Chapter 7

Question 1

Reasons for medical data privacy

Answer 1

1. Inner workings of one’s body, is highly sensitive and personal
2. Patients more open about their condition if privacy respected.
3. Protect employees from unequal treatment.
4. Protect health insurance consumers from discrimination.

Question 2

Confidentiality of Substance Use Disorder Patient Records Rule: Scope

Answer 2

• Covers disclosure and use of PI by treatment programs for alcohol and substance abuse.
• Covers PI that could identify one diagnosed with or undergone treatment for.
• Also covers any info - written or verbal - that could lead/substantiate criminal charges.

Question 3

Confidentiality of Substance Use Disorder Patient Records Rule: Applicability

Answer 3

• Any program that receives federal funding.
• Program means:
  1. provider of alc/sub abuse diagnosis, treatment, referral
  2. unit within med facility doing same.
  3. staff whose primary function is provision of same.
  4. required by state licensing agency to comply
  5. clinician uses contr sub for detox and must be DEA licensed.

-

Question 4

Confidentiality of Substance Use Disorder Patient Records Rule: Disclosure and Re-disclosure

Answer 4

• Program must obtain written consent before disclosing info subject to Rule.
• Can include general consent to those with provider relationship with patient.
• No redisclosure if would identify one as having been diagnosed, treated, or referred.

Question 5

Confidentiality of Substance Use Disorder Patient Records Rule: Exceptions to Consent

Answer 5

• Medical emergencies
• Scientific research
• Audits and evaluations
• Communications with a qualified service organization (QSO) related to information needed by the organization to provide services to the program
• Crimes on program premises or against program personnel
• Child abuse reporting
• Court order

Question 6

Confidentiality of Substance Use Disorder Patient Records Rule: Security and Enforcement

Answer 6

• Program and entity disclose to lawfully must have formal policies/procs to protect security.

Violations of Rule are criminal. first violation a finde not more than 500, each subsequent not more than 5k.

Question 7

Confidentiality of Substance Use Disorder Patient Records Rule: Convergence and Pre-emption

Answer 7

• Not pre-empt.

- Like HIPAA and is lots of overlap, but not completely.

Question 8

HIPAA: PHI Definition

Answer 8

Protected health information (PHI) is defined as any individually identifiable health information that: is transmitted or maintained in any form or medium; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care or payment for health care to that individual.30

Question 9

HIPAA: Covered entities

Answer 9

• Directly covered by HIPAA.
• Covers 3 types of entities:
• Healthcare providers (e.g., a doctors’ offices, hospitals) that conduct certain transactions in electronic form (if not bill for insurance, not covered)
• Health plans (e.g., health insurers)
• Healthcare clearinghouses (e.g., third-party organizations that host, handle or process medical information)

Question 10

HIPAA: Business associates covered

Answer 10

• Business associate = any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI.
• Privacy Rule and Security Rule apply directly to BAs, thanks to HITECH

Question 11

HIPAA Privacy Rule: Authorizations for uses and disclosures

Answer 11

• Authorizes use and disclosure of PHI for essential healthcare purposes. Others require opt-in authorization.
• Authorization must
  1. be independent document
  2. specific identifies into to be disclosed, purpose, person to which disclosed.
• Can’t require consent to provide treatment.
• Rules for opt-in marketing and strict rules for psychotherapy notes.

Question 12

HIPAA Privacy Rule: Minimum necessary use or disclosure

Answer 12

• other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the min necessary to accomplish intended purpose.

Question 13

HIPAA Privacy Rule: Access and accounting of disclosures

Answer 13

• Have right to access and copy their PHI from CE or BA kept in a “designated record set” i.e. med and billing records, or other records used (by CE) to make decisions.
• Right to an accounting of certain disclosures by CE.
• Right to amend PHI held by CE.

Question 14

HIPAA Privacy Rule: Safeguards

Answer 14

• Privacy rule requires implement admin, physical, tech measures.
• Security Rule covers only PHI

Question 15

HIPAA Privacy Rule: Accountability

Answer 15

• CEs must designate a privacy official.
• Personnel must be trained
• procedures must be in place.

Question 16

HIPAA Privacy Rule: Enforcement

Answer 16

• Primary enforcer is OCR at HHS. Process complaints, can assess civil fines up to $1.6M per year per type of violation.
• OCR regularly audits select CEs
• DOJ has criminal enforcement - up to 10 years in prison.
• FTC can bring unfair and deceptive even if covered by HIPAA.
• State AGs for state privacy laws.

Question 17

Limits/Exceptions on Privacy Rule

Answer 17

• No consent required for treatment, payment and healthcare operations.
• Also, de-id is exempted from PR. 2 methods (expert and removal of specific elements).
• Also exempted is research - no consent necessary if IRB approves as consistent with PR and human subjects rules.
• Other exceptions:
  Secy of HHS for compliance

information used for public health activities;

to report victims of abuse, neglect or domestic violence;

in judicial and administrative proceedings;

for certain law enforcement activities;

for certain specialized governmental functions

Question 18

HIPAA Security Rule: Basics and Goal

Answer 18

• Admin, tech, physical measures for protecting ePHI in a tech neutral manner.
• Goal is for CEs to implement policies/procs to prevent, detect, contain, and correct security violations.

Question 19

HIPAA Security Rule: Addressable vs. Required, for CEs

Answer 19

• Rule has standards and implementation specifications.
• Some impl. specs are required, others “addressable” meaning have to determine if appropriate. if so, must adopt and if not, must say why not reasonable and if appropriate, adopt an alternative measure.

Question 20

HIPAA Security Rule: Requirements for CE and BA

Answer 20

Requirements:

1. Ensure the confidentiality, integrity and availability of all ePHI the covered entity creates, receives, maintains or transmits
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
4. Ensure compliance with the Security Rule by its workforce

Question 21

HIPAA Security Rule: Factors must take not consideration

Answer 21

CEs and BAs take factors into consideration:

1. The size, complexity and capabilities of the covered entity
2. The covered entity’s technical infrastructure, hardware and software security capabilities
3. The costs of security measures
4. The probability and criticality of potential risks to electronic protected health information

Question 22

HIPAA Security Rule: Misc requirements for CEs

Answer 22

• identify responsible official
• conduct ongoing risk assessments.
• implement security awareness and training program, and discipline failure to comply.

Question 23

GINA: Health insurance restrictions

Answer 23

• prohibits health insurance companies from discriminating on the basis of genetic predispositions in the absence of manifest symptoms,
• prohibits health insurance companies from requesting that applicants receive genetic testing

-

Question 24

GINA: Employer restrictions

Answer 24

Prohibits employers from

• using genetic information in making employment decisions, in absence of manifestation.
• discrim against individuals who have family members who has manifested a disease
• requiring or requesting or purchasing genetic info about employees or family members unless an express exception applies

Question 25

GINA: Group Health Plan restrictions

Answer 25

Per ERISA amendments, prohibits group health plan providers from –

• adjusting premiums or other contribs on basis of genetic info, absent manifestation of disease/disorder.
• requesting or requiring genetic testing in connection with offering of group health plans (except voluntary research).
• enforcement - penalty of $100 each day of noncompliance per person - can rise to $15k in some circs.

Question 26

GINA - Individual health plan market

Answer 26

Per amendments to Public Health Service Act, prohibits insurers in indiv. market from

• adjustment of premiums/contribs on basis of genetic info absent manifestation.
• using genetic predisposition to find excludable pre-existing condition.

Also note amendments to Social Security Act extend these protections to providers of Medicare supplemental insurance policies.

Question 27

GINA - Exceptions to prohibition on employers from requiring, requesting, purchasing genetic info about employees or their family members

Answer 27

(1) such a request is inadvertent,
(2) the request is part of an employer-offered wellness program that the employee voluntarily participates in with written authorization,
(3) the request is made to comply with the Family and Medical Leave Act of 1993,
(4) an employer purchases commercially and publicly available materials that include the information,
(5) the information is used for legally required genetic monitoring for toxin exposure in the workplace if the employee voluntarily participates with written authorization or
(6) the employer conducts DNA analysis for law enforcement purposes and requests the information for quality-control purposes (i.e., to identify contamination).

Question 28

GINA Enforcement

Answer 28

• No PROA under GINA itself, but perhaps under statute that GINA amends (ERISA, Social Security, etc - maybe)
• Commission to review developments in genetic science and make reccs. re. disparate impact cause of action under GINA.

Question 29

21st Century Cures Act: Privacy Provisions

Answer 29

The purpose of the 21st Century Cures Act (“Cures Act”) is to expedite the research process for new medical devices and prescription drugs, quicken the process for drug approval, and reform mental health treatment.

Privacy Provisions:

• Certain individual biomedical research information exempted from disclosure under Freedom of Information Act.
• Researchers permitted to remotely view PHI.
• P.
• Prohibits providers, health information technology (HIT) providers, health information exchanges (HIEs), or networks from information blocking, a term meant to describe unreasonable conduct that is likely to interfere with the exchange of electronic health information. This requirement must be balanced with HIPAA’s requirements concerning PHI.
• The Cures Act requires certificates of confidentiality to be issued by the National Institutes of Health (NIH) for any federally funded research, and permits the NIH to issue such certificates at its discretion for research that is not federally funded. These certificates ensure that the research material cannot be used in any legal or administrative proceeding without the consent of the individual involved.
• “Compassionate” sharing of mental health or substance abuse information with family or caregivers. The Cures Act requires HHS to issue guidance to HIPAA regarding the circumstances under which a health care provider or a covered entity is permitted to discuss with family members or caregivers the treatment of an adult with a mental health disorder or an alcohol or substance abuse disorder