H OGAN & H ARTSON, L.L.P. http:\\.
-
Upload
natalie-carney -
Category
Documents
-
view
214 -
download
1
Transcript of H OGAN & H ARTSON, L.L.P. http:\\.
![Page 1: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/1.jpg)
HHOGAN &OGAN & H HARTSON, L.L.P.ARTSON, L.L.P.http:\\www.hhlaw.comhttp:\\www.hhlaw.com
““Publications”Publications”““Health”Health”
![Page 2: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/2.jpg)
HIPAA Special Issues: Making Compliance Possible
Donna A. Boswell
Fall 2002
HOGAN & HARTSON, L.L.P.
![Page 3: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/3.jpg)
HOGAN & HARTSON,
L.L.P.
THE Secret to HIPAA: Responsibility Belongs Where You Say It Does
• Rule applies directly to a “covered entity”• A corporate entity, partnership or foundation can
narrow its scope of liability through the “hybrid entity” rules.
• The “OHCA rules” can be used to streamline administrative burdens and liability
• A covered entity can voluntarily expand the scope of its liability by entering into a “business associate” relationship, or by using the affiliated entity rules.
![Page 4: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/4.jpg)
HOGAN & HARTSON,
L.L.P.
The Compliance Goal:Getting A Handle On Costly Administrative Requirements
• Acknowledgement/intake process
• Authorizations and revocations
• Access/amend/accounting
• Restricted communications
• Requests for restricted use/disclosure
• Employee training and firewalls (and developing policies/systems for same)
![Page 5: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/5.jpg)
HOGAN & HARTSON,
L.L.P.
Just tell me what I have to do -- Why do I care about these?
“covered entity” “hybrid” entity “health care component”
“business associate” “non-covered provider”“OHCA” “workforce”
Perhaps the most critical implementation challenge for lawyers is
establishing the relationships between these HIPAA structures and
the legal entities and individuals that must implement the requirements.
![Page 6: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/6.jpg)
HOGAN & HARTSON,
L.L.P.
HIPAA Entities Are Not Corporate Persons
![Page 7: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/7.jpg)
HOGAN & HARTSON,
L.L.P.
HIPAA Entities Are Designations
in Compliance Documentation and/or Notice
![Page 8: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/8.jpg)
HOGAN & HARTSON,
L.L.P.
Tell me the Hybrid Entity Story…
• Hybrid entity: “A single legal entity that is a covered entity whose business activities include both covered and non-covered functions”
• That designates “health care components” (HCCs) in accord with the rule. – Must not leave any “covered entity” outside of a HCC
– May include only a component that performs a “covered function” or an “internal BA”
![Page 9: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/9.jpg)
HOGAN & HARTSON,
L.L.P.
The Hybrid Entity Lived “Happier” in HIPAA Land Because…
• A rule reference to “covered entity” refers to HCC – (e.g., policies for workforce uses, disclosures,
minimum necessary, training, security)
• A rule reference to “protected health information” refers to PHI created or received by/behalf of the health care component. – (e.g., access/inspect/amend/accounting; fundraising)
![Page 10: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/10.jpg)
HOGAN & HARTSON,
L.L.P.
Compliance Teamwork:Using OHCAs To Pool Obligations and Limit Liability
• When a HIPAA entity has a legal obligation--– Who -- what corporate or living person -- may
perform it?– How do you address “apparent agency” issues?
When does performance “count” as compliance for a particular entity?
– Who is liable if it is not performed?
![Page 11: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/11.jpg)
HOGAN & HARTSON,
L.L.P.
Organized Health Care Arrangements
1. Clinically integrated care setting in which individuals typically receive care from more than one provider.
2. Organized system of care --“Hold themselves out” as joint arrangement, andparticipate in joint activities (UR, QA, PMT risk)
3. Group plan and HII or HMO 4. 2 or more group plans of same sponsor5. 2 or more group plans and HMOs, HIIs
![Page 12: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/12.jpg)
HOGAN & HARTSON,
L.L.P.
OHCA Facts
• Is a definition only; not a required designation. • May have a joint notice; need not have the same
P&Ps• Need not have BAAs for “joint activities” of the
OHCA • May include non-covered providers• A living human being can be in an OHCA and be
a separate covered entity (or non-covered provider) – no special designation required
• A covered entity can be in more than one OHCA
![Page 13: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/13.jpg)
HOGAN & HARTSON,
L.L.P.
OHCA Issues and Utility
• A tool for managing apparent agency liability & consumer protection issues.
• Designation via Notice, which also can establish responsibility for authorizations, revocations, and exercise of certain rights (e.g., confidential communications, restrictions)
• Policies and procedures – a HIPAA designation option
![Page 14: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/14.jpg)
HOGAN & HARTSON,
L.L.P.
Special Liability Issues
• Who will sign business associate agreement for the OHCA?
• When a “use” is authorized, are there restrictions on who may do it?
• When a “disclosure” is authorized, are there restrictions on what the recipient may do with the information?
• Does the entity that is authorized to disclose have legal obligations after doing so?
![Page 15: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/15.jpg)
HOGAN & HARTSON,
L.L.P.
Business Associate Agreements: Expansions of Liability
• “On behalf of such covered entity…performs or assists in the performance of:
– “(A) A function or activity involving the use or disclosure of …[PHI], or
– “(B) Any other function or activity regulated by this subchapter, or
• “…legal, actuarial, accounting, consulting , data aggregation, management, administrative, accreditation, or financial services… [involving PHI]
![Page 16: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/16.jpg)
HOGAN & HARTSON,
L.L.P.
BA Issues? (P. 53253)
• A third party is not your BA if PHI is for:– A covered function (e.g., treatment, payment),
unless for the third party is performing the function on your behalf (e.g., billing)
– A non-covered function, whether or not on your behalf, that is a disclosure permitted by the regulation (e.g., research, law enforcement, public health reporting)
– An activity where PHI access is “incidental”
![Page 17: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/17.jpg)
HOGAN & HARTSON,
L.L.P.
Why not do a BA -- to be sure?
• Belts and suspenders do not help – you need only one compliance mechanism
• If you have a BA agreement with a third party:– all information transfers and all uses by the BA become
“uses” by the CE -- if the BA activity is not a permissible use (i.e., TPO) the agreement is evidence of a CE violation
– CE must cure, mitigate or report known violations– for each patient request of an accounting, you must
have a mechanism to check BA’s disclosures for purposes of providing the accounting.
![Page 18: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/18.jpg)
HOGAN & HARTSON,
L.L.P.
![Page 19: H OGAN & H ARTSON, L.L.P. http:\\.](https://reader036.fdocuments.in/reader036/viewer/2022080209/55146f6e550346494e8b5f9c/html5/thumbnails/19.jpg)
HHOGAN &OGAN & H HARTSON, L.L.P.ARTSON, L.L.P.
555 13th Street NW555 13th Street NWWashington, DC 20004Washington, DC 20004
202-637-5600202-637-5600http:\\www.hhlaw.comhttp:\\www.hhlaw.com