
I.G. Subpoenas and the HIPAA Privacy Rule



Presentation Transcript


  1. I.G. Subpoenas and the HIPAA Privacy Rule • The views and opinions expressed in the presentation are those of the presenter, and not necessarily official positions of the Office of Inspector General, Department of Health and Human Services

  2. The Inspector General’s Authority • Inspector General Act of 1978 5 U.S.C. App 3 • Inspector General Subpoenas 5 U.S.C. App 3 § 6(a)(4) “to require by subpoena the production of all [documents] necessary in the performance of the functions assigned by this Act.”

  3. HIPAA Privacy Rule • 45 C.F.R. § 164.512 permits covered entities to disclose protected health information (PHI) without patient consent for the 12 “national priorities” listed in this section. • Most disclosures to the HHS IG will come under 45 C.F.R. §§ 164.512(a) and 164.512(d)

  4. The Inspector General as Health Oversight Agency • Definition of a health oversight agency 45 C.F.R. § 164.501 • Regulation preamble 65 Fed. Reg. 82492 (Dec 28, 2000)

  5. The Health Oversight Exception • 45 C.F.R. § 164.512(d) • Permits covered entities to disclose protected health information to a health oversight agency for oversight activities authorized by law.

  6. The Health Oversight Exception • Examples of health oversight activities: • audits, • civil, administrative or criminal investigations, • inspections, • licensure or disciplinary actions, • civil, administrative or criminal proceedings or actions

  7. The Health Oversight Exception • More health oversight activities: • Health fraud investigations conducted with the FBI/DoJ. • Both IG subpoenas and DoJ’s administrative subpoenas (18 U.S.C. § 3486) are used. • The HIPAA Privacy Rule permits covered entities to disclose in response to both types of subpoena under the health oversight exception.

  8. The Health Oversight Exception • More health oversight activities • Joint investigations with other agencies: health oversight investigation conducted in conjunction with an investigation related to a claim for public benefits not related to health. • Example: social security number fraud involving Medicaid and other public benefits such as food stamps, housing vouchers.

  9. The Required by Law Exception • 45 C.F.R. § 164.512(a) • Permits covered entities to “disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.”

  10. Required by Law • Definition of required by law 45 C.F.R. § 164.501 • Includes subpoenas issued by a governmental inspector general. Also includes the “Medicare conditions of participation with respect to health care providers participating in the program.”

  11. Overlap of Health Oversight and Law Enforcement • Some requests for disclosure of PHI could fit under more than one exception in 45 C.F.R. § 164.512 • Regulation Preamble • 65 F.R. 82524: Covered entity may disclose PHI as permitted by one paragraph of § 164.512 regardless of whether the disclosure fails to meet the requirements under a different paragraph of § 164.512 or elsewhere in the rule.

  12. Health Care Fraud as Health Oversight • Regulation Preamble 65 Fed. Reg. 82532 explains that health care fraud was moved from law enforcement in the notice of proposed rule making to health oversight in the final rule.

  13. Informing the Covered Entity • Subpoena cover letter • OIG will cite applicable section of the HIPAA Privacy Rule that permits disclosure • OIG may demand a suspension of accounting of disclosures per 45 C.F.R. § 164.528 • Verification of Identity • 45 C.F.R. § 164.514(h)(2)(ii)

  14. Conclusion • The HIPAA Privacy Rule permits covered entities to disclose PHI in response to IG subpoenas. • The OIG will work with covered entities to allay concerns about an IG subpoena; however, when necessary, we will take action to enforce the subpoena. • If a covered entity has questions about disclosure of PHI related to an IG subpoena from the HHS OIG, it should contact the Office of Counsel to the Inspector General at (202) 619-0335.
