KBA Presentation June 10 2006
Download
Report
Transcript KBA Presentation June 10 2006
Drafting HIPAA Compliant
Subpoenas & Discovery
Presented by: RACHEL B. RUBIN
Kansas Bar Association Annual Meeting
June 10, 2006
Rubin Law Firm, LLC
4601 College Blvd., Suite 280
Leawood, KS 66211
(913) 322-8950
[email protected]
www.rrubinlaw.com
Copyright 2006 Rubin Law Firm, LLC
Drafting HIPAA Compliant Subpoenas
HIPAA privacy regulations protect patient medical
information.
“Protected Health Information” or “PHI”
Definition of PHI:
Individually Identifiable Health
Information that is transmitted by or maintained in
electronic or any other form.
Copyright 2006 Rubin Law Firm, LLC
PROTECTED HEALTH INFORMATION
“Individually Identifiable Health Information”
45 CFR 160.103.
Very broad definition:
• Includes all types of medical information regarding an
individual’s past, present or future physical or mental health
or condition, the provision of health care, or payment for
health care, that identifies the individual.
Copyright 2006 Rubin Law Firm, LLC
GENERAL RULE UNDER HIPAA:
– A Covered Entity CANNOT use or disclose PHI
without obtaining a WRITTEN AUTHORIZATION
from the patient.
– “Covered Entity” includes a health care provider
(physician, dentist, hospital, ASC, etc); health
plan, or health care clearinghouse (e.g. a
hospital/physician billing company).
Copyright 2006 Rubin Law Firm, LLC
EXCEPTIONS
• Primary Exception: treatment, payment or healthcare
operations.
• Minimum Necessary Information: Disclose ONLY the
minimum necessary to accomplish the intended purpose
of the use, disclosure or request.
Copyright 2006 Rubin Law Firm, LLC
OTHER EXCEPTIONS
(45 CFR 164.512)
Additional exceptions allow Covered Entity to use or disclose PHI
without written patient authorization:
•
•
•
•
•
•
•
•
•
•
•
•
Required by law;
Public health activities;
Victims of abuse, neglect or domestic violence;
Health oversight activities (e.g., Board of Healing Arts)
Judicial or administrative proceedings;
Law Enforcement purposes;
Decedents;
Organ, eye or tissue donation at death;
Research purposes;
To avert a serious threat to health or safety;
Specialized government functions (e.g. military);
Worker’s Compensation
Copyright 2006 Rubin Law Firm, LLC
Worker’s Compensation
• Worker’s Comp treatment records may not
include all records you want.
– General treatment records are (or should be)
maintained separately from Worker’s Comp treatment
records.
– Should request specific authorization to obtain
patient’s general treatment records.
Copyright 2006 Rubin Law Firm, LLC
OTHER EXCEPTIONS (45 CFR 164.512)
• Always check the regulations--the
requirements to meet any of these
exceptions are hyper-technical.
Copyright 2006 Rubin Law Firm, LLC
REQUEST FOR PHI PURSUANT TO
SUBPOENA OR COURT ORDER
• HIPAA requires a Covered Entity to respond
differently to a subpoena or discovery request,
and an order of a court or administrative tribunal.
• Distinction between Subpoena (KSA 60-245 & 60-245a)
& Court Order
Copyright 2006 Rubin Law Firm, LLC
PURSUANT TO COURT ORDER
• Covered Entities MUST DISCLOSE PHI if it
receives a court order specifically ordering it to
release an individual’s PHI.
• Covered Entity may only disclose the PHI that is
expressly authorized under the court order, and not
more.
• Court order should demonstrate to the Covered
Entity that HIPAA was considered & that the
patient had opportunity to be heard & object to
disclosure.
Copyright 2006 Rubin Law Firm, LLC
PURSUANT TO SUBPOENA, DISCOVERY
OR OTHER LAWFUL PROCESS
Under HIPAA, Covered Entities should NOT provide PHI based
solely on receipt of a subpoena or discovery request.
Additional requirements must be met:
1.
Satisfactory assurance from the Requestor that reasonable
efforts have been made to ensure that the patient has been
given notice of the request;
OR
2.
Satisfactory assurance from the Requestor that a qualified
protective order has been obtained.
Copyright 2006 Rubin Law Firm, LLC
ALTERNATIVE 1:
NOTICE TO PATIENT
In addition to subpoena, Requestor must provide
Covered Entity with written statement and
documentation which demonstrates that:
– Good faith attempt to provide written notice to the individual;
– Notice included sufficient information to permit individual to raise
objection in court; &
– Time for individual to raise objections in court has expired & no
objections were filed; or all objections have been resolved by
court.
Copyright 2006 Rubin Law Firm, LLC
ALTERNATIVE 2: QUALIFIED
PROTECTIVE ORDER
Requestor must provide Covered Entity with written
statement and documentation which demonstrates that:
– The parties to the request for information have agreed to a
qualified protective order & have presented it to the court; or
– Requestor has sought a qualified protective order from the court.
Copyright 2006 Rubin Law Firm, LLC
DEFINITION OF “QUALIFIED
PROTECTIVE ORDER” 45 CFR 164.512(e)(1)(v)
– Prohibits parties from using or disclosing the PHI for any other
purpose;
– An order of a court or administrative tribunal, or a stipulation by
the parties; and
– Requires return of PHI to Covered Entity or destruction of PHI,
including all copies made, at end of litigation or proceeding.
Copyright 2006 Rubin Law Firm, LLC
HIPAA Enforcement
• Office for Civil Rights (Civil); DOJ (Criminal)
• Potential Civil & Criminal Penalties for Violations
of HIPAA
– Civil Money Penalties
– Criminal sanctions for individuals/entities whose
conduct is governed by HIPAA
– No private cause of action set forth in statute or
regulations
Copyright 2006 Rubin Law Firm, LLC
Other Applicable Privacy Laws:
• Alcohol & Drug Abuse Treatment Records
(42 U.S.C. 290dd; 42 U.S.C. 290ee, 42 C.F.R. 2.1 et seq.)
– Protects identity, diagnosis, prognosis or treatment of
patient
• Participation in Medicare/Medicaid subjects a
hospital or facility to this statute
Copyright 2006 Rubin Law Firm, LLC
Alcohol & Drug Abuse Treatment Records
• Such records may not be used in any civil, criminal,
administrative or legislative proceedings conducted by
federal, state or local authority.
• Disclosures limited to information necessary to carry out
purpose of disclosure.
• Answer to request for disclosure may not reveal patient’s
identity or whether they have sought treatment.
Copyright 2006 Rubin Law Firm, LLC
Alcohol & Drug Abuse Treatment Records
(See 42 U.S.C. 290dd-2(b) & 42 C.F.R. 2.31(a).
• Disclosure is permitted with prior written consent of patient.
• Consent must contain certain elements:
– Name of program & patient; purpose of disclosure; type of
information to be disclosed; signature of patient; expiration
date.
– Regulations contain model written consent form. (42 CFR
2.31).
Similar to HIPAA, but different statutory
scheme.
Protections continue regardless of
individual’s status as patient.
Copyright 2006 Rubin Law Firm, LLC
Alcohol & Drug Abuse Treatment Records
(See 42 USC 290dd-2(b) & 42 CFR 2.61)
• Provision in statute for Court Order:
– Must show good cause, including need to avert
substantial risk of death or serious bodily harm.
– Court to weigh public interest & need for disclosure
against injury to patient, the physician-patient
privilege, & treatment.
– Court must impose appropriate safeguards against
unauthorized disclosure.
Copyright 2006 Rubin Law Firm, LLC
Alcohol & Drug Abuse Treatment Records
(See 42 U.S.C. 290dd-2(b) & 42 C.F.R. 2.31(a).
• No preemption of state law, if state law
more restrictive. (42 CFR 2.20).
• Criminal penalty for violation of statute:
– Not more than $500 for 1st offense; Not more than
$5,000 for each subsequent offense. (42 CFR 2.4).
– Reports of violations made to U.S. Attorney where
violation occurred.
– No private cause of action set forth in statute or
regulations.
Copyright 2006 Rubin Law Firm, LLC
Other Applicable Privacy Laws
• No preemption of state law, so long as state law is more
stringent, e.g. state has more protections for patient
information. (See 45 CFR 160.201.)
HIV/AIDS STATUS UNDER KANSAS LAW:
– Confidential; no disclosure
– K.S.A. 65-6002 – no disclosure of HIV/AIDS status, upon
subpoena or otherwise, unless patient consents in writing
– No provision in statute for Court Order to disclose HIV/AIDS
status
Copyright 2006 Rubin Law Firm, LLC
Summary
Safest route for Covered Entity is to obtain patient’s written
authorization to use or disclose patient’s PHI.
Subpoena for PHI by itself will not satisfy requirements under
HIPAA; opens door to motion to quash.
Subpoena must be accompanied with written statement & supporting
documentation that:
1) patient has been notified of request for PHI & has not
objected to disclosure, OR
2) protective order has been obtained.
Attorney who wants PHI may need to obtain court order to
ensure compliance by Covered Entity.
Copyright 2006 Rubin Law Firm, LLC
Summary
• Other state and federal privacy laws may also
apply; HIPAA is NOT the end of inquiry
• Common law doctrines of privacy &
confidentiality; breach of fiduciary duty;
• Potential violation of Healing Arts Act for
“unprofessional conduct,” even if no private
cause of action exists.
Copyright 2006 Rubin Law Firm, LLC
Summary
Copyright 2006 Rubin Law Firm, LLC