CRITICAL INCIDENTS UPDATES
NOVEMBER 2004
| |
Since the publication of this book, the Department of Health and Human Services has adopted its final regulations on the privacy of individually identifiable health information. The Privacy Standards require substantial change in the privacy practices of health care provider organizations and health plans. However, the Privacy Standards leave intact any existing laws that are more stringent or more protective of confidential health information. The federal law regarding the confidentiality of substance abuse treatment records (42 C.F.R. Part 2) is in many instances more stringent in its protection of information than are the Privacy Standards. As a result, in many situations providers that are governed by both 42 C.F.R. Part 2 and the Privacy Standards have not had to change their existing practices with respect to the handling of confidential information. Therefore, you will notice that these updates do not always refer to HIPAA even when discussing the confidentiality of information. In those instances, 42 C.F.R. Part 2 is still the controlling law. In other instances, where provisions of HIPAA do apply, the relevant HIPAA requirements are included in the update.
Chapter 2 Updates
SARBANES-OXLEY REFORMS
Over the past few years there have been several high-profile corporate and accounting scandals in the news. Some of these have involved the health care industry; some of these have involved not-for-profit corporations. Efforts to reduce the likelihood of further corporate abuse have taken many forms. The most dramatic of these efforts was the passage in July 2002 of the Sarbanes-Oxley Act (the “SOX Act”). The fundamental purpose of the SOX Act is to rebuild public trust in corporations and accounting firms. Although the SOX Act applies primarily to publicly-traded companies, it is expected to significantly impact what is considered “best practices” for all types of organizations.
In addition, new SEC rules, other legislative action and recent case law have also contributed to the renewed scrutiny of corporate practices, in many instances expressly the practices of not-for-profits. For example, revisions to Form 990 reporting requirements have been proposed. Massachusetts and New York have already proposed laws similar to the SOX Act that would be applicable to non-profits and their auditors. There has also been private action to impose stricter requirements on all entities, such as through provisions in director and officer liability insurance policies and covenants in bond documents. Finally, there is an increasing number of lawsuits that allege director or officer breaches of fiduciary duties.
The SOX Act includes eleven parts addressing public company oversight boards, auditor independence, corporate responsibility, enhanced financial disclosures, analysis of conflicts of interest, SEC resources and authority, studies and reports, corporate and criminal fraud accountabilities, white collar crime penalty enhancements, corporate tax returns and corporate fraud accountabilities. The primary reforms initiated by the SOX Act that have relevance to entities that are not publicly traded are as follows:
Audit Committees. An audit committee must be established, responsible for hiring, setting compensation and overseeing the auditor’s activities. Audit committee members should be “independent” and should include at least one financial expert. The SOX Act defines “independent” as not being part of the management team and not receiving any compensation.
Recent case law also suggests that the definition of a conflict of interest should be expanded to include significant personal relationships.
Code of Ethics. The organization should adopt a code of ethics that applies to the company’s principal officers. Loans to any director or executive of the company are prohibited.
Accounting and Auditor Standards. The lead or reviewing partner of the auditing firm should be rotated every five years (audit firm rotation is NOT required). Auditing firms are prohibited from providing any non-audit services to the company concurrent with auditing services, with certain limited exceptions such as tax preparation.
Financial Certification. The CEO and CFO must certify a company’s financial statements and also to the effectiveness of internal controls implemented to ensure the reliability and integrity of the financial statements.
The following two provisions of the SOX Act apply to all entities and every entity should ensure compliance with these requirements:
Whistleblowers. Under SOX, it is illegal for any corporation to punish a whistleblower under any circumstance and in any manner including termination, demotion and suspension. A whistleblower is defined as an employee who reports suspected illegal activity to law enforcement or a government oversight agency.
Document Destruction. Under SOX, it is illegal for any corporation to destroy, alter or falsify any document used in an official proceeding, such as a federal investigation.
On January 22, 2004, the Internal Revenue Service announced that it intends to release a set of best practices for nonprofit organization governing boards. Marvin R. Friedlander, Chief of Technical Group, IRS said the best practices to be released as part of the IRS’ 2004 work plan only indirectly relate to the governance obligations imposed on public companies under the SOX Act. This guidance will be a set of "do's and don'ts" focusing primarily on educating boards on their members' corporate compliance oversight obligations. The IRS has indicated that the guidance is designed to give board members insight into how the service views their audit and compensation review responsibilities and to encourage proactive corporate governance.
Since the SOX Act and the SEC rules apply only to publicly-traded entities (with the exception of the two provisions described above), whether any or all of the reforms should be implemented in a private or non-profit corporation depends on the particular facts and circumstances of the organization. The anticipated IRS guidance as well as other legislative and case law developments over the next few months will also affect an organization’s position on implementing reforms.
Corporate Compliance Guidance
The American Health Lawyers Association (AHLA) and the Office of Inspector General of the United States Department of Health and Human Services (OIG) have cooperated to release educational corporate compliance resources. The most recent compliance guide, An Integrated Approach to Corporate Compliance: A Resource for Health Care Boards of Directors is a supplement to the April 2003 AHLA/OIG joint publication, Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors.
According to the AHLA/OIG, recent developments in the corporate and securities world, including the health care field, have refocused attention on effective corporate governance and the role of the General Counsel in promoting ethical conduct and compliance with the law. Although corporate compliance programs are well established in most health care industry segments, they continue to evolve in response to the Sarbanes-Oxley Act, emerging “best practices” and changes in the business environment. The AHLA/OIG is committed to assisting health care organization directors.
The publications are an important reference for all health care organizations. Not only do these resources identify key compliance issues and roles, they probe health care leaders with in-depth questions – the answers to which are critical to a successful compliance program. Both publications can be downloaded from the AHLA website at the following website addresses:
http://www.healthlawyers.org/oigahla/OIG-AHLA-CorpResp-CorpCompl.pdf
http://www.healthlawyers.org/oigahla/OIG-AHLA-CorpResp-CorpComp2.pdf
We recommend that you review these educational resources and use the information to develop a dialogue within your organization.
Chapter 3 Updates
Chapter 3, Vignette 3, page 33 – See also United States General Accounting Office (GAO) Report Medicare Fraud and Abuse: DOJ Continues to Promote Compliance With False Claims Act (April 2002), GAO-02-546 and Department of Justice Memorandum entitled Principles of Federal Prosecution of Business Organizations (1/20/03). Additionally, acts of corporate corruption can also trigger penalties under the Sarbanes-Oxley Act of 2002, especially concerning misstatements of a financial nature. See 18 U.S.C. 1500.
Chapter 3, Vignette 9, page 42 – Additionally, the HIPAA Privacy Rules place restrictions on the use of client information for fundraising and marketing purposes. See 45 CFR 164.514 and 45 CFR 164.508.
Chapter 3, Vignette 16, page 52 – Additionally, a service organization such as a bill collection agency that has access to protected health information will also be considered a business associate of the treatment agency under the HIPAA Privacy Rules. See 45 CFR 164.504.
Chapter 3, Vignette 18, page 54– See also the Department of Health and Human Services Office of Inspector General (OIG) Special Advisory Bulletin Offering Gifts and Other Inducements to Beneficiaries (8/30/02).
Chapter 3, Vignette 21, page 58 – The IRS has also recently added an article to its website that discusses intermediate sanctions issues. See Health Care Provider Reference Guide, which can be viewed at http://www.irs.gov/pub/irs-tege/eotopicc04.pdf. Also see the IRS FY 2002 CPE article concerning intermediate sanctions updates, which can be viewed at http://www.irs.gov/charities/article/0,,id=101915,00.html. The IRS also has a new search tool to facilitate research regarding Section 4958 of the IRS Code regarding Intermediate Sanctions. The tool can be accessed at http://www.irs.gov/pub/irs-tege/eotopicb04.pdf.
Chapter 3, Vignette 25, page 63 – See also IRS Health Care Provider Reference Guide section entitled Joint Ventures or Partnerships with For-Profit Entities which can be viewed at http://www.irs.gov/pub/irs-tege/eotopicc04.pdf.
Chapter 3, Vignette 27, page 65 – Additionally, the Department of Health and Human Services Office of Inspector General (OIG) issued a Special Advisory Bulletin regarding contractual joint ventures on 4/23/03, which discusses concerns about a variety of joint venture arrangements.
Chapter 3, Vignette 30, page 67 – The HIPAA Privacy and Security Rules have also added additional requirements concerning the safeguarding of electronically stored health information. See 45 CFR 160 and 164.
Chapter 3, Vignette 31, page 69 – See also IRS Health Care Provider Reference Guide section entitled Insiders, Disqualified Persons and Private Benefit which can be viewed at http://www.irs.gov/pub/irs-tege/eotopicc04.pdf. Also see the IRS FY 2002 CPE article concerning intermediate sanctions updates, which can be viewed at http://www.irs.gov/charities/article/0,,id=101915,00.html. The IRS also has a new search tool to facilitate research regarding Section 4958 of the IRS Code regarding Intermediate Sanctions. The tool can be accessed at http://www.irs.gov/pub/irs-tege/eotopicb04.pdf.
Chapter 4 Updates
Chapter 4, Vignette 32, page 71 – See also Reimer v. Champion Healthcare Corp.(258 F.3d 720, 8th Cir. July 16, 2001), which states that hospital employees’ on-call time was not so restricted as to be covered by the Fair Labor Standards Act. The Court noted that the only restrictions placed on the on-call employees were to be reachable by phone or beeper, be able to report to the hospital within 20 minutes, and refrain from alcohol or mind-altering drugs.
Chapter 4, Vignette 33, page 73 – See also Wakulich v. Mraz, 751 N.E.2d 1 (1st Dist. 2001), where the court refused to recognize a cause of action against adult social hosts for serving alcoholic beverages to a minor who was subsequently injured. However, this case was remanded to determine whether the defendants could be charged with negligence for undertaking to care for the plaintiff’s daughter after she lost consciousness from excessive drinking.
Chapter 4, Vignette 34, page 74 – See also Wilhelm v. CSX Transportation, Inc., No. 01-41123, 2003 WL 21259666 (6th Cir., May 29, 2003), in which the plaintiff sued his employer for damages caused by second-hand smoke while working. The Appellate Court reversed the District Court’s ruling and remanded the case to address arguments that the employer’s failure to abate second-hand smoke, which aggravated the plaintiff’s preexisting lung disease, was not a breach of duty.
Chapter 4, Vignette 35, page 76 – Additionally, in a recent 9th Circuit decision, the Court ruled that a seemingly neutral policy of refusing to rehire an employee who was terminated or resigned under threat of termination could potentially violate the Americans With Disabilities Act’s prohibition of discrimination against former drug users when applied to deny re-employment to a former employee who resigned because of drug use but subsequently stopped using illegal drugs. Hernandez v. Hughes Missile Systems, No. 01-15512 (9th Cir. 2002). (Remanded by the U.S. Supreme Court to the 9th Circuit for reconsideration - 540 U.S. 44)
Chapter 4, Vignette 36, page 77 – See Vignette 35
Chapter 4, Vignette 39, page 81 – Due to recent insider trading scandals involving major corporations such as Enron and Arthur Andersen, the federal government enacted the Sarbanes-Oxley Act of 2002 (H.R. 3763). This Act imposes numerous disclosure requirements concerning financial information as well as stiff penalties for violations or non-compliance.
Chapter 4, Vignette 42, page 85 – Bowers v. Hardwick has been overturned in the recent Supreme Court case of Lawrence & Garner v. State of Texas, No. 02-102 123 S.Ct. 2472 (June 26, 2003). In this case, Houston, Texas police entered a private home in response to a reported weapons disturbance, which later proved to be a false report. The Plaintiffs were arrested for engaging in deviate sexual intercourse. The Court held that the Texas statue making such activity a crime violated the Due Process Clause, and also specifically overturned Bowers v. Hardwick on the same grounds. The Court stated that the liberty rights at issue went beyond whether consenting adults could engage in a certain sex act, because the penalties of such laws have far-reaching consequences. The Court also stated that the liberty protected by the Constitution allows homosexual persons the right to choose to enter upon relationships in the confines of their homes and their own private lives.
Chapter 5 Updates
Chapter 5, Vignette 51, page 97 – See, as an example, Erica Burbank v. Los Angeles County MTA, KC035498 (Los Angeles Super. Ct., May 24, 2002), concerning the negligent hiring of a bus driver who later raped a passenger; Saine v. Comcast Cablevision of Arkansas, Inc., 2003 Ark. Lexis 554 (Ark. Sup. Ct., Oct. 23, 2003), where a cable installer raped and attempted to murder a woman who was having cable installed in her house. The Court dismissed the negligent hiring claim, but remanded the case concerning negligent retention and negligent supervision claims.
Chapter 5, Vignette 54, page 100 – See O’Connell v. Quality Labor Services, 2003 N.Y. App. Div. Lexis 9310 (N.Y. App. Ct., Sept. 11, 2003), where a former employee was denied unemployment compensation after being fired for working a second job without permission of his employer.
Chapter 5, Vignette 59, page 107 – See, as an example, Eitler v. Regional Medical Center-South Bend Campus, Inc., 789 N.E. 2d 497 (Ind. App. Ct., June 3, 2003), in which the plaintiff sued for defamation, claiming that she was not given assignments by her employer because of a negative “reference check report” from her previous employer. The court held that by signing an authorization/release requesting her former employer to complete the reference check report, she consented to the release of the material, even if it was defamatory. Therefore, her consent is a complete bar to the defamation claim.
Chapter 6 Updates
Chapter 6, Vignette 66, page 122 – See also Farber v. North Carolina Psychology Board, 569 S.E. 2d 287 (N.C. App. Ct. March 26, 2002) concerning a psychologist’s improper relationship with a client, and In the Matter of Edmund L. Skatler, Petitioner v. Barbara DuBuono, as Commissioner of the New York State Department of Health, et al., Respondents, 694 N.Y.S.2d 496 (N.Y. Sup. Ct., July 15, 1999), concerning a psychiatrist’s inappropriate behavior with a client and a resident physician. Also, after a series of articles in the Cleveland, Ohio Plain Dealer concerning psychologists convicted of sexual offenses who received little or no censure by the Ohio State Board of Psychology, the State of Ohio in 2002 enacted SB 9, which makes sex between mental health professionals and their clients a felony punishable by imprisonment and fines. Ohio is the 24th state (as of 2002) to criminalize client-therapist sex.
Chapter 6, Vignette 67, page 125 – See also In the Matter of the Disciplinary Proceedings Against: Peter J. Bowes, Wisconsin Examining Board of Social Workers, Marriage and Family Therapists and Professional Counselors, #LS0103291CPC, regarding the dual relationship of a therapist who also acted as a “spiritual advisor”.
Chapter 6, Vignette 69, page 128 – The HIPAA Privacy Standards would also restrict Jerry’s access to the records of clients who participated in treatment with him. Again, such records should not be released to Jerry without an authorization from the client. See 45 CFR 164.506 and 45 CFR 164.508.
Chapter 6, Vignette 71, page 131 – The criminal justice consent would also need to comply with the requirements for authorizations under the HIPAA Privacy Standards including the fact that an authorization can only be irrevocable if a program has relied on the authorization in providing treatment. A valid consent form (authorization) must also meet all the requirements of the Privacy Standards. The following additional information is required to be included in the authorization:
- Prohibition on redisclosure unless consented to by the client in writing;
- Prohibition on condition of authorization, which states that the program may not refuse to treat the client if the client refuses to sign the authorization, except for the provision of research-related treatment or if the purpose of the treatment is solely to create PHI for disclosure to a third party; and
- Explanation that revocation must be in writing, along with an explanation of how the client may revoke the authorization.
See 45 CFR 164.508 and 45 CFR 164.512(i).
Chapter 6, Vignette 72, page 133 – The HIPAA Privacy Standards are consistent with 42 CFR Part 2 in that they defer to state laws regarding what age a minor may consent to receive treatment, or when parental and/or guardian consent is required. See 45 CFR 164.502(g).
Chapter 6, Vignette 82, page 145 – Although the HIPAA Privacy Standards would permit disclosure in additional situations, the more stringent rules of 42 C.F.R. Part 2 will control. However, HIPAA does mandate disclosure in two circumstances:
- To the Secretary of the Department of Health and Human Services, or his or her delegate, when the Secretary requests access to determine whether the entity is complying with the Privacy Standards;
- To the client and to the client’s personal representative.
Chapter 6, Vignette 84, page 147 – Any consent would also need to meet the requirements of the HIPAA Privacy Standards.
Chapter 6, Vignette 88, page 150 – The HIPAA Privacy Standards do not specifically address disclosure of HIV status although such information would be protect health information. Providers should also continue to follow applicable state and federal laws.
Chapter 6, Vignette 91, page 154 – See Vignette #70.
Chapter 6, Vignette 94, page 157 – See also Cox v. Miller, 2001 U.S. Dist. LEXIS 11455 (S.D.N.Y. July 30, 2001) concerning a U.S. District Court ruling that Alcoholics Anonymous members are not required to testify in the trial of a man who admitted in his AA meetings to having nightmares about a murder he committed while in a drunken stupor. The judge ruled that the AA members did not need to testify because the group is a religious organization, and under New York law confessions made to a clergyman or other minister of any religion cannot be used as evidence. This case was later reversed (Cox v. Miller, 296 F.3d 89 (July 17, 2002)). See additionally DeStefano v. Emergency Housing Group, Inc., U.S. Ct. App. Docket No. 99-9146 (April 20, 2001), wherein the court held that an Alcoholics Anonymous program at a treatment facility constituted a religion for First Amendment purposes and therefore state funding of the facility violated the establishment clause of the First Amendment (separation of church and state). However, since no coercion of clients to join AA was found, the case was remanded to determine whether facility staffers actively inculcated clients in AA doctrines.
Chapter 6, Vignette 99, page 161 – See Vignette #72
Chapter 6, Vignette 101, page 163 – Under the HIPAA Privacy Standards, a client does have a right to access his/her record. A covered entity must provide an individual with a copy of his or her designated record set except for:
- Psychotherapy notes (must be kept separate from the record);
- Information compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action; and
- PHI maintained by a covered entity subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA) to the extent access would be prohibited by law, or PHI maintained by a covered entity exempt from CLIA.
In addition, a covered entity may deny an individual access to their record under certain circumstances such as if a licensed health care professional determines that the access requested would endanger the life or physical safety of the individual, or would cause substantial harm to the individual. Usually, the client has a right to review of the denial.
Chapter 6, Vignette 104, page 166 – See Rush Prudential HMO, Inc. v. Moran (No. 00-1021, June 20, 2002), where the U.S. Supreme Court held that ERISA does not pre-empt the provision of the Illinois Health Maintenance Organization (HMO) Act which requires HMO’s to provide an independent medical necessity review when it denies a treatment that an enrollee’s primary care physician deems necessary. See also Aetna Health, Inc. v. Davila (No. 02-1845) which the U.S. Supreme Court unanimously held that ERISA completely pre-empts state statutes allowing individuals to sue HMOs for injuries that may have been caused by the HMO’s treatment coverage decisions.
Chapter 6, Vignette 132, page 196 - The State of Oregon has taken the unprecedented step of legalizing physician-assisted suicide. The law, OR 127.800, also known as the Death With Dignity Act, was passed in 1998 and in April 2002 a 9th U.S. District Court judge ruled that the U.S. Justice Department lacked the authority to overturn the Oregon law. However, in September 2003 the federal government took the issue to the 9th Circuit Court of Appeals in a further attempt to strike down the law. The government argues that the Controlled Substances Act, a federal law that controls what drugs a doctor may prescribe, does not allow the administration of a lethal does of medication. Proponents argue, and the 9th U.S. District Court agreed, that the federal government was attempting to use the Controlled Substances Act to determine what is a legitimate medical practice.
Chapter 7 Updates
Chapter 7, Vignette 140, page 207 – See Vedernidov v. West Virginia University, 55 F. Supp. 2d 518 (N.D. W.Va. 1999), in which the court held that one year of abstinence will not be considered to be current use of illegal drugs. However, the court further stated that “the use of illegal drugs during the weeks and months prior to a discharge is considered current use.” The court also stated that the touchstone is whether “the drug use was sufficiently recent to justify the employer’s reasonable belief that the drug abuse remained an ongoing problem.” Furthermore, in the case of Zenor v. El Paso Healthcare System, Limited, 176 F.3d 847 (5th Cir. 1999), the 5th Circuit Appellate Court held that an employee who was terminated after disclosing his cocaine use was not a “qualified individual” under the ADA because he was a current user of illegal drugs at the time of his dismissal. Also, because the employee was a cocaine user, he was not otherwise qualified for the job of a pharmacist. Again, because the employee was a current user of illegal drugs, he failed to prove that he was disabled within the meaning of the ADA. In determining whether the employee was a current illegal user of drugs, the court used the date of his termination, September 20, 1995. Considering that the employee admitted to last using cocaine on August 15, 1995, when he self-reported his addiction and admitted himself to a hospital, the court held that five weeks of abstinence was not enough time to not be considered a current user of an illegal drug at the time of his termination.
See also EEOC v. Exxon, 203 F.3d 871 (5th Cir. 2000) concerning Exxon’s substance abuse policy, which permanently removed any employee from certain safety-sensitive, little supervised positions if the employee had undergone treatment for substance abuse. The issue before the court was whether an employer under the ADA might defend a questioned personnel decision as based on a standard justified as “business necessity” or as a “direct threat” in each circumstance. The court held that when an employer has developed a standard applicable to all employees of a given class, an employer need not proceed under the direct threat test. Rather, it may defend the standard as a business necessity. Thus, an employer need only demonstrate that the standard is job related and consistent with business necessity rather than focusing on the specific risk posed by the individual employee’s disability. Additionally, see Raytheon v. Hernandez, Case No. 02-749 (U.S. Sup. Ct., Dec. 2, 2003), in which an employee who tested positive for cocaine and was allowed to resign in lieu of discharge was rejected for rehiring because former employees who resign in lieu of discharge are ineligible for rehire pursuant to company policy. The employee argued he was not rehired because of his record of disability. The Supreme Court held that when an employee claims disparate treatment in violation of the ADA, the employer must submit a legitimate, non-discriminatory reason for its action. In the present case, the employer claimed it had a neutral policy against rehiring any employee previously fired for violating workplace conduct rules. Because the 9th Circuit applied the wrong legal standards, the case was remanded to decide if the case should go to a jury to consider whether Raytheon properly rejected the employee’s application.
Chapter 7, Vignette 142, page 212 – Additionally, the recent enacted Sarbanes-Oxley Act of 2002 imposes additional obligations upon boards of directors of public companies concerning corporate governance and disclosure rules. Some of these obligations include:
- A prohibition against new loans to directors and executive officers, as well as material changes to any terms of existing loans; and
- A requirement that audit committees establish procedures for handling anonymous treatment of complaints concerning accounting and auditing matters, and protecting employees against retaliatory discharge or other adverse actions for providing information as whistleblowers to the employee’s supervisor or any governmental authority (this latter obligations applies to all companies).
The SEC also recently (December 2003) adopted final rules regarding nominating committee functions and communications between security holders and boards of directors. These rules require disclosure in proxy statements regarding the operations of board nominating committees and the means, if any, by which security holders may communicate with members of the board of directors.
Chapter 7, Vignette 150, page 221– See also Mack v. Otis Elevator Company, 326 F.3d 116 (2d Cir. 2003), in which the Second Circuit refined the test for determining whether an employee is properly classified as a “supervisor” for purposes of imputing liability to the employer in sexual harassment cases alleging a hostile work environment. As the court discussed, it is crucial to determine whether the harasser is a supervisor or a co-worker, as an employer may not be held liable for a sexually hostile environment created by a co-worker. The court held that the test of supervisory status is whether the authority given by the employer to the employee enabled or materially augmented the ability of the employee to create a hostile work environment for his subordinates. Applying this test, the court found that the harasser, who held the title of “mechanic-in-charge”, was a supervisor for purposes of imputing liability since the harasser directed the particulars of the employee’s workdays, including her work assignments. The harasser was also the senior employee on the work site. Interestingly, under an amendment to the California Fair Employment and Housing Act which became effective January 1, 2001, co-workers are now held personally liable for workplace harassment, regardless of whether the employer knew or should have known about the conduct.
Chapter 8 Updates
Chapter 8, Overview, page 237 – The federal confidentiality laws supercede HIPAA provisions relate to these types of disclosures.
Chapter 8, Vignette 166, page 247 – See Vignette #88, Chapter 6.
Chapter 8, Vignette 167, page 248 – See Vignette #88, Chapter 6.
Chapter 8, Vignette 170, page 251 – See Vignette #186.
Chapter 9 Updates
Chapter 9, Vignette 176, page 260 – A prevention program, if considered a covered entity, would be required to comply with HIPAA. Whether the program is a covered entity would depend on whether the program is a health care provider who transmits protected health information electronically. Consult an attorney for additional guidance on whether a specific prevention program would be covered by HIPAA.
Chapter 9, Vignette 185, page 273 – See also Board of Education v. Earls, No. 01-332 (Sup. Ct., June 27, 2002, which narrowly upheld school drug testing of students involved in extracurricular activities, including non-athletic activities. The American Civil Liberties Union also maintains an ongoing database of cases it has filed concerning student drug testing at www.aclu.org.
Chapter 9, Vignette 186, page 274 – HIPAA adds additional legal issues for both SAP and EAP programs. For instance, under HIPAA there is no exception for disclosure to employers of the PHI of employees who participate in an EAP. In order to disclose PHI to an employer, the EAP must obtain consent from the employee pursuant to the regulations. If an employer requires participation in an EAP as an alternative to discipline, the provider may condition treatment on the employee completing an authorization for disclosure.
Additionally, under HIPAA an SAP program, if considered a covered entity, would be required to comply with the HIPAA requirements. There are additional concerns about the interaction of the HIPAA requirements with requirements under 42 CFR Part 2 as well as the Family Educational Rights and Privacy Act (FERPA), which governs educational records. Providers should consult an attorney for additional guidance on these issues.
Chapter 9, Vignette 191, page 280– See Vignette #186
Chapter 9, Vignette 192, page 283– See Vignette #186
Chapter 9, Vignette 193, page 285– See Vignette #185
Chapter 9, Research Overview, page 302 – The HIPAA Privacy Rule has added some additional requirements concerning disclosures of information for research purposes that must also be followed. HIPAA does allow an authorization for research purposes to be combined with any other type of written permission for the same research study, including a consent to participate in the research study. A provider may also condition the provision of research-related treatment on the execution of an authorization for the use or disclosure of PHI. For a more complete discussion of what constitutes an appropriate authorization under HIPAA, see Vignette #71, Chapter 6.
HIPAA also allows a covered entity to use or disclose PHI without authorization if the covered entity obtains board approval of a waiver of authorization. HIPAA requires such approval for research by either an IRB or a privacy board before the research can commence. An IRB is required for organizations that regularly conduct research with human subjects and receives federal funding. A privacy board may otherwise be used and must consist of members with varying backgrounds and professional competencies who will review research protocols in connection with clients’ privacy rights. The Board must include at least one member who is not affiliated with the provider, researcher or sponsor and not related to any person affiliated with such entities. Also, no member may have a conflict of interest. See 45 CFR 164.508 and 45 CFR 164.512(i).
Chapter 9, Vignette 208, page 305– See the Research Overview discussion above concerning authorizations and the use and disclosure of PHI for research purposes as well as Vignette #71, Chapter 6. See also 45 CFR 164.508 and 45 CFR 164.512(i).
|
|