California Academy of Attorneys for Health Care Professionals, October 19-21, 2012
Government Subpoenas (and other Requests) and Health Privacy Considerations
R. Gregory Cochran, MD, JD

Overview
- Overview of HIPAA and California's Confidentiality of Medical Information Act (CMIA)
- Overview of government healthcare agencies that issue subpoenas
- When HIPAA and CMIA come into play
- How HIPAA and CMIA affect subpoena responses

Take Home
- CMIA trumps HIPAA re subpoena responses
- Err on de-identifying patients when responding
- Be sure to enter into a BAA with your health provider clients
- Be sure to enter into a HIPAA-compliant subcontractor agreement with your experts/consultants
Subpoena
- Court or administrative order that requires the provider to testify at a specific time

Subpoena Duces Tecum
- Requires the provider to produce documents or other items at a specified time and place

HIPAA
- Health Insurance Portability and Accountability Act of 1996
- protected health information (PHI): individually identifiable health information transmitted or maintained in any form or medium
- covered entity: a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form

CMIA
- California Confidentiality of Medical Information Act (1979) (Civ. Code § 56 et seq.)
- medical information: any individually identifiable information in possession of or derived from a health care provider, a health plan, or pharmaceutical company regarding a patient's medical history, mental or physical condition or treatment
- covered parties: a provider of health care, health care service plan, or contractor
HIPAA v. CMIA
- California health providers must meet obligations under both schemes
- Preemption: HIPAA governs unless state provisions are more stringent; more patient protection wins out
- HIPAA: business associate rules. Attorneys who use PHI that their provider clients give them in the course of the representation are BAs of their clients.
- HIPAA: minimum necessary rule
- HIPAA: CEs must give individuals advance notice about how they handle PHI
- HIPAA: CEs must obtain patient consent for use of PHI for treatment, payment and operations

HIPAA: Exceptions to Minimum Necessary Standard
- Disclosures to providers for treatment
- Disclosures to the individual/patient
- Uses & disclosures required by law
- Disclosures to DHHS/OCR for enforcement
- Uses and disclosures with authorization
HIPAA & CMIA: Penalties
- HIPAA: No private right of action under HIPAA
  - Cal. B&P § 17200?
  - ERISA
- CMIA: Patients may bring actions for violations of CA law: compensatory damages, punitive damages ($3,000), attorney fees ($1,000)

HIPAA v. CMIA: Penalties (cont'd)
- HIPAA: Knowingly disclosing, obtaining or using is a criminal offense; $100/violation, not exceeding $25,000/year (civil fine)
- CMIA: Any violation is a misdemeanor; negligent disclosure: up to $2,500/violation (civil fine)

HIPAA v. CMIA: Penalties (cont'd)
- HIPAA: Knowingly disclosing, obtaining or using (up to $50,000 and/or 1 year); false pretenses (up to $100,000 and/or 5 years)
- CMIA: Knowingly and willfully obtaining, disclosing or using (up to $25,000/violation)

HIPAA v. CMIA: Penalties (cont'd)
- HIPAA: For commercial or personal gain or malicious harm (up to $250,000 and/or 10 years)
- CMIA: For financial gain (up to $250,000 per violation and disgorgement)

HIPAA v. CMIA
- HIPAA: 120+ pages (1996)
- CMIA: ~12 pages (1979)
Examples of Agencies that May Seek PHI
- Medical Board of California (MBC): for physician investigations
- California Department of Public Health (CDPH): for facility licensing proceedings
- U.S. Department of Justice: for False Claims Act investigations

HIPAA Exceptions Scheme
Broad exception categories:
- Uses and disclosures for treatment, payment or operations (TPO)
- Authorization required
- Opportunity to object required (e.g., directories, individual's care)
- Opportunity to object not required (e.g., required by law; public health; abuse reporting; health oversight; judicial/admin; law enforcement; decedents; organ donation; research; etc.)

When Agencies Do Not Need Subpoenas to Obtain Medical Information (CMIA)
- Private or public bodies responsible for licensing or accreditation may review medical information on site, but may not remove or further disclose it
- Medical information may be disclosed when otherwise specifically authorized by law

When Agencies Do Not Need Subpoenas to Obtain PHI (HIPAA)
- Under HIPAA, a covered entity may disclose PHI to a health oversight agency for oversight activities (opportunity to object not required)
- health oversight agency: a federal or state agency (or person or entity acting under the agency's authority) authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is necessary
- health oversight agencies: Medical Board of California; Board of Registered Nursing; Department of Public Health; CMS
- oversight activities include: audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
  - the health care system;
  - government benefit programs for which health information is relevant to beneficiary eligibility;
  - entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
  - entities subject to civil rights laws for which health information is necessary for determining compliance.
HIPAA and Subpoenas: Overview
- A court order or subpoena signed by a judge requires no assurances or notification to the patient (presumption of privacy protection); the CE should strictly comply without disclosing more PHI than is ordered
- A subpoena or discovery request signed by an attorney requires either proof of notice to the patient (but no opportunity to object) or a qualified protective order

CMIA and Subpoenas: Overview
- CMIA also permits compliance with subpoenas, with no distinction as to signatories
- Cal. Code of Civil Procedure § 1985.3(b) requires the subpoenaing party to also serve the consumer whose records are sought, and notify them how to object
- If the individual objects (CCP § 1985.3): he/she must file papers with the court; if he/she is a party to the action, he/she may bring a motion to quash or modify the subpoena
- If the individual objects (CCP § 1985.3): any other consumer or nonparty may serve on the subpoenaing party a written objection that cites the specific grounds; the subpoenaing party may bring a motion under Section 1987.1 to enforce the subpoena, accompanied by a declaration showing a reasonable and good faith attempt at informal resolution of the dispute with the consumer
De-identified PHI
- No notice or consent required if patient information is de-identified
- PHI is de-identified when it does not identify an individual and there is no reasonable basis to believe that it can be used to identify an individual
- De-identified PHI is neither PHI nor subject to HIPAA's restrictions

How to De-identify PHI
- Remove any of the 18 identifiers (listed in 45 CFR 164.512) that are present (e.g., names, dates and SSNs), such that there is no reasonable basis to believe the information can be used to identify an individual; or
- Statistical method: an expert certifies that the risk is very small that the information could lead to identification
- CMIA does not discuss de-identification
- "Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, e-mail address, telephone number, social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity.
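The first de-identification method above (removing the enumerated identifiers until there is no reasonable basis for re-identification, commonly called the Safe Harbor method) is mechanical enough to script, and scripting it makes the "did we miss anything" check repeatable before records leave the provider. The Python script below is an added example written for this page; it is not code from the presentation or from the presenter's firm. It applies that method to a constructed, fictional patient record: direct identifiers are dropped, dates keep only the year, ages over 89 collapse to "90+" with the birth year withheld, ZIP codes keep three digits, and a free-text note is scrubbed by pattern. The field names, the regular expressions, the restricted ZIP prefix set and the sample data are all assumptions made for the example, not values from the presentation.

```python
"""Safe Harbor style de-identification of one patient record.

Added illustration, not code from the presentation. Field names,
regexes and sample data are assumptions made for this example.
"""
import re
from datetime import date

# Direct identifiers that must be removed outright (field names assumed).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "street", "city",
    "health_plan_id", "account_number", "license_number", "device_serial",
    "vehicle_id", "url", "ip_address",
}

# Patterns for identifiers that commonly leak into free-text notes.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE),
}

def generalize_zip(zip_code, restricted_prefixes=frozenset({"036", "059"})):
    """Keep only the first three ZIP digits. Prefixes covering 20,000
    people or fewer must collapse to 000; the restricted set here is a
    constructed placeholder, not the real census-derived list."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in restricted_prefixes else prefix

def generalize_date(value):
    """Dates tied to an individual keep only the year (ISO input assumed)."""
    return str(date.fromisoformat(value).year)

def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else age

def scrub_text(text):
    """Replace free-text identifier matches with a labelled token and
    return the scrubbed text plus the count of replacements by type."""
    counts = {}
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text, n = pattern.subn(f"[{label} REMOVED]", text)
        if n:
            counts[label] = n
    return text, counts

def deidentify(record):
    """Return a new record with identifiers removed or generalized."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob":
            # A birth year for someone over 89 reveals the age, so withhold it.
            out[key] = "withheld" if over_89 else generalize_date(value)
        elif key in ("admit_date", "discharge_date"):
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "note":
            out[key], _ = scrub_text(value)
        else:
            out[key] = value
    return out

def residual_identifiers(record):
    """Release check: any direct-identifier field still present, or any
    free-text pattern still matching, means the record is not de-identified."""
    leftovers = sorted(k for k in record if k in DIRECT_IDENTIFIER_FIELDS)
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    leftovers.append(f"{key}:{label}")
    return leftovers

# Constructed sample record for a fictional patient.
SAMPLE = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "000123",
    "dob": "1921-03-14",
    "age": 91,
    "zip": "94111",
    "state": "CA",
    "admit_date": "2012-10-19",
    "diagnosis": "I10",
    "note": "Pt Jane seen 10/19/2012, callback 415-555-0100, MRN 000123.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

Two caveats the script makes visible. The release check is pattern-based, so the first name left inside the note survives it; free-text notes need a human reviewer or a name-recognition pass before they are treated as de-identified, which is one reason the slides recommend erring on the side of de-identification rather than trusting a single mechanical step. And the last of the enumerated identifiers ("any other unique identifying number, characteristic or code") is a judgement call that no field list captures, which is the gap the expert/statistical method on the same slide is meant to close.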
HIPAA Subpoena Exceptions
- 164.512(f): disclosure of PHI to law enforcement. Key concepts: investigational; cannot de-identify
- 164.512(e): disclosures for judicial and administrative proceedings. Key concepts: notice to patient; must de-identify to the extent allowed by the subpoena

HIPAA Subpoena Exceptions: Law Enforcement
- 164.512(f): disclosure of PHI to law enforcement in six circumstances, one of which pertains to subpoenas. Core requirements: relevance and materiality to the investigation; cannot de-identify; request is reasonable in scope
- Law enforcement official: a federal or state officer or employee of any agency who is empowered by law to: (1) investigate or conduct an official inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
- CE may disclose PHI in response to an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
  1. The information sought is relevant and material to a legitimate law enforcement inquiry;
  2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
  3. De-identified information could not reasonably be used.
Hypothetical A: Medical Board of California
- The MBC asks to see a hospital's patient records in connection with a complaint investigation (no subpoena).
- HIPAA: CE may disclose to a health oversight agency engaged in a licensure or disciplinary action
- CMIA: PHI may be reviewed by a private or public body responsible for licensing or accrediting the provider of health care or health care service plan. However, no patient-identifying PHI may be removed from the premises except as expressly permitted or required elsewhere by law, and the agency may not further disclose it in a way that would violate CMIA.
- Which is more protective? CMIA

Hypothetical B: Medical Board of California
- The MBC subpoenas a hospital's patient records in connection with a complaint investigation.
- CMIA: hospital shall comply but must also provide notice to affected patients under Cal. Civ. Pro. § 1985.3.
- HIPAA: CE may comply provided that:
  1. The information sought is relevant and material to a legitimate law enforcement inquiry;
  2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
  3. De-identified information could not reasonably be used.
- Which is more protective? CMIA

Hypothetical C: Medical Board of California
- The MBC requests a licensee's own patient records in connection with a complaint investigation or 805 report (no subpoena). E.g., Greg Abram's client situation.
- HIPAA: the provider may disclose to a health oversight agency engaged in a licensure or disciplinary action
- CMIA: PHI may be reviewed by a private or public body responsible for licensing or accrediting the provider of health care or health care service plan, without removing patient-identifying PHI and without further disclosing it in a way that would violate CMIA (including in public documents, e.g., an Accusation)
- Which is more protective? CMIA
- MBC subpoenas licensee's PHI. HIPAA: provider may comply if:
  1. The information sought is relevant and material to a legitimate law enforcement inquiry;
  2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
  3. De-identified information could not reasonably be used.
- MBC subpoenas licensee's PHI. CMIA: provider shall comply but must also provide notice to the affected patient (here, the licensee) under Cal. Civ. Pro. § 1985.3.
- Which is more protective? CMIA
Hypothetical D: California Department of Public Health
- The CDPH requests a hospital's patient records in connection with an immediate jeopardy accusation.
- HIPAA: hospital may disclose to a health oversight agency engaged in a licensure or disciplinary action
- CMIA: a hospital may allow a private or public body responsible for licensing or accreditation to review information, but the body may not remove the information
- Which is more protective? CMIA

Hypothetical E: California Department of Public Health
- CDPH subpoenas a hospital's patient records in connection with an accusation against a hospital.
- CMIA: hospital shall comply but must also provide notice to affected patients under Cal. Civ. Pro. § 1985.3
- HIPAA: hospital may comply provided that:
  1. The information sought is relevant and material to a legitimate law enforcement inquiry;
  2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
  3. De-identified information could not reasonably be used.
- Which is more protective? CMIA
Questions?

Contact Info
R. Gregory Cochran, MD, JD
Nossaman, LLP
50 California Street, Ste. 3400
San Francisco, CA 94111
gcochran@nossaman.com
415-438-7822