Patricia Tooley Vice President, Privacy Compliance, Memorial Hermann Health System Monique Allen Associate General Counsel Clinical Operations, Memorial Hermann Health System Jesse M. Coleman Senior Associate, Norton Rose Fulbright US, LLP


Post on 27-Jun-2020


TRANSCRIPT

Page 1: Patricia Tooley Vice President, Privacy Compliance ...hbafamilylaw.org/wp-content/uploads/2012/04/HIPAA...3 The Office for Civil Rights' crackdown on HIPAA violations over the past

Patricia Tooley, Vice President, Privacy Compliance, Memorial Hermann Health System

Monique Allen, Associate General Counsel, Clinical Operations, Memorial Hermann Health System

Jesse M. Coleman, Senior Associate, Norton Rose Fulbright US, LLP

Page 3:

The Office for Civil Rights' crackdown on HIPAA violations over the past year will "pale in comparison" to the next 12 months, a U.S. Department of Health and Human Services attorney recently told an American Bar Association conference.

The Office for Civil Rights has been levying fines to make healthcare entities take notice: nine settlements since June 1, 2013, have totaled more than $10 million. That includes a record $4.8 million fine announced in May against New York-Presbyterian Hospital and Columbia University.

FierceHealthIT: “OCR predicts spike in HIPAA fines,” June 16, 2014

Page 4:

1. How to satisfy HIPAA and Texas privacy laws when requesting protected health information;

2. Cases in which satisfying HIPAA and Texas Privacy laws is only the first step; and

3. What steps a family law practitioner needs to take before issuing a subpoena for protected health information.

Page 6:

• HIPAA Privacy Rule (45 C.F.R. pts. 160, 164) prohibits disclosure of “protected health information” by “covered entities” except under specific circumstances.

• Texas Health and Safety Code Chapter 241 governs the disclosure of health care information by hospitals in Texas.

• Texas Health and Safety Code Chapter 181 (the Texas Medical Records Privacy Act) governs the privacy of medical records in Texas.

Page 7:

• Both federal and state privacy laws may apply to any given situation.

• Federal and State laws are not always written to make sense when applied together.

• If federal law applies, it preempts any contrary state law and therefore controls, subject to the exceptions in 45 C.F.R. § 160.203 (including state laws that are more stringent than HIPAA).

• Federal rules permitting disclosure often allow States to enforce greater restrictions and protections than federal law. 45 C.F.R. § 160.202.

• Federal laws restricting disclosure will often state, “as permitted by law,” which may provide a State-law exception from the federal restriction.


Page 8:

Decision tree for responding to a records request:

Is the information protected?
– No → Is the disclosure permitted or required?
    – Permitted → Consult policies/protocols
    – Required → Produce
– Yes → Has there been proper authorization?
    – No → Do not produce
    – Yes → Is the disclosure permitted or required?
        – Permitted → Consult policies/protocols
        – Required → Produce

Page 9:

Protected health information (PHI) means individually identifiable health information that [subject to certain exceptions] is:

i. Transmitted by electronic media;
ii. Maintained in electronic media; or
iii. Transmitted or maintained in any other form or medium.

45 C.F.R. § 160.103

Page 10:

HIPAA “Covered Entity” means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. 45 C.F.R. § 160.103.

Texas “Covered Entity”: “any person who … comes into possession of protected health information.” Tex. Health & Safety Code § 181.001.

Page 11:

Written authorization. Tex. Health & Safety Code § 241.152. A patient's health care information may be disclosed without the patient's authorization [under specific circumstances] if the disclosure is …

(1) for directory information;
(2) to a health care provider who is rendering health care to the patient when the request for the disclosure is made;
(3) to a transporting emergency medical services provider for the purpose of:
(4) to a member of the clergy specifically designated by the patient;
(5) to a procurement organization;
(6) to a prospective health care provider;
(7) to a person authorized to consent to medical treatment;
(8) to an employee or agent of the hospital;
(9) to a federal, state, or local government agency or authority to the extent authorized or required by law;
(10) to a hospital that is the successor in interest to the hospital maintaining the health care information;
(11) to the American Red Cross for the specific purpose;
(12) to a regional poison control center;
(13) to a health care utilization review agent;
(14) for use in a research project authorized by an institutional review board under federal law;
(15) to health care personnel of a penal or other custodial institution;
(16) to facilitate reimbursement;
(17) to a health maintenance;
(18) to satisfy a request for medical records of a deceased or incompetent person;
(19) to comply with a court order;
(20) related to a judicial proceeding in which the patient is a party and the disclosure is requested under a subpoena issued under … the Texas Rules of Civil Procedure or Code of Criminal Procedure.

Tex. Health & Safety Code § 241.153(20).

Page 12:

Authorization by individual or personal representative. 45 C.F.R. §§ 164.508(a) (authorization required), 164.524 (right of access).

Court order. 45 C.F.R. § 164.512(e)(1)(i).

Subpoena accompanied by “satisfactory assurances” that:
◦ the individual who is the subject of the PHI has been given proper notice of the request; or
◦ reasonable efforts have been made to secure a qualified protective order.
45 C.F.R. § 164.512(e)(1)(ii)-(v).

Page 13:

For an authorization to be valid under federal law, it must contain the following elements:

1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

4. A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.

6. Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

45 C.F.R. § 164.508(c)(1).

Page 14:

An authorization to a hospital is valid only if it:

1. is in writing;

2. is dated and signed by the patient or the patient's legally authorized representative;

3. identifies the information to be disclosed;

4. identifies the person or entity to whom the information is to be disclosed; and

5. is not contained in the same document that contains the consent to medical treatment obtained from the patient.

Tex. Health & Safety Code § 241.152(b)

Page 15:

Go to www.memorialhermann.org

Type “Medical Records Authorization” in the search box.

Choose the applicable authorization.

OR…

Go to

www.memorialhermann.org/patients-caregivers/release-of-medical-records/

NOTE: Memorial Hermann will recognize any authorization (not just its own) containing all the necessary elements.

Page 16:

• “Personal Representative” is defined under federal law as a person with authority to act on behalf of the individual “under applicable law.” 45 C.F.R. § 164.502(g). This includes, but is not restricted to, a Texas “Legally Authorized Representative.”

• If an authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. 45 C.F.R. § 164.508(c)(1)(vi).

• Restrictions exist on a personal representative’s authority when a licensed health care professional has determined, in the exercise of professional judgment, that access to PHI is reasonably likely to cause substantial harm to the individual or another person. See, e.g. 45 C.F.R. §§ 164.502(g)(5); 164.524(a)(3).


Page 17:

• “Legally authorized representative” means:
– a parent or legal guardian if the patient is a minor;
– a legal guardian if the patient has been adjudicated incapacitated to manage the patient's personal affairs;
– an agent of the patient authorized under a durable power of attorney for health care;
– an attorney ad litem appointed for the patient;
– a person authorized to consent to medical treatment on behalf of the patient under Chapter 313;
– a guardian ad litem appointed for the patient;
– a personal representative or heir of the patient, as defined by Section 3, Texas Probate Code, if the patient is deceased;
– an attorney retained by the patient or by the patient's legally authorized representative; or
– a person exercising a power granted to the person in the person's capacity as an attorney-in-fact or agent of the patient by a statutory durable power of attorney that is signed by the patient as principal.

Tex. Health & Safety Code § 241.151(5).

Page 18:

“Satisfactory assurances” regarding a qualified protective order require “a written statement and accompanying documentation” demonstrating that:

a) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or

b) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.

A “qualified protective order” means “an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding” that:

a) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and

b) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

See Template Handout

Page 19:

“[T]he hospital or its agent may charge a reasonable fee for providing the health care information except payment information and is not required to permit the examination, copying, or release of the information requested until the fee is paid unless there is a medical emergency.” Tex. Health & Safety Code § 241.154(b).

Memorial Hermann is authorized to take up to fifteen days from receiving a proper request and payment to make the information available. Tex. Health & Safety Code § 241.154(a).

Page 21:

42 U.S.C. § 290dd-2 allows production of substance-abuse treatment records only with:

• the written consent of the treated individual, or

• an appropriate order of a court of competent jurisdiction granted after application showing good cause therefor, including the need to avert a substantial risk of death or serious bodily harm.

Page 22:

Tex. Family Code § 261.201 makes records associated with child abuse investigations confidential. A court may order the disclosure of information that is confidential under this section if:

(1) a motion has been filed with the court requesting the release of the information;
(2) a notice of hearing has been served on the investigating agency and all other interested parties; and
(3) after hearing and an in camera review of the requested information, the court determines that the disclosure of the requested information is:
  (A) essential to the administration of justice; and
  (B) not likely to endanger the life or safety of:
    (i) a child who is the subject of the report of alleged or suspected abuse or neglect;
    (ii) a person who makes a report of alleged or suspected abuse or neglect; or
    (iii) any other person who participates in an investigation of reported abuse or neglect or who provides care for the child.

Page 23:

Texas Gov’t Code § 420.001 et seq. governs the production of Sexual Assault Nurse Examination (SANE) reports and investigation materials. Production requires:
◦ consent from the personal representative, or
◦ a criminal subpoena.

45 C.F.R. § 164.502(g)(5) allows a covered entity to decline to treat a person as the individual's personal representative, and so to withhold PHI from that person even where “satisfactory assurances” have been given, if the covered entity reasonably believes the individual has been or may be subjected to abuse and that treating the person as the personal representative could endanger the individual.

Page 24:

A covered entity may deny access, with no right of review, to:

• Psychotherapy notes; and

• Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

45 C.F.R. § 164.524(a)(2)

Covered entity may also deny access if a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person (subject to review).

45 C.F.R. § 164.524(a)(3)

Page 26:

Do I have a court order to obtain the PHI?

If I do not have a court order, do I have a valid authorization?
◦ Does my authorization meet Texas and federal law requirements?
◦ Is my authorization from the individual for whom I am seeking PHI?
◦ If not, does my client have the authority to request the PHI?

If I do not have a court order or authorization, does my subpoena contain all the necessary information?
◦ Can I provide satisfactory assurances that notice has been given, or
◦ Can I provide satisfactory assurances that a qualified protective order has been requested?

Is the information I am seeking subject to additional protections (substance abuse, child abuse, psychotherapy, SANE)?

Have I requested an invoice and paid the necessary fees for the records under the Texas Health & Safety Code?

Page 27:

For substance abuse records, have I previously obtained an order showing good cause that contains the elements of 42 U.S.C. § 290dd-2?

For records associated with a child abuse investigation, have I previously obtained an order showing good cause to obtain the requested materials that contains the elements of Tex. Family Code § 261.201(b)?

For records associated with SANE kits, do I have consent from the personal representative or a criminal subpoena? See Tex. Gov’t Code § 420.0735.

Page 28:

Please request your records so that they can be provided to you with a business records affidavit more than 14 days before you have any hearing, so you can serve them on other parties, pursuant to Tex. R. Evid. 902(10)(A).

For cases filed after September 1, 2014, the court may order (for good cause shown) that a business record be treated as presumptively authentic, even if the proponent fails to comply with the 14-day service rule.

Page 29:

Patricia Tooley, Vice President, Privacy Compliance, Memorial Hermann Health System, [email protected]

Monique Allen, Associate General Counsel, Clinical Operations, Memorial Hermann Health System, [email protected]

Jesse M. Coleman, Senior Associate, Norton Rose Fulbright, [email protected]