Health Insurance Portability & Accountability Act of 1996
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates significant changes in the legal and regulatory environments governing the provision of health benefits, the delivery and payment of healthcare services, and the security and confidentiality of individually identifiable, protected health information.
The law is composed of two major legislative actions: provisions for health insurance reform and requirements for administrative simplification. Complying with all aspects of HIPAA will require providers and virtually all entities within the healthcare industry (including clinical research) to make significant changes to their information systems, operations policies and procedures, and business practices.
Failure to comply with any of the electronic data, security or privacy standards can result in civil monetary penalties up to $25,000 per standard per year. Violation of the privacy regulations for commercial or malicious purposes can result in criminal penalties of $50,000 to $250,000 in fines and one to ten years of imprisonment. The Civil Rights Division of the DHHS is charged with enforcement and is recognized as a stringent "enforcer." Providers who fail to comply also run the risk of violating public trust, which can have untold public relations impacts.
The HIPAA Privacy Rule
The Privacy Rule took effect on April 14, 2003, with a one-year extension for certain "small plans." It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history. Covered entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies. A covered entity may disclose PHI to facilitate treatment, payment, or health care operations, or if the covered entity has obtained authorization from the individual. However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.
The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI. It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals. For example, an individual can ask to be called at his or her work number instead of a home or cell phone number. The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints, and train all members of their workforce in procedures regarding PHI. An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).
Authorization of disclosures, and exceptions (Florida)
In general, a records owner may not furnish a patient's medical records to, or discuss the medical condition of a patient with, any person other than the patient or the patient's legal representative, or other health care practitioners and providers involved in the care or treatment of the patient, except upon written authorization of the patient. However, medical records may be furnished without written authorization under the following circumstances. (Note that "consent" is used as a synonym for "authorization" here, even though these terms refer to two very different sets of processes and requirements under HIPAA.)
Records may be furnished without written authorization: to "any person, firm, or corporation that has procured or furnished such examination or treatment" with the patient's consent; when a "compulsory physical examination is made" pursuant to the Florida Rules of Civil Procedure, "in which case copies of the medical records shall be furnished to both the defendant and the plaintiff"; upon "the issuance of a subpoena from a court of competent jurisdiction" in a civil or criminal action, "and proper notice to the patient or the patient's legal representative" is made by the person seeking the records; for "statistical and scientific research, provided the information is abstracted in such a way as to protect the identity of the patient, or provided written permission is received from the patient or the patient's legal representative"; or when "compelled by subpoena at a deposition, evidentiary hearing, or trial for which proper notice has been given" related to a medical negligence action or administrative proceeding. (FL Stat 456.067)
Further, the state may, via one of its agencies or departments, obtain patient records pursuant to a subpoena if there is "reasonable cause to believe" that a health care practitioner has: excessively or inappropriately prescribed any controlled substance; practiced "below that level of care, skill, and treatment required" by professional practice acts; given inadequate care due to a patient's termination of insurance; or engaged in some kind of fraud (e.g., mis-billing, fraudulent solicitation of patients, kickbacks). In such circumstances, "reasonable attempts" must be made to obtain a patient authorization for release of records. All medical records obtained by state agencies, and any other documents maintained by them which identify the patient by name, are confidential and exempt from Florida public records access provisions (e.g., FL Stat 119.07). Such records may be used solely for the investigation, prosecution, and other disciplinary proceedings for which the materials were obtained.
Strictly speaking, the above does not apply to hospitals, ambulatory surgical centers and similar licensed facilities, which are subject to their own separate, but nonetheless very similar, statutory specification of disclosure rules (in Chapter 395). Such facilities must keep patient records confidential, and generally may not disclose the information in them "without the consent of the person to whom they pertain." Exceptions to the consent (authorization) requirement in this case are disclosures: to "licensed facility personnel and attending physicians for use in connection with the treatment of the patient"; to "licensed facility personnel only for administrative purposes or risk management and quality assurance functions"; to state agencies, "for purposes of health care cost containment"; upon "the issuance of a subpoena from a court of competent jurisdiction" in a civil or criminal action, with "proper notice by the party seeking such records to the patient or his or her legal representative"; in response to a subpoena issued for the purpose of investigating or prosecuting some kind of practitioner misconduct (see list above); by state agencies such as the Department of Health, "for the purpose of establishing and maintaining a trauma registry and for the purpose of ensuring that hospitals and trauma centers are in compliance" with applicable standards and rules; by the Department of Children and Family Services or its agent, "for the purpose of investigations of cases of abuse, neglect, or exploitation of children or vulnerable adults"; by the State Long-Term Care Ombudsman Council and the local long-term care ombudsman councils, "with respect to the records of a patient who has been admitted from a nursing home or long-term care facility, when the councils are conducting an investigation" involving a patient at such a facility; by a local trauma agency or a regional trauma agency "that performs quality assurance activities, or a panel or committee assembled to assist a local trauma agency or a regional trauma agency in performing quality assurance activities"; by organ procurement organizations, tissue banks, and eye banks required to conduct death records reviews; or by the Medicaid Fraud Control Unit in the Department of Legal Affairs pursuant to an investigation. (FL Stat 395.3025)
The recipients of such disclosures, if other than the patient or the patient's representative, may use such information "only for the purpose provided and may not further disclose any information to any other person or entity, unless expressly permitted by the written consent of the patient." Note also that a "general authorization for the release of medical information is not sufficient for this purpose." As before, any medical records obtained by state agencies are confidential, and exempt from Florida public records access provisions.
Employers who provide or administer health insurance benefits or life insurance benefits to their employees must maintain the confidentiality of information relating to the medical condition or status of any person covered by such benefits. Such information in the possession of a public employer is exempt from the public records access provisions. Employers are liable for damages to persons harmed by a failure to implement procedures to maintain confidentiality. (FL Stat 760.50(5))