAA violations will be newsworthy
• The loss of public trust will erode community support for your organization
• Levy campaigns will be negatively affected

5. Enforcement of HIPAA
• The Department of Health and Human Services (HHS) is responsible for developing and establishing the Privacy Rule standards
• The Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy and Security Rules

6. Civil Penalties
• Penalties apply equally to covered entities (CEs) and business associates (BAs)
• Prior to the HITECH revisions, the penalty was $100 per violation, up to $25,000 per year for identical violations

7-10. Civil penalty tiers (amount per violation; maximum per calendar year for identical violations)
  Tier                             Each violation       Max. per year
  Did not know                     $100 - $50,000       $1,500,000
  Reasonable cause                 $1,000 - $50,000     $1,500,000
  Willful neglect, corrected       $10,000 - $50,000    $1,500,000
  Willful neglect, not corrected   $50,000              $1,500,000

11. Affirmative Defenses
• On or after 2/18/11: no civil penalty if a criminal penalty has already been imposed
• Prior to 2/18/11: no civil penalty if the violation was subject to a criminal penalty
• On or after 2/18/09: HHS may not impose a penalty if the CE/BA establishes
  – no willful neglect; and
  – the violation was corrected within 30 days

12. Criminal: when imposed
• Knowingly violating HIPAA by:
  – using or causing to be used a unique health identifier; or
  – obtaining individually identifiable health information; or
  – disclosing individually identifiable health information

13. Criminal: when imposed
• Applicable to a CE and to specific individuals
  – This can include administrators, employees, or officers of the CE

14. Criminal: penalties
• General: up to $50,000 and/or 1 year
• Under false pretenses: up to $100,000 and/or 5 years
• With intent to sell, or to use for commercial advantage, personal gain or malicious harm: up to $250,000 and/or 10 years

15. HIPAA Complaints by Year
  Year   Complaints
  2006    7,362
  2007    8,221
  2008    8,729
  2009    7,586
  2010    8,763
  2011    9,018
  2012   10,457
  2013   12,974
  2014   17,779

16. Top Five Issues in Corrective Action Cases
  Year | Issue 1                          | Issue 2    | Issue 3                   | Issue 4                   | Issue 5
  2014 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access                    | Technical Safeguards
  2013 | Impermissible Uses & Disclosures | Safeguards | Access                    | Administrative Safeguards | Minimum Necessary
  2012 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access                    | Minimum Necessary
  2011 | Impermissible Uses & Disclosures | Safeguards | Access                    | Minimum Necessary         | Complaints
  2010 | Impermissible Uses & Disclosures | Safeguards | Access                    | Minimum Necessary         | Complaints

17. Recent Penalties
• Skagit County, Washington: $215,000
• New York and Presbyterian Hospital & Columbia University: $4,800,000
• University of Washington Medicine: $750,000
• North Memorial Health Care: $1,550,000
18. Skagit County, Washington
• First settlement with a county government
  – "Sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size"
• ePHI was inadvertently moved to a publicly accessible server
• Did not
  – have appropriate policies and procedures
  – document its HIPAA requirements or training
• OCR discovered general and widespread non-compliance by the county

19. New York and Presbyterian Hospital (NYP) and Columbia University (CU)
• NYP and CU operate a shared data network that is linked to systems containing ePHI
• A physician's attempt to deactivate a server on that network left ePHI accessible to public search engines
• Did not
  – make efforts prior to the breach to assure that the server was secure and carried appropriate software protections
  – conduct a thorough risk analysis
  – implement appropriate policies and procedures for authorizing access to its databases
  – comply with its own policies on information access management

20. New York and Presbyterian Hospital AGAIN
• NYP allowed ABC to film patients for "NY Med" without consent
• In particular, the crew filmed someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop
• Did not
  – safeguard PHI; allowed ABC film crews virtually unfettered access to its health care facility
• In addition to the HIPAA settlement, NYP is being sued for breach of physician-patient privilege

21. The University of Washington Medicine (UWM)
• An employee opened an e-mail attachment containing malware, which compromised the data of about 90,000 patients
• UWM policies required its affiliates to have up-to-date, documented system-level risk assessments
• Did not
  – follow up to ensure that affiliates were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments

22. North Memorial Health Care of Minnesota
• An unencrypted laptop was stolen from a BA employee's car
• Did not
  – have a BA agreement in place, despite the BA having access to a database with ePHI for almost 300,000 patients
  – complete a risk analysis

23. HHS Resolutions and Penalties
• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
• Updated as new settlements are reached

24. Audits
• "Audits, unlike complaint investigations or compliance reviews, are reviews of covered entities and business associates that are initiated not because of any particular event or incident indicating possible noncompliance on the part of the covered entity or business associate, but rather based on application of a set of objective selection criteria."

25. 2011-2013 Audit
• The last audit process began in November 2011 and ran into 2013
• 115 covered entities were audited, including:
  – 47 health plans, 61 health care providers, and 7 health care clearinghouses
• The smallest providers had the highest rate of deficiencies in Privacy, Security and Breach Notification

26. Primary Areas of Deficiency
• Privacy
  – Notice of Privacy Practices
  – Access of individuals
  – Minimum necessary
  – Authorizations
• Security
  – Risk analysis
  – Media movement and disposal
  – Audit controls and monitoring

27. 2014 HHS Annual Report to Congress

28. 2014 HHS Annual Report to Congress

29. Phase 2 HIPAA Audit Program
• Began in 2016
• OCR is currently requesting address and contact information verification

30. Sample Letter
32. Who is affected by HIPAA?
• COVERED ENTITIES:
  – Health care providers
  – Health plans
  – Health care clearinghouses
• BUSINESS ASSOCIATES

33. Privacy Rule Standards
• Applies to health information in all forms:
  – Written
  – Spoken
  – Electronic
• Health information includes:
  – Medical records
  – Claims information
  – Payment information

34. What is PHI?
• P - PROTECTED
• H - HEALTH
• I - INFORMATION
• PHI is any health information that could identify an individual patient

35. Individually Identifiable Health Information
• Name
• Address
• Driver's license number
• Dates
  – Birth date
  – Admission date
  – Discharge date
  – Date of death
• Telephone numbers
• Fax number
• E-mail address
• Social Security number
• Medical record number
• Web URL
• Finger or voice prints
• Photographic images
• Account number

36. Use and Disclosure of PHI
• Use: sharing protected health information within the entity that maintains the information
• Disclosure: release or transfer of PHI by an entity to persons or organizations outside of that entity
  – Another facility
  – Nursing home

37. Permitted Uses and Disclosures
• A CE is permitted to use and disclose protected health information without an individual's authorization for the following:
  – Treatment, payment, and health care operations
  – Opportunity to agree or object
    • Facility directory
  – Incidental disclosures are permitted
  – Public interest

38. Disclosures not requiring patient authorization
• Required by federal or state law
  – Workers' compensation
  – Birth reporting
  – Child abuse
• Required for public health reasons
  – Sexually transmitted disease
• Required for national security reasons
• To prevent a serious threat to the health or safety of the individual or others

39. Disclosures with Authorization
• Authorization is required for certain disclosures, for example:
  – to a patient's attorney for purposes of a malpractice lawsuit
  – to a life insurance company, when the individual is seeking to obtain coverage

40. Minimum Necessary Requirement
Use, disclosure or request of records must be limited to the minimum that is reasonably necessary to accomplish the purpose of the use, disclosure or request.

41. a/k/a "NEED TO KNOW" Rule
"Do I need to know this to do my job?"
You should NOT access any information that you do not need to know in order to provide patient care or to complete your job.

42. Minimum Necessary Exceptions
• Treatment
• Requests by the individual
• Authorization
• Required for compliance with HIPAA
• To HHS/OCR for investigation/enforcement
• When required by other law

43. Minimum Necessary Requirements
A CE must establish policies that address the scope of use by employees, disclosures, and requests for information to ensure minimum necessary requirements are met.
Guidance from HHS on minimum necessary requirements:
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html

44. How do you protect PHI?
• Do NOT talk about individuals in public places
• Do not leave PHI on voicemail or with someone other than the individual: ONLY NAME AND NUMBER
• Avoid paging an individual using identifying information
• Computer screens
• Access information
• Open charts or files
• Paper with PHI: shredder, not trash

45. Get Authorizations/Releases When Possible
• Allows release of reports and other information under Ohio law
• Avoids the need for an accounting
• Minimum necessary does not apply to disclosures made under an authorization

46. Scope of Authorizations/Releases
• Avoid compound releases
• Cannot make a release a condition for services
• Include release for BAs
• Specify duration

47. Notice of Privacy Practices (NPP)
• Right to notice of breach
• Right to restrict disclosures of PHI when self-paid in full
• Fundraising communications and right to opt out
• Right to have disclosures of psychotherapy notes, sale of PHI and marketing disclosures only pursuant to authorization
• If a health plan: no genetic information for underwriting

48. Individuals cannot prevent or limit disclosure
With narrow exceptions

49. Exceptions
• Psychotherapy notes
  – Individual, family or group sessions
  – Kept separate from the main file
• Restrictions the covered entity has agreed to
• Information to a health plan/payer when the consumer has paid for services privately and in full

50. Exceptions (cont'd)
• Drug/alcohol treatment (42 CFR Part 2)
• Valid court order
• Subpoena, if HIPAA requirements are met

51. Readability of NPP and Authorizations
• CEs are required to provide NPPs in "plain language"
• HHS has model NPPs with simplified language and has made them available on its website
• Authorizations must be written in "plain language", but they still must contain core elements and statements
  – Due to these requirements, authorizations may not be understood by certain individuals
  – DD Board employees should make all efforts to ensure that the authorization is understood and informed consent is obtained

52. Translation of NPP or Authorizations
• Nothing in HIPAA explicitly requires translation of documents
• However, the Civil Rights Act of 1964 applies to DD Boards since they receive federal funding
  – "No person in the United States shall, on the ground of race, color, or national origin, be excluded from participation in, be denied the benefits of, or be subjected to discrimination under any program or activity receiving Federal financial assistance."

53. Translation of NPP or Authorizations
• HHS guidance on Limited English Proficient (LEP) persons recommends an individualized assessment that balances the following four factors:
  – The number or proportion of LEP persons eligible to be served or likely to be encountered by the program;
  – The frequency with which LEP individuals come in contact with the program;
  – The nature and importance of the program, activity, or service provided by the program to people's lives; and
  – The resources available to the grantee/recipient and costs

54. Safe Harbor
• The CE should provide written translations of vital documents for each LEP group that constitutes five percent or 1,000 persons, whichever is less, of the population of persons eligible to be served or likely to be affected

55. Demographic Information
• Current state and county-level data is accessible at:
  – http://www.lep.gov/demog_data/demog_data.html
  – http://www.lep.gov/maps/

56. Comprehensive Data
58. What is a breach?
• Acquisition, access, use, or disclosure of PHI
• In a manner not permitted by the Privacy Rule
• That compromises the security or privacy of the PHI

59. Exception 1:
• Unintentional acquisition, access, or use;
• By a CE or BA workforce member;
• In good faith;
• Within the scope of authority; and
• No further unpermitted use or disclosure.

60. Exception 2:
• Inadvertent disclosure
• By a CE/BA workforce member authorized to access PHI
• To another person authorized to access PHI at the SAME CE/BA (or organized health care arrangement)
• No further unpermitted use or disclosure

61. Exception 3:
• Disclosure by a CE/BA
• With a good-faith belief that
• The unauthorized recipient would not reasonably have been able to retain the PHI

62. Time of breach (discovery)
• Covered entity: when the breach is discovered, or should have been discovered with reasonable diligence
• When the BA acts as an agent of the CE: when the BA discovers it
• If the BA is not an agent: when the BA reports it to the covered entity

63. Notice of Breach
• The covered entity must provide notice of a breach
• Applicable to unsecured PHI only
• Secured vs. unsecured PHI

64. When notice of breach is required
  Secured PHI                          No notice
  Unsecured PHI, exception applies     No notice
  Unsecured PHI, no exception          Notice

65. Secured PHI
• Defined in guidance issued by the Secretary of HHS
  – Encryption
  – Destruction
• www.hhs.gov/ocr/privacy

66. Risk Assessment
• An impermissible use or disclosure is presumed to be a breach unless the CE/BA demonstrates a low probability that the PHI has been compromised
• Examine and document at least these factors:
  – Nature and extent of the PHI, the types of identifiers, and the likelihood of re-identification
  – The unauthorized person who used the PHI or to whom it was disclosed
  – Whether the PHI was actually acquired or viewed
  – The extent to which the risk to the PHI has been mitigated

67. Who Gets Notice
• The individual
• Media, if more than 500 residents of a state or jurisdiction are affected
• HHS
  – Without unreasonable delay (with the individual notices) if 500 or more individuals
  – Annual log if fewer than 500
• The CE, if the BA is breached

68. Timing of Notice
• Without unreasonable delay
• No later than 60 days after discovery of the breach
• Delay if a law enforcement official states that notice would:
  – impede a criminal investigation
  – damage national security

69. Content of Notice
• What happened and when
• PHI involved in the breach
• Steps individuals should take to protect themselves from potential harm
• Corrective steps taken by the CE
• Contact information

70. Method of Notice
• Written
  – First-class mail
  – E-mail, if the individual has agreed to electronic notice
• Substitute notice, where contact information is insufficient or out of date
  – Fewer than 10 individuals: alternative written notice, telephone, or other means
  – 10 or more: conspicuous posting on the CE's web site for 90 days, or major print or broadcast media, with a toll-free number active for 90 days

71. Method of Notice (cont'd)
• Urgent: possible imminent misuse of unsecured PHI
• The CE may contact individuals by telephone or other means in addition to written notice
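The decision path of slides 58 to 71 (is it a breach, was the PHI secured, what did the risk assessment find, when does the 60-day clock start, who must be notified by when) encoded as one triage routine. This is an added example, not part of the presentation; the `Incident` fields, the sample dates and the assumption that all affected individuals live in one state (for the media threshold) are the example's own.

```python
"""Breach-notification triage for a covered entity (added example, not from the deck).

Thresholds follow 45 CFR 164.400-414 as summarized on the slides: the 60-day
clock runs from discovery, discovery depends on whether the BA is the CE's
agent, media notice needs more than 500 residents of one state, HHS gets
contemporaneous notice at 500 or more individuals and an annual log below that.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Incident:
    affected: int                        # individuals whose unsecured PHI was involved
    ce_found: Optional[date] = None      # day the CE discovered it (or should have)
    ba_found: Optional[date] = None      # day a BA discovered it, if a BA was involved
    ba_reported: Optional[date] = None   # day the BA reported it to the CE
    ba_is_agent: bool = False            # agency status under the BA agreement (slide 86)
    secured: bool = False                # encrypted/destroyed per HHS guidance (slide 65)
    exception: Optional[int] = None      # 1, 2 or 3 from slides 59-61, else None
    low_probability: bool = False        # documented outcome of the four-factor assessment
    unreachable: int = 0                 # individuals with no usable contact information
    law_enforcement_hold: bool = False   # official states notice would impede an investigation


def discovery_date(inc: Incident) -> date:
    """Day the CE's 60-day clock starts (slide 62)."""
    if inc.ce_found is not None:
        return inc.ce_found
    if inc.ba_is_agent:
        return inc.ba_found        # an agent's knowledge is imputed to the CE
    return inc.ba_reported         # non-agent: the clock starts when the BA reports


def triage(inc: Incident) -> dict:
    """Return whether notice is required and, if so, the notices and deadlines."""
    if inc.exception in (1, 2, 3):
        return {"notice_required": False, "reason": f"exception {inc.exception}: not a breach"}
    if inc.secured:
        return {"notice_required": False, "reason": "PHI was secured (encrypted or destroyed)"}
    if inc.low_probability:
        return {"notice_required": False,
                "reason": "risk assessment shows low probability of compromise; keep the assessment on file"}

    found = discovery_date(inc)
    deadline = found + timedelta(days=60)   # outer limit; "without unreasonable delay" still applies
    notices = ["individuals: written notice by first-class mail (e-mail only with the individual's consent)"]
    if inc.unreachable >= 10:
        notices.append("substitute notice: web posting or major media for 90 days, with a toll-free number")
    elif inc.unreachable > 0:
        notices.append("substitute notice: alternative written notice, telephone or other means")
    if inc.affected > 500:                  # assumes all affected individuals reside in one state
        notices.append("media: prominent outlets serving the state or jurisdiction")
    if inc.affected >= 500:
        hhs_deadline = deadline
        notices.append("HHS: contemporaneously with the individual notices")
    else:
        # annual log: no later than 60 days after the end of the calendar year of discovery
        hhs_deadline = date(found.year, 12, 31) + timedelta(days=60)
        notices.append("HHS: annual log of breaches affecting fewer than 500 individuals")
    if inc.ba_found is not None:
        notices.append("BA to CE: report without unreasonable delay, 60 days max, identifying each individual")
    return {"notice_required": True, "discovered": found,
            "individual_deadline": deadline, "hhs_deadline": hhs_deadline,
            "notices": notices, "law_enforcement_hold": inc.law_enforcement_hold}


if __name__ == "__main__":
    # Constructed incident: a non-agent BA found the breach on Jan 5 and reported it Jan 20.
    sample = Incident(affected=1200, ba_found=date(2016, 1, 5),
                      ba_reported=date(2016, 1, 20), unreachable=15)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Flip `ba_is_agent` to `True` on the sample incident and the discovery date, and with it every deadline, moves 15 days earlier; that is the practical cost of the agency question on slides 85 and 86, and why the BA agreement should settle it in advance.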
72. Accountings
• Ohio law removes the blanket requirement to account for all disclosures
• HIPAA: accounting required for
  – Treatment, payment and operations (TPO) disclosures from electronic records: 3 years
  – Other covered disclosures: 6 years
• The BA agreement must define the procedure for accountings

73. Accounting Exceptions
• Disclosures:
  – To carry out treatment, payment and health care operations;
  – To individuals of protected health information about them;
  – Incident to a use or disclosure otherwise permitted or required by the HIPAA Privacy Rule;
  – Pursuant to an authorization;
  – For the facility's directory, or to persons involved in the individual's care or for other notification purposes;
  – For national security or intelligence purposes;
  – To correctional institutions or law enforcement officials;
  – As part of a limited data set; or
  – That occurred prior to the compliance date for the Board

74. What's Left to Account?
• Disclosures to a public health entity
• Disclosures made during the course of litigation
  – Disclosures made by a CE that is not a party to the litigation or proceeding and that are made:
    • as required by law (under § 164.512(a) and (e)(1)(i));
    • for a proceeding before a health oversight agency (§ 164.512(d)); or
    • in response to a subpoena, discovery request, or other lawful process
• Certain disclosures to business associates
  – Where the BA discloses information described above

75. Implementation dates
• Jan. 1, 2011: for disclosures from records acquired after 1/1/09
• Jan. 1, 2014: for disclosures from records acquired on or before 1/1/09
• The Secretary may delay the implementation dates; the accounting rule has not been finalized

76. Accounting Recommendation
• Use authorizations to eliminate the need for an accounting
• Bring the prior accounting requirement in line with HIPAA standards
• Consider continuing prior accounting procedures if they are in line with HIPAA

77. Other Privacy Changes
• Ability to get electronic versions of records
• Ability to restrict disclosure
• Immunizations
• Decedent information: PHI protections end 50 years after death

78. UPDATE YOUR NOTICES
Sample HIPAA Privacy Forms & Policies: www.socialworkers.org/hipaa/sample.asp

80. Case Study #1

81. BA Definition
• Performs functions or activities on behalf of a covered entity
• Involves use or disclosure of PHI
• Includes subcontractors of a BA if PHI is involved

82. BA Definition (cont'd)
• An agreement is required
• Absence of an agreement does not change BA status

83. BA Compliance
• All Security Rule requirements
• Privacy Rule provisions applicable to its PHI activities
• Same requirements flow down to subcontractors

84. BA Notice of Breach
• Report to the covered entity
• Without unreasonable delay; 60 days maximum
• Must provide the CE with the identity of each individual affected by the breach

85. BA as agent: significance
• If an agent
  – The CE is liable for the actions of the BA
  – The date of discovery by the BA is the date of discovery for the CE
• If not an agent
  – The CE is not liable for the BA's actions (the BA remains directly liable; see slide 87)
  – The date the BA notifies the CE is the date of discovery for the CE

86. When is a BA an Agent?
• The main issue is the right or authority of the CE to control the BA's conduct in the course of service on behalf of the CE
• The issue is the RIGHT to control, regardless of whether it is actually exercised
• Clarify this in the agreement

87. Direct Liability of a BA
• Impermissible use or disclosure
• Failure to provide notice of a breach
• Failure to provide access, if required
• Failure to provide information to HHS
• Failure to provide an accounting
• Failure to implement the Security Rule
88. SECURITY RULES
45 CFR Part 160 and Part 164, Subparts A and C.

89. SECURITY 101: Privacy vs. Security
  Privacy Rule                         | Security Rule
  All PHI                              | Only e-PHI
  Electronic, paper or oral PHI        | PHI created, received, maintained or transmitted in electronic media
  Standards for who may access PHI     | Standards to ensure only authorized persons have access
  Overseen and enforced by OCR         | Overseen and enforced by OCR

90. SECURITY 101: Who Must Comply?
• Since 2005-2006: covered entities
• By September 23, 2013: business associates and BA subcontractors

91. SECURITY 101: General Rules
Maintain reasonable and appropriate safeguards for protecting e-PHI's:
1) Confidentiality: e-PHI accessible only by authorized people and processes
2) Integrity: e-PHI is not altered or destroyed in an unauthorized manner
3) Availability: e-PHI can be accessed as needed by authorized persons

92. SECURITY 101: General Rules
• Identify and protect against reasonably anticipated threats to security or integrity;
• Protect against reasonably anticipated impermissible uses or disclosures; and
• Ensure compliance by the workforce

93. SECURITY 101: General Rules
• Safeguards
  – Standards
    • Implementation specifications
      – Required
      – Addressable

94. "Addressable" Implementation Specifications
For each addressable implementation specification a CE/BA MUST:
• Implement the specification if reasonable and appropriate; or
• If not reasonable and appropriate:
  – document the rationale supporting the decision; and
  – implement an equivalent alternative measure that accomplishes the same purpose, if one is reasonable and appropriate

95. Administrative Safeguards
Security Management Process: implement policies and procedures to prevent, detect, contain, and correct security violations.
1. Risk Analysis (R)
2. Risk Management (R)
3. Sanction Policy (R)
4. Information System Activity Review (R)

96. Administrative Safeguards
Risk analysis:
• Conduct an accurate and thorough assessment of the risks, vulnerabilities, and threats to the confidentiality, integrity, and availability of e-PHI
Risk management:
• Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level

97. Administrative Safeguards: IMPORTANT DEFINITIONS
VULNERABILITY: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of security policy.
THREAT: The potential for a person or thing to accidentally trigger or intentionally exploit a specific vulnerability.
RISK: A vulnerability triggered or exploited by a threat, for example:
1. Unauthorized disclosure, modification, or destruction of information
2. Unintentional errors or omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system
Definitions from the CMS HIPAA Security Series / NIST SP 800-30

98. Administrative Safeguards: Security Management Process
EXAMPLE RISK ANALYSIS:
1. Identify the scope of the analysis
2. Gather data
3. Identify and document potential threats and vulnerabilities
4. Assess current security measures
5. Determine the likelihood of threat occurrence
6. Determine the level of risk
7. Identify security measures and finalize documentation

99. Administrative Safeguards: Security Management Process
EXAMPLE RISK MANAGEMENT:
1. Develop and implement a risk management plan
  – Purpose: to evaluate, prioritize, and implement risk-reducing security measures
2. Implement security measures
  – Scope, timeline and budget for each project
3. Evaluate and maintain security measures
  – Ongoing: periodic, or in response to changes in the environment

100. Administrative Safeguards
• Security Officer
• Workforce Security: "need to know" (A)
• Information Access Management (R/A)
• Security Awareness and Training (A)
• Security Incident Procedures (R)

101. Administrative Safeguards
Contingency Plan: response to an emergency (fire, vandalism, system failure, etc.).
1. Data Backup (R)
2. Disaster Recovery (R)
3. Emergency Mode Operation Plan (R)
4. Periodic Testing and Revision (A)
5. Applications and Data Criticality Analysis: prioritize software/data for backup (A)

102. Administrative Safeguards
Evaluation: periodic assessment in response to environmental and operational changes (R)
BA Contracts and Other Arrangements: a CE may permit a BA to create, receive, maintain, or transmit e-PHI, but ONLY with satisfactory assurances:
• BA Agreement (contract)
• MOU if the CE and BA are both government agencies

103. Physical Safeguards
Facility Access Controls:
• Limit physical access while ensuring authorized access
Workstation and Device Security:
• Specify proper use of and access to workstations
• Policies and procedures to address transfer, removal, disposal, and re-use of electronic media

104. Technical Safeguards
Access Control: only authorized persons can access e-PHI
Audit Controls: implement hardware, software, and procedural mechanisms to record and examine access and activity on systems
Integrity Controls: electronic measures to ensure e-PHI is not improperly altered or destroyed
Transmission Security: technical measures to guard against unauthorized access to e-PHI transmitted over a network

105. Case Study #2
• As more documents migrate to electronic storage, data integrity is increasingly important.
• Data can be altered or destroyed by user error, or by electronic media errors or failures.
• If data integrity is not monitored, these errors can propagate into data backup systems and the "clean" data can be lost forever.
• A CE is REQUIRED to implement policies and procedures to protect ePHI from improper alteration or destruction.
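One way to implement the integrity control of slide 104 and close the failure mode of Case Study #2, as an added example (this is not the presenters' code): a keyed HMAC-SHA256 manifest is recorded when records are stored, re-verified before each backup rotation, and the rotation is refused whenever a record no longer matches, so a silently altered or corrupted record cannot overwrite the last known-good backup. The record identifiers and field values are constructed for the example, and the key-handling comment describes an assumption about deployment, not the deck.

```python
"""Integrity control for ePHI at rest (added example, not from the presentation).

A keyed digest is used rather than a plain hash: someone who can alter a
record but does not hold the key cannot recompute a matching manifest entry,
so the manifest detects both accidental corruption and deliberate tampering.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample records; identifiers and values are made up for the example.
SAMPLE_RECORDS = {
    "MRN-0001": {"name": "A. Example", "dob": "1970-01-01", "dx": "Z00.00"},
    "MRN-0002": {"name": "B. Example", "dob": "1985-06-15", "dx": "F84.0"},
}


def canonical(record: dict) -> bytes:
    # Deterministic serialization: key order and whitespace must not vary,
    # otherwise an unchanged record would fail verification.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: dict, key: bytes) -> dict:
    """Map record id -> hex HMAC-SHA256 over the canonical record bytes."""
    return {rid: hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
            for rid, rec in records.items()}


def verify(records: dict, manifest: dict, key: bytes) -> dict:
    """Return {record id: status}; status is 'ok', 'altered',
    'missing' (in the manifest but no longer in the store) or
    'unlisted' (in the store but never recorded in the manifest)."""
    current = build_manifest(records, key)
    report = {}
    for rid, expected in manifest.items():
        if rid not in current:
            report[rid] = "missing"
        elif hmac.compare_digest(current[rid], expected):  # constant-time comparison
            report[rid] = "ok"
        else:
            report[rid] = "altered"
    for rid in current:
        if rid not in manifest:
            report[rid] = "unlisted"
    return report


def backup_allowed(report: dict) -> bool:
    """Backup gate: only a store whose every record verifies may overwrite the known-good copy."""
    return all(status == "ok" for status in report.values())


def demo():
    # Assumption: in production the key lives in a KMS/HSM, not beside the data it protects.
    key = secrets.token_bytes(32)
    manifest = build_manifest(SAMPLE_RECORDS, key)
    assert backup_allowed(verify(SAMPLE_RECORDS, manifest, key))
    # Simulate silent corruption: one diagnosis code changes, nothing else.
    corrupted = json.loads(json.dumps(SAMPLE_RECORDS))
    corrupted["MRN-0002"]["dx"] = "F84.2"
    report = verify(corrupted, manifest, key)
    return report, backup_allowed(report)


if __name__ == "__main__":
    report, allowed = demo()
    print(report)                       # {'MRN-0001': 'ok', 'MRN-0002': 'altered'}
    print("backup allowed:", allowed)   # False
```

The manifest itself is part of what gets backed up, so a rotation that passes the gate also carries the proof of what "clean" looked like; a later restore can be verified against it with the same `verify` call. The verification results are exactly the kind of event the audit-controls standard on slide 104 expects to be recorded and reviewed.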
  • 106. Documentation • BA Agreements & Other Arrangements • Policies and Procedures • Action, activity or assessment required by Standard or Imp. Spec. – Retain 6 yrs from date of creation or date last in effect, whichever later – Make available to persons responsible for implementation – Review, update periodically © Hickman & Lowder Co. L.P.A.
  • 107. Overview of Security Process 1. Assess current security, risks, gaps. 2. Develop implementation plan. • Read Security Rule and review standards and Imp. Specs. • Review “addressable” Imp. Specs. – determine if reasonable and appropriate • Determine security measures 3. Implement solutions. 4. Document decisions. 5. Reassess periodically © Hickman & Lowder Co. L.P.A.
  • 108. General Resources on HIPAA • www.cms.gov under “Regulations and Guidance” for latest Security papers and checklists • http://www.hhs.gov/hipaa/index.html for latest guidance, FAQs, and other info on Privacy Rule • http://www.hhs.gov/hipaa/for-professionals/faq for FAQs about HIPAA © Hickman & Lowder Co. L.P.A.
  • 109. Resources on HIPAA for Social Workers • *Sample HIPAA Privacy Forms and Policies: www.socialworkers.org/hipaa/sample.asp • NASW HIPAA Security Rule Online Compliance Workbook https://www.socialworkers.org/hipaa/workboo k.asp • HIPAAprof.com Awareness and Compliance Training http://www.hipaaprof.com/nasw © Hickman & Lowder Co. L.P.A.
  • 110. TEXTING Case Study #3 © Hickman & Lowder Co. L.P.A.
  • 111. Is Texting Allowed? • HIPAA does not explicitly prohibit texting ePHI. • However, the Security Rule still applies. – Text messages are generally not secure because they lack encryption during transmission, they may be stored on a wireless provider’s servers for a period of time, and it is difficult to verify the text recipient with certainty. © Hickman & Lowder Co. L.P.A.
  • 112. Encryption • Text encryption is addressable under the security rule  Implement if reasonable and appropriate; or  If not reasonable and appropriate – • Document rationale supporting decision; and • Implement equivalent measure that would accomplish same purpose © Hickman & Lowder Co. L.P.A.
  • 113. HealthIT.gov Suggestions • https://www.healthit.gov/providers- professionals/five-steps-organizations-can- take-manage-mobile-devices-used-health- care-pro • Detailed explanations for DD Boards who are thinking about implementing texting or mobile device management in general © Hickman & Lowder Co. L.P.A.
  • 114. 1. Decide • Decide whether mobile devices will be used to access, receive, transmit, or store PHI or used as part of your organization’s internal networks or systems • Understand the risks to your organization before you decide to allow the use of mobile devices. Risks can vary based on the mobile device and its use. Some risks may be: – A lost mobile device – A stolen mobile device – Inadvertently downloading viruses or other malware – Unintentional disclosure to unauthorized users when sharing mobile devices with friends, family and/or coworkers – Using an unsecured Wi-Fi network. © Hickman & Lowder Co. L.P.A.
  • 115. 2. Assess • Consider how mobile devices affect the risks to the PHI your organization holds. – Conduct a risk analysis to identify the risks to your organization. • After conducting a risk analysis, document: – Which mobile devices are being used to communicate with your organization’s internal networks or system (e.g., the EHR system or Health Information Exchange (HIE)), – What information is accessed, received, stored, and transmitted by or with the mobile device © Hickman & Lowder Co. L.P.A.
  • 116. 3. Identify • Identify your organization’s mobile device risk management strategy, including privacy and security safeguards. – The purpose of a mobile device risk management strategy is to develop and implement mobile device safeguards to reduce risks identified in the risk analysis. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place © Hickman & Lowder Co. L.P.A.
  • 117. 4. Develop, Document, Implement • Develop, document, and implement the organization’s mobile device policies and procedures to safeguard PHI. © Hickman & Lowder Co. L.P.A.
  • 118. 5. Train • Conduct mobile device privacy and security awareness and training • Safeguards will not protect PHI unless the workforce is aware of its role in following and enforcing those safeguards. Privacy and security awareness and training should be ongoing and include a discussion of the following topics: – Risks when using mobile devices for work – How to secure mobile devices – How to protect and secure health information – How to avoid mistakes when using mobile devices © Hickman & Lowder Co. L.P.A.
  • 119. Are Texts Records? • The content of a record is more important than the medium in which it is conveyed. • If a DD Board decides to use text messaging as an official method of communicating, messages should be retained in accordance with the DD Board’s existing RC-2 Records Retention Schedule. © Hickman & Lowder Co. L.P.A.
  • 120. SUBPOENAS: Case Study #4

  • 121. SUBPOENAS (Ohio Civ. R. 45)
    • Hearing
      – Clerk
    • Deposition
      – Court reporter
      – Counsel
    • Text of Rule 45(C) and (D)

  • 122. Types of Subpoena
    • Appearance
    • Documents

  • 123. Serving Subpoenas
    • Personal
    • Residence
    • Express or Certified mail

  • 124. Site for Appearance
    • Hearing
      – Anywhere in state
    • Deposition
      – County of residence, or
      – County of place of work, or
      – "other convenient place fixed by the court"
    • Documents
      – No appearance necessary

  • 125. Prepayment of Costs
    • In county: on request
    • Out of county: automatic

  • 126. Response
    • Within 14 days, or before the time for compliance (if less than 14 days)
    • Objection
    • Motion to Quash

  • 127. Response (cont'd)
    • Improper service
    • Undue burden/expense
    • Violation of HIPAA/AoD requirements

  • 128. HIPAA: Response to Subpoena requires:
    • Satisfactory assurance from the requestor that reasonable efforts have been made to ensure that the individual involved has been given NOTICE OF THE REQUEST; OR
    • Satisfactory assurance from the requestor that reasonable efforts have been made to SECURE A QUALIFIED PROTECTIVE ORDER.
    • The Covered Entity makes reasonable efforts to give notice or obtain a protective order
    • Terms defined in 45 CFR 164.512(e)(1)

  • 129. HIPAA: Assurances for Notice
    • Written statement with documentation showing:
      – Good faith attempt to provide written notice
      – Reasonable summary of the litigation which allows the consumer to object
      – No objection made/time elapsed, or
      – Objections overruled

  • 130. HIPAA: Assurances for Protective Order
    • Written statement with documentation showing:
      – The parties presented an agreed protective order to the court, OR
      – The party seeking PHI requested a qualified protective order from the court

  • 131. HIPAA: Elements of Protective Order
    • Prohibits the parties from using or disclosing PHI for any purpose other than the legal proceedings for which the information was requested; and
    • Requires that the PHI be returned to the covered entity or destroyed (including all copies made) at the end of the litigation or proceeding.
  • 133. Scope of AoD Rules
    • AoD service
    • Federal connection

  • 134. General AoD Rules
    • Strict confidentiality
    • Minors must consent
    • Condition of probation/parole

  • 135. AoD Exceptions
    • Emergency
    • Crime on premises
    • Child abuse
    • Subpoena AND Court Order

  • 136. AoD Proceedings (42 CFR 2.61-65)
    • Subpoena AND
    • Court order
    • Not required if disclosure is for research, audit or evaluation

  • 137. AoD Court Order: Required Findings
    • Disclosure is necessary to protect against an existing threat to life or of serious bodily injury,
      – including circumstances which constitute suspected child abuse and neglect, and
      – verbal threats against third parties
    • OR

  • 138. AoD Court Order: Required Findings (cont'd)
    • Disclosure is necessary in connection with the investigation or prosecution of an extremely serious crime,
      – such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect
    • OR

  • 139. AoD Court Order: Required Findings (cont'd)
    • Disclosure is connected to litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

  • 140. AoD Court Order: Application (Civil)
    • By a person with a legal interest
      – Not part of a criminal investigation or prosecution
    • Must use a fictitious name
    • May not use identifying data unless
      – Patient consents
      – Court seals the record

  • 141. AoD Court Order: Notice (Civil)
    • Given to the patient and the person holding the records
    • Adequate without disclosing the identity of the person to others
    • Notify of the right to appear to respond or to show that the criteria are not being met

  • 142. AoD Court Order: Hearing (Civil)
    • In the judge's chambers or otherwise protected from public disclosure
    • Patient may consent to an open hearing
      – Consent requirements must be met

  • 143. AoD Court Order: Criteria (Civil)
    • Standard for disclosure met
    • Good cause, which means that
      – Other means of obtaining the info are not available or are ineffective
      – Public interest outweighs the value of confidentiality

  • 144. AoD Court Order: Content (Civil)
    • Limit disclosure to essential parts of the record
    • Limit disclosure to persons in need of the info
    • Other methods restricting access to the info
      – e.g. sealing the record from the public

  • 145. AoD Court Order: Application (Criminal)
    • By the person holding the record or an investigator/prosecutor
    • Must use a fictitious name
    • Cannot disclose personal information unless the record is sealed

  • 146. AoD Court Order: Notice and Hearing (Criminal)
    • Person must be given adequate notice without revealing patient identifying data
    • Opportunity to appear to challenge the basis for the request
    • Right to be represented by counsel
    • Hearing in the judge's chambers or otherwise protected from public scrutiny

  • 147. AoD Court Order: Criteria (Criminal)
    • Crime is "extremely serious"
    • Reasonable likelihood that the info is of "substantial value" to the investigation/prosecution
    • Other means of obtaining the info are unavailable or ineffective
    • Injury to the patient/confidentiality is outweighed by the public interest/need for disclosure

  • 148. AoD Court Order: Criteria (cont'd)
    • If the applicant for the court order performs a law enforcement function:
      – The person holding the records has had an opportunity to obtain independent counsel
      – If the record holder is a Federal, State, or Local government entity, the entity has in fact obtained counsel

  • 149. AoD Court Order: Elements (Criminal)
    • Findings on the requirements for the order
    • Limit disclosure to essential parts of the record
    • Limit disclosure to investigators/prosecutors to the extent needed for the serious crime
    • Other methods restricting access to the info
      – e.g. sealing the record from the public

  • 150. AoD Court Order: Action against Program or Person Holding Records
    • No notice required
    • Follow the standards for civil proceedings
    • Delete patient ID data from documents available to the public
    • Info can't be used for the investigation or prosecution of a patient, or be used as the basis for an application for an order under the AoD rules applicable to criminal investigations/proceedings.

  • 151. AoD Court Order: Undercover Agent
    • Application: suspicion of criminal conduct by program employees/agents
    • Notice to the director unless
      – Director is implicated
      – Director is likely to disclose info on the investigation

  • 152. AoD Court Order: Undercover Agent (cont'd)
    • Order requires good cause
    • 6 months maximum
    • Steps to protect the confidentiality of patients and to minimize program disruption
    • Info from the undercover agent cannot be used to prosecute patients
  • 154. Sanctions (45 CFR 164.530(e))
    • A CE must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the CE or applicable requirements
    • A CE must document the sanctions that are applied, if any

  • 155. Exemptions
    • A CE shall not impose sanctions against a workforce member or BA who believes in good faith that the CE has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the CE potentially endanger one or more patients, workers, or the public

  • 156. Only if the Disclosure is to:
    • A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the CE, or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the CE; or
    • An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate.

  • 157. Victim of a Crime
    • The CE may not impose sanctions for disclosure of PHI against a member of its workforce who is the victim of a criminal act if the victim discloses PHI to a law enforcement official

  • 158. Provided That:
    • The PHI disclosed is about the suspected perpetrator of the criminal act; and
    • The PHI disclosed is limited to the following information:
      – Name and address;
      – Date and place of birth;
      – Social security number;
      – ABO blood type and Rh factor;
      – Type of injury;
      – Date and time of treatment;
      – Date and time of death, if applicable; and
      – A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos

  • 159. Intimidation/Retaliation
    • Sanctions may not be applied in a manner which would be reasonably construed as intimidation or retaliation

  • 160. Best Practices
    • The type of sanction should vary depending on factors such as:
      – the severity of the violation,
      – whether the violation was intentional or unintentional, and
      – whether the violation indicates a pattern of improper use or disclosure of PHI.
    • Sanctions could range from a warning to termination and should be in line with existing progressive discipline policies.

  • 161. Training
    • Training should be provided and expectations should be clear, so individuals are not sanctioned for doing things that they did not know were inappropriate or wrong
    • Sanctions should be applied consistently and equitably to all staff

  • 162. Sanction Categories
    • A CE should have enough sanction categories to cover privacy and security incidents of varying severity
    • Risk analysis and the scale/scope of the incident should also be taken into consideration
      – Accidentally sending PHI to the wrong email address vs. accidentally sending PHI to an entire email distribution list.

  • 163. Sample Sanction Policy
    • The following list outlines some of the violations that may occur at a DD Board, but it is not exclusive.

  • 164. Group I
    • Accidental violations of privacy and security policies caused by carelessness, lack of training, or other minor errors.
      – Employee accidentally sends PHI to the wrong email address or fax number. Employee forgets to apply encryption to an email. Employee turns in a release authorization missing a component.

  • 165. Group II
    • More meaningful or repeated violations of privacy and security policies caused by a disregard of procedure.
      – Employee releases information without an appropriate authorization form. Employee deliberately transmits PHI via unsecure methods to save time.

  • 166. Group III
    • Deliberate violation of policies without harmful intent.
      – Employee alters an existing release authorization form to avoid meeting with the individual/guardian again. Employee accesses PHI about a coworker's family member without a need to do so.

  • 167. Group IV
    • Malicious violation of policies with harmful intent.
      – Employee discloses PHI for criminal purposes or with malicious/harmful intent (e.g. identity theft, extortion, posting PHI to social media to mock an individual).
  • 169. Record Retention
    • In General: six years from the date of receipt of payment, or until an initiated audit is resolved
    • Determination of Ineligibility: five years after the determination is made
    • UI, MUI: seven years after the date of the incident

  • 170. ICF Records
    • 7 years after the cost report is filed, or
    • Six years after appeal rights are exhausted

  • 171. Local Government Records Program (LGRP)
    • Local government records can only be destroyed or transferred after approval of the County Records Commission
    • Such action involves the preparation of either a schedule of records retention and disposition (RC-2) or an application for one-time records disposal (RC-1).

  • 172. RC-1 Forms
    • RC-1 forms are used for a 'One Time Disposal of Obsolete Records' that are no longer created or maintained
    • Since your DD Board is no longer creating these records, there is no need to include them on a retention schedule (RC-2 form)
      – However, if you wish to dispose of these records, it will still need to be documented with an RC-1 form.

  • 173. RC-2 Forms
    • The RC-2 form is your DD Board's Retention Schedule. It tells the state how long each record series will be retained.
    • RC-1 and RC-2 forms are signed off first by the Records Commission, then submitted to the State Archives
      – Once reviewed and signed by the State Archives, they are sent to the Auditor of State's office for review and signature.

  • 174. RC-3 Forms
    • An RC-3 form is a Certificate of Disposal for records identified on an RC-2 form. These forms do not require the signature of the Records Commission. The certificate of records disposal serves as the official record of the disposition of the records.

  • 175. RC-3 Exceptions
    • RC-2 forms dated after September 29th, 2011 have check boxes for the LGRP to mark. RC-3 forms will only be required for records series that have been checked by the LGRP
    • Generally, the LGRP is unable to review or select for its custody any records protected by HIPAA or FERPA
      – This should be clearly indicated on the RC-2 form and be enforced by the DD Board's records custodian.

  • 176. RC-2 Best Practices
    • The LGRP website has detailed instructions on how to fill out an RC-2 Retention Schedule.
    • The LGRP also provides a draft copy of a suggested Retention Schedule for DD Boards with sample records series and retention windows.
      – www.ohiohistory.org/lgrforms
      – https://www.ohiohistory.org/OHC/media/OHC-Media/Learn/Archives-Library%20Documents/Developmental-Disabilities-Draft.pdf

  • 177. Multiple Media Types
    • If you are keeping both paper and electronic records for the same length of time, they can be listed together with both media types listed. If you are only keeping one type until it is converted to the other type (paper scanned to electronic), you should use two separate lines.

  • 178. Keeping Paper AND Electronic Records
    Schedule Number | Record Title and Description | Retention Period | Media Type
    SSA-01          | Client Records               | Permanent        | Paper/Electronic

  • 179. Keeping Paper OR Electronic Records
    Schedule Number | Record Title and Description | Retention Period     | Media Type
    SSA-01          | Client Records               | Retain until scanned | Paper
    SSA-02          | Client Records               | Permanent            | Electronic

  • 180. Digital vs Physical Record Retention
    • The Ohio History Connection strongly recommends maintaining an eye-readable backup for records deemed of permanent value or that will be maintained for greater than ten years.
    • It is our opinion that this is directed towards government records with historical value as opposed to DD Board records.

  • 181. Digital vs Physical Record Retention
    • ORC 9.01 generally states that electronic copies of a document have the same authority as a paper copy as long as they are certified or authenticated.
    • The State is concerned with the record itself more than the medium in which it is retained.

  • 182. State Guidelines for Long-Term Imaging
    • Originals should be scanned at a minimum of 300 DPI and saved in Group 4 TIFF format. This will be the master image/archival copy.
      – Quality control should be intensive if the agency is retaining ONLY a digital image.
    • Images should be periodically copied to new media to address any degradation or impermanence, and the data should be reformatted from obsolete storage devices.

  • 183. State Guidelines for Long-Term Imaging
    • Images should be reformatted into newly emerging archival formats if applicable, and components of your electronic document management system should be migrated to new software or hardware as technology changes.
    • All changes should be exhaustively tested and documented to preserve the integrity of your digital images and/or metadata.

  • 184. Jonathan Zuhosky
    • Jonathan has been the Records Manager at the Franklin County Board of Developmental Disabilities for the past six and a half years. He has a Master's Degree in Library and Information Science from Kent State University.

  • 185. www.hickman-lowder.com
    216-861-0360 Cuyahoga County
    440-323-1111 Lorain County
    614-879-4143 Dublin, Ohio
    Turning Your Obstacles Into Opportunities

Editor's Notes

  1. Where does MN apply – processing payment
  2. Limited data set – lacks client identifying info. Minimum info ex: payment
  3. SA Tip – continue to use releases even when it's optional. BM Tip – policy to use and require releases
  4. Example: Farah's medical info sold to Nat'l Enq.
  5. Supposed to go on a home visit and took the wrong file by mistake.
  6. Team discusses an individual in an ISP meeting. One team member mentions a follow-up on another case in the meeting with others present
  7. Visiting a group home with persons with serious disabilities. Talk with your client and another client walks in and hears part of the conversation. You believe that the other client could not have understood.
  8. Handout includes current guidance. HHS must update guidance annually. All paper PHI is unsecured. BMs – consider policies re: handling of client files. SAs – consider careful handling of client files
  9. Delay must be requested by a law enforcement official – see pages 6-7.
  10. Lose a computer which stores PHI, and all info, including SSNs, is taken. Lose a BlackBerry with client-related e-mails. One client takes another's file that was sitting on a desk
  11. Provided directly by BA or through CE