
Health Care Financing and Business Planning
Seton Hall University School of Law
Anderman, Jason Mark

 
Jason Anderman          HIPAA and Health Privacy       Summer 2013
 
 
 
Contrary- a covered entity would find it impossible to comply with both the federal and the state requirement, or the provision of state law stands as an obstacle to the purposes of HIPAA.
 
More stringent- with respect to a use or disclosure, the state law prohibits or restricts a use or disclosure that HIPAA would permit, except where the disclosure is required by the Secretary (to check compliance) or is to the individual. State law is also more stringent when it gives the individual greater rights (access, amendment) or more information about uses and disclosures.
 
Class 2
 
Administrative Simplification (subtitle F)
Purpose- improve the Medicare and Medicaid programs, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.
Code set- a set of codes used for encoding data elements, such as tables of terms, medical concepts, diagnosis codes, or medical procedure codes.
Standard- a data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary with respect to that data element or transaction.
o   Standards apply to health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with a transaction.
o   Standards adopted shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.
o   The Secretary may adopt a different standard if it significantly reduces administrative costs.
The Secretary shall adopt standards for transactions, and data elements for such transactions, such as
o   Health care claims, enrollment in health plans, eligibility for a health plan, health care payment and remittance advice, first report of injury.
Security standards- the Secretary shall adopt security standards. They shall take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, the need to train people who have access to the information, the value of audit trails, and the needs of small and rural providers.
o   Health care clearinghouses that are part of a larger organization need policies and security procedures that isolate the clearinghouse's activities.
o   Each person who maintains or transmits health information must maintain reasonable and appropriate administrative, technical, and physical safeguards.
o   The Secretary needs procedures to maintain and modify code sets.
General Penalty (1320d-5)- EXAM
o   Civil money penalty for failure to comply with the requirements and standards (applies to business associates as well as covered entities).
o   Did not know: the person did not know, and by exercising reasonable diligence would not have known, that it violated the provision. The penalty is in 3(A).
§  $100 for each violation, but the total for all violations of an identical provision in a calendar year may not exceed $25,000.
§  The number of violations is multiplied by $100, capped at $25K per provision violated. So even if you think you are violating only one provision, you may actually be violating several, so the fines add up very fast and can reach hundreds of thousands.
§  The HITECH Act replaced the original single $100/$25,000 penalty with this tiered scheme, which is complex.
o   Reasonable cause: the violation was due to reasonable cause and not to willful neglect. The penalty is under 3(B).
§  Here you knew, or with reasonable diligence would have known, of the requirement and failed to comply, but the failure does not rise to willful neglect (class example: you did not want to spend the money).
§  Amount is $1,000 for each violation; the total for identical provisions in a calendar year may not exceed $100,000.
§  The penalty can be reduced if it is excessive relative to the compliance failure involved.
§  The Secretary shall formally investigate any complaint if a preliminary investigation indicates a possible violation due to willful neglect.
o   Willful neglect
§  If corrected, the amount is in 3(C); if not corrected, the penalty is under 3(D).
·         Under 3(C) the amount is $10,000 per violation, not to exceed $250,000.
·         Under 3(D) the amount is $50,000 per violation, not to exceed $1,500,000.
o   3(D) is willful neglect that you still did not correct.
§  To determine the amount of the penalty, the nature and extent of the violation and of the resulting harm are considered.
o   Ways to get out of the civil penalty- if the act is punishable as a criminal offense under 1320d-6, the civil penalty does not apply.
§  Another way out: if you violate HIPAA and correct it within 30 days (not available for willful neglect).
§  Or if HHS signs off, the 30-day period can be extended.
§  HHS is required under the omnibus rule to have a policy of not hammering you first; it tries to work with you, provides technical assistance, and helps you comply.
·         The penalty can be waived in whole or in part to the extent that payment would be excessive relative to the compliance failure involved- EXAM
§  If a complaint indicates possible willful neglect, HHS must investigate. If it confirms willful neglect, it must impose one of the tiered penalties. For this to apply the complaint must indicate possible willful neglect.
o   General- except as provided in subparagraph (B) (willful neglect), no penalty is imposed if the violation is corrected within 30 days beginning on the first day the person liable knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.
o   Assistance
§  If the person failed to comply because they were unable to comply, the Secretary may provide technical assistance during that period.
o   A state attorney general can bring a civil action on behalf of state residents and obtain damages (and injunctive relief).
o   Reduction of damages- the court can consider the same factors the Secretary considers to reduce damages (excessive relative to the compliance failure).
o   Notice to the Secretary- the state shall serve prior written notice on the Secretary, except where prior notice is not feasible. The Secretary has the right to intervene. The Secretary has first dibs: no state action may proceed while a federal action on the same violation is pending.
§  The action is brought in a U.S. District Court. Any state can go after you, but a state can only recover the $100-per-violation tier (capped at $25,000 per calendar year), not the larger tiers.
Offense (42 U.S.C. 1320d-6)- the serious criminal penalty, when you cannot use the tiered civil penalties.
o   A person who knowingly and in violation of this part
§  Uses or causes to be used a unique health identifier
§  Obtains individually identifiable health information relating to an individual
§  Discloses individually identifiable health information to another person
·         Penalty
o   Fined not more than $50,000, imprisoned not more than 1 year, or both
o   If committed under false pretenses, fined not more than $100,000, imprisoned not more than 5 years, or both
o   If committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, fined not more than $250,000, imprisoned not more than 10 years, or both
General effect (preemption, 1320d-7)- a HIPAA provision or standard supersedes any contrary provision of state law.
o   Exceptions: the contrary state law survives if the Secretary determines it is necessary to prevent fraud and abuse, to ensure appropriate state regulation of insurance and health plans, for state reporting on health care delivery or costs, or for other purposes; or if the state law relates to the privacy of individually identifiable health information and is more stringent.
o   Financial institutions- if an entity is involved in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care, this part does not apply to those payment-processing activities (1320d-8).
1320d-6- the specific criminal penalty for serious malfeasance: violate HIPAA this way and you can go to jail.
 
Notes:
Class overview
o   Review, statute and omnibus rule, contract review, game
o   Hybrid entity- start with corporate personhood: a corporation is a legal person with its own rights, like an individual.
o   For a hybrid, you have a health care component and a non-health-care component (e.g., a hospital with a restaurant inside it); the hospital may not share protected health information with the restaurant.
o   The HIPAA omnibus rule adds penalties and elaborates on others; it imposes requirements beyond those in the statute.
o   HIPAA overview- penalties fall under the statute and the omnibus rule (the compliance review). Focus on the statute and the highlighted page 503. HIPAA also has the privacy rule, and standards so that parties communicate more effectively.
Admin Simplification
o   Make it easier to transfer and communicate health information; if that occurs, it should be cheaper.
o   Applies to health plans, health care clearinghouses, and health care providers that transmit health information electronically.
§  Applies to standard transactions, and establishes what constitutes a transaction.
o   At the end, the statute said that if Congress did not enact privacy legislation within 3 years, HHS would promulgate privacy regulations on its own.
o   The HITECH Act has incentives to get health care providers to use certified EHRs (electronic health records), so everyone communicates better and the cost of health care goes down.
§  The incentives come with a lot of strings attached; they often make you do a lot to get them, and make you rely on third parties.
o   Want standards so everyone is talking the same way: privacy, transactions, security, penalties.
o   Omnibus Rule- it is 563 pages
§  It puts in a review process and seeks cooperation. HHS's mission is to get people to comply.
§  HHS can try to get compliance through informal means. If you do not comply, you have 30 days to raise affirmative defenses or ways to mitigate damages.
·         Ultimately if you do not act, you can be assessed monetary penalties.
·         Look at the compliance review section, pg 503, highlighted, under the HITECH Act.
·         This section is brand new under the omnibus rule.
Concepts of Contracts
Parties
o   Baseball example- like a box score: you have the names, addresses, date, and subject. Every contract starts out this way.
o   To start out, state what kind of agreement it is. We are doing a business associate agreement.
o   Business associate K
§  Preamble- this agreement is between the parties (the legal name of each entity), with their addresses, and the date (effective date)
§  What’s an enforceable promise?      
·         In K, crea

s
o   Make sure workstations are protected; monitor electronic media to make sure it is safe.
o   Make sure there are procedures to properly dispose of protected health information.
·         Organizational requirements
o   The CE and business associate K must meet certain requirements
§  The K says both will have technical safeguards to protect confidentiality, etc., and that any subcontractor who works on the information will implement safeguards to protect it
 
·         Permitted Uses and Disclosures 164.502
o   Permitted: to the individual; for treatment, payment, or health care operations; pursuant to an authorization; with an opportunity to agree or object; and other exceptions (not on exam).
o   Required disclosures:
§  To the individual when requested under 164.524 (access) or 164.528 (accounting of disclosures)
§  When required by the Secretary to investigate or determine whether the covered entity is in compliance with this subpart.
o   Authorization (164.508)
·         Must be in writing and contain the required core elements.
·         Consent under 164.506, by contrast, is optional and has no prescribed form, so it can be oral; recommend doing it in writing anyway.
o   Standard: minimum necessary
§  Must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
§  Does not apply to disclosures to or requests by a health care provider for treatment, to disclosures to the individual, to uses or disclosures under an authorization, or to disclosures to the Secretary or required by law.
o   De-identification: a CE may use PHI to create de-identified information, or disclose PHI to a business associate for that purpose; once de-identified it is no longer individually identifiable health information.
o   A CE can disclose PHI to a business associate, and the BA can create or receive it, only with satisfactory assurances (a BA contract) that the BA will appropriately safeguard the information.
o   Deceased individuals: must comply with
o   Minors
§  A parent who has authority to act on behalf of a minor must be treated as the minor's personal representative.
§  Exception: if the minor consents to the service and no other consent is required by law;
§  or the minor may lawfully obtain the health care service without the consent of a parent or guardian.
·         Uses and disclosures: organizational requirements 164.504
o   Summary health information- information that summarizes the claims history, claims expenses, or types of claims experienced by individuals in the plan, with identifiers removed.
o   The business associate K must establish the permitted and required uses and disclosures of PHI by the business associate.
§  The BA will not use or further disclose the information other than as permitted by the K or required by law, and will use appropriate safeguards.
o   Implementation specification: a group health plan may disclose PHI to the plan sponsor to carry out plan administration functions only if the plan documents are amended accordingly.
o   If a CE performs multiple covered functions, it must still comply with this subpart for each function.
·         Hybrids and affiliated entities
o   A hybrid is an organization with a health care component and a non-health-care component. Only the HC component provides health care. PHI cannot go over to the non-HC component.
§  The non-HC component is treated as a separate entity. Need to wall it off, and need a written authorization to disclose to it.
§  Safeguards- no access to PHI outside the HC component. Needs to be segregated. No outside disclosures.
o   Affiliated covered entity
§  Designation as one covered entity
§  Common ownership or control- you can have multiple covered entities and treat them as one
·         Since they are all under common ownership or control (one parent entity), they can designate themselves as a single covered entity
·         HHS says one of the CEs can be liable for the others in the affiliated group.
§  Designation must be documented
§  Jointly and severally liable (pp. 507-8 of the omnibus rule)
o   Key issue- analyze corporate personhood first
·         Uses and disclosures to carry out treatment, payment, or health care operations- 164.506
o   A CE can use or disclose PHI for these purposes
Can disclose if they get consent (consent wont be on