Drafting HIPAA Compliant Subpoenas & Discovery
Presented by: RACHEL B. RUBIN
Kansas Bar Association Annual Meeting
June 10, 2006
Rubin Law Firm, LLC
4601 College Blvd., Suite 280
Leawood, KS 66211
(913) 322-8950
[email protected]
www.rrubinlaw.com
Copyright 2006 Rubin Law Firm, LLC

Drafting HIPAA Compliant Subpoenas
HIPAA privacy regulations protect patient medical information.
“Protected Health Information” or “PHI”
Definition of PHI: Individually Identifiable Health Information that is transmitted by or maintained in electronic or any other form.

PROTECTED HEALTH INFORMATION
“Individually Identifiable Health Information” 45 CFR 160.103.
Very broad definition:
• Includes all types of medical information regarding an individual’s past, present or future physical or mental health or condition, the provision of health care, or payment for health care, that identifies the individual.

GENERAL RULE UNDER HIPAA:
– A Covered Entity CANNOT use or disclose PHI without obtaining a WRITTEN AUTHORIZATION from the patient.
– “Covered Entity” includes a health care provider (physician, dentist, hospital, ASC, etc.); health plan; or health care clearinghouse (e.g. a hospital/physician billing company).

EXCEPTIONS
• Primary Exception: treatment, payment or healthcare operations.
• Minimum Necessary Information: Disclose ONLY the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

OTHER EXCEPTIONS (45 CFR 164.512)
Additional exceptions allow Covered Entity to use or disclose PHI without written patient authorization:
• Required by law;
• Public health activities;
• Victims of abuse, neglect or domestic violence;
• Health oversight activities (e.g., Board of Healing Arts);
• Judicial or administrative proceedings;
• Law Enforcement purposes;
• Decedents;
• Organ, eye or tissue donation at death;
• Research purposes;
• To avert a serious threat to health or safety;
• Specialized government functions (e.g. military);
• Worker’s Compensation

Worker’s Compensation
• Worker’s Comp treatment records may not include all records you want.
– General treatment records are (or should be) maintained separately from Worker’s Comp treatment records.
– Should request specific authorization to obtain patient’s general treatment records.

OTHER EXCEPTIONS (45 CFR 164.512)
• Always check the regulations: the requirements to meet any of these exceptions are hyper-technical.

REQUEST FOR PHI PURSUANT TO SUBPOENA OR COURT ORDER
• HIPAA requires a Covered Entity to respond differently to a subpoena or discovery request, and an order of a court or administrative tribunal.
• Distinction between Subpoena (KSA 60-245 & 60-245a) & Court Order

PURSUANT TO COURT ORDER
• Covered Entities MUST DISCLOSE PHI if it receives a court order specifically ordering it to release an individual’s PHI.
• Covered Entity may only disclose the PHI that is expressly authorized under the court order, and not more.
• Court order should demonstrate to the Covered Entity that HIPAA was considered & that the patient had opportunity to be heard & object to disclosure.

PURSUANT TO SUBPOENA, DISCOVERY OR OTHER LAWFUL PROCESS
Under HIPAA, Covered Entities should NOT provide PHI based solely on receipt of a subpoena or discovery request. Additional requirements must be met:
1. Satisfactory assurance from the Requestor that reasonable efforts have been made to ensure that the patient has been given notice of the request; OR
2. Satisfactory assurance from the Requestor that a qualified protective order has been obtained.

ALTERNATIVE 1: NOTICE TO PATIENT
In addition to subpoena, Requestor must provide Covered Entity with written statement and documentation which demonstrates that:
– Good faith attempt to provide written notice to the individual;
– Notice included sufficient information to permit individual to raise objection in court; &
– Time for individual to raise objections in court has expired & no objections were filed; or all objections have been resolved by court.

ALTERNATIVE 2: QUALIFIED PROTECTIVE ORDER
Requestor must provide Covered Entity with written statement and documentation which demonstrates that:
– The parties to the request for information have agreed to a qualified protective order & have presented it to the court; or
– Requestor has sought a qualified protective order from the court.

DEFINITION OF “QUALIFIED PROTECTIVE ORDER”
45 CFR 164.512(e)(1)(v)
– Prohibits parties from using or disclosing the PHI for any other purpose;
– An order of a court or administrative tribunal, or a stipulation by the parties; and
– Requires return of PHI to Covered Entity or destruction of PHI, including all copies made, at end of litigation or proceeding.

HIPAA Enforcement
• Office for Civil Rights (Civil); DOJ (Criminal)
• Potential Civil & Criminal Penalties for Violations of HIPAA
– Civil Money Penalties
– Criminal sanctions for individuals/entities whose conduct is governed by HIPAA
– No private cause of action set forth in statute or regulations

Other Applicable Privacy Laws:
• Alcohol & Drug Abuse Treatment Records (42 U.S.C. 290dd; 42 U.S.C. 290ee; 42 C.F.R. 2.1 et seq.)
– Protects identity, diagnosis, prognosis or treatment of patient
• Participation in Medicare/Medicaid subjects a hospital or facility to this statute

Alcohol & Drug Abuse Treatment Records
• Such records may not be used in any civil, criminal, administrative or legislative proceedings conducted by federal, state or local authority.
• Disclosures limited to information necessary to carry out purpose of disclosure.
• Answer to request for disclosure may not reveal patient’s identity or whether they have sought treatment.

Alcohol & Drug Abuse Treatment Records
(See 42 U.S.C. 290dd-2(b) & 42 C.F.R. 2.31(a).)
• Disclosure is permitted with prior written consent of patient.
• Consent must contain certain elements:
– Name of program & patient; purpose of disclosure; type of information to be disclosed; signature of patient; expiration date.
– Regulations contain model written consent form. (42 CFR 2.31).
Similar to HIPAA, but different statutory scheme.
Protections continue regardless of individual’s status as patient.

Alcohol & Drug Abuse Treatment Records
(See 42 USC 290dd-2(b) & 42 CFR 2.61)
• Provision in statute for Court Order:
– Must show good cause, including need to avert substantial risk of death or serious bodily harm.
– Court to weigh public interest & need for disclosure against injury to patient, the physician-patient privilege, & treatment.
– Court must impose appropriate safeguards against unauthorized disclosure.

Alcohol & Drug Abuse Treatment Records
(See 42 U.S.C. 290dd-2(b) & 42 C.F.R. 2.31(a).)
• No preemption of state law, if state law more restrictive. (42 CFR 2.20).
• Criminal penalty for violation of statute:
– Not more than $500 for 1st offense; Not more than $5,000 for each subsequent offense. (42 CFR 2.4).
– Reports of violations made to U.S. Attorney where violation occurred.
– No private cause of action set forth in statute or regulations.

Other Applicable Privacy Laws
• No preemption of state law, so long as state law is more stringent, e.g. state has more protections for patient information. (See 45 CFR 160.201.)
HIV/AIDS STATUS UNDER KANSAS LAW:
– Confidential; no disclosure
– K.S.A. 65-6002 – no disclosure of HIV/AIDS status, upon subpoena or otherwise, unless patient consents in writing
– No provision in statute for Court Order to disclose HIV/AIDS status

Summary
Safest route for Covered Entity is to obtain patient’s written authorization to use or disclose patient’s PHI.
Subpoena for PHI by itself will not satisfy requirements under HIPAA; opens door to motion to quash.
Subpoena must be accompanied with written statement & supporting documentation that: 1) patient has been notified of request for PHI & has not objected to disclosure, OR 2) protective order has been obtained.
Attorney who wants PHI may need to obtain court order to ensure compliance by Covered Entity.

Summary
• Other state and federal privacy laws may also apply; HIPAA is NOT the end of inquiry
• Common law doctrines of privacy & confidentiality; breach of fiduciary duty;
• Potential violation of Healing Arts Act for “unprofessional conduct,” even if no private cause of action exists.