Patient Rights and Privacy: Impact on Medical Staff
KAMSS, August 15, 2014
Stacy Harper, JD, MHSA, CPC
Julie Roth, JD, MHSA, RHIA
Disclaimer
The information provided is for educational purposes only and is not intended to be considered legal advice or create an attorney-client relationship. Opinions expressed are those of the speaker and do not represent the opinions or position of the KAMSS.
Overview
Overview of HIPAA
Overview of Medicare Conditions of Participation and Payment
Medical Staff Structure
Case Examples and Analysis
Enforcement
Strategies
HIPAA
Statutory Background
Health Insurance Portability and Accountability Act of 1996 (Administrative Simplification Provisions), August 21, 1996
Health Information Technology for Economic and Clinical Health Act of 2009, February 17, 2009
Regulatory Background
HIPAA Electronic Transaction Standards, August 17, 2000
HIPAA Privacy Standards, December 28, 2000 and August 14, 2002
HIPAA Unique Employer Identifier Standard, May 31, 2002
HIPAA Security Standards, February 20, 2003
HIPAA/HITECH Breach Notification Standards, August 24, 2009
Omnibus HIPAA Regulatory Modifications, January 25, 2013
Basic Structure of HIPAA
HIPAA Privacy
Applies to all protected health information (PHI)
Determines when PHI can be used/disclosed
Minimal safeguard requirements
Provides patients rights to information
HIPAA Security
Applies to electronic protected health information (ePHI)
Additional layers of safeguards for ePHI
HIPAA Breach Notification
Spans Privacy and Security
Adds transparency to the process
If state law differs from HIPAA, the more restrictive law applies
Basic Medicare Structure
Statute
Social Security Act, August 14, 1935, amended multiple times
Regulations and Guidance
Survey and Certification: Conditions of Participation; State Operations Manual
Payment: Conditions of Payment; Benefit Policy Manual; Claims Processing Manual
Other Manuals and Guidance
Medical Staff Structure
Responsible to the Governing Body for medical care provided to patients at the hospital
Governed by Medical Staff Bylaws
Medical Staff Rules, Regulations, Policies and Procedures
Interactions with Medical Staff Under HIPAA
Employees (Workforce)
Treatment, Payment and Healthcare Operations
Business Associates
Organized Health Care Arrangement (OHCA)
Individual (records describing the physician)
Case Examples
Treatment
Disclosures for Treatment
Very broad, permissive exception under HIPAA
Minimum necessary does not apply
BUT must have a treatment relationship
Consider: A physician is on-call for the weekend. He accesses the hospital EMR system remotely on Friday and reviews the H&P for 1) all patients admitted to his group and 2) all surgical patients, to determine if any have co-morbidities that may need management.
Payment
Disclosures for Payment
Allows sharing of PHI among healthcare providers for each provider's payment
Minimum necessary applies
This exception includes the claims and activities to get paid as well as audits and investigations post payment
Consider: A physician admits a patient as an inpatient to the hospital. The hospital bills and is paid by Medicare for services. The hospital is subsequently audited for medical necessity of the hospitalization. Documentation describing the patient's condition is located in the physician's office records.
Healthcare Operations
Uses and Disclosures for Healthcare Operations
Peer Review, Quality Assurance and Patient Safety are all included in healthcare operations
Broad exception which allows sharing of information among providers if 1) they participate in an OHCA or 2) they both have treatment relationships with the patient
Minimum necessary applies
Consider: The hospital receives a complaint that a physician is performing medically unnecessary procedures. The hospital is sending records to a third-party company for peer review. The hospital desires to include physician clinic records in the medical records disclosed to the reviewer.
Personal Representative/Individual Involved in Care
Interactions with Patient Representatives
Three categories:
Personal Representative
Patient Representative
Individual Involved in Care
Variations in permissive/mandatory access
Consider: The patient's physician discusses the patient's discharge from the hospital and transfer to a skilled nursing facility with the patient's daughter when the patient is not present. The patient is upset she was excluded from the conversation.
Research
Use and Disclosure for Research
IRB-approved study
Patient consent
Potential participation
Consider: A medical staff member has been involved in the hospital's initiative to improve patients' post-surgical outcomes through the initiation of a new PACU procedure. The hospital learns that the physician submitted an article to a professional journal describing the outcomes from the initiative based on the review of hospital patient data.
Remote Access
Security Requirements for Remote Access
HIPAA Security imposes a number of safeguard requirements, including:
Unique user identification
Access controls
Integrity controls
Monitoring
Consider: The hospital's EMR system allows remote access for physicians and approved staff to view and download diagnostic test results. The hospital receives a complaint that the employee of one of its medical staff members is using the remote access to snoop on records of individuals who are not patients of the physician.
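The monitoring safeguard in the remote-access scenario can be approached as a treatment-relationship check over the EMR access audit trail: each remote access is tied to the medical staff member who sponsors the account, and accesses to patients that physician has no relationship with are surfaced for review. This is an added example, not part of the presentation; the log format, the roster of treatment relationships and the user and patient identifiers are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One remote-access audit record (constructed format, not a real EMR's)."""
    user: str      # unique login that performed the access
    sponsor: str   # medical staff member whose privileges sponsor this login
    patient: str   # patient record that was viewed or downloaded
    action: str    # "view" or "download"


# Constructed census: physician -> patients with a current treatment relationship.
TREATMENT_RELATIONSHIPS = {
    "dr_smith": {"P100", "P101"},
    "dr_jones": {"P200"},
}

# Constructed audit trail. nurse_a works in dr_smith's office; the last two of
# her accesses are to patients dr_smith does not treat.
AUDIT_LOG = [
    AccessEvent("dr_smith", "dr_smith", "P100", "view"),
    AccessEvent("nurse_a", "dr_smith", "P101", "view"),
    AccessEvent("nurse_a", "dr_smith", "P200", "view"),
    AccessEvent("nurse_a", "dr_smith", "P300", "download"),
    AccessEvent("dr_jones", "dr_jones", "P200", "download"),
]


def find_unrelated_accesses(log, relationships):
    """Return events where the sponsoring physician has no treatment
    relationship with the patient whose record was accessed. A sponsor
    missing from the roster has no relationships, so all of that
    account's accesses are flagged rather than silently passed."""
    return [e for e in log if e.patient not in relationships.get(e.sponsor, set())]


def users_over_threshold(flagged, threshold=2):
    """Logins with at least `threshold` unrelated accesses; these are the
    accounts a privacy officer would review first."""
    counts = Counter(e.user for e in flagged)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flagged = find_unrelated_accesses(AUDIT_LOG, TREATMENT_RELATIONSHIPS)
    for event in flagged:
        print(f"REVIEW {event.user} ({event.action}) -> {event.patient}")
    print(users_over_threshold(flagged))
```

The same check applies to the on-call scenario earlier in the deck if the roster is extended with group coverage, so that a covering physician's accesses to the group's admitted patients are treated as related.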
Physician Signature
Electronic Signature Requirements
Medicare and other payors have limitations on who can document or order certain services
Medicare has specific requirements for authentication/signatures, including electronic signatures
HIPAA requires use of integrity controls, individual verification, and password security
Consider: A busy physician desires to have the EMR documentation ready upon entering a patient room. He gives his password to his nurse so that she can pull up patient information on the screen in advance of each visit. The same password is used by the physician to authenticate medical record documentation and orders.
Impaired Physician
When the Physician is the Patient
Treatment of the patient
Access to records under HIPAA
Access to records under 42 CFR Part 2
Protection of the physician's medical records
Consider: A physician on the medical staff seeks treatment from the outpatient substance abuse facility within the hospital. The medical staff is reviewing the physician's privileges to determine whether restrictions should be imposed during treatment and desires access to the physician's treatment records.
Enforcement
Enforcement
Tier 1: Violation not known or reasonably known
  Old HIPAA: None
  New HIPAA: At least $100 per violation, $25,000 max for identical violations in calendar year
Tier 2: Violation due to reasonable cause, but not willful neglect
  Old HIPAA: $100 per violation, $25,000 max for identical violations in calendar year
  New HIPAA: At least $1,000 per violation, $100,000 max for identical violations in calendar year
Tier 3: Violation due to willful neglect, if corrected
  Old HIPAA: $100 per violation, $25,000 max for identical violations in calendar year
  New HIPAA: At least $10,000 per violation, $250,000 max for identical violations in calendar year
Tier 4: Violation due to willful neglect, if not corrected
  Old HIPAA: $100 per violation, $25,000 max for identical violations in calendar year
  New HIPAA: At least $50,000 per violation, $1.5 million max for identical violations in calendar year
Results of OCR Audit Demonstration Program
60% of deficiencies identified were related to HIPAA Security
58 of 59 providers audited had at least one HIPAA Security deficiency
47 out of 59 providers, 20 out of 35 health plans, and 2 of 7 clearinghouses had not conducted a complete and accurate risk assessment
Top three deficiencies were related to contingency planning and back-ups; audit controls and monitoring; and access management
Most common cause of deficiency: entity was unaware of the requirement
Next round of audits is expected to affect business associates and be scheduled following the September 23, 2013 effective date
Enforcement Activities
Settlements may originate with a complaint or breach report
Primary breaches include:
Stolen or lost laptops or media
Unsecured firewall
Employee's access of information
Disclosure of information
Business Associates were responsible for more breaches than Covered Entities
Most frequent deficiencies mentioned include:
Failure to perform risk assessment
Inadequate training
Insufficient policies and procedures
Incomplete security measures
Failure to safeguard media
Most involve a corrective action plan with ongoing monitoring in addition to penalties
Litigation Trends
Litigation Trends
No private cause of action under HIPAA
New development of state law claims
HIPAA is the standard of care
Results vary by state
Proof of actual disclosure/damage
Automatic damages
Punitive damages
Vicarious liability
Data Breach
University of California Case
Encrypted hard drive stolen, but password may have been compromised
Breach notification provided
Could not prove actual disclosure
Advocate Health
Four unencrypted laptops
Breach notification provided
Pending in Illinois
Stanford
Unencrypted information on internet
Breach notification provided
Pending in California
Vicarious Liability
Walgreens Case (Indiana law)
Pharmacist looking at prescription history
Disclosed to others
Accessed again after complaint
Guthrie Clinic Case (New York law)
Nurse gossiping about patient's STD
Employee was not a physician
Outside scope of employment
Kansas Law
Werner v. Kliewer (1985)
Psychiatrist sent letter to court in child custody action
No cause of action in tort or contract
Zhu v. St. Francis
Physician testified in Plaintiff's action against third party
Plaintiff claimed invasion of privacy because testimony was false
Dismissed for no cause of action
No vicarious liability of hospital under HCSF
Strategy for Improvement
The Key is COMMUNICATION
Medical Staff Bylaws
Align Hospital Policy with Medical Staff Policy
Training and Education
Confidentiality Statements
Questions?
Stacy Harper, sharper@lathropgage.com, 913-451-5125
Julie Roth, jroth@lathropgage.com, 913-451-5118