HIPAA Compliance During Litigation and Discovery Safeguarding PHI and Avoiding Violations When Responding to Subpoenas and Discovery Requests Today’s faculty features: 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10. THURSDAY, OCTOBER 16, 2014 Presenting a live 90-minute webinar with interactive Q&A Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va. Philip H. Lebowitz, Partner, Duane Morris, Philadelphia
52
Embed
HIPAA Compliance During Litigation and Discoverymedia.straffordpub.com/products/hipaa-compliance-during-litigation-and... · HIPAA Compliance During Litigation and Discovery Safeguarding
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
HIPAA Compliance During Litigation and Discovery Safeguarding PHI and Avoiding Violations When Responding to Subpoenas and Discovery Requests
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
THURSDAY, OCTOBER 16, 2014
Presenting a live 90-minute webinar with interactive Q&A
Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va.
Philip H. Lebowitz, Partner, Duane Morris, Philadelphia
Tips for Optimal Quality
Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-927-5568 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:
• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the SEND button beside the box
If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form).
You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner.
If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.
FOR LIVE EVENT ONLY
Program Materials
If you have not printed the conference materials for this program, please complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
Protected Health Information (PHI) is any information, including genetic information, whether oral or recorded in any form or medium, that: • Is created or received by a health care provider, health plan, or health
care clearinghouse; and • Relates to the past, present, or future physical or mental health or
condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
• The Privacy Rule – establishes individuals’ privacy rights and addresses the use and disclosure of protected health information (“PHI”) by covered entities and business associates
• The Security Rule – establishes requirements for protecting electronic PHI
• The Breach Notification Rule – requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI
• The Enforcement Rule – establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of PHI in violation of HIPAA
• Breach “risk of harm” standard replaced with more objective test • Definition of “business associate” expanded to include entities that maintain or store
PHI even if they do not view the PHI • Subcontractors of business associates that use or disclose PHI are directly subject to
HIPAA (regardless of if there is a BAA) • Expansion of liability of business associates (and subcontractors, as applicable) under
the Privacy Rule and the Security Rule • Individuals have a right to obtain electronic copies of PHI upon request if the PHI is
maintained electronically • Individuals may restrict disclosures regarding treatment paid out-of-pocket, in full • Notices of Privacy Practices must include additional information • Easing of rules for PHI with respect to research, fundraising, and decedents • Tightening of rules for marketing and sale of PHI • GINA (Genetic Information Non-Disclosure Act of 2008) incorporated • Enforcement rule expanded
• HIPAA permits disclosure for judicial or administrative proceedings
• In response to – A court order or order of an administrative tribunal – “a subpoena, discovery request, or other lawful process”
• Without court order, provider must receive “satisfactory assurance” that “reasonable efforts” have been made to – “ensure” that the affected patient has been given notice; or – Secure a “qualified protective order”
• Provider may disclose without court order by itself making reasonable efforts to provide notice to patient
Citation: 45 C.F.R. 164.512(e) (“Disclosures for Judicial and Administrative Proceedings”)
• Opposing party seeks patient’s medical records from non-party provider – Typically through subpoena – Provider should insist on patient authorization – If not, inform patient of subpoena and obligation
to produce records if subpoena not quashed – Move to quash subpoena
• Describe information to be disclosed • Who authorized to disclose • Who authorized to receive • Purpose of disclosure • Expiration date or event • Signed and dated by patient • Must include statement re right to revoke,
• Be narrow or expansive depending on purpose • Define who may review or have access to documents • Specify that documents be labeled “Confidential” or
similar – If PHI is in electronic form, specify encryption requirement
• Include non-disclosure requirement • Require Receiving Party to certify in writing the return or
secure destruction at the conclusion of litigation of all proprietary information (including PHI)
• Super strict requirements – Patient’s Express Written Authorization
• 42 C.F.R. 2.31 • Name of program making disclosure • Name of recipient • Patient’s name • Purpose of disclosure • How much and what kind of information • Signature • Date • NOTE: Providers need to include redisclosure warning
statement per 42 C.F.R. 2.32 – Court order required after showing good cause
• 42 U.S.C. 290dd-2 and 42 C.F.R. Part 2, Subpart E (2.61 et seq.)
– Perlman v. U.S., 247 U.S. 7 (1918) – “a discovery order directed at a disinterested third
party is treated as an immediately appealable because the third party presumably lacks a sufficient stake in the proceeding to risk contempt by refusing compliance”
– Permits 3rd parties to litigation opportunity for appeal before producing PHI records
State Laws Regarding Confidentiality of Medical Records • Independent regulatory duty of hospital to
maintain the confidentiality of medical records • Reports and records of health authorities • HIV-related information • Records of mental health facilities • Drug and alcohol abuse records • Applicable to particular facilities
– Birth Centers – Home health care agencies – Long-term care facilities AND others
NOTICE TO HEALTH CARE ENTITIES A COPY OF THIS SUBPOENA DUCES TECUM HAS BEEN PROVIDED TO THE INDIVIDUAL
WHOSE HEALTH RECORDS ARE BEING REQUESTED OR HIS COUNSEL. YOU OR THAT INDIVIDUAL HAS THE RIGHT TO FILE A MOTION TO QUASH (OBJECT TO) THE ATTACHED SUBPOENA. IF YOU ELECT TO FILE A MOTION TO QUASH, YOU MUST FILE THE MOTION WITHIN 15 DAYS OF THE DATE OF THIS SUBPOENA.
YOU MUST NOT RESPOND TO THIS SUBPOENA UNTIL YOU HAVE RECEIVED WRITTEN CERTIFICATION FROM THE PARTY ON WHOSE BEHALF THE SUBPOENA WAS ISSUED THAT THE TIME FOR FILING A MOTION TO QUASH HAS ELAPSED AND THAT:
NO MOTION TO QUASH WAS FILED; OR ANY MOTION TO QUASH HAS BEEN RESOLVED BY THE COURT OR THE ADMINISTRATIVE
AGENCY AND THE DISCLOSURES SOUGHT ARE CONSISTENT WITH SUCH RESOLUTION. IF YOU RECEIVE NOTICE THAT THE INDIVIDUAL WHOSE HEALTH RECORDS ARE BEING
REQUESTED HAS FILED A MOTION TO QUASH THIS SUBPOENA, OR IF YOU FILE A MOTION TO QUASH THIS SUBPOENA, YOU MUST SEND THE HEALTH RECORDS ONLY TO THE CLERK OF THE COURT OR ADMINISTRATIVE AGENCY THAT ISSUED THE SUBPOENA OR IN WHICH THE ACTION IS PENDING AS SHOWN ON THE SUBPOENA USING THE FOLLOWING PROCEDURE:
PLACE THE HEALTH RECORDS IN A SEALED ENVELOPE AND ATTACH TO THE SEALED ENVELOPE A COVER LETTER TO THE CLERK OF COURT OR ADMINISTRATIVE AGENCY WHICH STATES THAT CONFIDENTIAL HEALTH RECORDS ARE ENCLOSED AND ARE TO BE HELD UNDER SEAL PENDING A RULING ON THE MOTION TO QUASH THE SUBPOENA. THE SEALED ENVELOPE AND THE COVER LETTER SHALL BE PLACED IN AN OUTER ENVELOPE OR PACKAGE FOR TRANSMITTAL TO THE COURT OR ADMINISTRATIVE AGENCY.