HIPAA Compliance During Litigation and Discovery
Safeguarding PHI and Avoiding Violations When Responding to Subpoenas and Discovery Requests

Presenting a live 90-minute webinar with interactive Q&A

THURSDAY, OCTOBER 16, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:
Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va.
Philip H. Lebowitz, Partner, Duane Morris, Philadelphia

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.




HIPAA Compliance During Litigation and Discovery

Thursday, October 16, 2014

1 – 2:30 p.m. (ET) | Noon – 1:30 p.m. (CT) | 10 – 11:30 a.m. (PT)

Presented by:

Nathan A. Kottkamp, McGuireWoods LLP

Philip H. Lebowitz, Duane Morris LLP

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

What Kind of Information is Protected?

Protected Health Information (PHI) is any information, including genetic information, whether oral or recorded in any form or medium, that:
• Is created or received by a health care provider, health plan, or health care clearinghouse; and
• Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Omnibus Final Rule

• On January 17, 2013, HHS released the Omnibus Final Rule (“Final Rule”) interpreting and implementing provisions of the HITECH Act
• Effective date: March 26, 2013
• Compliance date: September 23, 2013
• Revision date for certain existing business associate agreements: September 22, 2014

Core Elements of HIPAA—Unchanged

• The Privacy Rule – establishes individuals’ privacy rights and addresses the use and disclosure of protected health information (“PHI”) by covered entities and business associates

• The Security Rule – establishes requirements for protecting electronic PHI

• The Breach Notification Rule – requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI

• The Enforcement Rule – establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of PHI in violation of HIPAA

Key Changes to HIPAA Under Omnibus Final Rule

• Breach “risk of harm” standard replaced with more objective test
• Definition of “business associate” expanded to include entities that maintain or store PHI even if they do not view the PHI
• Subcontractors of business associates that use or disclose PHI are directly subject to HIPAA (regardless of if there is a BAA)
• Expansion of liability of business associates (and subcontractors, as applicable) under the Privacy Rule and the Security Rule
• Individuals have a right to obtain electronic copies of PHI upon request if the PHI is maintained electronically
• Individuals may restrict disclosures regarding treatment paid out-of-pocket, in full
• Notices of Privacy Practices must include additional information
• Easing of rules for PHI with respect to research, fundraising, and decedents
• Tightening of rules for marketing and sale of PHI
• GINA (Genetic Information Non-Disclosure Act of 2008) incorporated
• Enforcement rule expanded

What’s Next?

• MORE, MORE, MORE

  – Education
  – Policies
  – Monitoring
  – Documentation
  – Scrutiny
  – Enforcement

Primary Methods of Obtaining Medical Records Pursuant to HIPAA

• Patient request
  – 45 C.F.R. 164.502(a)(1)(i)
  – 45 C.F.R. 164.524
• Patient authorization of third party
  – 45 C.F.R. 164.502(a)(1)(iv)
  – 45 C.F.R. 164.508
• Subpoena or other discovery order
• Court or administrative order

Reminder: In all cases, must follow the more restrictive of HIPAA or applicable state law.

Patient Request for Medical Records

• Patients have the right to request copies of most medical records, whether in paper or electronic form
• Requestor must be patient, patient’s parent or guardian, or caregiver (with patient’s permission)
• Request must be made in writing
• Providers required to keep HIPAA records for six years (state law may require longer)
• In limited cases the provider may refuse the request (e.g., mentally ill patient at risk of self-harm)
• Potential more rigorous accounting of disclosures may be requested in future

Cignet Health of Prince George’s County

Cignet Health of Prince George’s County, MD-Landmark HIPAA Civil Monetary Penalty, February 4, 2011

• The first-ever civil money penalty of $4.3 million
• Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.
  – The HIPAA Privacy Rule requires that a Covered Entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.
  – The CMP for these violations is $1.3 million.
• Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.
  – Covered Entities are required under law to cooperate with the Department’s investigations.
  – The CMP for these violations is $3 million.

HIPAA and Litigation

• HIPAA permits disclosure for judicial or administrative proceedings
• In response to
  – A court order or order of an administrative tribunal
  – “a subpoena, discovery request, or other lawful process”
• Without court order, provider must receive “satisfactory assurance” that “reasonable efforts” have been made to
  – “ensure” that the affected patient has been given notice; or
  – Secure a “qualified protective order”
• Provider may disclose without court order by itself making reasonable efforts to provide notice to patient

Citation: 45 C.F.R. 164.512(e) (“Disclosures for Judicial and Administrative Proceedings”)

When patient is a party

• Patient is plaintiff and requests own records
• Patient and provider both parties
  – Patient has placed medical condition in question – waiver
  – Still may need and can obtain authorization for provider to use records

Patient is a party but provider is not

• Opposing party seeks patient’s medical records from non-party provider
  – Typically through subpoena
  – Provider should insist on patient authorization
  – If not, inform patient of subpoena and obligation to produce records if subpoena not quashed
  – Move to quash subpoena

HIPAA Authorization

• Describe information to be disclosed
• Who authorized to disclose
• Who authorized to receive
• Purpose of disclosure
• Expiration date or event
• Signed and dated by patient
• Must include statement re right to revoke, potential for disclosure by recipient

Statements Required for Effective Authorization

The patient must affirm knowledge of:
• The right to revoke the authorization
• No conditioning of care, payment, or coverage on the authorization
• The potential for redisclosure

Citation: 45 C.F.R. 164.508(c)(2)

When patient(s) not a party

• Most difficult case
• May arise in variety of contexts
  – Malpractice (records of all other patients who had this procedure)
  – Business torts (records of all patients who were told disparaging comments)
  – Contract claims (list of all patients treated in violation of non-competition agreement)
  – Records of others bitten by neighbor’s dog

Patient not a party

• If provider is a party
  – Request for Production of Documents from adverse party
  – Court Order
• If provider not a party
  – Subpoena
  – Court Order
• Could be seeking records of multiple patients

Qualified Protective Orders

Order of court or administrative tribunal OR stipulation that:
• No other disclosure or use for any purpose other than the litigation or proceeding for which the information was requested
• Return or destroy disclosed protected health information at the conclusion of the litigation or proceeding

Citation: 45 C.F.R. 164.512(e)(1)(ii)&(v)

“Satisfactory Assurance” regarding qualified protective order

• Provider must:
  – Written statement from requesting party and documentation demonstrating
    • Parties to dispute have agreed to a qualified protective order and have presented it to court OR
    • The requesting party has requested a qualified protective order from the court
      – Loophole? QPO is requested but not yet received. Best to get the order.
  – Make its own reasonable efforts to notify patient or seek qualified protective order

Preparing Draft Qualified Protective Orders

• Be narrow or expansive depending on purpose
• Define who may review or have access to documents
• Specify that documents be labeled “Confidential” or similar
  – If PHI is in electronic form, specify encryption requirement
• Include non-disclosure requirement
• Require Receiving Party to certify in writing the return or secure destruction at the conclusion of litigation of all proprietary information (including PHI)
• Seal the record

Subpoenas

Provider needs “satisfactory assurance” of:
• Written notice to the patient
• Information about the case sufficient for raising an objection
• Time period for objection elapses (follow state law or court rules)

Citation: 45 C.F.R. 164.512(e)(1)(ii)(A)&(e)(1)(iii)

“Satisfactory Assurance” regarding providing notice to patient

• Written statement from requesting party and documentation demonstrating
  – Requesting party made good faith attempt to provide written notice to patient
  – The notice included sufficient information to permit patient to object
  – The time for patient to raise objections

“Satisfactory Assurance” – How do you know?

• Provider must:
  – Receive satisfactory assurance from requesting party that reasonable efforts have been made to ensure that patient has been given notice of request
  – Make its own reasonable efforts to notify patient or seek qualified protective order

And then you wait…

• Patient must have time to object.
  – Timing not set forth in HIPAA
  – May be:
    • State statute
    • Court rules
    • Case law
• Provider must obtain confirmation that:
  – No objections filed OR
  – All objections resolved in favor of disclosure

Various Exceptions

• Workers’ compensation cases
  – HIPAA exception, see 45 C.F.R. 164.512(1)
• HIV/AIDS information
  – HIPAA silent but take note of applicable state law
• Mental health records
  – Redisclosure limitations
• Psychotherapy notes
  – Patient authorization required per 42 C.F.R. 165.508(a)(2)
• Patient Safety
  – 42 C.F.R. 164.524(a)(3)

Drug and Alcohol Treatment Records

• Super strict requirements
  – Patient’s Express Written Authorization
    • 42 C.F.R. 2.31
    • Name of program making disclosure
    • Name of recipient
    • Patient’s name
    • Purpose of disclosure
    • How much and what kind of information
    • Signature
    • Date
    • NOTE: Providers need to include redisclosure warning statement per 42 C.F.R. 2.32
  – Court order required after showing good cause
    • 42 U.S.C. 290dd-2 and 42 C.F.R. Part 2, Subpart E (2.61 et seq.)

American Psychological Association Position

• APA position statement for psychologists (2006)
• Only two options for disclosure of records:
  – Patient authorization
  – Court order
• Under this rule, subpoena is not enough
• This is an ethics rule, not a legal rule

HIPAA – Without Authorization

• “Required by law” (45 C.F.R. 164.512(a))
• Involving victims of abuse, neglect or domestic violence (45 C.F.R. 164.512(c))
• Law enforcement purposes (45 C.F.R. 164.512(f))
• NOTE: These disclosures must comply with and are limited by requirements of law

Court Orders

• Caution: Provider must release only the patient records or information “expressly authorized” by the court order

• Court order may be used to obtain additional protection

• Ability to review and redact portions not relevant to litigation

• Right to attend deposition and object to use of portions of medical records

• Notice and review of records to be filed with Court to permit objection or redaction

Appeals of Discovery Orders

• Federal Court only
• Perlman doctrine
  – Perlman v. U.S., 247 U.S. 7 (1918)
  – “a discovery order directed at a disinterested third party is treated as an immediately appealable because the third party presumably lacks a sufficient stake in the proceeding to risk contempt by refusing compliance”
  – Permits 3rd parties to litigation opportunity for appeal before producing PHI records

HIPAA Loopholes

• “Satisfactory assurance”
  – Not required to actually notify patient – just make good faith effort
  – Not required to obtain a qualified protective order – just have presented to or requested from court
• And what about disclosure to requesting party?

HIPAA Preemption

• HIPAA supersedes contrary provisions of state law
• BUT state law providing “more stringent” protection of privacy not preempted
  – Prohibits or restricts use or disclosure that would otherwise be permitted under HIPAA
  – Narrows scope or duration, increases privacy protections OR
  – Provides greater privacy protection

State Laws

• Physician-patient privilege
• Laws regarding confidentiality of medical records
• Patient’s Bill of Rights
• State constitutional law

Physician-Patient Privilege

• May vary by state
• Information acquired in attending the patient
  – Information communicated to physician by patient
  – Information gathered by physician through examination
• Communications are privileged (i.e., exempt) from discovery, even if HIPAA would permit
• Physician-patient privilege often applies to hospital

State Laws Regarding Confidentiality of Medical Records

• Independent regulatory duty of hospital to maintain the confidentiality of medical records
• Reports and records of health authorities
• HIV-related information
• Records of mental health facilities
• Drug and alcohol abuse records
• Applicable to particular facilities
  – Birth Centers
  – Home health care agencies
  – Long-term care facilities AND others

Patient’s Bill of Rights

• Adopted by individual states
• Patient has right to have records treated as confidential except as otherwise provided by law
• Person admitted to hospital has right to privacy and confidentiality of records pertaining to treatment except as otherwise provided by law
• Records not to be released without patient’s approval

Constitutional Right of Privacy

• Right of privacy of medical records
• Right “to be let alone”
• May be superseded by compelling state interest in information
  – Such as non-identifying information regarding donor of tainted blood

Serious Consequences

• Rost v. State Board of Psychology (1995)
• Psychologist subject to disciplinary action for releasing records per subpoena
• “At the time Rost released … records…, she did not seek the consent of her client, professional legal advice or the imprimatur of a judge”
• Compares privilege with code of ethics

Responding to Authorization or Subpoena

• Know state law requirements
• Confirm jurisdiction
  – State law applies to federal court subpoenas
  – Out-of-state subpoena may be honored under the Uniform Foreign Depositions Act – but check state law
• Be a stickler for the rules
• Follow the time requirements
  – These will be determined by state law
• Even when a request is proper, provide only the minimum necessary amount of information to satisfy the request or subpoena

Virginia’s “Magic” Language

NOTICE TO HEALTH CARE ENTITIES

A COPY OF THIS SUBPOENA DUCES TECUM HAS BEEN PROVIDED TO THE INDIVIDUAL WHOSE HEALTH RECORDS ARE BEING REQUESTED OR HIS COUNSEL. YOU OR THAT INDIVIDUAL HAS THE RIGHT TO FILE A MOTION TO QUASH (OBJECT TO) THE ATTACHED SUBPOENA. IF YOU ELECT TO FILE A MOTION TO QUASH, YOU MUST FILE THE MOTION WITHIN 15 DAYS OF THE DATE OF THIS SUBPOENA.

YOU MUST NOT RESPOND TO THIS SUBPOENA UNTIL YOU HAVE RECEIVED WRITTEN CERTIFICATION FROM THE PARTY ON WHOSE BEHALF THE SUBPOENA WAS ISSUED THAT THE TIME FOR FILING A MOTION TO QUASH HAS ELAPSED AND THAT:

NO MOTION TO QUASH WAS FILED; OR

ANY MOTION TO QUASH HAS BEEN RESOLVED BY THE COURT OR THE ADMINISTRATIVE AGENCY AND THE DISCLOSURES SOUGHT ARE CONSISTENT WITH SUCH RESOLUTION.

IF YOU RECEIVE NOTICE THAT THE INDIVIDUAL WHOSE HEALTH RECORDS ARE BEING REQUESTED HAS FILED A MOTION TO QUASH THIS SUBPOENA, OR IF YOU FILE A MOTION TO QUASH THIS SUBPOENA, YOU MUST SEND THE HEALTH RECORDS ONLY TO THE CLERK OF THE COURT OR ADMINISTRATIVE AGENCY THAT ISSUED THE SUBPOENA OR IN WHICH THE ACTION IS PENDING AS SHOWN ON THE SUBPOENA USING THE FOLLOWING PROCEDURE:

PLACE THE HEALTH RECORDS IN A SEALED ENVELOPE AND ATTACH TO THE SEALED ENVELOPE A COVER LETTER TO THE CLERK OF COURT OR ADMINISTRATIVE AGENCY WHICH STATES THAT CONFIDENTIAL HEALTH RECORDS ARE ENCLOSED AND ARE TO BE HELD UNDER SEAL PENDING A RULING ON THE MOTION TO QUASH THE SUBPOENA. THE SEALED ENVELOPE AND THE COVER LETTER SHALL BE PLACED IN AN OUTER ENVELOPE OR PACKAGE FOR TRANSMITTAL TO THE COURT OR ADMINISTRATIVE AGENCY.

Citation: Va. Code 32.1-127.1:03

Tips

• Know your state statutes and local rules, and follow the more restrictive rule
• Careful drafting is crucial
• HIPAA requires minimum necessary disclosure
• Do not have paralegal sign requests or other subpoena documents
• Do not allow Business Associates to respond to subpoenas without at least providing notice
  – Ensure your Business Associate Agreement contains appropriate language regarding the process to be followed when they receive a subpoena or Court Order

E-Government Act of 2002

• Pleadings and court documents are going online
• Remove “personal identifiers” such as:
  – Social security numbers
  – Financial account numbers
  – Dates of birth
  – Names of minor children
• Check local rules for standards and compliance dates

Citation: 42 U.S.C. 3500 et seq.

Local Court Rules

• Be careful of local court rules about e-filings

When HIPAA Does NOT Apply

• When PHI is received as a result of an authorization or subpoena
• But . . .
  – State law may apply
  – Common law liability principles may apply
  – Professional ethics rules may apply