hipaa and terrorism. prepared by cpt harry lawson, esq. of houston mrg, texas medical rangers...
TRANSCRIPT
HIPAA and Terrorism
HIPAA and Terrorism
• Prepared by CPT Harry Lawson, Esq. of Houston MRG, Texas Medical Rangers
• Disclaimer: This powerpoint does not constitute legal advice
What is HIPAA ?
• Health Insurance Portability and Accountability Act
• .Protects health insurance coverage if change or lose job
• .Requires national standards for electronic healthcare transactions
• .It established national rules about the security and privacy of health data
Why was it needed?
• No constitutional or other historic right to privacy for health information
• .Concern that electronic technology would destroy health information privacy
• .Standards needed for electronic healthcare transactions
Who is covered by HIPAA?
• .Covered entities: health plans, health care clearinghouses and health-care providers conducting transactions electronically.
• .Focused today on health care professionals
Are the Texas Medical Rangers covered by HIPAA?
• A definite maybe; Probably covered
• .Public health authority providing vaccinations are covered like a doctor
• .National Guard, volunteer organizations providing health care services to individuals trigger coverage of HIPAA, even during an emergency
HIPAA “Privacy Rule”
– .What information is covered?
• .Protected Health Information definition
• .Individually identifiable data
What does the privacy rule require?
• Notifying patients about their privacy rights, privacy policies, and how their Protected Health Information will be used or disclosed
What does the privacy rule require?
• .No disclosure of Protected Health Information unless exception applies:– to facilitate treatment or payment– As authorized by the patient– Disclosures required by law
What does the privacy rule require?
• Covered entity must take reasonable steps to ensure confidentiality by establishing internal privacy policies.
• Employees trained to understand privacy policies.
• Establishing safeguards to protect confidentiality• Account for disclosures of Protected Health
Information
HIPAA “Minimum Necessary” Standard
• .Limit Protected Health Information disclosed to only the information necessary
• .Limit access to people who need it
HIPAA Minimum Necessary Standard does not apply to:
• .Disclosures by health care provider for treatment purposes
• .Disclosures to the patient
• .Disclosures made pursuant to patient’s authorization
• .Disclosures required by law, or a disaster situation
Patients Rights
• .Health care provider must give notice of privacy practices– .Distinguish from, “ consent for treatment” and
authorization for release of medical records– .Notice given on first contact– .Notice posted in office– .Good-faith effort required to obtain written
acknowledgment of receipt of privacy practice notice
Patients Rights
– .Patient may request copies of health information
– .Patient may request correction of inaccurate health information
– .Patient’s right to be notified of disclosure of Protected Held Information
– .Patient’s right to file complaints with federal Department of Health and Human Services, Office for Civil rights for HIPAA rules violation.
HIPAA is the minimum required level of legal privacy protection
• .Federal law preempts state law unless state law provides more protection.
• .State and Federal Public Health laws, child abuse, birth or death records are not affected by HIPAA.
Incidental disclosure of Protected Health Information
• Impossible to guarantee no disclosures of Protected Health Information
• .Example : nurses station Whiteboard; overheard conversation about patient’s condition
Incidental disclosure of Protected Health Information
• .In “Incidental” use or disclosure is permitted if :– .Disclosure cannot be reasonably prevented– .Limited in nature, and– .Occurs as a result of another use or
disclosure permitted by the initial Privacy financial Rule
Incidental disclosure of Protected Health Information
• .Secondary disclosure arising from a disclosure that violates the Privacy Rule is not a permitted “Incidental” disclosure
– .Example: hospital employee having access to Protected Health Information, but access is not necessary to do her job; if someone overhears a hospital employee discussing a patient’s condition; that is not a permitted “Incidental” disclosure.
Administrative, technical, and physical safeguards to protect
privacy.
– .Reasonable safeguards are required
– .Extent of safeguards balanced against effect on patient care and financial and administrative burden
Administrative, technical, and physical safeguards to protect
privacy.
• .Safeguards include customary practices– .Speaking quietly when discussing patient’s
condition in a public area– .Avoid using patient’s name in elevators are
public places– .Physical security for written and electronic
records such as locks, firewalls and passwords
Disclosures to Parents
• .Parents are permitted access to children’s health information
• .Exception: when parent agrees that a minor and the health-care provider may have a confidential relationship
• .Exception: neglected or abused child
Disclosures to family, friends, “significant other”
• Disclosure to a family member, relative, close personal friend, or persons identified by the patient of medical information relevant to such persons involved with the patient’s care or payment related to the patient’s care.
• .If patient is present, health-care provider may disclose medical information if the patient does not object.
Disclosures to family, friends, “significant other”
• .If patient incapacitated, health professionals judgment call to disclose health information to these people.
• .Health-care provider must feel disclosure is in the best interest of patient
• .Hospital or health care provider may refuse to provide any medical information to family without patient’s consent, but HIPAA allows disclosure
Hospital / shelter patient directory information disclosed to the public
• .A hospital or shelter may maintain a public directory including patients name, location in the facility and condition in general terms and disclose such information to anyone who asked for the patient by name.
• .Patient must be informed of this practice and have the opportunity to opt out.
Hospital / shelter patient directory information disclosed to the public
– .If patient incapacitated, hospital/shelter may disclose directory information if no knowledge of patients objection and feel that in patient’s best interest.
– .Hospital/shelter is not required to have directory information disclosure and may require prior approval by the patient before allowing listing.
Patient will not sign receipt for the privacy notice
– .The health-care provider cannot refuse to provide services for this reason only.
– .Health-care provider is only required to make a “good faith” effort to obtain signed acknowledgment
Can the health-care providers be sued by a patient?
• .The HIPAA law does not give patients the right to sue. (But lawyers are creative)
• .Only recourse for a violation is to file a complaint with HHS Civil Rights Office
• .Possible Fines from $100 to $250,000 and prison terms for violations. but government relies upon voluntary compliance and no penalties have been issues for violations.
HIPAA in emergency situations - Hurricane Katrina
• .Government issued a bulletin to clarify HIPAA rules in an emergency
HIPAA in emergency situations - Hurricane Katrina
• .Treatment:- Health-care providers were permitted to share health information as necessary to provide treatment, defined as:
– sharing information with other health-care providers, shelters and clinics
– Referring patients for treatment to providers in areas where patients have relocated
– Coordinating patient care with emergency relief workers or others helping to find patients appropriate health care.
Hurricane Katrina
• .Notification. - Health care providers were permitted to share patient information to notify family members of patients’ location, general condition or death
– verbal permission to be obtained where the possible but if the patient is incapacitated the health-care providers judgment call to disclose, if felt in patient’s best interest.
– Sharing health information with a disaster relief organization, like American Red Cross does not require patient’s permission if doing so would interfere with the organization’s ability to respond to the emergency.
Hurricane Katrina
• Imminent danger.
– Patient’s health information could be shared with third parties to prevent a serious and imminent threat to health
Shelter patient directories
• Shelter facilities can tell the public who ask about patients; if they are at the shelter, their location in the facility and the patient’s general condition.
• the American Red Cross is not a “covered entity” subject to HIPAA and has no restriction from sharing patient information
HIPAA’s special rules in a public health emergency --Terrorism
.Health information disclosure without patient consent obviously necessary in public health emergency such as bioterrorism
– .Public-health officials, law enforcement, national security officials, in the health-care establishment must exchange healthcare information
– .Identifiable information for individuals, groups, families, people within defined geographic boundaries is required to be disclosed
Terrorism - requires balancing of society’s need for health data with the individual’s need for privacy
• . Personal privacy rights are still important in a public health emergency
• .Patients may fail to cooperate in public health programs, criminal investigations, or their own care if they have privacy concerns.
• .Widespread lack of cooperation with government in a bioterrorism event could be disastrous.
HIPAA disaster situation rules allow disclosure of health information
during a public health emergency
– .For treatment purposes by health-care providers
– .To avert serious threats to public health or safety
– .For public health purposes such as avoiding epidemics
– .To protect national security
– .Necessary for law enforcement investigations
– .Required by judicial or administrative proceedings
What does the public health emergency rule allow?
.Some confusion about the application of the privacy rule could limit the flow of health data for bioterrorism prevention.
• Example: some health-care providers were reluctant to release health data associated with recent flu outbreaks fearing violations of the privacy rule and concerns about record-keeping for disclosures of health information
What does the public health emergency rule allow?
• .Treatment. - After a terrorist attack medical care will be fragmented & chaotic under triage conditions. Do health care providers have to follow the normal privacy concerns in exchanging information about their patients?
• No. - Information may be exchanged when necessary for appropriate treatment
What does the public health emergency rule allow?
• .Imminent threat to public health and safety: - Health information may be disclosed to persons who are able to abate the threat. If the health care provider believes the disclosure is necessary to avoid an imminent threat, such as an unexplained disease outbreak suspected to be a Bioterrorist attack
What does the public health emergency rule allow?
• Public-health officials: - Health-care providers can disclose health information:
– when required by law, such as, statutory reporting requirements
– When requested by public health authorities– To individuals who may have been exposed to
infectious disease
What does the public health emergency rule allow?
• National security
– Disclosure is allowed to intelligence and national security agencies where a threat to national security is involved
What does the public health emergency rule allow?
• .Law enforcement:
– Disclosures of health information to law enforcement officials may be made in connection with reporting a possible crime, or to identify a suspect, fugitive or witness involved in a bioterrorist event
– Useful to report a terrorist who spilled his anthrax powder prematurely
What does the public health emergency rule allow?
• Judicial or administrative Proceedings
– Healthcare providers are permitted to disclose health information in response to a court order or a subpoena or discovery request
Conclusion
• To balance the government’s need for health information in a disaster situation with the individuals rights to privacy –
• HIPAA law will have to be understood and interpreted carefully
• to facilitate response efforts and avoid information delays
Texas Medical Rangers