HIPAA and Disaster Situations By LYNDA M. JOHNSON Friday, Eldredge & Clark.

HIPAA - “The Health Insurance Portability and Accountability Act of 1996.”

Protects “individually identifiable health information” held by “covered entities”

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual and:

1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

i. That identifies the individual; or

ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Covered Entities are:

Health Care Providers

Health Plans

Health Care Clearinghouses

Information Protected by HIPAA is called “Protected Health Information” or “PHI”

WHAT INFORMATION IS COVERED?

ANY HEALTH INFORMATION RELATING TO:

Past, present or future physical or mental health or condition

Provision of healthcare or

Past, present or future payment for healthcare

Created/received by provider, plan, or clearinghouse

Individually identifiable or presents reasonable basis to believe the information can be used to identify the individual

Includes demographic information

In any medium:

Written, Verbal, Electronic

“Protected Health Information” (PHI)

Covered Entities may use and disclose PHI for purposes of treatment, payment, and healthcare operations.

TREATMENT

“TREATMENT” generally means the provision, coordination or management of healthcare and related services among healthcare providers or by a healthcare provider with a third party, consultation between healthcare providers regarding a patient, or the referral of a patient from one healthcare provider to another.

PAYMENT

“PAYMENT” encompasses the various activities of healthcare providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of healthcare.

HEALTHCARE OPERATIONS

“HEALTHCARE OPERATIONS” are defined to include the business, management and operational activities of a healthcare entity.

AUTHORIZATION

Written permission from patient to “use” or “disclose” PHI for a purpose OTHER THAN treatment, payment or healthcare operations.

Privacy Regulations allow Covered Entities to disclose PHI for a variety of purposes including:

Treating patients

Identifying, locating and notifying family members, guardians or those responsible for an individual’s care

Obtaining the services of disaster relief agencies

Conducting public health activities

Preventing or lessening serious and imminent threats to health or safety

A “covered entity” may use or disclose PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts.

Covered Entity may exercise its “professional judgment” in making disclosures to disaster relief agencies.

After Hurricane Katrina, OCR issued a special bulletin addressing HIPAA Privacy and Disclosures in Emergency Situations. This bulletin clarified the definition of treatment in an Emergency Situation to include:

Sharing information with other providers

Referring patients for treatment (including linking patients with available providers in areas where patients had relocated)

Coordinating patient care with others (such as emergency relief workers or others) that can help patients find appropriate health services

This Bulletin also clarified that when a provider is sharing PHI with a disaster relief organization, it is not necessary to obtain the patient’s permission (or authorization) to share PHI if doing so would interfere with the organization’s ability to respond to the emergency.

President and HHS Secretary also have the authority to temporarily waive HIPAA requirements in an emergency. This was done with Hurricane Sandy.

This “waiver” waives the imposition of sanctions and penalties for noncompliance with the following HIPAA requirements:

The requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to “opt out” of the facility directory

The requirement to distribute a notice of privacy practices

The patient’s right to request privacy restrictions or to request confidential communications.

(Only if President AND Secretary declare a public health emergency.)

If only HHS Secretary issues the waiver, it only applies:

To the area designated and for the period specified in the waiver

To hospitals that have instituted a disaster protocol

For up to 72 hours after hospital has implemented its disaster protocol

Penalties for violating HIPAA Regulations

Prior to 2009, fines ranged from $100-$25,000 per violation and were capped at $25,000 for any calendar year.

Beginning in February of 2009, new tiered structure for penalties went into effect.

New maximum penalty for violation of the same HIPAA provision is $1.5 million per year. Prior to HITECH, the maximum was $25,000 per year.

| Violation Category | Each Violation | Total CMP for Violations of an Identical Provision in a Calendar Year |
|---|---|---|
| Unknowing | $100 - $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 - $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | At least $50,000 | $1,500,000 |

There are also criminal penalties that can be imposed. In Arkansas, we have more criminal indictments for HIPAA violations than any other state!

QUESTIONS

Lynda M. Johnson
Friday, Eldredge & Clark, LLP

[email protected]@fridayfirm.com

501-370-1553