Responding to Requests for Information - PowerPoint PPT Presentation

About This Presentation

Title:

Responding to Requests for Information

Description:

Responding to Requests for Information Kimberly J. Ruppel Billee Lightvoet Ward Dickinson Wright PLLC – PowerPoint PPT presentation

Number of Views:109

Avg rating:3.0/5.0

Slides: 27

Provided by: dickinson2

Category:

more less

Transcript and Presenter's Notes

Title: Responding to Requests for Information

1
Responding to Requests for Information

Kimberly J. Ruppel
Billee Lightvoet Ward
Dickinson Wright PLLC

2
REQUESTS FOR PHI

Requests for protected health information (PHI)
can come from a variety of sources
Patients
Family and friends
Other healthcare providers
Other third parties
Requests for PHI can come in a variety of forms
Focus on requests through legal or
administrative processes

3
REQUESTS FOR PHI

Facts and circumstances dictate HIPAA obligations
HIPAA requires disclosure in response to certain
requests
Individuals
Secretary of the Department of Health and Human
Services (DHHS)
HIPAA permits disclosure in other situations

4
What Form of Requests Can I Expect?

Court Order or Grand Jury Subpoena (issued by the
Court)
HIPAA recognizes that the legal process for
obtaining a court order and the secrecy of the
grand jury process provides protections for the
individuals private information.
Administrative Request or Civil Investigative
Demand (issued by a governmental agency)

5
What Form Of Requests Can I Expect?

Discovery request from a party to a litigation
Request for the Production of Documents
Interrogatories
Notice for a Deposition
Subpoena
These are issued by lawyers without the Courts
involvement.
Before responding, look for a protective order or
an authorization form signed by the individual.

6
Request Scenarios

Personal injury lawsuit
Malpractice lawsuit
Employment litigation breach of covenant not to
compete
Federal or state agency investigation
Consumer protection
Anti-kickback violations
Stark violations
Antitrust violations
Criminal law enforcement
Public health concerns

7
DISCLOSURES REQUIRED BY LAW

A Covered Entity may disclose PHI to the extent
required by law if the disclosure complies with
and is limited to the requirements of such law
Additional provisions apply to disclosures
About victims of abuse, neglect or domestic
violence
For judicial and administrative proceedings
For law enforcement purposes

8
DISCLOSURES FOR JUDICIAL AND ADMINISTRATIVE
PROCEEDINGS

A Covered Entity may disclose PHI expressly
authorized by an order of a Court or
administrative tribunal
In response to a subpoena, discovery request or
other process not accompanied by a Court order, a
Covered Entity may disclose PHI only if
Satisfactory assurances
the individual has been given notice of the
request and has not objected or all objections
have been resolved to allow for disclosure or
Reasonable efforts have been made to secure a
qualified protective order that (i) prohibits use
of the PHI other than for the litigation at
issue, and (ii) requires return or destruction of
the PHI at the end of the litigation

9
DISCLOSURES FOR JUDICIAL AND ADMINISTRATIVE
PROCEEDINGS

Corrective actions imposed by the DHHS Office for
Civil Rights
What did the hospital do wrong?
Responded to a subpoena unaccompanied by a court
order
Satisfactory Assurances
Failed to determine that reasonable efforts were
made to notify the individual of the request
Failed to receive satisfactory assurances that
reasonable efforts were made to secure a
qualified protective order
What corrective actions were imposed?
Improved staff awareness through training
Revised internal subpoena processing steps

10
DISCLOSURES FOR LAW ENFORCEMENT PURPOSES

A CE may disclose PHI to a law enforcement
official for a law enforcement purpose
As required by law
In compliance with and as limited by a grand jury
subpoena, Court order, Court-ordered warrant, or
a subpoena or summons issued by a judicial
officer or
Limited information to identify or locate a
suspect, fugitive, material witness or missing
person
Information about an individual suspected to be a
victim of a crime
Individual agrees to the disclosure or
Individual cant agree due to incapacity or other
emergency, but certain representations are made
by official
CE determines that disclosure is in the best
interest of the patient

11
DISCLOSURES FOR LAW ENFORCEMENT PURPOSES

Information about a decedent to alert law
enforcement of the individuals death if the CE
has a suspicion that such death may have resulted
from criminal conduct
Information the CE believes in good faith is
evidence of criminal conduct on the CEs premises
Information relating to a medical emergency
(off-premises) if necessary to alert law
enforcement to the commission, nature, location
and victim(s) of a crime and the identity,
description and location of the perpetrator of
the crime.

12
DISCLOSURES FORHEALTH OVERSIGHT ACTIVITIES

A CE may disclose PHI to a health oversight
agency for oversight activities authorized by
law
Audits
Civil, administrative or criminal investigations
or proceedings
Inspections
Licensure/disciplinary actions
For oversight of the health care system and other
programs, laws and entities where health
information is relevant to eligibility or
compliance

13
DISCLOSURES FOR PUBLIC HEALTH ACTIVITIES

HIPAA permits covered entities to disclose PHI to
public health authorities, governmental
authorities, and other persons in relation to
Controlling/preventing disease, injury or
disability
Child abuse/neglect reporting
Quality, safety and effectiveness of
FDA-regulated products/activities
Notification of exposure or risk relating to
communicable disease
Reporting work-related illness or
workplace-related medical surveillance
Providing proof of student immunization to schools

14
WHICH LAW APPLIES?

If a request for information potentially involves
PHI, HIPAA must be considered at the forefront
HIPAA is a floor state privacy laws may offer
greater protection
General Rule HIPAA applies (preemption) unless
state law relates to the privacy of individually
identifiable health information AND
is more stringent than HIPAA
If HIPAA and state law dont conflict, comply
with both

15
WHICH LAW APPLIES?

Consider provider-patient privilege laws
Applies to physicians, dentists, counselors,
optometrists, social workers
PHI may not be disclosed without authorization
except in the case of a personal injury or
malpractice lawsuit by the patient against the
provider
Parental access
Michigan law allows parents to access their
childrens medical records in most, but not all,
instances

16
WHEN YOU RECEIVE A REQUEST

Initial Assessment
Evaluate potential sources of responsive
information
Medical Records and EMR
Billing, Scheduling, Administration
Policies/Procedures
Email and other correspondence
Laptops, smart phones or other mobile devices
Involve appropriate personnel
Privacy/Security Officer or other compliance
personnel
Risk Management
Internal and/or External Legal Counsel

17
WHEN YOU RECEIVE A REQUEST

Preservation Steps
Determine who has possession, custody or
control
Issue a legal hold notice to employees and any
third parties who may have relevant information
Maintain documentation in its original form
Suspend routine document and data destruction
Proactively implement a document retention
procedure
Document preservation steps
Involve administrative or technology staff to
ensure that electronic information is not deleted
or destroyed

18
Why Is Preservation Critical?

Legal obligation to preserve potentially relevant
evidence
Spoliation of Evidence
Destruction (inadvertent or intentional) of
information that is relevant to litigation or
governmental investigation after you become aware
of, or reasonably anticipate, the litigation or
investigation
Penalties
Monetary damages
Presumption that destroyed information would
support the opposing partys case

19
RESPONDING TO A REQUEST FOR INFORMATION

Evaluate the Scope and Burden of the Request
Practical Considerations
Is the time frame objectionable?
Is the volume of information overly burdensome?
What is the nature of the lawsuit or
investigation?
What information is relevant?

20
RESPONDING TO A REQUEST FOR INFORMATION

HIPAA Considerations
Is PHI responsive and, even if not, is it
included in potentially relevant data?
Would de-identified information satisfy the
request?
Determine what HIPAA provision(s) apply
Involve your Privacy and Security Officers
Consult legal counsel as necessary

21
RESPONDING TO A REQUEST FOR INFORMATION

Attempt to negotiate with the opposing party to
narrow the request
Timeframe (Federal Court Rules approve limiting
to 5 years)
Use of search terms for electronic information
Identify and agree on employees who are the most
likely custodians
De-duplication
Make reasonable efforts to limit disclosure to
minimum necessary
Exception for disclosures to the individual,
required by law or pursuant to authorization

22
RESPONDING TO A REQUEST FOR INFORMATION

Protective Measures
Consider obtaining the individuals authorization
even if not required
Court Involvement may be an option (Motion to
Quash) or may be required (Qualified Protective
Order)
Ask the Court to shift search costs to the
requesting party

23
WHY IS THIS IMPORTANT?

Renewed governmental focus
New regulations
Expanded liability new players
Increased penalties (up to 1.5 Million per
violation)
Media attention
Patient sensitivity/awareness

24
WHY IS THIS IMPORTANT?

Beginning in 2011 first civil money penalty
imposed by OCR 4.3 million fine for health
plans denial of access to patients own medical
records
Must provide patient a copy of medical records
within 30 days and no later than 60 days of the
patients request
Probably exacerbated by the health plans failure
to cooperate with OCRs investigation
Inadvertent disclosures can be expensive (more
next session)
Stolen unencrypted thumb drive resulted in
150,000 settlement
Stolen unencrypted laptop resulted in 1.5
million settlement
Leased photocopier returned without erasing data
resulted in 1.2 million settlement