CONFIDENTIALITY IN THE WORKPLACE UNDER HIPAA & ILLINOIS MHDDCA

P

A

1

CONFIDENTIALITY IN THE WORKPLACE UNDER HIPAA &

ILLINOIS MHDDCAPresentation to theDisability Rights Consortium April 27, 2011

By John W. WhitcombSenior AttorneyEquip for Equality

P

A

Health Insurance Portability and Accountability Act (HIPAA)

The purpose of this Act was “to improve portability and continuity of health insurance coverage . . . to combat waste, fraud, and abuse in health insurance and health care delivery . . . and for other purposes.”

The Act was later amended to add Security and Privacy Regulations. The Security and Privacy Regulations address the privacy and disclosure of protected health information.

2

P

A

What is Protected?

Protected Health Information (PHI) An individual's PHI encompasses individually

identifiable information, whether oral or written, that is created or received by a health care provider, health plan or health care clearinghouse which relates to a person's physical or mental health, to the provision of health care to that person, or to the payment for that person's health care.

3

P

A

4

Covered Entities

Covered entities under HIPAA are health plans (which include health insurance companies, company health plans, HMOs and government health programs such as Medicare), health care providers and health care clearinghouses.

“Health care clearinghouses” are entities that convert health care information from nonstandard formats into HIPAA standard formats, and vice versa.

P

A

5

EMPLOYERS

Employers are specifically exempted from coverage under HIPAA.

Employment records are excluded from the definition of PHI, and so not subject to the protections of HIPAA. 45 C.F.R. § 160.103.

P

A

Hybrids

HIPAA also encompasses “hybrid” organizations, which are “covered entities” whose business activities include both covered and non-covered functions.

The Privacy Rule permits any covered entity to elect hybrid status and comply with the Privacy Rule only as it relates to its covered activities.

6

P

A

7

Group Health Plans

“Group health plans,” which are employee benefit plans that provide actual health care benefits to employees.

It includes not only major medical plans, but also vision, dental, group long-term care plans.

“Section 125” plans or “flexible spending accounts” which allow employees to select certain health care benefits (or other kinds of employee benefits) are included.

P

A

8

Self Insured Plans

An employer that retains some administrative functions concerning the administration of an employee health plan may fall within the HIPAA Privacy Rule.

The Privacy Rule will also apply to an employer that receives private health information from a covered entity.

P

A

Business Associates

Business associates are those companies/employers that conduct business with covered entities (i.e., health plans, health care providers and clearinghouses), and who provide assistance to covered entities.

9

P

A

10

Business Associate Contracts

In allowing health care providers and plans to give PHI to “business associates,” the Privacy Rule conditions such disclosures on the provider or plan obtaining by contract, assurance that the business associate will use the information only for the purposes for which they were engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with the covered entity's duties to provide individuals with access to health information about them and a history of certain disclosures.

P

A

11

American Recovery and Reinvestment Act of 2009 (ARRA)

Another part of ARRA, the Health Information Technology for Economic and Clinical Health Act (“HITECH”), as of February 10, 2010, imposes significant new privacy and security requirements on group health plans and other covered entities subject to HIPAA. HITECH primarily affects group health plans in two areas for 2010: breach notification and the business associate rules.

P

A

12

Business Associates under HITECH

Business associates are directly subject to most of the security and privacy rules of HIPAA. As a result, group health plans will wish to amend their business associate agreements to incorporate these new responsibilities, including the business associate's duty to notify the plan of any breach of unsecured PHI, and to allocate the risks associated with the costs of compliance in the event of a breach.

P

A

13

Enforcement

No private right of action under HIPAA. Complaints can be filed with the Office of Civil

Rights at the Department of Health & Human Services.

P

A

14

Penalties

Civil monetary penalty is based on the offender's scienter.

An unknowing violation is subject to a minimum penalty of $100 per violation, and a maximum of $50,000 per violation, with a yearly cap of $1.5 million.

Violations resulting from willful neglect are subject to a minimum penalty of $10,000 per violation and a maximum penalty of $50,000 per violation, with a yearly cap of $1.5 million.

P

A

15

Cooney v. Chicago Public Schools,943 N.E.2d 23 (Ill. App. 1st Dist. 2010)

All Printing & Graphics, Inc., was retained by the Board of Education of the City of Chicago (Board) to print, package and mail a “Chicago Public Schools–COBRA Open Enrollment List” to over 1,700 former CPS employees. The mailing, sent sometime between November 23, 2006, and November 27, 2006, informed the former employees that as COBRA participants, they could change their insurance benefit plans. The list sent to each plaintiff contained the names of all 1,750 plaintiffs, along with their addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information (COBRA list).

Are they violating HIPAA?

P

A

16

Cooney v. Chicago Public Schools

Holding: HIPAA prohibits the disclosure of “individually identifiable health information to another person.” 42 U.S.C. 1320d–6(a)(3) (2006). But, “employment records held by a covered entity in its role as employer” are specifically excluded from HIPAA protection. 45 C.F.R. § 160.103 (2006). Because the Board held plaintiffs' health insurance elections in its role as an employer, the Board's disclosure falls outside HIPAA's coverage.

P

A

17

Illinois Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA)

Designed to protect the confidentiality of patients to ensure that no information about their treatment, or the fact that they are being treated at all, is released without the patient's consent.

Therapists and mental health providers cannot disclose records to anyone without consent of patient except for narrow exceptions

P

A

18

Consensual Disclosure

The Act provides for the consensual disclosure of information by a recipient. 740 ILCS 110/5. Section 5 makes it clear that a recipient may consent to disclosure of information for a limited purpose and that any agency or person who obtains confidential and privileged information may not redisclose the information without the recipient's specific consent.

P

A

19

Employers

Employer must get permission to redisclose even for application of benefits.

MHDDCA is stricter than HIPAA and therefore has precedence.

P

A

20

Remedies

Actual Damages. – Reimbursed for any monetary loss suffered or other

losses incurred as a result of the violation of the Act. This may include compensation for emotional pain and suffering.

Injunctive or Affirmative Relief. – Court may requiring the person to do something or to

prohibit that person from doing something Fees and costs.

P

A

21

Karraker v. Rent-a-Center, 315 F.Supp. 2d 675 (C.D. Ill. 2005)

Plaintiffs, current and former employees of Rent-a-Center (RAC), alleged that RAC required all employees or outside applicants seeking management positions to take a battery of written tests, collectively referred to as the Management Test. Several tests included in the Management Test were personality inventories that inquired about personal information including sexual preferences and orientation, religious beliefs and practices, and medical conditions.

P

A

22

Karraker v. Rent-a-Center

APT scored and interpreted the Management Test for RAC, creating a two-page psychological profile about the individuals. RAC distributed this report to the employees' immediate supervisor and placed a copy of it in the employees' personnel file. RAC used the test results in deciding which employees to promote and what additional training to require. Plaintiffs assert that RAC formulated no policy or procedure for keeping the test results confidential.

P

A

23

Karraker v. Rent-a-Center

Claim: Specifically, Plaintiffs claim that the Management Tests were “psychological tests” and that the profiles APT provided to RAC prescribed personal growth exercises that the employee must undergo if he wanted a management job. The profiles summarized psychological characteristics of the individual employees and then recommended corrective action, a function of the tests that constituted mental health services.

P

A

Karraker v. Rent-a-Center

Holding: Although Plaintiffs' characterization of the tests and the MHDDCA are indeed novel, it is perhaps possible for them to develop facts that would establish a claim under the Act. It is, therefore, inappropriate to dismiss their claims at this stage in the proceedings. (7th Circuit subsequently ruled that the MMPI was a psychological test and the defendant’s use of it was a violation of the ADA – see, Karraker, 411 F.3d 831 (7th Cir. 2005)24

P

A

QUESTIONS?

25

CONFIDENTIALITY IN THE WORKPLACE UNDER HIPAA &

ILLINOIS MHDDCA