Sunday, September 30, 2012

HIPAA enforcement 'limited'.(Policy & Practice)(Health Insurance Portability and Accountability Act of 1996)(Brief article) - Family Practice News

The Centers for Medicare and Medicaid Services has not provided effective oversight and has taken only 'limited actions' to ensure that covered entities adequately implement patient privacy regulations contained in the Health Insurance Portability and Accountability Act of 1996, according to a report from the Health and Human Services Department's Office of Inspector General. The OIG found that the CMS had not conducted any compliance reviews of covered entities, and instead relied on complaints to target investigations. However, the CMS has received very few complaints about violations, the report said. 'As a result, the CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA security rule' or that electronic health information was being adequately protected, the report concluded. CMS has taken steps to begin conducting compliance reviews in an effort to identify security problems and vulnerabilities under HIPAA, the OIG said.

Saturday, September 29, 2012

HIPAA enforcement 'limited'.(POLICY & PRACTICE)(Health Insurance Portability and Accountability Act )(Report)(Brief article) - Internal Medicine News

The Centers for Medicare and Medicaid Services has not provided effective oversight and has taken only 'limited actions' to ensure that covered entities adequately implement patient privacy regulations contained in the Health Insurance Portability and Accountability Act of 1996, according to a report from the Health and Human Services Department's Office of Inspector General. The OIG found that the CMS had not conducted any compliance reviews of covered entities, and instead relied on complaints to target investigations. However, the CMS has received very few complaints about violations, the report said. 'As a result, the CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA security rule' or that electronic health information was being adequately protected, the report concluded. CMS has taken steps to begin conducting compliance reviews in an effort to identify security problems and vulnerabilities under HIPAA, the OIG said.

Friday, September 28, 2012

Encryption for HIPAA not necessarily a given: change in final rule eliminates blanket requirement.(Health Insurance Portability and Accountability Act of 1996) - Rehab Continuum Report

Medical Banking Project founder John Casillas says one of the changes in the final Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule eliminated any requirement to encrypt electronically transmitted protected health information, even over the Internet or other open networks. Encryption is now an 'addressable' implementation specification, which means a provider or payer organization must determine whether it is appropriate to use the technology. Encryption was one of many required procedures or technologies in the proposed rule that now are addressable as the Department of Health and Human Services seeks to make the final rule more scalable for health organizations of all types and sizes.

Casillas says many providers implementing the security rule likely will decide encryption is a reasonable and appropriate way to protect data, but their trading partners may not agree. One area providers will have to consider is the electronic transmission of payment information, including protected health information, between providers, payers, and financial institutions.

Encryption still a good idea

For instance, an insurer may electronically transmit to its bank a payment file containing payment instructions for a batch of claims from multiple providers. The bank will transmit the file to the banking industry's automated clearinghouse network, which transmits the payments to the appropriate banks serving the providers listed in the payment file. The individual banks then will transmit electronic remittance advices that contain protected health information to their provider customers.

Thursday, September 27, 2012

CMS implementing a grace period for HIPAA deadline. - Medical Device Daily

CMS implementing a grace period for HIPAA deadline

By KEVIN NEW

Medical Device Daily Washington Editor

WASHINGTON - Officials who run the nation's Medicare program assured providers not prepared for a looming regulatory deadline that cash flow would not be interrupted.

The Centers for Medicare & Medicaid Services (CMS; Baltimore, Maryland) said earlier this week that it would implement a contingency plan to accept non-compliant electronic transactions after Oct. 16 of this year, the deadline date for complying with the regulations of the Health Insurance Portability & Accountability Act (HIPAA).

The contingency plan will ensure that claims will continue to be processed for what CMS estimates to be thousands of providers not able to meet the deadline, it said. Otherwise, the claims would be rejected.

'Implementing this contingency plan moves us toward the dual goals of achieving HIPAA compliance while not disrupting providers' cash flow and operations, so that beneficiaries can continue to get the healthcare services they need,' said CMS administrator Tom Scully.

The decision to establish a contingency plan was made due to statistics showing unacceptably low numbers of compliant claims being submitted, CMS said. CMS gained the authority to implement the contingency plan based on guidance it received from the U.S. Department of Health and Human Services (HHS; Washington) in late July.

The grace period will allow providers additional time to complete testing processes for new systems. CMS will regularly reassess the readiness levels of providers to determine how long to keep the contingency plan in effect, according to Tom Grissom, CMS's director of the Center for Medicare Management, the division responsible for administering reimbursement.

'Medicare is able to process HIPAA-compliant transactions,' Grissom said, 'but we need to work with our trading partners to increase the percentage of claims in production.'

Because transactions often involve the participation of two covered entities, non-compliance from one could put the other party in a difficult position, CMS said. And covered entities making a good-faith effort to comply with HIPAA standards can implement their own contingency plans to maintain operations and cash flow, according to the HHS guidance document.

'We encourage other plans to assess the readiness of their trading partners and implement contingency plans if appropriate,' Grissom advised.

Device manufacturers are affected by HIPAA regulations only if they conduct standard transactions, John Bentivoglio, a partner at the Washington office of Arnold & Porter, told Medical Device Daily. Bentivoglio represents several medical device manufacturers and noted that his clients' biggest concerns deal with research and marketing regulations in HIPAA.

Only the biggest device companies that interact directly with patients would be considered a covered entity, he said.

HHS clarified its definitions of standard transactions and healthcare in its HIPAA preamble from December 2000, Bentivoglio noted. Standard transactions are financial and administrative in nature relating to claims and billing matters, and most device manufacturers don't interact directly with patients, he explained.

Covered entities may use or disclose protected health information for research purposes without authorization under very limited circumstances, Bentivoglio added. Device manufacturers involved in research should work with institutional review boards to ensure that authorizations for disclosing information are included in an informed consent form, he said.

Wednesday, September 26, 2012

Recruiting patients with breast cancer and their families to behavioral research in the post-HIPAA period.(Health Insurance Portability and Accountability Act)(Clinical report) - Oncology Nursing Forum

Recruiting patients from clinical settings into cancer clinical trials is a difficult but essential element of the success of the National Cancer Institute's efforts to reduce cancer mortality. Overall, less than 50% of patients with cancer participate in treatment trials nationwide (Beskow, Sandler, & Weinberger, 2006; Elting et al., 2006; Gotay, 1991; Heiney et al., 2006). Even institutions with appropriate trials available that are dedicated to recruiting patients for clinical and behavioral trials often reported that recruitment rates are modest, varying from 19%-53% (of clinically eligible patients older than age 35) (Hunter et al., 1987; Lee, Marks, & Simpson, 1980; Spiro, Gowera, Evans, Facchini, & Rudd, 2000). Low recruitment yields into clinical trials commonly are reported among patients with cancer (Ashing-Giwa, 2005; Ashing-Giwa, Padilla, Tejero, & Kim, 2004; Hunter et al.; Hutchins, Unger, Crowley, Coltmant, & Albain, 1999; Sears et al., 2003). Recruitment yields in those studies have ranged from 16%-36%. Modest rates of recruitment occur for several reasons. Key barriers to patient participation in clinical trials often are provider-related, including the time commitment involved, obtainment of informed consent, and intrusion of the study on the physician-patient relationship (Benson et al., 1991; Lovato, Hill, Hertert, Hunninghake, & Probstfield, 1997; Newcomb, Love, Phillips, & Buckmaster, 1990; Taylor, Margolese, & Soskoline, 1984).

Furthermore, clinical data now are more difficult to incorporate into research activities. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 described how clinical entities can use or disclose protected health information, including for research purposes. The regulations affect how researchers interact with participants and hospitals, physicians, and other organizations that provide access to participants and their data. Covered entities can disclose protected health information to researchers only if the study has obtained direct consent from patients, signed HIPAA authorization forms from patients, or a waiver of authorization from an institutional review board (IRB). Study recruitment materials and consent forms also must provide clear information to participants about who will have access to their medical information and how it will be used (HIPAAdvisory, 2003; Sands, 2003; U.S. Department of Health and Human Services, 2003). In November 1999, the U.S. Department of Health and Human Services published proposed regulations to guarantee patients new rights and protections against the misuse or disclosure of their health records. After extensive comments from thousands of individuals and organizations, the revised rules took effect on April 14, 2001.

The new rules resulted in confusion and concern at most academic research facilities. Ambiguities in interpretation and appropriate implementation left researchers unable to use standard procedures and forms for informed consent. Similarly, clinical facilities had to interpret the new laws and adjust approved procedures for providing researchers access to patients for research purposes.

Behavioral intervention research for patients with cancer and their family members includes psychosocial interventions to improve coping (Andersen, 1992; Baum & Andersen, 2001; Sears et al., 2003) and dietary and exercise changes as methods of preventing recurrence or improving physical functioning and quality of life (Chlebowski et al., 1993; McTiernan et al., 1998; Pierce et al., 1997). Behavioral research with patients and families also involves interventions to improve the health and coping of caregivers of patients with cancer (Donnelly et al., 2000). Obtaining high response rates is important in such studies because psychological and behavioral differences between responders and nonresponders limit generalizability.

Concerns were raised that complications of the HIPAA regulations would result in low response rates (Wolf & Bennett, 2006) or costly recruitment procedures (Friedman, 2006). Other investigators proposed that implementing HIPAA-based procedures would make recruitment of patients and families more confusing to potential study participants (Shalowitz & Wendler, 2006). As a result, a plan was created for approaching patients with breast cancer and their family members for research using rules based on implementation of the HIPAA regulations; the plan was implemented to determine eligibility and interest for future intervention research. The aim of this article is to assess the potential recruitment yields for patients and family members into behavioral research using a planned approach. Specifically, the article reports on the eligibility of patients with breast cancer and their family members to enter a set of behavioral intervention trials, their interest in participating in the trials, and the willingness of patients to provide contact information of spouses or partners and female first-degree relatives for entry into separate research projects.

Recruitment Process

Participants in the present study were recruited from the Seattle Cancer Care Alliance in Washington, a multi-institution National Cancer Institute-designated comprehensive cancer center that includes the Fred Hutchinson Cancer Research Center, the University of Washington Medical Center, and the Children's Hospital and Regional Medical Center of Seattle. The Seattle Cancer Care Alliance's Breast Center offers various clinical, diagnostic, and treatment services to patients in a multidisciplinary setting. Patients, their spouses or partners, and their female first-degree relatives were to be recruited for separate randomized trials to reduce risk of recurrence (patient) or first primary cancer (others). The research received human subjects review approval from the Fred Hutchinson Cancer Research Center IRB.

The Seattle Cancer Care Alliance maintains a computerized database that tracks patient information, including age, gender, name, address, phone number, cancer diagnosis, and dates of clinic visits. Using the database, the Seattle Cancer Care Alliance Breast Center staff generated a list of the 100 patients with breast cancer most recently seen for treatment by a practicing oncologist in the year prior to initial study contact. After removal of duplicate or invalid contact information, 91 patients were available for contact. All participating patients were recruited from the contact list with a passive consent letter for initial contact. Eligible patients were at least 18 years old, diagnosed only with primary breast cancer, and (for one study) reporting high levels of depressive symptoms.

Recruiting male spouses or partners and female first-degree relatives to participate in studies of health behavior change and risk reduction also was attempted. Eligible spouse or partner participants were male and living with previously recruited patients. Eligible female first-degree relative participants were at least 18 years old and never diagnosed with breast cancer. Payment was not offered to participants as an incentive for completing the study survey or for agreeing to participate in future research.

Recruiting Procedures in a Specific Clinical Setting

One of the major barriers to recruitment is moving contact information from a clinical setting to a research setting in a legal and ethical way. Figure 1 presents the flow chart for study recruitment. HIPAA regulations focus on protecting participant privacy at several points of contact but do not specify the means of protection. The present study was performed shortly after the regulations were in effect, so procedures had to be defined to ensure the protection of participant privacy. Specifically, research teams could no longer access patient information and obtain initial consent from patients to be contacted about a potential research project. Therefore, a clinical contact step was included to allow patients to opt out of the recruitment process. Once patients had a chance to refuse participation, contact information could flow to the research team, who directly contacted nonrefusing patients to describe the study, collect eligibility and initial interest data, and invite participants for more intensive consent and data collection activities. Participants could refuse to participate further at each step of the process.

[FIGURE 1 OMITTED]

The research team worked closely with clinical staff to implement the new recruitment procedures. Clinical staff sent the initial approach passive consent letter that described the survey and was signed by the principal investigator of the study and patients' treating oncologist to the 91 patients identified as potential study participants. The letter requested patients' permission to contact them via the telephone and provided a toll-free study telephone number to call if they did not wish to be contacted. During the subsequent survey, the interviewers asked each patient if she had a male spouse or partner or living female first-degree relative(s). If the patient reported a male spouse or partner or living female first-degree relative(s), the interviewer asked whether the patient would be willing to allow the researcher to contact her spouse or partner or female relative(s) to participate in a survey about possible future research studies. Patients were not asked to call the relatives to obtain separate consent.

Seven days after initial consent, research interviewers called the nonrefusing patients and asked them to complete a 30-minute telephone survey covering questions about their health history, depression, sensitive psychosocial history, height and weight history, age, relatives' cancer history, and interest in potential research studies. If patients provided their consent to contact relatives, they were asked to supply the contact information for those family members.

Spouses or partners and female first-degree relative(s) for whom patients provided contact information were approached first by a letter stating that permission had been obtained from the patient to get in touch with them about the study and that they would be called to provide more information and were under no obligation to participate in the study. A telephone number was provided in the letter that family members could call if they did not wish to be contacted via telephone.

Six months later, data were collected on the spouses or partners and female first-degree relatives of the patients. The wait period was six months to minimize interaction between research staff and families during their loved ones' acute therapeutic period. Research interviewers contacted nonrefusing family members to explain the study further, obtain verbal consent, and complete the survey if they chose to participate.

Table 1 shows the recruitment yields for patients, spouses or partners, and female first-degree relatives in the present study. Seventy-seven percent of patients, 95% of spouses or partners, and 88% of female first-degree relatives provided survey data. The proportion of participants lost because of the researchers' inability to locate them was low; 10% of patients and no spouses or partners or female first-degree relatives were unable to be contacted, and fewer had nonworking phone numbers. Only 7% of patients, 2% of spouses or partners, and 2% of female first-degree relatives personally refused the survey offer.

Table 1. Survey Approach Results for Patients and Relatives

Survey Approach               Patients  Yield (%)  Spouses and  Yield (%)  First-Degree      Yield (%)
                                                   Partners                Female Relatives
Approach letters mailed          91        -          41           -           85               -
Letters remailed                  1        1           2           5            2               2
Incorrect address                 -        -           -           -            -               -
Call records fielded             91      100          41         100           85             100
Unable to contact                 9       10           -           -            -               -
Nonworking phone number           4        4           -           -            -               -
Refused personally                6        7           1           2            2               2
Refused via family member         2        2           -           -            3               4
Deceased                          -        -           -           -            -               -
Unable to speak with              -        -           1           2            5               6
Total completed surveys          70       77          39          95           75              88

Patient Consent to Contact Relatives

At first contact, patients were asked about their willingness to allow researchers to contact their spouses or partners and female first-degree relatives regarding future research studies. At recontact, patients gave consent by confirming their initial willingness to allow the interviewer to contact a spouse or partner or female first-degree relative(s). Consenting patients also provided the contact information.

Most of the patients were willing to allow the interviewer to contact spouses or partners and female first-degree relatives and to provide the necessary contact information. At first contact, 55 and 68 patients reported the existence of a living spouse or partner and a living and eligible female first-degree relative, respectively. A total of 52 (95%) of the patients with spouses or partners stated that they would allow the interviewer to contact their spouses or partners, and 61 (87%) allowed the interviewer to contact female first-degree relatives. At recontact, 49 of the patients initially allowing spouse or partner contact were contacted. Forty-three (88%) of those patients provided consent and contact information for their spouses or partners. Fifty-eight patients who initially allowed at least one female first-degree relative to be contacted were reached; 48 (83%) provided consent and contact information for at least one female first-degree relative.

Eligibility for Future Studies

Age and self-reported height and weight were obtained from patients and first-degree female relatives. In addition, because one of the planned future studies required the recruitment of depressed patients with breast cancer, the nine-item depression scale found in the Patient Health Questionnaire (PHQ) was administered (Kroenke, Spitzer, & Williams, 2001; Spitzer, Kroenke, & Williams, 1999). Items include questions about the presence of different symptoms of depression.

Relatives' Assistance Needs

Spouses, partners, and female first-degree relatives were asked about their need for information about nine specific breast cancer topics (risk factors, risk in relatives, screening, treatment, healthful foods and exercise behaviors for prevention, coping with feelings, hearing others' experiences, and ways to talk with healthcare providers). For each topic, spouses and partners were asked about how much assistance in receiving information on that topic they would like in dealing with their wives' or partners' breast cancer. Female relatives were asked about how much assistance in receiving information on that topic that they would like for themselves. Answer choices were 'not at all,' 'a little bit,' 'some,' and 'very much.' Participants who responded 'very much' were considered as reporting a high need for information. Table 2 presents data on the specific needs reported by spouses and partners and female relatives. The most frequently self-reported needs in both groups were learning about cancer treatments, healthful foods, exercise, and breast cancer risk factors. No apparent differences existed in frequency of responding between the two groups.

Table 2. Assistance Needs of Relatives of Patients With Breast Cancer

                                                  High Need (%)
Assistance Need                           Spouses and   Female First-Degree
                                          Partners      Relatives
Breast cancer risk factor information        46             37
Information on risk in relatives             33             47
Information on screening                     36             53
Learning about cancer treatments             67             48
Learning about healthful foods               64             63
Learning about exercise                      64             52
Coping with feelings about cancer            33             39
Hearing others' experiences                  18             27
Help with talking to providers               41             36

Interest in Participating in Future Studies

Patients were asked about their interest in participating in (a) a research project on the possible benefits of exercise for patients in recovery from initial cancer treatment, (b) a research project involving possible benefits of social support, relaxation, and other psychosocial coping skills during recovery from initial treatment, and (c) a clinical trial of the antidepressant sertraline as a treatment for depression in patients with breast cancer. Spouses and partners were asked whether they would be interested in hearing more about a study in which they would learn ways to help their wives or partners with breast cancer. They also were asked whether they would be interested in participating in such a study. Spouses and partners were asked whether specific appointment schedules for the research would be manageable. To assess female first-degree relatives' interest in research, researchers asked them whether they would like to participate in a study designed to help female family members of patients with breast cancer understand their own breast cancer risk and learn ways to cope with their risk.

Interest in the research studies was high among all three groups. A total of 57 of 69 responding patients (83%) reported interest in participating in an exercise intervention study. Even if participation meant being assigned to a group not receiving an exercise intervention, 49 patients (70%) still reported that they would be interested in such a study. Of 69 responding patients, 53 (76%) reported interest in participating in a coping skills training study. If participation included the possibility of being assigned to a group without special coping skills training, 56 patients (81%) agreed to participate. Patient interest in a trial to test the efficacy of an antidepressant medication also was high, with 47 of 66 (71%) respondents reporting interest in participation. Fourteen patient participants (20%) had a probable presence of moderate depression based on the data from the PHQ depression screening, indicating eligibility for a behavioral study to treat depression in patients with cancer. Those participants reported particularly high rates of interest in the relevant research studies compared to nondepressed participants. Eleven of the 14 (79%) participants with moderate depression reported interest in the antidepressant clinical trial. In comparison, 36 participants (69%) who were not likely depressed reported interest.

Among the spouse and partner participants, 37 (95%) reported interest in hearing more about a study to help their wives or partners with breast cancer, and 34 (87%) reported interest in actually participating. In addition, 30 (77%) spouses or partners reported that a six-month, biweekly research clinic appointment schedule was manageable and 32 (82%) spouses or partners reported that a three-appointment and two-telephone session schedule was manageable. Among female relatives, 64 (85%) reported willingness to be contacted about a study to help family members understand their risk for breast cancer, and 49 (65%) reported actual interest in participating.

Discussion

The data indicate that procedures to contact, recruit, and obtain consent from patients and family members for behavioral research activities complementary to their primary cancer treatment can be implemented successfully in the era of new stringent privacy regulations, even during the acute diagnosis and treatment period. Research staff working together with clinical staff to plan and conduct the initial consent resulted in very few refusers at the initial contact point. Several strategies were identified for making the relationship functional; the strategies have received support from similar studies (Albert & Levine, 2005; Wolf & Bennett, 2006). In the present study, strategies that reduced cost while improving yield included discussions between clinical staff and research staff, financial support of clinical staff by the research team, and the addition of the clinical director to the key personnel of research grants. This IRB-approved process will serve as a model for the recruitment of participants for future studies.

Researchers screened 100% of eligible participants via telephone, making calculating the overall yield on a population basis easier. The screening results differ from the percentage of eligible participants identified in previous research (Sears et al., 2003). The initial positive response to the approach via telephone likely would be replaced by lower yields when participants are faced with actually attending a visit to determine eligibility and obtain consent, although increasing the burden on participants by scheduling a visit would be a good strategy to establish which participants actually would adhere to the study protocol.

The interest rates of spouses or partners and female first-degree relatives were approximately equal, and a relatively large proportion of patients provided contact information for both. Getting a high yield of intact families, then, is possible, providing that the initial interest leads to actual participation. In another study of family recruitment (Helmes, Bowen, Bowden, & Bengel, 2000), initial interest clearly was related to participation in study activities; therefore, contacting potential participants to glean interest most likely will assist with overall recruitment yield.

In addition to assessing interest over the telephone, researchers were able to estimate eligibility for certain characteristics (e.g., body mass index) in the survey. The approach may not be the most accurate way to assess eligibility criteria but certainly provided a prevalence estimate for important variables. Confirming eligibility during an in-person data collection session would be necessary to obtain the accuracy required for an intensive intervention study. Using a computerized database to identify potential patients and to perform much of the initial screening for eligibility can reduce the amount of time physicians need to spend on research study activities to allow their patients to participate (Newcomb et al., 1990). Similarly, having research staff instead of clinical personnel handle informed consent for studies in which such procedures would be appropriate also reduces the amount of time physicians need to spend on study enrollment. This allows patients to participate in research while continuing their usual medical care with their physicians uninterrupted, thus minimizing interference with the physician-patient relationship.

Little has been published about the health promotion or physical needs of family members of patients with cancer. The reported needs of potential family participants in the present study were diverse, but most wanted to learn about cancer and cancer treatments, dietary change, and exercise behavior change. The interest in prevention activities was exciting because of the new options for testing prevention and survivorship interventions. Participants interested in prevention would be eligible for many behavioral studies designed to change cancer risk. Risk reduction strategies often require hundreds of thousands of participants to achieve adequate power to identify differences in endpoints. Strategies developed in the present study would be helpful in recruiting the large samples needed for risk reduction studies.

Complaints about obtaining proxy consents or family contact information to the IRB or to clinical or research staff were not received from patients, their relatives, or their healthcare providers during this study. Modifying procedures to meet the current regulations was a straightforward process. The exercise improved clinical and research staff relationships because the roles of each were clearly delineated. Collaboration between overburdened clinical staff and eager research team members to modify and pilot procedures worked well in the present study. Procedures were designed by clinical investigators and staff, and the clinic procedures already in practice were considered in how best to organize the large amount of material for contact, mailing, and consent. When possible, the research staff shouldered any burden; otherwise, procedures were developed as a team that were easy to follow and did not deviate considerably from regular clinic procedures. Implementing a joint strategy to meet current guidelines and new ones as they come into play will be necessary.

References

Albert, S.M., & Levine, C. (2005). Family caregiver research and the HIPAA factor. Gerontologist, 45, 432-437.

Andersen, B.L. (1992). Psychological interventions for cancer patients to enhance the quality of life. Journal of Consulting and Clinical Psychology, 60, 552-568.

Ashing-Giwa, K.T. (2005). Can a culturally responsive model for research design bring us closer to addressing participation disparities? Lessons learned from cancer survivorship studies. Ethnicity and Disease, 15, 130-137.

Ashing-Giwa, K.T., Padilla, G.V., Tejero, J.S., & Kim, J. (2004). Breast cancer survivorship in a multiethnic sample: Challenges in recruitment and measurement. Cancer, 101, 450-465.

Baum, A., & Andersen, B.L. (2001). Psychosocial interventions for cancer. Washington, DC: American Psychological Association.

Beskow, L.M., Sandler, R.S., & Weinberger, M. (2006). Research recruitment through US central cancer registries: Balancing privacy and scientific issues. American Journal of Public Health, 96, 1920-1926.

Benson, A.B., Pregler, J.P., Bean, J.A., Rademaker, A.W., Eshler, B., & Anderson, K. (1991). Oncologists' reluctance to accrue patients onto clinical trials: An Illinois cancer center study. Journal of Clinical Oncology, 9, 2067-2075.

Chlebowski, R.T., Blackburn, G.L., Buzzard, I.M., Rose, D.P., Martino, S., Khandekar, J.D., et al. (1993). Adherence to a dietary fat intake reduction program in postmenopausal women receiving therapy for early breast cancer. The women's intervention nutrition study. Journal of Clinical Oncology, 11, 2072-2080.

Donnelly, J.M., Kornblith, A.B., Fleishman, S., Zuckerman, E., Raptis, G., Hudis, C.A., et al. (2000). A pilot study of interpersonal psychotherapy by telephone with cancer patients and their partners. Psycho-Oncology, 9, 44-56.

Elting, L.S., Cooksley, C., Bekele, B.N., Frumovitz, M., Avritscher, E.B., Sun, C., et al. (2006). Generalizability of cancer clinical trial results: Prognostic differences between participants and nonparticipants. Cancer, 106, 2452-2458.

Friedman, D.S. (2006). HIPAA and research: How have the first two years gone? American Journal of Ophthalmology, 141, 543-546.

Gotay, C.C. (1991). Accrual to cancer clinical trials: Directions from the research literature. Social Science and Medicine, 33, 569-577.

Heiney, S.P., Adams, S.A., Cunningham, J.E., McKenzie, W., Harmon, B., Hebert, J.R., et al. (2006). Subject recruitment for cancer control studies in an adverse environment. Cancer Nursing, 29, 291-299.

Helmes, A.W., Bowen, D.J., Bowden, R., & Bengel, J. (2000). Predictors of participation in genetic research in a primary care physician network. Cancer, Epidemiology, Biomarkers and Prevention, 9, 1377-1379.

HIPAAdvisory. (2003). HIPAA primer. Retrieved November 20, 2003, from http://www.hipaadvisory.com/regs/HIPAAprimer.htm

Hunter, C.P., Frelick, R.W., Feldman, A.R., Bavier, A.R., Dunlap, W.H., Ford, L., et al. (1987). Selection factors in clinical trials: Results from the Community Clinical Oncology Program Physician's Patient Log. Cancer Treatment Reports, 71, 559-565.

Hutchins, L.F., Unger, J.M., Crowley, J.J., Coltmant, C.A., & Albain, K.S. (1999). Underrepresentation of patients 65 years of age or older in cancer-treatment trials. New England Journal of Medicine, 341, 2061-2067.

Kroenke, K., Spitzer, R.L., & Williams, J.B. (2001). The PHQ-9: Validity of a brief depression severity measure. Journal of General Internal Medicine, 16, 606-613.

Lee, J., Marks, J., & Simpson, J. (1980). Recruitment of patients to cooperative group clinical trials. Cancer Clinical Trials, 3, 381-384.

Lovato, L.C., Hill, K., Hertert, S., Hunninghake, D.B., & Probstfield, J.L. (1997). Recruitment for controlled clinical trials: Literature summary and annotated bibliography. Controlled Clinical Trials, 18, 328-352.

McTiernan, A., Ulrich, C., Kumai, C., Bean, D., Schwartz, R., Mahloch, J., et al. (1998). Anthropometric and hormone effects of an eight-week exercise-diet intervention in breast cancer patients: Results of a pilot study. Cancer Epidemiology, Biomarkers and Prevention, 7, 477-481.

Newcomb, P.A., Love, R.R., Phillips, J.L., & Buckmaster, B.J. (1990). Using a population-based cancer registry for recruitment in a pilot cancer control study. Preventive Medicine, 19, 61-65.

Pierce, J.P., Faerber, S., Wright, F.A., Newman, V., Flatt, S.W., Kealey, S., et al. (1997). Feasibility of a randomized trial of a high-vegetable diet to prevent breast cancer recurrence. Nutrition and Cancer, 28, 282-288.

Sands, G. (2003, January 24). Welcome to privacy and security policies. Retrieved November 20, 2003, from http://www.fhcrc.org/admin/planning/hipaa

Sears, S.R., Stanton, A.L., Kwan, L., Krupnick, J.L., Rowland, J.H., Meyerowitz, B.E., et al. (2003). Recruitment and retention challenges in breast cancer survivorship research: Results from a multisite, randomized intervention trial in women with early stage breast cancer. Cancer Epidemiology, Biomarkers and Prevention, 12, 1087-1090.

Shalowitz, D., & Wendler, D. (2006). Informed consent for research and authorization under the Health Insurance Portability and Accountability Act privacy rule: An integrated approach. Annals of Internal Medicine, 144, 685-688.

Spiro, S.G., Gowera, N.H., Evans, M.T., Facchini, F.M., & Rudd, R.M. (2000). Recruitment of patients with lung cancer into a randomised clinical trial: Experience at two centres. On behalf of the Big Lung Trial Steering Committee. Thorax, 55, 463-465.

Spitzer, R.L., Kroenke, K., & Williams, J.B. (1999). Validation and utility of a self-report version of PRIME-MD: The PHQ primary care study. Primary care evaluation of mental disorders. Patient Health Questionnaire. JAMA, 282, 1737-1744.

Taylor, K.M., Margolese, R.G., & Soskoline, C.L. (1984). Physicians' reasons for not entering eligible patients in a randomized clinical trial of surgery for breast cancer. New England Journal of Medicine, 310, 1363-1367.

U.S. Department of Health and Human Services. (2003, November 10). HIPAA privacy rule information for researchers. Retrieved November 20, 2003, from http://privacyruleandresearch.nih.gov/pr_08.asp

Wolf, M.S., & Bennett, C.L. (2006). Local perspective of the impact of the HIPAA privacy rule on research. Cancer, 106, 474-479.

Deborah J. Bowen, PhD, Jesse R. Fann, MD, MPH, M. Robyn Andersen, PhD, Isaac C. Rhew, MPH, Julie R. Gralow, MD, Frances M. Lewis, PhD, RN, Julie R. Hunt, PhD, Melanie Palomares, MD, MS, Carol M. Moinpour, PhD, and Donna P. Ankerst, PhD

Deborah J. Bowen, PhD, is a joint member at the Fred Hutchinson Cancer Research Center in Seattle, WA; Jesse R. Fann, MD, MPH, is an associate professor in the School of Medicine at the University of Washington (UW) in Seattle; M. Robyn Andersen, PhD, is an assistant member of the division of Public Health Sciences at the Fred Hutchinson Cancer Research Center; Isaac C. Rhew, MPH, is a predoctorate research associate in the Department of Epidemiology at UW in Seattle; Julie R. Gralow, MD, is an associate professor in the School of Medicine at UW in Seattle; Frances M. Lewis, PhD, RN, is a professor in the School of Nursing at UW in Seattle; Julie R. Hunt, PhD, is a senior staff scientist in the Division of Public Health Sciences at the Fred Hutchinson Cancer Research Center; Melanie Palomares, MD, MS, is an assistant professor in medical oncology in the Division of Population Sciences, a staff physician for the Cancer Screening and Prevention Program, and a member of the Comprehensive Cancer Center at the City of Hope in Duarte, CA; Carol M. Moinpour, PhD, is an associate member of the Fred Hutchinson Cancer Research Center; and Donna P. Ankerst, PhD, is an associate research professor in the Health Science Center at the University of Texas in San Antonio and a research scientist at the University of Munich in Germany. This research was supported by a grant (CA82894) from the National Cancer Institute and by Fred Hutchinson Cancer Research Center developmental research funds. (Submitted March 2007. Accepted for publication April 3, 2007.)

Digital Object Identifier: 10.1188/07.ONF.1049-1054

Tuesday, September 25, 2012

Understanding new HIPAA privacy standards for hospitals and other providers.(HIPAA) - Healthcare Strategic Management

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress in an attempt to bring 'administrative simplification' to the health care industry. One aspect of HIPAA is the privacy rule, issued by the Department of Health and Human Services (HHS) in December of 2000. The intent of this privacy rule is to protect patients' privacy rights with respect to certain of their health care information while also improving the efficiency and effectiveness of electronic transmissions of this information. The privacy rule states that covered health care providers may not use or disclose certain health information unless such use or disclosure is specifically permitted or required by the rule. This rule is predicted to have a major, widespread effect on the use and disclosure of information throughout the health care industry. With that in mind, this article will attempt to familiarize covered providers with the rule and set forth several important points to consider as providers work towards HIPAA compliance.

Who is covered by the HIPAA privacy rule?

* Health care clearinghouses (including billing services, other health care information management entities)

* All health care providers (including private physicians) who electronically transmit certain health care information (including claims and other encounter information, payment information, health plan enrollment information, health plan eligibility, health plan premiums, referral authorization and related information, first report of injury, health claims attachments, etc.)

* All providers who use billing services, clearinghouses, hospitals, or any other person or entity to electronically transmit such claims and other information on the provider's behalf

* Health plans (including HMOs, most group plans, health insurance issuers, employee welfare benefit plans, etc.).

What information is covered by the HIPAA privacy rule?

Protected health information includes information (oral, written and electronic) which identifies, or reasonably could be used to identify, a patient and is relating to the patient's past, present or future physical or mental health or condition; history of health care treatments received; and past, present or future payment for the provision of health care.

Key points to consider

These are just a few of the important considerations covered providers will face as they attempt to become HIPAA compliant. All covered providers must review the privacy rule carefully, preferably in consultation with legal counsel, to ensure compliance.

Know the compliance deadline and the penalties for non-compliance

Most health care providers covered by the privacy rule must be compliant by April 14, 2003 (April 14, 2004, for small health plans or providers). Violations of the HIPAA privacy rule may carry hefty penalties. Violators may face civil fines of up to $25,000 per person per violation per calendar year, and criminal penalties including a fine of up to $50,000, $100,000 or even $250,000 for certain violations, and possibly even imprisonment of up to 10 years. In addition, non-compliance with the privacy rule may expose covered providers to negligence claims.

Draft written policies and procedures

Covered providers must draft written policies and procedures regarding the use and disclosure of protected health care information. Examples of items to be included in a well-drafted policy statement include:

Allowing patients access to their health records (with some exceptions), and providing patients with a six-year accounting of most health information disclosures.

Allowing patients to amend their health information (with some exceptions).

Allowing patients to request that the health provider use alternate communication means for protected health information (for example, sending specified information to a patient's alternate address). Also allowing patients to request that the provider restrict disclosure of certain information.

Provide notice to all patients

All covered health care providers must provide to patients written, plain language notice (during office visits, through postings at premises and on Web sites, etc.) of the provider's procedures on the use and disclosure of patient health information and a description of the patient's rights and the provider's legal duties under the privacy rule.

The covered provider must designate and train a 'privacy official' to implement its policy, and a responsible person to receive and process inquiries and complaints in accordance with the rule. These persons must provide HHS with compliance reports and copies of certain records upon request to demonstrate compliance.

Train personnel

Training a covered provider's workforce as to how to store, use and disclose protected health information is crucially important, not only to ensure that the covered provider's policies and procedures are understood and followed, but also because HHS requires that covered providers document such training and produce such documentation upon request.

Obtain patient consents and authorizations (and understand the difference)

Covered providers must understand when patient 'consent' is required (for health care providers, for the use and disclosure of protected health information specifically for purposes of treatment, payment and health care operations) and when specific patient 'authorization' is required (for all other covered providers and for all other disclosures of protected health information). Also, physicians must understand that certain authorizations are required to use information about research subjects. Covered providers must carefully draft such consents and authorizations to ensure they are in compliance with the privacy rule. (Covered providers must also understand the rule's restrictions on whether they may condition treatment on getting a consent or authorization, and whether they may administer certain health care treatments without prior consent or authorization.)

Understand business associate liability

A covered provider may allow a 'business associate' to gain access to protected health information, but the provider must first receive 'satisfactory assurance' (in the form of a 'business associate contract') that the business associate will protect the information in accordance with the privacy rule (and that the business associate will require the same compliance from its subcontractors and agents). A business associate's violation of HIPAA's privacy rule may expose a covered provider to liability as well, so covered providers must understand this aspect of the rule. In general terms, a 'business associate' is a person or entity who either:

* Receives protected health information from the covered provider in the performance of its service (legal, actuarial, accounting, consulting, data aggregation, management, administration, financial services, etc.), or

* Performs a function or service involving the use or disclosure of protected health information on the behalf of the covered provider (a clearinghouse, hospital, etc.).

Understand the 'minimum necessary' rule.

The privacy rule requires covered providers to use and disclose protected health information only to the 'minimum necessary' to accomplish the purpose of such use or disclosure (with exceptions).

Modify use of e-mail

Covered providers must pay particular attention to their use of e-mail in transmitting protected health information to patients and to others to ensure they do not violate the privacy rule.

The privacy rule affects the ways in which covered providers may use patient protected health information to engage in fundraising and marketing efforts. Providers must understand what types of patient consents and authorizations are needed for them to engage in such efforts, and in what ways such efforts must be modified to ensure compliance.

Understand how this rule interacts with state and federal laws

The HIPAA privacy rule is complicated and wide-reaching. This rule will change the way certain health information is stored, used and disclosed throughout the health care industry. Even though most covered health care providers are given until April of 2003 to comply with the rule, providers should commence their efforts to become compliant, because their task is potentially a large one. Providers must determine what information may be disclosed, how it may be disclosed, and to whom it may be disclosed. They must draft policies, procedures, patient notices, consents, authorizations and business associate contracts. They also must begin training their personnel. These are large undertakings and must be done correctly--and preferably in consultation with experienced legal counsel to guide such providers through the rule.

Monday, September 24, 2012

Take an active role in your organization's HIPAA effort: case managers have expertise to share.(Health Insurance Portability and Accountability Act)(Brief Article) - Case Management Advisor

Case managers should be involved in their organization's Health Insurance Portability and Accountability Act (HIPAA) compliance initiatives, but in many cases, they're left out of the planning, Linda Reeder, RN, MBA, FACHE, RNCm, has found.

'What I am seeing that concerns me is that certain key disciplines, including case management, are not being involved in their organization's HIPAA steering committee or being actively involved in one of the work groups,' says Reeder, president of Envision Consulting, a Seattle e-health and clinical information technology consulting firm.

Less than a year remains for organizations to comply with the first of the regulations that go into effect under HIPAA, and efforts at meeting the deadline should be well under way at all covered entities, which include providers, payers, and health care information clearinghouses.

Case managers, quality managers, and educators often are not involved when their organization's processes are being evaluated to comply with HIPAA, but because of the sheer number of people with whom they interface, case managers have a lot of valuable information to offer, Reeder says.

Case managers should make an effort within their organizations to be involved in HIPAA planning, particularly efforts to comply with the privacy standards and in work groups that analyze the business procedures related to key transactions, Reeder says.

'Since case managers deal with and coordinate services for external parties, they need to be at the table and dealing with the operative issues. Case managers have a real understanding of work flow and could be an important factor in the organization's compliance plan,' Reeder says.

HIPAA offers opportunities for case managers to expand their roles in their organizations. For instance, case managers are in a good position to assume the role of their organization's privacy officer, Reeder suggests.

'Because a good part of HIPAA is education, and case managers are skilled in that area, they are in a unique position and have a real opportunity to play a central role,' Reeder says.

Case managers have the educational background; they know the parties involved; and they have a lot of expertise on how the system works. Being a privacy officer in your organization could be a career step.

'Case managers should position themselves and their organizations as being a leader in privacy and e-health. They can be emphasizing to the parties they interface with what their organization is doing to protect client privacy,' Reeder says.

Another reason case managers should be involved with their organization's HIPAA task force is to make sure their needs and daily functions are met when the security regulations are enacted. Under the security regulations, access is limited to 'need to know,' and, based on your job or your role in the company, you may not be able to access certain information. ('Need to know' means whether a certain piece of information is needed for the purpose for which the release is generated.)

'Case managers should work closely with the security officer to make sure they don't get more than they need but that they do have access to all the information they need,' says Beth Hjort, HIA, AHIM, practice manager for health information management for the American Health Information Management Association in Chicago.

'The spirit of HIPAA is that the patient remain in control of his or her protected or individually identifiable health information,' Hjort says.

At present, HIPAA regulations fall into three categories: privacy, security, and transaction and code set standardization.

* The privacy regulations are scheduled to go into effect April 2003. They mandate changes in the way individually identifiable health information is handled and disclosed. The U.S. Department of Health and Human Services issued proposed changes to the HIPAA privacy regulations on March 27, 2002.

The proposed changes in the HIPAA privacy regulations have strengthened the marketing requirements. Now, patients must sign a specific authorization to have their health care information used in external marketing programs.

The changes also give entities an additional year to revise contracts with business associates. The result will be that, instead of having to renew all contracts and make them compliant with HIPAA before April 2003, organizations can add HIPAA language over time as the contracts expire.

* The security standards protect the confidentiality of health care data that are stored or transmitted and require covered entities to develop a security plan. The final standards are expected this summer, but experts don't expect them to be significantly different from the proposed regulations.

At present, because the deadline for complying with the HIPAA privacy regulations is earlier than the transaction standards deadline, many organizations are concentrating on their privacy compliance efforts.

Sunday, September 23, 2012

The Impact of HIPAA's Privacy Rules on the Discovery of Health Information During Litigation - FDCC Quarterly

I.

INTRODUCTION

The Health Insurance Portability and Accountability Act of 1996' (hereinafter 'HIPAA') was enacted by Congress to 'improve portability and continuity of health insurance coverage in the group and individual markets.'2 To achieve this end, Congress enacted Subtitle F of Title II of HIPAA, which is entitled 'Administrative Simplification.'3 The 'Administrative Simplification' provisions require the implementation of standards by the secretary of Health and Human Services (hereinafter 'the secretary') to facilitate the electronic transmission of health information.4 The 'covered entities' required to comply with these regulations include health plans, health care clearinghouses, and health care providers.5

The enactment of HIPAA has materially changed the way that medical records are treated during litigation involving claims of personal injury or wrongful death. The purpose of this article is to briefly define the regulatory framework, and then analyze the published cases concerning the application of HIPAA to medical records in litigation involving personal injury allegations.

Section 1320d-2 of HIPAA states the following:

(a) Standards to enable electronic exchange.

(1) In general. The secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically . . . .6

A plain reading of the statute suggests that Congress provided the secretary with the authority to promulgate regulations concerning 'electronically' exchanged health information only. The secretary nevertheless established regulations governing the disclosure, privacy, and protection of medical information existing in both electronic and non-electronic form.7 These regulations can be found in Title 45 of the Code of Federal Regulations, Parts 160 and 164, and are referred to as the 'Privacy Rules.' The Privacy Rules provide the circumstances under which a 'covered entity' may disclose 'protected health information.'

'Protected health information,' as defined by the Secretary, concerns health information that is individually identifiable.8 'Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual' is not 'protected health information' and therefore does not fall under the auspices of the Privacy Rules.9

The Secretary's authority to promulgate regulations concerning the privacy of health records that do not exist in electronic form has been challenged unsuccessfully.10 The Fourth Circuit Court of Appeals and a Texas federal trial court have determined that since the definition of 'Health Information,' as provided by Congress in Section 1320d-1, includes information ''whether oral or recorded in any form or medium,'' the Secretary is empowered to regulate the privacy of medical records that exist in either electronic or non-electronic form.11 The district court in Association of American Physicians & Surgeons reasoned that 'regulating non-electronic as well as electronic transmissions of health information effectuates HIPAA's intent to promote the computerization of medical information and to protect the confidentiality of this health information.'12 The court also wrote that, '[t]herefore, even if HIPAA did not expressly allow [the Secretary] to regulate the transmission of non-electronic as well as electronic health information, the provisions of the Privacy Rule promulgated by [the secretary] are reasonably related to the purpose of HIPAA, the enabling legislation, and should be sustained.'13

The Fourth Circuit held that Congress did not unconstitutionally delegate legislative power to the secretary and that the HIPAA preemption provisions are not impermissibly vague under the Due Process Clause of the Fifth Amendment.14 Further, a challenge to the validity of HIPAA under the First, Fourth, and Tenth Amendments also has failed.15

II.

OVERVIEW OF THE 'PRIVACY RULES'

In general, the Privacy Rules provide that a 'covered entity' may disclose protected health information to the patient,16 in compliance with a HIPAA compliant authorization,17 for the treatment, payment, or management of health care operations,18 and pursuant to an agreement between the covered entity and the patient.19 The Privacy Rules also permit disclosure of otherwise protected health information in the context of judicial and administrative proceedings.20

With regard to the latter, disclosure specifically is permitted in response to a court order.21 Further, disclosure is permitted in response to a 'subpoena, discovery request, or other lawful process' if either the 'covered entity receives satisfactory assurance . . . that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request' or 'the covered entity receives satisfactory assurance . . . that reasonable efforts have been made ... to secure a qualified protective order.'22 In short, without a court order, the HIPAA regulations require a party to a litigation seeking protected health information to choose between providing the covered entity with proof of 'notice' to the patients at issue that the information has been requested, or seeking a 'qualified protective order.'23

The regulations provide that a 'covered entity' receives 'satisfactory assurances' that the patients affected by the disclosure of the health information have notice when the covered entity receives a 'written statement and accompanying documentation' that demonstrates the following:

(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, has mailed a notice to the individual's last known address);

(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and

(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:

(1) No objections were filed; or

(2) All objections filed by the individual have been resolved by the court or the administrative tribunal, and the disclosures being sought are consistent with such resolution.24

The Privacy Rules also provide that a covered entity 'receives satisfactory assurance' that reasonable efforts have been made to secure a qualified protective order if:

(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or

(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.25

A 'qualified protective order' is defined in the Privacy Rules as an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:

(A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and

(B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.26

The Privacy Rules also permit disclosure for law enforcement purposes in compliance with a court-ordered warrant, a subpoena or summons issued by a judicial officer, a grand jury subpoena, or an administrative request, such as an administrative subpoena or summons, and a civil or an authorized investigative demand.27

There is no federal physician-patient privilege, either by statute or at common law.28 Further, in general, the federal courts have not recognized a constitutional right to privacy in one's medical records.29 Rather, Congress primarily has left it to the states to determine the level of privacy afforded to medical information maintained by health care entities.30 The HIPAA Privacy Rules therefore could potentially protect a patient's medical records in federal question cases when that protection otherwise would not occur.31 Although a number of states have enacted legislation protecting patients' medical information,32 the HIPAA regulations impact the discovery of health information in state court litigation, as well as in federal courts applying state law, because of the HIPAA preemption provision.33 Specifically, a state privacy statute is preempted by HIPAA unless 'the provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification' of the Privacy Rules.34

Covered entities were not required to comply with the secretary's regulations until April 13, 2003.35 Despite this compliance date, some courts required that covered entities, when disclosing health information, comply with the Privacy Rules on grounds that the privacy regulations manifested a strong federal policy towards protecting the privacy of a patient's medical records.36 One court, however, when presented with the issue of whether a criminal defendant's medical records should be suppressed because the disclosure of these records to law enforcement personnel did not accord with the secretary's regulations, would not ground its decision on the Privacy Rules because the disclosure was done in the 'pre-enforcement stage.' The court reasoned that such disclosure would risk an impermissible advisory opinion by the court.37

Although HIPAA does not create a private right of action,38 'covered entities' that were not parties to the litigation have refused to disclose health information in that litigation, fearing penalties for impermissible disclosure either under state laws or HIPAA.39 Given these circumstances, courts thus far have been willing to craft protective orders requiring disclosure of pertinent health records to the parties involved in litigation while simultaneously ensuring that the privacy rights of non-parties are protected in accord with the Privacy Rules.40

Some parties to litigation also have objected to the scope of health information disclosure under the HIPAA Privacy Rules.41 In these cases, the courts have been unwilling to permit a litigant to use the protections afforded by the Privacy Rules as a shield to deny adversaries access to health information that is relevant to the litigation.

III.

IMPACT OF HIPAA's PRIVACY RULES ON DISCOVERY OR DURING LITIGATION

Turning now to the extant cases concerning the scope and effect of HIPAA regulations on the collection of medical records in litigation, the following cases are relevant as of this writing. In National Abortion Federation v. Ashcroft,42 a lawsuit was commenced by a 'professional organization of abortion providers' and seven physicians in the Southern District of New York challenging the constitutionality of the Partial Birth Abortion Ban Act of 2003 ('PBABA'). PBABA prohibits certain late-term abortion procedures. One of the physicians, Dr. Hammond, was an attending at Northwestern Memorial Hospital. In support of plaintiffs' motion for a temporary restraining order, Dr. Hammond asserted that he performed PBABA-banned abortions on women with a variety of medical conditions for the protection of their health.

The government served Dr. Hammond with a demand to identify the relevant patient medical record numbers for the 'medically necessary abortion procedures' allegedly performed by Dr. Hammond and to produce the medical records concerning those patients. The court wrote that the government's demand was designed to obtain impeachment material against Dr. Hammond.

Dr. Hammond responded to the government's demand by asserting that he did not possess or control the records requested. The government then served Northwestern Memorial Hospital ('Northwestern') with a subpoena under Federal Rule of Civil Procedure 45. The subpoena was accompanied by an order signed by the district court judge sitting in New York who presided over the action. The order authorized Northwestern to disclose the records, and the government agreed to accept records that redacted any identifying information.

Northwestern moved to quash the subpoena on grounds that the records were privileged under HIPAA and Illinois law. The court held that the subpoena complied with HIPAA because a court order authorizing disclosure was attached.43 However, the court recognized that 'a contrary state health information privacy law will not be preempted by a HIPAA regulation if the state law is 'more stringent'' than the HIPAA regulation.44 The court held that Illinois statutory law did not permit disclosure of the records, even if the identifying information was redacted. The court therefore granted Northwestern's motion to quash.

In A Helping Hand, LLC v. Baltimore County, Maryland,45 the plaintiff, 'A Helping Hand,' alleged that the defendant violated the Americans with Disabilities Act and the Due Process Clause of the Fourteenth Amendment. Arguing that the defendants improperly prevented it from locating a methadone treatment clinic in Baltimore County, the plaintiff moved for a protective order to bar defendants from obtaining medical information concerning Helping Hand's patients during discovery. The court considered this information important because whether Helping Hand's patients were 'individuals with disability' under the ADA was a threshold issue in the litigation. If they were not, then plaintiff had no grounds to argue that the defendants interfered with the ADA rights of plaintiff's patients.

Defendants countered that since the issue whether a person was afforded 'disability status' required 'individual assessment,' they were entitled to the information about Helping Hand's clients. Helping Hand responded that the information was privileged under HIPAA and Maryland's patient-psychotherapist privilege.

The court determined that HIPAA did not prevent disclosure of the information to defendants. The court held that, '[e]ven assuming the patient data is covered by HIPAA, the HIPAA regulations permit discovery of protected health information so long as a court order or agreement of the parties prohibits disclosure of the information outside the litigation and requires return of the information once the proceedings are concluded.'46 The court reasoned that, 'while no such order or agreement is yet in effect, the parties presumably could obtain one.'47

The court also held that the Maryland provision cited by plaintiff did not apply since the lawsuit was governed by federal law under Federal Rule of Evidence 501. Given that the privilege for confidential communications between a patient and a psychotherapist applied under federal law, state law would not apply. And, since Helping Hand had not even asserted the federal privilege, disclosure of the records was warranted.

Notwithstanding its determination regarding the privilege, the court noted that it would be sufficient for purposes of the lawsuit if defendants were to obtain only: (1) Helping Hand's general policies and practices in accepting patients, and (2) the typical characteristics of the patients served by Helping Hand. The court reasoned that the 'general' information about the 'typical patients' served by Helping Hand was sufficient in light of the 'extremely sensitive' nature of the information and because 'association with even a single person meeting the statutory criteria may afford Helping Hand a claim.'48

The issue now dominating this analysis is whether these two cases can be reconciled. The court in each case engaged in a balancing test, weighing the probative value of the information requested against the privacy concerns at stake. Both courts likewise reasoned that the information requested was extremely sensitive. However, the probative value varied with each determination.

The court in National Abortion Federation stated that a woman's decision to undergo an abortion involves 'issues indisputably of the most sensitive stripe.' The court then balanced this privacy concern against the minimal, ' any probative value,' that the information might have on the case and 'the ready availability of information traditionally used to challenge the veracity of Dr. Hammond's scientific assertions and medical opinions.'49 The court reasoned that, 'when contrasted with the potential loss of privacy that would ensue were these medical records used in a case in which the patient was not a party, the balance of harms resulting from disclosure severely outweighs the loss to the government through non-disclosure.'50 In A Helping Hand, however, the court recognized that the information requested was probative to a 'threshold issue' in the case, i.e., whether the clients of Helping Hand were 'individuals with disability' under the ADA.

A further discrepancy between the cases concerned the issue of HIPAA preemption. The court in A Helping Hand stated that the Maryland privacy provisions did not apply because federal and not state law governed the lawsuit. The court did not analyze whether the Maryland provisions were more stringent than HIPAA. In contrast, the court in National Abortion Federation rested its federal decision on state privacy statutes, despite its determination that a federal physician-patient privilege existed concerning a woman's decision to undergo an abortion. It is at least arguable that each court's decision on the preemption issue was predetermined by the balancing act.

In another relevant decision, the defendant physician in United States v. Sutherland51 was accused of unlawfully distributing and dispensing controlled substances. The government issued subpoenas to a non-party hospital to compel production of the pharmacy records of the defendant's patients. The hospital moved to quash the subpoena on grounds that disclosure of the requested information would subject it to civil liability under state law in West Virginia.

The district court reasoned, however, that as 'this is a federal criminal matter[;] state laws of procedure do not apply,' and 'patients have no expectation of privacy in medical records with regard to federal criminal proceedings because there is no federal physician-patient privilege.'52 Although compliance with the secretary's regulations was not required at the time the subpoena issued, the district court considered the regulations to be 'persuasive in that they demonstrate a strong federal policy of protection for patient medical records.'53

The court held that the government in this criminal proceeding had a 'compelling interest' in obtaining the prescription records.54 Since the government's subpoena was not accompanied by a court order and was not a grand-jury subpoena, however, the court did not rely on section 164.512(e)(1)(i) or 164.512(f) to justify disclosure of the pharmacy records at issue. Instead, consistent with section 164.512(e)(ii), the court crafted a protective order it considered sufficient to provide 'reasonable assurances' to the hospital that the affected patients would have notice and an opportunity to object to the disclosure of their records.

'[I]n accord with the Standards issued by the secretary,' the court ordered the government to 'provide written notice prior to production of the subpoenaed records to the last known address of each individual whose records are sought under the subpoena.'55 The court also ruled that any 'notice must inform the individual that he or she may object to the disclosure within five business days' and that 'all objections by the government or by affected individuals' would be resolved prior to the start of trial.56

The case of Hutton v. City of Martinez57 is likewise relevant. The plaintiff there alleged that his civil rights were violated when an out-of-shape police officer shot him in the back because the officer was incapable of pursuing the plaintiff on foot. The police officer was named as a defendant. Plaintiff served various discovery demands seeking information about the officer's physical condition on the day of the alleged shooting. The officer's worker's compensation carrier, however, declined to produce any medical records concerning the officer's work-related back injury. (Apparently, the defendant-officer raised no objection to the production of these records for the purposes of this litigation). The plaintiff also subpoenaed for deposition the claims person who handled the officer's worker's compensation claim regarding the back injury. When the claims person was produced for the deposition, however, her attorney instructed her not to answer any questions regarding the officer's worker's compensation file on grounds that such testimony was not permitted under HIPAA.

The court held that HIPAA did not preclude the production of the records requested in the case at issue because, consistent with section 164.512(e)(iv), the parties agreed to a protective order that would adequately safeguard the defendant officer's privacy interests. Although the court's decision did not state the terms of the protective order, the order presumably required that the information be used only within the pending litigation and that the material be returned to the covered entity or destroyed at the end of the litigation, in keeping with the spirit of 45 CFR section 164.512(e)(v).

In Lemieux v. Tandem Health Care of Florida, Inc.58 the plaintiff was involved in a car accident and was hospitalized at Lakeland Regional Medical Center (hereinafter 'Lakeland'). A non-party, Dr. Greenberg, treated him at that site. The patient later was transferred to Arbors, an in-patient rehabilitation facility and a named defendant in the case. While at Arbors, the plaintiff was treated by non-party Dr. Fielding. The plaintiff also received treatment at Arbors from non-party Dr. Goll, the physician who eventually discharged him from Arbors. Drs. Goll, Greenberg, and Fielding were not employees or agents of Arbors.

The plaintiff sued Arbors for negligent hiring and retention, and 'for various violations of Chapter 400 of the Florida statutes.'59 During discovery proceedings, the plaintiff filed a motion seeking court approval to conduct ex-parte discussions with the aforementioned physicians. Florida's physician-patient privilege, grounded in statutory law,60 authorizes disclosure of a patient's medical records under four circumstances: (1) to other health care providers involved in the care and treatment of the patient; (2) if permitted by written authorization from the patient; (3) if compelled by subpoena; and (4) to attorneys, experts, and other individuals necessary to defend the physician in a medical negligence action in which the physician is or expects to be a defendant.61

Under the Florida statute, the court determined that Drs. Goll, Fielding, and Greenberg could not engage in an ex parte discussion with Arbors' attorneys since the physicians were not employees of Arbors and were not currently treating the patient. Furthermore, the disclosure was not made from one health care provider to another; instead, it was made from one health care provider to the attorney of another health care provider. The court also noted that nothing prevented Arbors from serving the treating physicians with a subpoena to appear for a deposition.

In a footnote, the court wrote that HIPAA did not preempt Florida's statutory physician-patient privilege even though the Florida statute did not require that the entity disclosing medical information provide written notice to the patient that the patient could object to the disclosure. The court reasoned that the Florida statute, although 'procedurally' less strict, was 'substantively' more strict than the Privacy Rules because 45 CFR section 164.512(e)(1)(ii) requires only that a covered entity receive 'satisfactory assurance' that the patient who is the subject of the protected health information has been given notice of the intended disclosure. Under the Florida statute, however, disclosure based on notice alone was not permitted.

The court in United States ex rel. Mary Jane Stewart v. Louisiana Clinic62 addressed similar issues. The plaintiffs in that case brought a qui tam action alleging that the defendant-physicians and medical clinic defrauded the federal government by presenting false claims for reimbursement of medical services provided to Medicare and Medicaid participants. The plaintiff requested various medical records concerning non-party patients. The defendant Dr. Flood moved for a protective order, asserting that the medical records would result in civil liability to the non-party patients under Louisiana state law if produced with patient identifying information.

In that regard, a Louisiana statute provided that disclosure of medical records was authorized only 'after a contradictory hearing with the patient... and after a finding by the court that the release of the requested information is proper.'63 The court held that the Louisiana statute did not apply, however, because the action was commenced under the authority of a federal statute, giving rise to exclusive federal question jurisdiction. It was also preempted by HIPAA. The court reasoned that since the Louisiana statute permitted disclosure under the given facts without the patient's consent, it did not adequately address the 'form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information,' as required by 45 CFR Section 160.202(4).64

Nevertheless, the court held that disclosure of the medical information at issue was permitted under 45 CFR Section 164.512(e). It observed that since the plaintiffs and defendants 'have complied with the HIPAA regulations at issue by seeking an appropriate protective order and that the court has authority to order disclosure of nonparty patient information, subject to such a protective order, without conducting a contradictory hearing or having the parties obtain the patients' consent,' disclosure was warranted.65

The court therefore crafted a protective order that required a 'twofold' production of the records. First, the defendants were required to provide a set of 'unredacted' documents to plaintiffs' counsel. The court reasoned that the plaintiffs 'must be allowed to see the patient names so that they can investigate the validity of the claims for services rendered to those patients.'66 Second, a set of 'redacted' records were to be provided and were permitted to be used by any party for any pretrial purpose.

The court order also provided that 'no more than two paralegals employed by counsel of record and one expert per party retained in connection with this litigation' should review those records.67 Further, '[a]ll persons to whom such information is disclosed must sign an affidavit that must be filed into the record, agreeing to the terms of the protective order and submitting to the jurisdiction of this Court for enforcement of those terms.'68 Finally, the court ordered that the scope of health information disclosure was restricted only to the litigation at hand.

In Horn v. Hernandez,69 the plaintiff commenced an action in New York State Supreme Court to recover damages arising from two motor vehicle accidents. The plaintiff alleged in the bill of particulars that she became 'sick, sore, lame and disabled . . . and suffers great physical and mental pains.'70 One of the defendants requested that the plaintiff provide an authorization for her psychiatric records. In response, the plaintiff moved for a protective order, claiming that the court was without authority to compel production of the authorizations because of HIPAA preemption.

The court rejected plaintiff's argument that it was without jurisdiction to require the release of her psychiatric records. It stated that the Privacy Rules specifically permitted the court to compel production of the authorization under section 164.512(e)(1)(i). The court reasoned that HIPAA does not impede 'the authority of this court to order a party in action before it to disclose medical, dental or other health information and/or records to adversarial parties by directing the party whose physical, emotional and/or mental condition is in controversy to execute authorizations permitting the release of health information deemed conditionally protected under the general provisions of HIPAA and its regulatory framework.'71 The court held that since the plaintiff had placed her mental and emotional condition in controversy in the lawsuit, she waived her psychiatrist-patient privilege. Consequently, it ordered production of an authorization for the release of those records.

The case of Lewis v. Clement72 involved the dissolution of a dental partnership. The issue before the New York State Supreme Court was whether the plaintiff, who was one of the group's partners, was entitled to the patient records of the other members of the dental practice. The defendants asserted that the plaintiff was only entitled to the records of those patients that he actually treated while a partner with the group. In its decision, the court recognized the New York common law principle that a former partner is only entitled to the records of patients with whom a patient-physician relationship was created during the existence of the partnership.

The defendants, however, also argued that under HIPAA they were not permitted to share any files with the plaintiff. The court ruled that since the 'parties herein do not dispute that [the group] transmitted health information in electronic form,' the partnership group was a 'covered entity' under HIPAA.73 The court held that the records relating to plaintiff's patients required disclosure to the plaintiff since 'HIPAA cannot be used as a sword or shield in disputes between partners as it relates to the sharing of patient records.'74 The court continued, noting that if 'the physician (the covered entity) has a relationship with a patient, the remaining partners may not refuse to provide files by virtue of HIPAA,' as long as there was a physician-patient relationship.75

IV.

ANALYSIS

As of this writing, the date by which 'covered entities' were required to comply with the HIPAA Privacy Rules is eight months past. This article has discussed each of the reported decisions addressing the impact of the Privacy Rules on the discovery of health information during litigation. Of course, these decisions are few. However, the practical effects of the Privacy Rules already have impacted litigation practice.

The HIPAA regulations have changed the way that defense firms gather medical records, protect those records once gathered, send records to experts and others for review, and ultimately dispose of those records. In those jurisdictions where ex parte communications with treating physicians were permitted, that practice must be re-examined in light of HIPAA regulations.

Another area of potential concern for covered entities and their business associates is civil tort liability for impermissible disclosure of identifiable health information. As discussed above, the Privacy Rules expressly state that no federal private right of action has been created. The question whether a state law cause of action exists will depend, of course, on each individual state. One commentator acknowledges the potential for such an action, since the HIPAA Privacy Rules create duties of care with respect to health information.76 To date, however, there are no reported cases in this regard.

As demonstrated by the holdings in Sutherland and Louisiana Clinic, some federal courts have interpreted HIPAA as creating a 'pseudo' federal statutory physician-patient privilege. The HIPAA Privacy Rules only restrict the disclosure of health information by 'covered entities.' In both cases, the courts determined that the health information at issue was relevant and material. However, instead of simply ordering the covered entity to disclose the health information, which would have addressed the concerns of the 'covered entities' under section 164.512(e)(1), the courts used the Privacy Rules as a guideline to impose conditions on disclosure in order to protect the privacy of non-parties.

One important question left unanswered by the decision in United States of America v. Sutherland is the following: What grounds, if asserted by a non-party, would be sufficient to deny a party to a litigation access to health information of a non-party that is otherwise material and relevant? Although this question remains open, the potential clearly exists for significant litigation delays based on this court's interpretation of HIPAA. The court ordered that, insofar as a non-party objects to the disclosure of his or her health information, a pre-trial hearing must 'resolve' the issue. Depending on the number of non-parties objecting to the disclosure of their health information, the burden of such additional litigation could be significant. In contrast, the court in Louisiana Clinic did not allow for the possibility of several pre-trial 'hearings' to determine whether non-parties' health information is discoverable. That court, however, crafted a 'two-fold' protective order and limited access of these records to two paralegals and one expert within each party's law firm. The question that remains affecting this limitation is what relief will be available if a further expert is needed. One surmises that at least they will be required to show cause why additional disclosure of the health information is necessary.

These issues, however, do not appear to surface when the health information involves a party. As demonstrated by the Hutton and Horn decisions, a litigant will not be permitted to use HIPAA as a means to deny access to material health information to an adversary. As demonstrated in Hutton, however, a litigant must be required at a minimum to obtain an authorization or seek a 'qualified protective order' before obtaining health information from a non-party 'covered entity.'

Although published decisions concerning application of the Privacy Rules during litigation are few in number, it is clear that the Privacy Rules must be addressed by litigants whenever the potential exists to discover health information for the prosecution or defense of their cases. For this reason, it is important for all practitioners to become reasonably acquainted with the Privacy Rules and understand their potential impact. Further, insofar as covered entities are potentially exposed to statutory penalties under HIPAA and state tort claims, covered entities should ensure that their legal departments remain abreast of the Privacy Rules and corresponding case law.

Until the HIPAA Privacy Rules are addressed with greater frequency by appellate courts, some degree of uncertainty for litigants and non-party 'covered entities' will continue. Issues regarding when or under what conditions identifiable health information must be properly disclosed under the Privacy Rules will predominate.

[Author Affiliation]

Michael D. Shalhoub is a partner in the New York office of Heidell Pittoni Murphy & Bach, LLP. He is a trial lawyer whose practice concentrates in the defense of business, professional and insurance interests brought into litigation over products liability, medical and professional liability, employment discrimination and commercial disputes. Active in the courtroom, Mr. Shalhoub has resolved over eighty cases at the trial stage, including favorable jury verdicts, in products liability, medical malpractice, employment discrimination, coverage, construction accidents and general liability. He is active in the FDCC and DRI, and is currently the Chair of DRI's Medical Liability and Health Care Law Committee.

Saturday, September 22, 2012

HIPAA Contract Dos and Don'ts.(Brief Article) - Collections & Credit Risk

Under HIPAA, a valid business associate contract must include the following privacy requirements:

(a) It must generally describe the types of uses and disclosures of protected health information that may be made by the business associate.

(b) It must allow the healthcare organization to terminate the contract if the business associate violates a material term of the contract's privacy requirements.

(c) It must require that the business associate will:

- Not use or further disclor required by the contract or as required by law;

- Use appropriate safeguarinformation other than as provided for by the contract;

- Report to the healthcareinformation not providedaware;

HIPAA privacy regs: Six steps to compliance.(Health Insurance Portability and Accountability Act of 1996 )(privacy regulations) - Employee Benefit News

As the April 14, 2003 compliance deadline for HIPAA privacy regulations draws ever nearer, a quick compliance readiness self-audit and road map can help you stay on track and make the entire process a lot less overwhelming.

While the regulations are complex, and satisfying their requirements will involve a multifaceted, ongoing effort, understanding what's involved is made easier by breaking it down into the following six elements:

* Recognizing how HIPAA privacy regulations affect your organization.

* Reviewing your relationships with service providers.

* Making the needed plan document amendments.

* Communicating the new rules to employees.

* Training personnel who will be involved in compliance.

* Getting ready for the impact on employees.

Here is a streamlined look at what's involved in each element.

How your organization is affected: The answer depends upon whether you are a 'covered entity' (i.e., a typical employer-sponsored health plan), a 'hybrid entity' (single legal entities that perform both covered and noncovered functions) or a 'business associate' (for example, a TPA). In addition, you need to know which of the health and welfare benefits you offer are actually covered by the HIPAA privacy rules.

For example, disability, workers' compensation and life insurance are not. Medical, hospital, drug, behavioral health, and other health benefits are. You also need to look closely at such benefits as Employee Assistance Programs (EAPs) to determine whether they are an ERISA plan and, consequently, a Covered Entity under HIPAA. And don't forget to look at the elements of your flexible spending arrangements that may be covered.

Provider relationships: First, pinpoint all the 'business associates' that provide services to your health plan and determine what changes will be required in their operations (including the reports they generate and how they handle individual privacy rights).

Next, prepare a business associate agreement (or get one from the business associates) and execute it by April 14. While some organizations may be eligible for an exception from this timeline, it will probably consume more effort to determine eligibility for an exemption than to simply execute a standard agreement.

Plan amendments: If your group health plan is self-insured, then the plan documents must, of course, be amended. If they are not amended, you cannot receive 'Protected Health Information' (PHI) for plan administration purposes. In addition, you need to create 'firewalls' between the group health plan and the human resources function.

Steps must be taken to assure that protected health information isn't used or disclosed for employment or other benefit plan purposes. If your group health plan is fully insured, you may need to amend plan documents if PHI is used for purposes such as audits or quality control.

Employee communications: The most basic requirement here is to prepare, by April 14, a Notice of Privacy Practices and to have a game plan in place to distribute the notice. This effort may require coordination with business associates. If your group health plan is fully insured, you may be exempt from this requirement, but nevertheless you should be mindful that employees will be receiving such notices from insurance carriers. Although HIPAA doesn't mandate that SPDs be revised, you may want to do so just the same.

Staff training: Employees who use PHI must be trained on how to comply with the new regulations prior to April 14. Therefore, you should schedule training promptly and establish procedures for tracking and documenting training. Benefits staff should be trained first, while establishing the firewall to guard against improper disclosure of protected health information. Next, train HR staff on HIPAA privacy compliance, and promulgate a ban on improper use and disclosure of protected information. Finally, conduct compliance training for line managers and supervisors.

Prepare for employee impact: Employees will need to be advised of new procedures that will be in place to assure regulatory compliance. For example, employees may face new questions when interacting with human resources, 'call centers' or HMOs about their health claims. In addition, employee consent may be required for HR professionals to carry out routine tasks involving disability benefit applications, integrated disability management, or implementing routine ADA and FMLA-related tasks.

Given the importance of preventing health information from being used in the employment process, HR should evaluate all the places where firewalls need to be built.

You should work closely with your attorneys and consultants as you move through the challenges of HIPAA compliance. You must retain the ability to examine PHI for plan administration purposes, particularly in these times of rampant health cost increases. Consequently, you must put in place those policies that will protect employee PHI, but assure that you can fully analyze the cost implications of your benefit plans.

Remember that HIPAA requires reasonable and flexible policies and procedures - and that only your business knows what standards will work for it.