AROC 2015 HIPAA PRIVACY AND SECURITY RULES
Presented by: Robert A. Paster, Esq.
Brach Eichler L.L.C.
101 Eisenhower Parkway
Roseland, NJ 07068
973-403-3144
rpaster@bracheichler.com
www.bracheichler.com

PART I: BACKGROUND
Health Insurance Portability & Accountability Act
- Enacted by Congress and signed by Pres. Clinton in 1996
- Title I protects health insurance coverage for workers and their families when they change jobs
- Title II, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers

Health Insurance Portability & Accountability Act: Administrative Simplification Provisions
- Address privacy and security of health data
- Intended to improve the efficiency and effectiveness of our health care system by encouraging the widespread use of electronic data interchange

Key Dates
- 8/21/1996: HIPAA enacted into law
- 11/3/1999: HHS published Notice of Proposed Rulemaking for Privacy Rule
- 12/28/2000: Privacy Final Rule published
- 8/14/2002: Final modifications to Privacy Rule published
- 2/20/2003: Security Standards published
- 4/14/2003: Privacy compliance deadline
- 4/21/2005: Security compliance deadline
- 2/17/2009: Health Information Technology for Economic and Clinical Health (HITECH) Act enacted; modified certain provisions of the SSA related to the HIPAA Rules
- 10/30/2009: Interim Final Rule published
- 1/25/2013: HIPAA Omnibus Rule published
- 9/23/2013: Compliance deadline for HIPAA Omnibus Rule
APPLICABILITY & OVERVIEW
Privacy Rule
- Applies to Covered Entities
- Many, not all, provisions apply to Business Associates
- Regulates the use and disclosure of Protected Health Information, or PHI, held by Covered Entities and their Business Associates
Security Rule
- Applies to Covered Entities and Business Associates
- Complements the Privacy Rule
- Requires administrative, physical and technical safeguards for electronic PHI, or e-PHI (PHI stored in electronic media or transmitted in electronic format)

HIPAA Covered Entities (CEs)
- Health Plans
- Health Care Clearinghouses
- Providers, if they engage in electronic transactions
HIPAA Business Associates (BAs)
Expanded definition under Omnibus Rule. A BA is a person or entity that:
- On behalf of a CE or of an organized health care arrangement (OHCA), other than in the capacity of a member of the CE's workforce, creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy Rule, including claims processing or administration, data analysis, processing, or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management and repricing
- Provides, other than in the capacity of a member of the CE's workforce, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the CE, or to an OHCA in which the CE participates

Business Associates Under the Omnibus Rule
Ask the question: Is the person or company the covered entity is engaging creating, receiving, maintaining or transmitting PHI in order to provide the service for which it is engaged?

Business Associates Under the Omnibus Rule
Common examples of BAs:
- Billing companies
- Management and consulting companies
- Audit companies
- Lawyers, accountants, consultants
Note: Your cleaning service is not a BA!
Point: Your cleaning service does not create, receive, maintain or transmit PHI in order to clean your offices.
PART II: PREEMPTION, ENFORCEMENT & PENALTIES

PREEMPTION: FEDERAL HIPAA v. STATE LAW
Generally speaking: If any standard, requirement or implementation specification adopted under HIPAA is contrary to state law, HIPAA will control and preempt (or supersede) the state law provision.
"Contrary" means:
- the CE or BA would find it impossible to comply with both the federal and state requirement, or
- the state law impedes the purposes and objectives of health information privacy
If a state law is more stringent, the state law will control.

ENFORCEMENT
Right to complain: Individuals have the right to complain to the OCR
- OCR will investigate any complaint when a review of the facts indicates a possible violation due to willful neglect
- OCR may investigate any other complaints
- OCR will conduct compliance reviews when a preliminary review of the facts indicates a possible violation due to willful neglect
- OCR may conduct compliance reviews to determine compliance in any other circumstance

Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply with the HIPAA provision violated

ENHANCED PENALTIES AND ENFORCEMENT UNDER HITECH
Tiered Penalty Structure

Violation Type                   Each Violation       Repeat Same/Yr (cap)
Did Not Know                     $100 - $50,000       $1,500,000
Reasonable Cause                 $1,000 - $50,000     $1,500,000
Willful Neglect, Corrected       $10,000 - $50,000    $1,500,000
Willful Neglect, Not Corrected   $50,000              $1,500,000
PART III: HIPAA PRIVACY RULE

Information Covered by Privacy Rule
Protected Health Information (PHI): individually identifiable information in all forms: electronic, written, oral
Information is individually identifiable if:
- It identifies the individual or offers a reasonable basis for identification
- It is created or received by a CE or an employer, AND
- It relates to the past, present, or future physical or mental condition, the provision of health care, or the payment for health care
De-identified information is not PHI

Minimum Necessary Standard
The Privacy Rule contains minimum necessary standards related to the collection, maintenance, access, use and disclosure of PHI.
Minimum Necessary Standard: A CE must make reasonable efforts to limit its uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.
Standard also applies to BAs.

Exceptions to Minimum Necessary Standard
- Disclosures for treatment
- Most uses and disclosures made to the individual
- Disclosures pursuant to valid authorization
- Uses and disclosures required by law
- Disclosures made to the Secretary of the DHHS
- Uses and disclosures required for compliance with HIPAA

Permitted Disclosures of PHI
Incidental uses and disclosures: uses and disclosures that cannot reasonably be prevented, are limited in nature, and occur as a by-product of a use or disclosure otherwise permitted under the rule
- e.g., calling a patient's name in the waiting room; sign-in sheets; office discussions
- Incidental uses and disclosures are permitted only to the extent that the CE or BA has applied reasonable safeguards, including the minimum necessary standard
Permitted Disclosures of PHI
Treatment, Payment & Health Care Operations (TPO)
- CEs may use or disclose PHI for TPO
- CE may obtain consent of the individual to use or disclose PHI to carry out TPO:
  - For the CE's own TPO
  - For the TPO of another CE with a relationship to the individual, so long as the recipient is that CE
  - For purposes of health care operations between CEs participating in a group health plan or other joint arrangement, including an organized health care arrangement
- Best practice: Have patients sign a general consent for TPO disclosures (as part of the registration process)

Exceptions to Permitted Disclosures of PHI
Need patient authorization to release:
- Genetic information
- PHI received from a federally-funded drug and alcohol treatment program
- Psychotherapy notes
- HIV/AIDS information
  - may release for treatment of the individual
  - may release for other limited reasons under the AIDS Assistance Act
- PHI for marketing purposes
- PHI for sale

Other Permitted Disclosures
Uses and disclosures permitted by regulation without authorization:
- Uses and disclosures required by law
- Uses and disclosures for public health activities
- Disclosures about victims of abuse, neglect or domestic violence
- Disclosures for judicial and administrative proceedings
- Disclosures for law enforcement purposes
- Uses and disclosures for cadaveric organ, eye and tissue donation
- Uses and disclosures for research purposes
- Uses and disclosures to avert a serious threat to health or safety
- Uses and disclosures for specialized government functions
- Disclosures for Workers' Compensation

USES AND DISCLOSURES REQUIRING OPPORTUNITY TO AGREE OR OBJECT
- CE may disclose to a relative or close personal friend of the individual, or any other person identified by the individual, PHI directly related to such person's involvement with the individual's care or related payment
- CE may also disclose to such persons the individual's PHI regarding the individual's location, general condition or death
- If the individual is present, CE may only use or disclose with the individual's agreement (or if it can infer from the circumstances that it may disclose)
- If the individual is not present, or cannot agree or object due to incapacity or emergency circumstances, CE may determine whether disclosure is in the individual's best interests
Patient Authorization
Written patient authorization must contain:
- a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
- the name or other specific identification of the person(s), or class of persons, to whom the CE may make the requested use or disclosure
- a description of each purpose of the requested use or disclosure ("at the request of the individual" is sufficient)
- an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
- signature of the individual (or authorized representative) and date (and authority of the authorized rep, e.g., guardian)

Patient Authorization
Must also contain statements:
- adequate to put the individual on notice that he/she may revoke the authorization (and the circumstances when it cannot be revoked)
- describing when the CE may condition treatment or payment on the receipt of an authorization
- alerting the individual of the potential for information to be subject to re-disclosure by the recipient

Individual Rights: Notice of Privacy Practices
- CE must provide patients with the CE's Notice of Privacy Practices
  - must provide no later than the same date on which health care services are first provided to the individual
  - must post the notice in a clear and prominent location at the CE, and make it available upon request
  - if the CE has a website, must post on the website

Individual Rights: Notice of Privacy Practices
Omnibus Rule: CE must update/revise its NPP to:
- include a description of the types of uses and disclosures that require an authorization
- explain that the individual may opt out of fundraising communications
- explain that the CE must notify individuals of a breach of their unsecured PHI
Individual Rights: Requesting Restrictions on Uses and Disclosures
General Rule: CE does not have to agree if an individual requests restrictions relating to a use or disclosure of his/her PHI that is otherwise allowed under HIPAA
Omnibus Rule Exception: CE must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if:
- the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, AND
- the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the CE in full

Individual Rights: Confidential Communications for PHI
CE must ensure individuals can receive communications regarding their PHI in a manner and location that they feel is safe from unauthorized disclosure
- e.g., whether or not the patient will accept voice mail messages; sending PHI to an alternate address, etc.

Individual Rights: Right to Inspect and Get Copies of PHI
General Rule: With some exceptions, an individual has a right of access to inspect and obtain a copy of his/her PHI
Omnibus Rule Changes:
- If the PHI is maintained electronically and the individual requests an electronic copy, the CE must provide the PHI in the electronic form and format requested by the individual, if it is readily producible (or, if not, in a readable electronic format as agreed by the CE and individual)
- If an individual's request for access directs the CE to send the copy of PHI to another person designated by the individual, the CE must do so
  - the request must be in writing, signed by the individual, and include the address

Individual Rights: Requests for Amendment to PHI
General Rule: An individual has a right to request the CE to amend PHI about the individual
Denial: CE may deny the request if it determines that the PHI:
- is accurate and complete as stated in the CE's record
- would not otherwise be made available to the individual for inspecting and copying
- was not created by the CE, unless the individual provides a reasonable basis to believe the originator is no longer available to act on the request for amendment

Individual Rights: Requests for Accounting of Disclosures of PHI
General Rule: Individual has the right to request an accounting of disclosures made by the CE; this includes disclosures by BAs
Exceptions: The CE need not account for:
- Disclosures made for TPO
- Disclosures to the individual
- Disclosures made pursuant to valid authorization
- Disclosures to responsible individuals to notify of location, condition or death
- Disclosures for national security or intelligence purposes
- Disclosures to correctional facilities and law enforcement

Individual Rights: Privacy Complaints
- Individuals must be given information about their right to complain (contained in the Notice of Privacy Practices)
- Individuals may complain to the CE or to the Secretary of DHHS if they believe their privacy rights have been violated
Omnibus Rule: Changes to Individual Rights
Limits on Fundraising
A CE may use, or disclose to its BA or to an institutionally-related foundation, certain PHI for fundraising for its own benefit, without authorization:
- demographic information, including name, address, other contact information, age, gender, date of birth
- dates of health care provided to an individual
- department of service information, treating physician, outcome information, health insurance status

Omnibus Rule: Changes to Individual Rights, Etc.
Limits on Fundraising
- CE must include in its NPP information about disclosures for fundraising purposes
- With each fundraising communication, the CE must provide the individual with a clear and conspicuous opportunity to elect an opt-out for future fundraising communications
- The method for opting out must not be burdensome
- The CE may also include information about how to opt back in
- CE may not condition treatment or payment on the individual's choice with respect to fundraising communications

Omnibus Rule: Changes to Individual Rights, Etc.
Limits on Marketing
CEs must obtain a written authorization from the individual for any use or disclosure of PHI for marketing purposes, except if the communication is in the form of:
- A face-to-face communication by the CE to the individual
- A promotional gift of nominal value provided by the CE
Marketing defined: To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service

Omnibus Rule: Changes to Individual Rights, Etc.
Limits on Marketing
Marketing does not include a communication made:
- To provide refill reminders or otherwise communicate about a drug or biologic currently being prescribed, if the remuneration received is reasonably related to the CE's cost of making the communication
- For treatment and health care operations, if the CE does not receive financial remuneration in exchange for making the communication
  - e.g., for treatment of the individual by a health care provider, including case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual
  - for case management or care coordination, contacting individuals with information about treatment alternatives

Omnibus Rule: Changes to Individual Rights, Etc.
Sale of PHI
- CE (or BA on behalf of CE) must obtain authorization for any disclosure of PHI that constitutes a sale
- The authorization must indicate that the CE will receive remuneration

Omnibus Rule: Changes to Individual Rights, Etc.
Sale of PHI does not include disclosure of PHI:
- for public health purposes
- for research purposes
- for treatment and payment purposes
- for the sale, transfer, merger, etc. of the CE's business, including due diligence activities
- to or by a BA pursuant to its BA agreement
- to an individual
- required by law
- as otherwise allowed under HIPAA
Omnibus Rule: Changes to Individual Rights, Etc.
Decedents
- The Omnibus Rule amends the definition of PHI to exclude individually identifiable information regarding a person who has been deceased for more than 50 years
- The Omnibus Rule allows CEs to disclose information about a decedent to a family member, other relative, or a close personal friend of the individual, who was involved in the individual's care prior to death, if the information is relevant to that person's involvement and disclosure is not inconsistent with the prior written preferences of the individual

Omnibus Rule: Changes to Individual Rights, Etc.
Compound Authorizations and Research
General Rule: An authorization for use or disclosure of PHI may not be combined with any other document to create a compound authorization
Exception: An authorization for the use or disclosure of PHI for a research study may now be combined with any other type of written permission for the same or another research study; this includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research

Omnibus Rule: Changes to Individual Rights, Etc.
Immunization Records
CEs may disclose PHI to a school about a student or prospective student, if:
- the PHI disclosed is limited to proof of immunization
- the school is required by State or other law to have such proof of immunization prior to admitting the student
- the CE obtains and documents the agreement to the disclosure from either the parent (if the student is a minor) or the adult student

Omnibus Rule: Changes to Individual Rights, Etc.
Changes Related to GINA
The Omnibus Rule prohibits most health plans from using or disclosing genetic information for underwriting purposes
Business Associates: Omnibus Rule
Security Rule and select provisions of the Privacy Rule now extend directly to:
- Business Associates
- Subcontractors of Business Associates
- Subcontractors of Subcontractors
- And so on.
Chain of trust upstream and downstream: almost infinite liability

Business Associates Under the Omnibus Rule
- Covered Entities cannot disclose PHI to a Business Associate without a written agreement in place
- BAs must enter into Business Associate Agreements with their Subcontractors
  - Subcontractor: a person or entity to whom a BA delegates a function, activity or service, other than in the capacity of a member of the workforce of such BA
- Subcontractors must enter into Business Associate Agreements with their Subcontractors

BAA Contractual Requirements
BAs are required to comply with the Security Rule and parts of the Privacy Rule
Required elements in BA Agreements:
- BA must comply with the Security Rule requirements regarding e-PHI
- BA must comply with the minimum necessary standard
- BA must report to the CE any breaches of unsecured PHI, plus any use or disclosure of PHI in violation of HIPAA
- If the BA will carry out functions of the CE (e.g., providing access or copies of PHI to the individual), the BA must perform these functions in accordance with HIPAA
- Subcontractor agreements must contain the same restrictions as the BAA

Safeguarding PHI
- Privacy and Workstation Use Policy: CE/BA must develop protocols for safeguarding PHI kept in workstations
- Privacy and Telephone Use Policy: CE/BA must develop protocols for safeguarding PHI when making disclosures over the telephone
- Computer Use Policy: CE/BA must develop protocols for acceptable computer use by workforce members
- Facsimile Policy: CE/BA must develop protocols for safeguarding PHI when sending and receiving health information via facsimile
PART IV: HIPAA SECURITY RULE

Security Rule
The Security Rule requires CEs and BAs to have in place safeguards for protecting e-PHI to:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
- Identify and protect against reasonably anticipated threats to the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce

Security Rule
- Confidentiality means that e-PHI is not available or disclosed to unauthorized persons
- Integrity means that e-PHI is not altered or destroyed in an unauthorized manner
- Availability means that e-PHI is accessible and usable on demand by an authorized person

Security Rule: Flexibility of Approach
The Rule is intended to be flexible and scalable so each CE and BA can implement policies, procedures and technologies that are appropriate for the entity's particular size, organizational structure and risks to PHI
Each CE and BA must consider:
- Its size, complexity and capabilities
- Its technical, hardware and software infrastructure
- The costs of security measures
- The likelihood and possible impact of potential risks to e-PHI
CEs and BAs must review and modify their security measures to continue protecting e-PHI in a changing environment

Security Rule: Standards vs. Specifications
Standards
- CEs and BAs must comply with every Security Rule Standard
Implementation Specifications ("the nuts and bolts")
- Required: must be implemented
- Addressable: does not mean optional; the CE or BA must determine whether the specification is reasonable and appropriate for it
  - If it is not, the Security Rule allows the CE or BA to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate
  - If an implementation specification is not reasonable and appropriate in light of the CE/BA's security framework, and there is no reasonable alternative, don't adopt it
  - Document the decision
Security Rule: Administrative Safeguards
Security Management Process
CE/BA must perform a risk analysis process, to include at least the following activities:
- evaluate the likelihood and impact of potential risks to e-PHI
- implement appropriate security measures to address the risks identified in the risk analysis
- document the chosen security measures and, where required, the rationale for adopting those measures
- maintain continuous, reasonable and appropriate security measures

Security Rule: Administrative Safeguards
Security Management Process
- Risk management: security measures to reduce risk
- Sanction Policy: address failure to comply with policy
- Information System Activity Review: e.g., audit logs, access reports, security incident tracking
Assigned Security Responsibility
- Identify the security official responsible for developing and implementing policies and procedures
Workforce Security
- Implement measures to ensure members of the workforce have appropriate access to e-PHI; prevent those who should not have access from gaining access (role-based access)

Security Rule: Administrative Safeguards
Workforce Training and Management
- Workforce members must be granted appropriate authorization and must be appropriately supervised
- CE/BA must train workforce members
Security Incident Procedures
- CE/BA must implement policies to address security incidents
Contingency Plan
- CE/BA must have backup plans in the event of an emergency/disaster
Evaluation
- CE/BA must perform periodic assessment of security policies and procedures

Security Rule: Physical Safeguards
Facility Access and Control
- CE/BA must implement policies and procedures to limit physical access to its facilities while ensuring that authorized access is allowed
Workstation and Device Security
- CE/BA must implement policies and procedures to specify proper use of and access to workstations and electronic media and devices
- Must also have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media or devices, to ensure appropriate protection of e-PHI

Security Rule: Technical Safeguards
Access Control
- CE/BA must implement technical policies and procedures that allow only authorized persons to access e-PHI
Audit Control
- CE/BA must implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI

Security Rule: Technical Safeguards
Integrity Controls
- CE/BA must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed, and to confirm the same
Person or Entity Authentication
- CE/BA must implement procedures to verify that the person or entity seeking access to e-PHI is the one claimed
Transmission Security
- CE/BA must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network
PART V: HIPAA BREACHES

Breach
Breach of unsecured PHI: the acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI
Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of DHHS
DHHS Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

DEFINITION OF BREACH EXCLUDES
- Unintentional acquisition or use of PHI by a workforce member when made in good faith, and no further use or disclosure is made
- Inadvertent disclosure by an authorized person to another authorized person, and no further use or disclosure is made
- A disclosure of PHI where the CE or the BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information

DISCOVERY OF A BREACH
- A breach is deemed discovered by the CE as of the first day on which the breach is known to the CE/BA, or, by exercising reasonable diligence, would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the CE/BA
- BAs must report breaches to the CE
- CE is responsible for breaches by its agents

INVESTIGATION
- Upon discovery of a breach, the HIPAA Privacy Officer must initiate and/or oversee an investigation
- Governing body or upper management may need to become involved, depending upon the size of the organization, governance structure, etc., and the nature and extent of the PHI and breach involved

RISK ASSESSMENT
- Any impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach, unless the CE can, through a risk assessment, demonstrate that there is a low probability that the PHI has been compromised
- Omnibus Rule does not define "compromise"
- Must utilize the four-factor test: must analyze all four factors; may analyze additional factors
RISK ASSESSMENT FACTOR #1
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

RISK ASSESSMENT FACTOR #2
The unauthorized person who used the PHI or to whom the disclosure was made

RISK ASSESSMENT FACTOR #3
Whether the PHI was actually acquired or viewed

RISK ASSESSMENT FACTOR #4
The extent to which the risk to the PHI has been mitigated

RESULTS OF RISK ASSESSMENT
- Must be documented
- If, after the risk analysis, the CE determines there is a low risk that the PHI has been compromised, then no notification to the individual(s) is required
  - BA assists the CE in the investigation and determination
- Otherwise, the CE must notify the affected individuals of the breach

BREACH NOTIFICATION
- Notice to affected individuals must be made without unreasonable delay, but in no case later than sixty (60) calendar days after the discovery
- Caveat: If law enforcement officials inform the CE that notice to the affected individuals will impede a criminal investigation or cause damage to national security, the CE must delay

BREACH NOTIFICATION
Additional Notices
- To the media, if a single breach event affects > 500 residents of the same state or jurisdiction (without unreasonable delay, but no later than 60 calendar days from discovery)
- To the Secretary of DHHS:
  - if a single breach event affects 500 or more individuals, regardless of the state or jurisdiction (without unreasonable delay, but no later than 60 days from discovery)
  - if a single breach event affects < 500 individuals, on an annual basis (within 60 days of the end of the calendar year)
- CE must maintain a breach log

BREACH: NOT IF, BUT WHEN
In the words of Leon Rodriguez, the former Director of the Office of Civil Rights in the DHHS:
"Breaches and enforcement by the OCR is a little like middle school math. You must show your work. It's all about the process."
BREACH HYPOTHETICAL #1
A medical provider mails a patient's written record to the patient. The patient's name is clearly on the envelope, and the envelope is sealed. However, the address is an old address for the patient. The recipient at the address calls the provider and states that she received the mail intended for the other individual, that she opened it and saw it was not for her and who it was from, and thereafter discarded the mail. She states she is just calling to let the provider know of the error.

BREACH HYPOTHETICAL #2
A medical provider mails a CD containing patient information. The envelope is addressed to Jane Doe at her proper address, and includes the provider's return address on the outside of the envelope. Jane stops home during her lunch break one day, and receives the mail. When Jane opens the envelope and pulls out the CD, the label on the CD says "Patient John Smith." There is nothing else in the envelope. Jane immediately drives to the provider on her way back to work and hands the CD to the front desk personnel. She states she just received it, noted it was not intended for her, and is returning it to the provider.

BREACH HYPOTHETICAL #3
A physician carries a laptop computer, which is password protected and contains PHI of more than 500 patients, from one office location to another office location. The encrypted PHI includes names, dates of birth, Social Security numbers, patient ID numbers, dates of service, descriptions of services and other related information. The physician normally keeps the laptop in the trunk of the car when she is not using it, so as to safeguard the computer and the information in it. However, one day she is careless and leaves it on the passenger seat and forgets to lock the car when running an errand. When she returns to the car, the laptop is missing.
PART VI: Disclosures Required by Law

Release of PHI when Required by Law
- CE/BA may release PHI as required by law
  - "Required by law": a mandate contained in law that compels the CE/BA to make a use or disclosure of PHI and that is enforceable in a court of law
  - Includes court orders and subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information
- The release of information pursuant to such order, subpoena or summons must be limited to, and only in compliance with, the exact requirements contained in such document

Release of PHI when Required by Law
Administrative Request (administrative agency subpoena or summons, civil demand or similar process)
May release the requested records, provided that:
- the information sought is relevant and material to a legitimate law enforcement inquiry
- the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought
- de-identified information could not reasonably be used

Subpoena v. Court Order
- A subpoena or discovery request issued/signed by someone other than a judge, such as a court clerk or an attorney in litigation, is different from a court order
- CE/BA may disclose information to a party issuing a subpoena only if the HIPAA notification requirements are met
- Often best to seek legal counsel before releasing records or information

Disclaimer: This presentation and outline are designed to provide accurate and authoritative information regarding the subject matter covered. This presentation and outline should not be construed as legal advice or as pertaining to specific, factual situations. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

QUESTIONS