I.G. Subpoenas and the HIPAA Privacy Rule - PowerPoint PPT Presentation

About This Presentation

Title:

I.G. Subpoenas and the HIPAA Privacy Rule

Description:

Number of Views:98

Avg rating:3.0/5.0

Slides: 15

Provided by: OIG8

Learn more at: https://assets.hcca-info.org

Category:

more less

Transcript and Presenter's Notes

Title: I.G. Subpoenas and the HIPAA Privacy Rule

1
I.G. Subpoenas and the HIPAA Privacy Rule

The views and opinions expressed in the
presentation are those of the presenter, and not
necessarily official positions of the Office of
Inspector General, Department of Health and Human
Services

2
The Inspector Generals Authority

Inspector General Act of 1978
5 U.S.C. App 3
Inspector General Subpoenas
5 U.S. C. App 3 6(a)(4) to require by subpoena
the production of all documents necessary in
the performance of the functions assigned by this
Act.

3
HIPAA Privacy Rule

45 C.F.R. 164.512 permits covered entities to
disclosure protected health information (PHI)
without patient consent for the 12 national
priorities listed in this section.
Most disclosures to the HHS IG will come under 45
C.F.R. 164.512(a) and 164.512(d)

4
The Inspector General as Health Oversight Agency

5
The Health Oversight Exception

45 C.F.R. 164.512(d)
Permits covered entities to disclose protected
health information to a health oversight agency
for oversight activities authorized by law.

6
The Health Oversight Exception

7
The Health Oversight Exception

More health oversight activities
Health fraud investigations conducted with the
FBI/DoJ.
Both IG subpoenas and DoJs administrative
subpoenas (18 U.S.C. 3486) are used.
The HIPAA Privacy Rule permits covered entities
to disclose to both types of subpoena under the
health oversight exception.

8
The Health Oversight Exception

More health oversight activities
Joint investigations with other agencies health
oversight investigation conducted in conjunction
with an investigation related to a claim for
public benefits not related to health.
Example social security number fraud involving
Medicaid and other public benefits such as food
stamps, housing vouchers.

9
The Required by Law Exception

45 C.F.R. 164.512(a)
Permits covered entities to disclose protected
health information to the extent that such use or
disclosure is required by law and the use or
disclosure complies with and is limited to the
relevant requirements of such law.

10
Required by Law

Definition of required by law
45 C.F.R. 164.501
Includes subpoenas issued by a governmental
inspector general.
Also includes the Medicare conditions of
participation with respect to health care
providers participating in the program.

11
Overlap of Health Oversight and Law Enforcement

Some requests for disclosure of PHI could fit
under more than one exception in 45 C.F.R.
164.512
Regulation Preamble
65 F.R. 82524 Covered entity may disclose PHI as
permitted by one paragraph of 164.512 regardless
of whether the disclose fails to meet the
requirements under a different paragraph of
164.512 or elsewhere in the rule.

12
Health Care Fraud as Health Oversight

Regulation Preamble
65 Fed. Reg. 82532 explains that health care
fraud was moved from law enforcement in the
notice of proposed rule making to health
oversight in the final rule.

13
Informing the Covered Entity

Subpoena cover letter
OIG will cite applicable section of the HIPAA
Privacy Rule that permits disclosure
OIG may demand a suspension of accounting of
disclosures per 45 C.F.R. 164.528
Verification of Identity
45 C.F.R. 164.514(h)(2)(ii)

14
Conclusion

The HIPAA Privacy Rule permits covered entities
to disclose PHI in response to IG subpoenas.
The OIG will work with covered entities to allay
concerns about an IG subpoena however, when
necessary, we will take action to enforce the
subpoena.
If a covered entity has questions about
disclosure of PHI related to an IG subpoena from
the HHS OIG, it should contact the Office of
Counsel to the Inspector General at (202)
619-0335.