“HIPAA In Relation to Other Federal Laws”
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
Glasser LegalWorks/HIPAA Conference
October 23, 2002
Overview
Basics of HIPAA and other laws
Other federal laws:
– FERPA, Privacy Act, etc.
HIPAA and Financial Services
Conclusion
I. Basics of HIPAA and Other Laws
When are you required to disclose medical data?
Much confusion on this during drafting period
Basic HIPAA approach -- HIPAA itself never requires disclosure
Exactly two exceptions
– Access to patient records, Sec. 164.524
– HHS enforcement of the rule, Sec. 160.310(c)
“Required by Law”
Many situations where other law requires you to disclose medical data
– Most clearly for a court order
– Not a HIPAA violation to comply
Sec. 164.512(a): “A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.”
Basics on required disclosures
HIPAA (almost) never requires disclosure
HIPAA generally creates new legal limitations on using and disclosing PHI
HIPAA says you may disclose where required by other law
It’s your call what you are required to do -- HIPAA doesn’t give the answer
Both HIPAA and other law apply
The Privacy Act as Example
Law applies to federal agencies, with fair information practices limiting disclosure and providing access
As of April, 2003 federal agencies will comply with both laws, where applicable
HIPAA enforcement for HIPAA violations
Privacy Act enforcement for Privacy Act violations
EMTALA as Example
Requires treatment on site where patient arrives in emergency situation
HIPAA applies -- must protect PHI but can use & disclose it more broadly for treatment, payment & health care operations
EMTALA applies -- a separate, ongoing legal requirement
Public Health & Health Oversight
Public health, Sec. 164.512(b)
Health oversight, Sec. 164.512(d)
Both say covered entity “may” disclose
No new compulsion from HIPAA to require the disclosure
If a covered entity believes disclosure is not appropriate, and disclosure is permitted by HIPAA, then the other law governs
II. HIPAA Provisions about Other Law
Some provisions in HIPAA specifically point to other statutes as supplying the applicable law
Workers’ Comp, Sec. 164.512(l)
– May disclose “as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault”
– Required vs. permissive disclosure the key
FERPA -- Educational Records
In HIPAA:
– Definition of “protected health information” excludes
– “educational records” covered by
– the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g
Therefore, if records covered by FERPA, no HIPAA obligations
FERPA
“Educational records” are:
– “those records, files, documents, and other materials which
– contain information directly related to a student; and
– are maintained by an educational agency or institution or by a person acting for such agency or institution”
What Does this Mean for Schools
K-12 nurses -- clearly only have FERPA and not HIPAA
Universities and schools serving over 18 years old -- right to the student instead
What if student health services also serve non-students? Spouses, employees?
– Legally, HIPAA applies to those
– Practically, keep separate?
HIPAA and the End of College Athletics!
Will we learn that the quarterback is hurt?
Will sports gamblers be able to pursue their chosen profession?
FERPA -- governs school athletes, authorizations required as today
Pro sports -- authorization can be required by the employer
– Will union contracts limit that?
III. HIPAA & Financial Services
Gramm-Leach-Bliley & HIPAA
2 statutes, comply with both
Does that mean 2 notices for covered entities?
GLB came first
– GLB agencies contemplated that compliance with HIPAA would count for GLB notice
– I am not aware of any follow-up clarification by GLB agencies
GLB & HIPAA
HHS comments, Dec. 2000
– agencies consult to avoid duplication
– insurers covered by GLB would be subject to states, not FTC
The upshot:
– Health insurers or other dual covered entities likely can give only HIPAA notice
– No definitive word from GLB agencies, though
HIPAA and Financial Services
The “payment” exception in HIPAA Sec. 1179
Easy case
– Check, credit card and the basic routing information
– Name, account numbers, what is needed to process the payment itself
– That data entirely outside of HIPAA
Payments and HIPAA
“Back office”
– As financial institution goes deeper, and does back office for a covered entity, HIPAA risk grows
– At some point, become business associate
Clearinghouse
– Convert standard/nonstandard transactions
– Specialized financial services entity, can become a covered entity
Conclusion on Other Fed. Laws
Disclosure required by other law, then at least may disclose PHI
Disclosure permitted by other law, then HIPAA limits apply
Disclosure forbidden by other law, then HIPAA does not authorize the disclosure (with tiny possible exceptions)
Contact Information
Web: www.peterswire.net
Email: [email protected]
Phone: (240) 994-4142