Slide1
HIPAA
Health Insurance Portability and Accountability Act’s Privacy Rule

Slide2
What is the Privacy Rule?
The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) governs the use and disclosure of individuals’ health information (referred to as “protected health information” or “PHI”) by “covered entities.”
Reference: 45 C.F.R. 164.104(a)(1)-(3) (2012).

Slide3
HIPAA Provides Guidance
The HIPAA Privacy Rule provides guidance on:
• What information needs to be protected (PHI)
• Who must protect PHI (covered entities, business associates)
• Responsibilities in protecting PHI

Slide4
Terms & Concepts Used in the HIPAA Privacy Rule
Use and Disclosure of PHI
Covered entities may only use or disclose PHI as permitted or required by the Privacy Rule.
Use is the sharing, employment, application, utilization, examination, or analysis of …information within the entity…
Disclosure is the release, transfer, provision of access to, or divulging in any other manner of information outside the entity.
References: 45 CFR §§ 160.103, 164.502

Slide5
Terms & Concepts Used in the HIPAA Privacy Rule
Covered Entities
A covered entity is:
• A health plan
• A health care clearinghouse
• A health care provider who transmits any health information in electronic form in connection with a covered transaction—one for which the Secretary has adopted standards.

Slide6
Requirements for Uses and Disclosures of PHI
A covered entity must not use or disclose PHI, except as specifically permitted or required by the HIPAA Privacy Rule.
Reference: 45 CFR § 164.502(a)

Slide7
Requirements for Uses and Disclosures of PHI
The HIPAA Privacy Rule requires disclosure to the individual when the individual exercises the right to access PHI in designated record sets or the right to an accounting of disclosures.
Reference: 45 CFR § 164.502(a)(2)

Slide8
Requirements for Uses and Disclosures of PHI
Required disclosures to the individual:
The individual may be the patient, or in the case of an unemancipated minor, the “personal representative” of the individual. Thus parents, guardians or other people acting in loco parentis can exercise the right of the individual to obtain medical information.
Reference: 45 C.F.R. 164.502(g)(3).

Slide9
Recap
The HIPAA Privacy Rule:
• “Federal Floor” of Privacy Protections
• First set of comprehensive federal health privacy protections
• Restricts uses and disclosures of PHI
• Provides rights for individuals who are the subject of PHI

Slide10
Preemption of State Law
What is Preemption?
The judicial principle asserting the supremacy of federal over state law.
Two kinds:
• Field Preemption
• Conflict Preemption

Slide11
Definition of State Law
Definition of State Law from 45 CFR § 160.202
State law for HIPAA preemption purposes means provisions in:
• State constitution
• State statutes
• State regulations
• State rules
• State common law
• Any other state action having the force and effect of law

Slide12
Definition of Contrary
Definition of “Contrary”
Contrary, as it relates to the preemption of state law by HIPAA requirements, means:
• It would be impossible for a covered entity to comply with both the state and federal requirements (the impossibility test)
OR
• The provision of state law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA (the obstacle test)
Reference: 45 CFR § 160.202

Slide13
Preemption of State Law – General Rule
Under 45 CFR § 160.203, a HIPAA Rule provision that is contrary to a provision of state law preempts the state law, unless one of the specified exceptions applies.

Slide14
Preemption of State Law – Child Abuse and Public Health
Important to dependency proceedings is the exemption contained within § 160.203(c), which provides:
(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.

Slide15
Preemption of State Law – Child Abuse and Public Health
…HIPAA expressly carved out state laws on child abuse and neglect from preemption or any other interference…. State laws continue to apply with respect to child abuse, and the final rule does not in any way interfere with a covered entity’s ability to comply with these laws.
Reference: Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,527 (Dec. 28, 2000).

Slide16
Conflict Minimization and the HIPAA Privacy Rule
The HIPAA Privacy Rule is designed to minimize conflicts between its requirements and state law.
Generally, state laws are not contrary.
The HIPAA Privacy Rule provides a federal floor, and state laws that provide greater protection for PHI and more expansive privacy rights will not be affected.

Slide17
Conflict Minimization and the HIPAA Privacy Rule
45 CFR § 164.512 provides permission to covered entities to make the uses and disclosures listed in the statute.
Other uses/disclosures that do not require an authorization:
• Required by law
• Public health activities
• About victims of abuse, neglect, or domestic violence
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes

Slide18
Conflict Minimization and the HIPAA Privacy Rule
To date, OCR has not been presented with any state law that is contrary to a HIPAA provision. In each case, it has been possible to comply with both.
If a state law were contrary, it would be preempted by HIPAA unless an exception applied.

Slide19
Recap
State laws that are contrary to the regulations are preempted by the federal requirements unless a specific exception applies.
The Privacy Rule provides a federal floor of privacy protections for individuals’ PHI.
State laws that provide greater protections for PHI and greater privacy rights for individuals are generally not contrary to the federal requirements and will not be preempted.
Where HIPAA permits disclosures that are required or permitted under state law, there is no conflict and so no preemption.

Slide20
Practice Pointers
Disclosure to the GAL is required by HIPAA
The State of Florida stands in loco parentis with an abused, abandoned or neglected child. Accordingly, the State is a personal representative of the child for HIPAA purposes and should be treated as an individual for purposes of determining whether the disclosure is authorized under § 164.502(g)(3). As the court-appointed representative of the State, i.e., the child’s personal representative, the GALP’s access to the information is permitted by § 164.502(g).

Slide21
Practice Pointers
Child abuse and neglect laws are exempt from HIPAA’s provisions.
There are exemptions and exclusions from HIPAA.
The child abuse exemption provision of the statute should be read broadly to allow record sharing of information concerning children:
“Although not generally thought of as public health related functions, investigative and intervention responses to child maltreatment clearly are public health matters, even if government social services or law enforcement agencies play the lead roles.”
References: Howard Davidson, The Impact of HIPAA on Child Abuse and Neglect Cases (2003); 45 CFR § 160.203

Slide22
Practice Pointers
3. Disclosure is excluded from HIPAA under § 164.512(a)’s public benefits exception, because it is required by § 39.822:
(3) Upon presentation by a guardian ad litem of a court order appointing the guardian ad litem:
(b) A person or organization, other than an agency under paragraph (a), shall allow the guardian ad litem to inspect and copy any records related to the best interests of the child who is the subject of the appointment, including, but not limited to, confidential records.
For the purposes of this subsection, the term “records related to the best interests of the child” includes, but is not limited to, medical, mental health, substance abuse, child care, education, law enforcement, court, social services, and financial records.

Slide23
No notice for the order… why do they keep talking about drugs and alcohol?

Slide24
Practice Pointers
CAUTION:
Do not get caught in the § 164.512(e) trap
Do not confuse HIPAA with 42 USC §§ 290dd-2

Slide25
Presented by Thomasina Moore, Esq.
Phone: (407) 649-0107
Email: tmoore@knowmoorelaw.com
Website: www.knowmoorelaw.com