
Page 1: HIPAA and HITECH Everything a Lawyer Needs to Know · 2015-09-10 · Lawyers as business associates of health plans and providers. HIPAA and discovery: How to obtain HIPAA-protected

Page 1 © Copyright 2013, All Rights Reserved.

HIPAA and HITECH Everything a Lawyer Needs to Know

Seminar Topic: HIPAA and HITECH Everything a Lawyer Needs to Know covers all essential basic information on HIPAA and the impact the HITECH Act had on it. HIPAA and what it does is clearly defined, and sanctions for HIPAA violations, including the new federal private right of action and state court litigation, are discussed. Also, how to obtain HIPAA-protected individually identifiable health information is described in detail. In addition, an overview of security requirements and patient privacy requirements is included.

This material is intended to be a guide in general. As always, if you have any specific question regarding the state of the law in any particular jurisdiction, we recommend that you seek legal guidance relating to your particular fact situation.

The course materials will provide the attendee with the knowledge and tools necessary to identify the current legal trends with respect to these issues. The course materials are designed to provide the attendee with current law, impending issues and future trends that can be applied in practical situations.


Copyright © 2013 Printed in the United States of America. All rights reserved. No part of this monograph may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, except for citation within legal documents filed with a tribunal, without permission in writing from the publisher.

Disclaimer: The views expressed herein are not a legal opinion. Every fact situation is different and the reader is encouraged to seek legal advice for their particular situation.

The Apex Jurist, www.ApexJurst.com, is published by ApexCLE, Inc.

www.ApexCLE.com

Ordering Information: Copies of this monograph may be ordered direct from the publisher for $24.95 plus $4.25 shipping and handling. Please enclose your check or money order and shipping information. For educational, government or multiple copy pricing, please contact the publisher.

Library of Congress Cataloging-in-Publication Data

ApexCLE, Inc.

1. ApexCLE, Inc. 2. Law-United States – Guide-books. 3. Legal Guide 4. Legal Education.

119 South Emerson St., Suite 248, Mount Prospect, Illinois 60056. Toll Free (866) 657-2004

920 South Spring Street, Springfield, Illinois 62704. Toll Free (866) 657-2004


Author’s Email Address: [email protected]

Author’s Website: veteranspress.com

Author’s Mailing Address:

Tomes & Dvorak, Chartered, 7111 West 98th Terrace, Overland Park, KS 66212

Author’s Phone Number: (913) 385-7990, ext. 306

About The Author

Jonathan P. Tomes is admitted in Illinois, Kansas, Missouri, and Oklahoma, Federal District Court for the Northern District of Illinois (Trial Bar), Western District of Missouri, District of Kansas, U.S. Courts of Appeal for the 5th, 7th, 8th, 10th, and Federal Circuits, and the U.S. Supreme Court.

Tomes is the president of EMR Legal, a nationwide HIPAA consulting firm. His past clients include U.S. Public Health Service, Indian Health Services; Alabama Department of Mental Health and Mental Retardation; Missouri Department of Mental Health; Wayne County, Michigan (Detroit); Johnson, Sedgwick, and Lyon Counties, Kansas; St. Croix County, Wisconsin; and hundreds of hospitals, long-term care facilities, hospices, and physician practices; and business associates of covered entities, such as transcription services, billing services, and medical marketing services, among others. Tomes frequently presents HIPAA seminars around the country for health care professionals.

Tomes is also an author of more than 50 nonfiction books and dozens of professional articles, mostly on HIPAA and some on military law (as a retired U.S. Army JAG officer and military judge), available at veteranspress.com, as well as more recently several novels and short stories available on Amazon Kindle.


Overview

How can attorneys become involved with HIPAA?

What is HIPAA, and what does it do?

Overview of security requirements.

Overview of patient privacy requirements.

How has the HITECH Act tightened up HIPAA?

Sanctions for HIPAA violations, including the new federal private right of action and state court litigation.

Lawyers as business associates of health plans and providers.

HIPAA and discovery: How to obtain HIPAA-protected individually identifiable health information.

Questions and answers.

Attorney Involvement with HIPAA

Other uses in litigation.

Representing health care clients.

As business associates.

HIPAA lawsuits.

Criminal prosecutions.

Subpoenaing medical records.

What Is HIPAA?

Multiple choice test (select one or more):


o The Health Insurance Portability and Accountability Act of 1996.

o A distant relative of a HIPPO.

o The cover name for the Health Lawyer’s Full-Employment Act of 1996.

o The law passed by Congress that gave the Department of Health and Human Services the authority to regulate health information security and privacy.

o One and four only.

o One, three, and four only.

What Is HIPAA, and What Does It Do?

HIPAA—short for the Health Insurance Portability and Accountability Act of 1996.

Its Administrative Simplification provisions specify the rules for individually identifiable health information.

Violation of HIPAA carries both civil and criminal penalties.

It also specifies rules for conducting electronic transactions, security, and privacy.

What Is Health Information?

Any information, whether oral or recorded, in any form or medium that is created or received by a:

o Health care provider, health plan,

o Public health authority, employer,

o Life insurer, school or university, or


o Health care clearinghouse; and

The information relates to the:

o Past, present or future physical or mental health or condition of an individual,

o The provision of health care to an individual, or,

o To the past, present, or future payment for the provision of health care to an individual.

What Is Protected Health Information (“PHI”)?

Individually identifiable health information maintained in a system of records by a covered entity.

The clearest example would be a patient’s chart, but billing and other records usually will qualify as a system of records.

HIPAA has several methods of de-identifying this information so that it is no longer PHI and thus HIPAA’s rules do not apply.

HIPAA’s Criminal Penalties 42 U.S.C. §1320d-6

Knowingly obtaining or disclosing individually identifiable health information: $50,000 fine and imprisonment for one year.

Doing same under false pretenses: $100,000 fine and imprisonment for five years.

Obtaining or disclosing individually identifiable health information with the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm: A maximum fine of $250,000 and/or up to 10 years’ imprisonment.


More Than 30 Criminal Convictions to Date

Majority involve using health information for identity theft.

Several simply involve improperly accessing celebrity charts out of curiosity.

Most involve a prison sentence.

Only one acquittal. Easy crime to prove.

“Knowingly” means knowing what you are doing, not knowing that it is a HIPAA crime.

Clarification of Who Is a Possible Defendant

SEC. 13409. CLARIFICATION OF APPLICATION OF WRONGFUL DISCLOSURES CRIMINAL PENALTIES.

o Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: “For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.”

Expanded Criminal Liability under the HITECH Act

Application of Civil and Criminal Penalties—In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.

HIPAA Civil Money Penalties

Before the HITECH Act, maximum civil money penalty was $100.

This $100 amount increases to $1,000 per violation for a violation due to “reasonable cause and not to willful neglect” (with a maximum penalty of $100,000); $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year).

Note that DHHS cannot waive a penalty imposed for willful neglect.

Settlements and CMPs to Date

Civil money penalties and settlements to date range from $100,000 to $4.3 million with most of them $1 million or more.

Covered entities involved include large hospital chains, not-for-profits, and small physician practices.

DHHS has said that small size is no defense.

Most infractions include not having done a risk analysis, not conducting required training, and/or not having policies and procedures in place.

Settlements usually include a corrective action plan.


New Federal Lawsuit

Before the HITECH Act: No federal private right of action—that is, no federal lawsuit.

Now with the HITECH Act: State attorneys general may bring a HIPAA violation case on behalf of an individual in federal court and may recover damages, attorney’s fees, and costs.

Such cases have been filed in Connecticut, Indiana, Minnesota, and Oklahoma.

State Court Litigation

HIPAA regulations may be used to demonstrate the standard of care in common law claims involving the privacy of medical information, according to a December 2006 decision of the North Carolina Court of Appeals.

Heather Acosta was a patient and an employee of Psychiatric Associates of Eastern Carolina, which was owned by Dr. David R. Faber and managed by Robin Byrum.

Byrum improperly disclosed psychiatric information about her to third parties, causing her emotional distress for which she sued.

The trial court dismissed the case because HIPAA did not, at that time, have a private right of action.

The Court of Appeals noted that it wasn’t a HIPAA case, but rather, it was an infliction of emotional distress case and reversed and remanded for trial.

Acosta v. Faber, 638 S.E.2d 246 (N.C. App., Dec. 19, 2006).

Other Penalties


Reporting of breaches to DHHS.

Reporting of breaches to the media.

Reporting of breaches to the subject(s) of the breach.

Loss of accreditation or licensure or other professional discipline.

Cost of required mitigation.

Bad publicity/loss of patients.

Business Associate Liability

A business associate is a person or entity that provides services for, or on the behalf of, a covered entity that involves the use of PHI.

Most common examples are outside transcription services and billing services.

A lawyer or law firm may be a business associate.

Business associates face the same criminal and civil liability as do covered entities and may be audited by the Office of the Inspector General of DHHS.

Would the attorney-client privilege bar such an audit?

HIPAA’s Security Requirements

Health plans, health care clearinghouses, health care providers who maintain or transmit health information in connection with a standard transaction, and Medicare prescription drug card sponsors (covered entities) . . . must maintain reasonable and appropriate administrative, technical, and physical safeguards:


o To ensure integrity and confidentiality of the information.

o To protect against reasonably anticipated:

Threats or hazards to the security or integrity of the information.

Unauthorized uses or disclosures of the information.

Key Points When Representing Health Care Clients

Must perform risk analysis and update it as conditions change and periodically.

Must train workforce members initially and with periodic updates.

Must implement and enforce policies and procedures.

The Security Rule applies only to electronic PHI, but the Privacy Rule, which applies to all PHI regardless of form or format, requires “appropriate safeguards” to protect PHI.

HIPAA Myths

A provider cannot call a patient by name in the waiting room.

A provider cannot place a chart in a box outside the clinician’s office.

All electronic data must be encrypted.

Privacy Rule in General

Don’t use or disclose except as the rule provides!


Under the modified regulations, covered entities may use protected information:

o With individual authorization (of course) and without authorization:

For treatment, payment, and health care operations, or,

For specific public and public policy purposes, or,

When required by law.

Disclosures Not Requiring a Consent, an Authorization, or an Opportunity to Object.

When required by law, e.g., mandatory child abuse reporting.

To prevent a serious and imminent threat to a named individual or the public.

For public health activities.

Health oversight activities.

For judicial and administrative proceedings.

For law enforcement activities.

Workers’ compensation.

Three Types of Patient “Consent”

A consent—permission to use or disclose PHI to treat the patient, to get reimbursed, or for health care operations. This ground is called TPO—treatment, payment, and health care operations.

An authorization—permission to use or disclose the PHI for purposes other than TPO.


Opportunity to object—no consent or authorization is necessary, but the covered entity may not so use or disclose if the patient objects; this applies to marketing, to facility directories, and to disclosures to family members involved in the patient’s care.

Disclosures for Judicial and Administrative Proceedings 45 C.F.R. § 164.512(e)

Discovery pursuant to a subpoena accompanied by an authorization.

Discovery pursuant to a qualified protective order.

Discovery pursuant to satisfactory assurances.

Subpoena Accompanied by an Authorization

A valid authorization must contain in plain language at least the following elements:

o Description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

o Name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure.

o Name or other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure.

o Description of each purpose of the requested use or disclosure. A statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does, or elects not to, provide a statement of the purpose.


o Expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.

Authorization Elements (continued)

Statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization. Exceptions to the right to revoke are either of the following:

o If the covered entity has taken action in reliance thereon.

o If the authorization was obtained as a condition of obtaining insurance and a law provides the insurer the right to contest a claim under the policy.

Statement that the information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and may then no longer be protected by the privacy regulations.

Signature of the individual and date.

If the authorization is signed by a personal representative, a description of the representative’s authority to act.

Discovery Pursuant to Court Order

A covered entity may disclose PHI in the course of any judicial or administrative proceeding in response to an order of the court or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by such order.

A qualified protective order is an order of a court or administrative tribunal or a stipulation by the parties that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and requires the return to the covered entity or destruction of the protected health information (including any copies) at the end of the litigation or proceeding.

The party requesting the information must provide a written statement and accompanying documentation that demonstrates the following: The parties to the dispute have agreed to a qualified protective order and have presented it to the court or administrative tribunal; or the party seeking the protected health information has requested a qualified protective order from the court or administrative tribunal.

Discovery Pursuant to Satisfactory Assurances

A covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process, that is not accompanied by a court order, provided that the covered entity:

o Receives a written statement and accompanying documentation from the party seeking the information that reasonable efforts have been made either (1) to ensure that the individual(s) who are the subject of the information have been notified of the request, or (2) to secure a qualified protective order for the information; or

o Itself makes reasonable efforts either (1) to provide notice to the individual(s) that meets the same requirements as set forth below for sufficient notice by the party making the request, or (2) to seek a qualified protective order as defined below. See 45 CFR 164.512(e).


The covered entity must make reasonable efforts to limit the protected health information used or disclosed to the minimum necessary to respond to the request.

The requirement to provide sufficient notice to the individual(s) is met when a party provides a written statement and accompanying documentation that demonstrates:

o A good faith attempt was made to notify the individual (or if the individual’s location is unknown, to mail a notice to the individual’s last known address);

o The notice included sufficient detail to permit the individual to raise an objection with the court or administrative tribunal; and

o The time for the individual to raise objections under the rules of the court or tribunal has lapsed and no objections were filed or all objections filed by the individual have been resolved by the court and the disclosures being sought are consistent with the resolution.

Conclusion

Lawyers must know HIPAA to do the following:

o Effectively represent health care clients.

o Avoid liability as business associates of health care clients.

o Represent criminal defendants.

o Become involved in civil litigation involving HIPAA.

o Effectively obtain access to PHI.