R. Gregory Cochran, MD, JD


California Academy of Attorneys for Health Care Professionals, October 19-21, 2012
Government Subpoenas (and other Requests) and Health Privacy Considerations
R. Gregory Cochran, MD, JD

Overview: Overview of HIPAA and California's Confidentiality of Medical Information Act (CMIA); overview of government healthcare agencies that issue subpoenas 2

Overview: When HIPAA and CMIA come into play; how HIPAA and CMIA affect subpoena responses 3

Take Home: CMIA trumps HIPAA re subpoena responses; err on the side of de-identifying patients when responding 4

Take Home: Be sure to enter into a BAA with your health provider clients; be sure to enter into a HIPAA-compliant subcontractor agreement with your experts/consultants 5

Subpoena: Court or administrative order that requires the provider to testify at a specific time 6

Subpoena Duces Tecum: Requires the provider to produce documents or other items at a specified time and place 7

HIPAA: Health Insurance Portability and Accountability Act of 1996. Protected health information (PHI): individually identifiable health information transmitted or maintained in any form or medium. Covered entity: a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form 8

CMIA: California Confidentiality of Medical Information Act (1979) (Civ. Code § 56 et seq.). Medical information: any individually identifiable information in possession of or derived from a health care provider, a health plan, or pharmaceutical company regarding a patient's medical history, mental or physical condition or treatment. Covered parties: provider of healthcare, healthcare service plan, or contractor 9

HIPAA v. CMIA: California health providers must meet obligations under both schemes. Preemption: HIPAA governs unless state provisions are more stringent; the rule giving more patient protection wins out 10

HIPAA v. CMIA: HIPAA business associate rules: attorneys who use PHI that their provider clients give them in the course of the representation are BAs of their clients. HIPAA minimum necessary rule 11

HIPAA v. CMIA: HIPAA: CEs must give individuals advance notice about how they handle PHI; HIPAA: CEs must obtain patient consent for use of PHI for treatment, payment and operations 12

HIPAA: Exceptions to Minimum Necessary Standard: disclosures to providers for treatment; disclosures to the individual/patient; uses and disclosures required by law; disclosures to DHHS/OCR for enforcement; uses and disclosures with authorization 13

HIPAA & CMIA: Penalties. HIPAA: no private right of action under HIPAA (Cal. B&P § 17200? ERISA). CMIA: patients may bring actions for violations of CA law: compensatory damages, punitive damages ($3,000), attorney fees ($1,000) 14

HIPAA v. CMIA: Penalties (cont'd). HIPAA: knowingly disclosing, obtaining or using is a criminal offense; $100/violation, not exceeding $25,000/year (civil fine). CMIA: any violation is a misdemeanor; negligent disclosure: up to $2,500/violation (civil fine) 15

HIPAA v. CMIA: Penalties (cont'd). HIPAA: knowingly disclosing, obtaining or using (up to $50,000 and/or 1 year); false pretenses (up to $100,000 and/or 5 years). CMIA: knowingly and willfully obtaining, disclosing or using (up to $25,000/violation) 16

HIPAA v. CMIA: Penalties (cont'd). HIPAA: for commercial or personal gain or malicious harm (up to $250,000 and/or 10 years). CMIA: for financial gain (up to $250,000 per violation and disgorgement) 17

HIPAA v. CMIA: HIPAA: 120+ pages (1996); CMIA: ~12 pages (1979) 18

Examples of Agencies that May Seek PHI: Medical Board of California (MBC), for physician investigations; California Department of Public Health (CDPH), for facility licensing proceedings; U.S. Department of Justice, for False Claims Act investigations 19

HIPAA Exceptions Scheme: Broad exception categories: uses and disclosures for treatment, payment or operations (TPO); authorization required; opportunity to object required (e.g., directories, individual's care); opportunity to object not required (e.g., required by law; public health; abuse reporting; health oversight; judicial/admin; law enforcement; decedents; organ donation; research; etc.) 20

When Agencies Do Not Need Subpoenas to Obtain Medical Information (CMIA): Private or public bodies responsible for licensing or accreditation may review medical information on site, but may not remove or further disclose it. Medical information may also be disclosed when otherwise specifically authorized by law 21

When Agencies Do Not Need Subpoenas to Obtain PHI (HIPAA): Under HIPAA, a covered entity may disclose PHI to a health oversight agency for oversight activities (opportunity to object not required) 22

When Agencies Do Not Need Subpoenas to Obtain PHI (HIPAA): Health oversight agency: a federal or state agency (or person or entity acting under the agency's authority) authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is necessary 23

When Agencies Do Not Need Subpoenas to Obtain PHI (HIPAA): Health oversight agencies include: Medical Board of California; Board of Registered Nursing; Department of Public Health; CMS 24

When Agencies Do Not Need Subpoenas to Obtain PHI (HIPAA): Oversight activities include: audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or 25

When Agencies Do Not Need Subpoenas to Obtain PHI (HIPAA): other activities necessary for appropriate oversight of: the health care system; government benefit programs for which health information is relevant to beneficiary eligibility; entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or entities subject to civil rights laws for which health information is necessary for determining compliance. 26

HIPAA and Subpoenas: Overview. A court order or subpoena signed by a judge requires no assurances or notification to the patient (presumption of privacy protection). CE should strictly comply without disclosing more PHI than is ordered 27

HIPAA and Subpoenas: Overview. A subpoena or discovery request signed by an attorney requires either proof of notice to the patient (but no opportunity to object) or a qualified protective order 28

CMIA and Subpoenas: Overview. CMIA also permits compliance with subpoenas, with no distinction as to signatories. Cal. Code of Civil Procedure § 1985.3(b) requires the subpoenaing party to also serve the consumer whose records are sought, and notify them how to object 29

CMIA and Subpoenas: Overview. If the individual objects (CCP § 1985.3): he/she must file papers with the court; if he/she is a party to the action, he/she may bring a motion to quash or modify the subpoena 30

CMIA and Subpoenas: Overview. If the individual objects (CCP § 1985.3): any other consumer or nonparty may serve on the subpoenaing party a written objection that cites the specific grounds; the subpoenaing party may bring a motion under Section 1987.1 to enforce the subpoena, accompanied by a declaration showing a reasonable and good faith attempt at informal resolution of the dispute with the consumer 31

De-identified PHI: No notice or consent required if patient information is de-identified. 32

De-identified PHI: PHI is de-identified when it does not identify an individual and there is no reasonable basis to believe that it can be used to identify an individual. De-identified PHI is neither PHI nor subject to HIPAA's restrictions 33

How to De-identify PHI: Remove any of 18 different identifiers (listed in 45 CFR 164.512) (e.g., names, dates and SSNs), such that there is no reasonable basis to believe it can be used to identify an individual; or statistical method: an expert certifies that the risk is very small that the information could lead to identification 34

How to De-identify PHI: CMIA does not discuss de-identification. "Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, e-mail address, telephone number, social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. 35
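The two de-identification slides above (the HIPAA identifier-removal method and the CMIA list of identifying elements) in working form: an added example, not from the presentation. It drops the structured identifier fields both slides name, reduces dates to the year, caps ages at "90+", scrubs SSN, phone, e-mail and date patterns out of free text, and ends with a release check; the field names and the sample record are constructed for illustration.

```python
import re
from datetime import date

# Structured fields dropped outright: names, SSNs, contact details and
# record numbers are among the identifiers the slides point to.
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "address", "mrn"}

# Identifier patterns that routinely leak through free-text notes.
# Order matters: the SSN pattern runs before the looser phone pattern.
LEAK_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSN
    re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),  # US phone
    re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),      # e-mail
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),             # m/d/yyyy date
]

def scrub_text(text: str) -> str:
    """Replace pattern-detectable identifiers with a token. Names written
    into prose are not caught by regex and still need manual review."""
    for pat in LEAK_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text

def age_on(dob: date, as_of: date) -> int:
    """Whole years between date of birth and the reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)

def deidentify(record: dict, as_of: date) -> dict:
    """Copy of the record with direct identifiers dropped, dates reduced to
    the year, DOB replaced by a capped age, and free text scrubbed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            out["age"] = generalize_age(age_on(value, as_of))
        elif isinstance(value, date):
            out[key + "_year"] = value.year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out

def residual_leaks(record: dict) -> list:
    """Release gate: fields that still carry a direct identifier or match a
    free-text identifier pattern. Non-empty means do not send."""
    leaks = {k for k in record if k in DIRECT_IDENTIFIERS}
    leaks |= {k for k, v in record.items()
              if isinstance(v, str) and any(p.search(v) for p in LEAK_PATTERNS)}
    return sorted(leaks)

# Constructed sample record, not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "phone": "(415) 555-0100",
    "email": "jane@example.com", "address": "1 Main St, San Francisco, CA 94111",
    "mrn": "MRN-00042", "dob": date(1920, 6, 15), "admit_date": date(2012, 3, 4),
    "diagnosis": "Type 2 diabetes",
    "note": "Pt called from 415-555-0100 on 3/4/2012; SSN 123-45-6789 on file.",
}
```

Run `deidentify(SAMPLE_RECORD, as_of=...)` and then `residual_leaks(...)` on the result before anything leaves the covered entity; the regex pass is a floor, not a ceiling, so free-text names still need a human or NLP review.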

HIPAA Subpoena Exceptions: § 164.512(f): disclosure of PHI to law enforcement; key concepts: investigational; cannot de-identify. § 164.512(e): disclosures for judicial and administrative proceedings; key concepts: notice to patient; must de-identify to the extent allowed by the subpoena 36

HIPAA Subpoena Exceptions: Law Enforcement. § 164.512(f): disclosure of PHI to law enforcement in six circumstances, one of which pertains to subpoenas. Core requirements: relevance and materiality to the investigation; cannot de-identify; request is reasonable in scope 37

HIPAA Subpoena Exceptions: Law Enforcement. Law enforcement official is a federal or state officer or employee of any agency who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law. 38

HIPAA Subpoena Exceptions: Law Enforcement. CE may disclose PHI in response to an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: 1. The information sought is relevant and material to a legitimate law enforcement inquiry; 2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and 3. De-identified information could not reasonably be used. 39

Hypothetical A: Medical Board of California. The MBC asks to see a hospital's patient records in connection with a complaint investigation (no subpoena). HIPAA: CE may disclose to a health oversight agency engaged in a licensure or disciplinary action 40

Hypothetical A: Medical Board of California. CMIA: PHI may be reviewed by a private or public body responsible for licensing or accrediting the provider of health care or health care service plan. 41

Hypothetical A: Medical Board of California. CMIA: However, no patient-identifying PHI may be removed from the premises except as expressly permitted or required elsewhere by law, and the agency may not further disclose it in a way that would violate CMIA. 42

Hypothetical A: Medical Board of California. Which is more protective? CMIA 43

Hypothetical B: Medical Board of California. The MBC subpoenas a hospital's patient records in connection with a complaint investigation. CMIA: hospital shall comply but must also provide notice to affected patients under Cal. Civ. Pro. § 1985.3. 44

Hypothetical B: Medical Board of California. If subpoenaed, HIPAA: CE may comply provided that: 1. The information sought is relevant and material to a legitimate law enforcement inquiry; 2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and 3. De-identified information could not reasonably be used. 45

Hypothetical B: Medical Board of California. Which is more protective? CMIA 46

Hypothetical C: Medical Board of California. The MBC requests a licensee's own patient records in connection with a complaint investigation or 805 report (no subpoena). E.g., Greg Abram's client situation. HIPAA: the provider may disclose to a health oversight agency engaged in a licensure or disciplinary action 47

Hypothetical C: Medical Board of California. CMIA: PHI may be reviewed by a private or public body responsible for licensing or accrediting the provider of health care or health care service plan, without removing patient-identifying PHI and without further disclosing it in a way that would violate CMIA (including in public documents, e.g., an Accusation) 48

Hypothetical C: Medical Board of California. Which is more protective? CMIA 49

Hypothetical C: Medical Board of California. MBC subpoenas licensee's PHI. HIPAA: provider may comply if: 1. The information sought is relevant and material to a legitimate law enforcement inquiry; 2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and 3. De-identified information could not reasonably be used. 50

Hypothetical C: Medical Board of California. MBC subpoenas licensee's PHI. CMIA: provider shall comply but must also provide notice to the affected patient (here, the licensee) under Cal. Civ. Pro. § 1985.3. 51

Hypothetical C: Medical Board of California. Which is more protective? CMIA 52

Hypothetical D: California Department of Public Health. The CDPH requests a hospital's patient records in connection with an immediate jeopardy accusation. Under HIPAA, the hospital may disclose to a health oversight agency engaged in a licensure or disciplinary action. Under CMIA, a hospital may allow a private or public body responsible for licensing or accreditation to review the information, but the body may not remove it 53

Hypothetical D: CDPH. Which is more protective? CMIA 54

Hypothetical E: California Department of Public Health. CDPH subpoenas a hospital's patient records in connection with an accusation against the hospital. The hospital shall comply (per CMIA) but must also provide notice to affected patients under Cal. Civ. Pro. § 1985.3 55

Hypothetical E: California Department of Public Health. HIPAA: hospital may comply provided that: 1. The information sought is relevant and material to a legitimate law enforcement inquiry; 2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and 3. De-identified information could not reasonably be used. 56

Hypothetical E: California Department of Public Health. Which is more protective? CMIA 57

Questions? 58

Contact Info: R. Gregory Cochran, MD, JD, Nossaman, LLP, 50 California Street, Ste. 3400, San Francisco, CA 94111, gcochran@nossaman.com, 415-438-7822 59