Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Memo re HIPAA violation Issues - new writing sample 121515
1. THE ZAPPIA LAW FIRM, A PROFESSIONAL
CORPORATION
Edward P. Zappia
Eric W. LaPointe
Brett M. Ehman
Mary D. Manesis
Laurie DeYoung
Anna Zappia*
Matthew J. Evans*
*(Of Counsel)
─ Labor & Employment Law ─
333 South Hope Street, Suite 3600
Los Angeles, California 90071
Telephone: (213) 814-5550
Facsimile: (213) 814-5560
www.zappialegal.com
MEMORANDUM
CONFIDENTIAL
ATTORNEY CLIENT PRIVILEGE
ATTORNEY WORK PRODUCT
TO: EZ; COR GENERAL
FROM: BL
DATE: 12-15-15
RE: HIPAA VIOLATORS AND PRIVACY ISSUES IN DISCLOSING PRE-
EMPLOYMENT TYPE BACKGROUND INVESTIGATION
I. Facts
i. The County of Riverside owns and operates the Riverside County Regional
Medical Center (RCRMC). The UC Riverside (UCR) has residents who learn,
study, and practice there, but they are UCR employees, and not County
Employees. To get privileges at the RCRMC, the UCR contracts with the County
for the County to do pre-employment-type background investigations on the
Residents, even though the residents are UCR employees and not County
employees. A UCR employee failed the background investigation to get
privileges at the County’s RCRMC. Now both UCR and the resident want to see
the background investigation failing the resident for medical privileges at the
RCRMC.
II. Issues
i. Whether disclosing the background investigation to UCR and/or resident violates
the Health Insurance Portability and Accounting Act (HIPAA)?
ii. Whether disclosing the background investigation involves any other privacy
issues such as the privacy of pre-employment background investigations.
1
2. THE ZAPPIA LAW FIRM CONFIDENTIAL
ATTORNEY CLIENT PRIVILEGE
ATTORNEY WORK PRODUCT
2
─ Labor & Employment Law ─
III. Discussion
1. HIPAA Privacy Rule
i. The Standards for Privacy of Individually Identifiable Health Information (Privacy
Rule) issued to implement the requirements of HIPAA address the use and
disclosure of individuals health information-called “protected health information”
by organizations subject to the privacy rule called “covered entities.”
i. Covered Entity-Every health care provider who electronically transmits
health information in connection with certain transactions is a covered
entity. The transmission must be in connection with a standard transaction.
RCRMC is a “covered entity” and subject to the HIPAA.
ii. Protected Health Information-The privacy rule protects all “individually
identifiable health information” held or transmitted by a covered entity or
its business associate, in any form or media, whether electronic, paper, or
oral. The Privacy Rule calls this information “Protected Health
Information” (PHI). Protected Health Information excludes individually
identifiable health information.
1.In education records covered by the Family Educational Rights and
Privacy Act as amended, 20 U.S.C. 1232g;
2. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
3. In employment records held by a covered entity in its role as employer;
and
ii. Permitted Uses-A covered entity may use or disclose protected information;
i. To the individual who is the subject of the information with or without the
individual’s authorization;
ii. If the individual who is the subject of the information or the individual’s
personal representative authorizes in writing (45 C.F.R. § 164.502(a));
iii. For their own health care operations which include the following
activities: credentialing, and general administrative activities without an
individual’s authorization. (45 C.F.R. § 164.502(a)(2))
iii. Restrictions:
i. Uses and Disclosures of Psychotherapy Notes. Except when
psychotherapy notes used by an originator to carry out treatment, or by the
covered entity for certain other limited health care operations, uses and
disclosures of psychotherapy notes for treatment, payment and health care
options require the individuals authorization. (45 CFR § 164.508(a)(2))
iv. Required Disclosures-A covered entity must disclose protected health information
in only two (2) situations:
1. To individuals (or their personal representatives) specifically when
they request access to, or an accounting of disclosures of, their
protected health information, and
_____________________________________________________________________________________________________
333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
3. THE ZAPPIA LAW FIRM CONFIDENTIAL
ATTORNEY CLIENT PRIVILEGE
ATTORNEY WORK PRODUCT
3
─ Labor & Employment Law ─
2. To Health and Human Services (HHS) when it is undertaking a
compliance investigation or review or enforcement action (45 C.F.R. §
164.502(a)(2))
2. Privacy of Pre-employment background information
i. California Requirements for Background Check Disclosures.
a. In 2012, California changed the requirements for the background check
disclosures employers must provide in order to conduct background
investigations in California.
b. Senate Bill 909 (SB 909), amended the California Investigative Consumer
reporting Agencies Act (ICRAA), which regulates background checks in
California, other than those involving credit reports. The amendments, which
are codified in California Civil Code Sections 1786.16 and 1786.20, require
additional disclosures by investigative consumer reporting agencies, as well as
by employers who procure investigative consumer reports on job applicants or
employees.
ii. New requirements for employers;
a. Under the ICRAA, any person who procures an investigative consumer report
for employment purposes must provide a written disclosure, in a separate
document, to the consumer (a job applicant or employee) before the report is
obtained. The written disclosure must state:
i. The fact that a report may be obtained;
ii. The permissible purpose of the report;
iii. The fact that the disclosure may include information on the
consumer’s character, general reputation, personal characteristics, and
mode of living, and;
iv. The name, address, and telephone number of the investigative
consumer reporting agency.
b. This disclosure must also include the web address where the consumer “may
find information about the investigative consumer reporting agency’s privacy
practices, including whether the consumer’s personal information will be sent
outside the United States or its territories.” If the investigative consumer
reporting agency does not have a web site, then the employer must provide the
consumer with a telephone number where the consumer can obtain the same
information.
iii. More information needed;
a. We must determine whether the County used an outside consumer reporting
agency to attain some of the pre-employment background check information
to determine whether the California Investigative Consumer Reporting
Agencies Act (ICRAA) applies.
_____________________________________________________________________________________________________
333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
4. THE ZAPPIA LAW FIRM CONFIDENTIAL
ATTORNEY CLIENT PRIVILEGE
ATTORNEY WORK PRODUCT
4
─ Labor & Employment Law ─
b. If the County is considered a third-party investigative consumer reporting
agency based on the contract with the UCR to execute pre-employment type
background investigations on the residents, they must follow all of the
statutory requirements see statutes below) for credit agencies.
i. As a reporting agency, under Section 1786.12 (f), the County is not
allowed to furnish an investigative consumer report to UCR since
that report contains medical information about the resident, unless
the consumer consents to the furnishing of the report. We should
determine if the resident is willing to consent to the furnishing of
the report which contains medical information, and if there is a
pre-existing waiver or consent form signed by the resident
authorizing disclosure.
c. If COR is considered an employer, they must comply with all employer
disclosure requirements. As an agent of the employer, the County would have
to comply or ensure that their principal, UCR complies with all statutory
disclosure requirements placed on employers before the investigative
consumer reporting agency used can furnish an investigative consumer
reporting agency used can furnish an investigative consumer report to UCR.
IV. Conclusion
1. Potential HIPAA violations
The HIPAA only pertains to protected health information of the UCR resident
contained in the background investigation. The County will not violate HIPAA by
disclosing the resident’s medical information directly to him.
We may violate HIPAA if we disclose his medical information without his written
authorization. Written authorization must be obtained before disclosing
psychotherapy notes. There may be around the written authorization requirement for
non-psychotherapy medical documents contained in the background investigation.
More information and legal research is required to determine this alternative route.
(Disclosure of the resident’s PHI to UCR will not violate HIPAA if they are
considered the UCR resident’s personal representative in the matter as an employer,
or if they are considered a part of RCRMC’s health care operations or business
associates).
We should first determine if the UCR resident is willing to give written
authorization to disclose his medical information. We should also determine if a
previous waiver and consent form to disclose medical information protected by
HIPAA exists between UCR and the student/resident/employee. If the resident is
willing to authorize disclosure or if there is a consent form signed by the resident, this
would allow the county to disclose his medical information without violating HIPAA.
_____________________________________________________________________________________________________
333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
5. THE ZAPPIA LAW FIRM CONFIDENTIAL
ATTORNEY CLIENT PRIVILEGE
ATTORNEY WORK PRODUCT
5
─ Labor & Employment Law ─
2. Privacy of Pre-employment Background Information
I could not find any source to clarify whether the County would violate any
privacy issues by disclosing the background information to UCR. There are a lot
of overlapping State and Federal statutory provisions that are contingent on the
type and source of information used for the background check, whether the
county is considered an “employer” or a reporting agency, the previous
disclosures given by UCR to their residents, and whether residents have given
prior written authorization to UCR to disclose private information and/or medical
information.
3. We should only disclose the background investigation to the resident to avoid any
potential HIPAA, FCRA, and ICRAA violations.
Disclosing medical information or background investigations to UCR may lead to
potential violations that are contingent on several unknown variables. There seem to
be no potential violations on disclosing either medical or pre-employment
background information directly to the UCR resident (subject of the private
information). Additionally, under certain circumstances, the County may be required
to disclose this information to the resident.
( California Civil Code Sections follow this portion of the inter-office memo, which I did not feel
were necessary to provide for this sample.)
_____________________________________________________________________________________________________
333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
6. THE ZAPPIA LAW FIRM CONFIDENTIAL
ATTORNEY CLIENT PRIVILEGE
ATTORNEY WORK PRODUCT
5
─ Labor & Employment Law ─
2. Privacy of Pre-employment Background Information
I could not find any source to clarify whether the County would violate any
privacy issues by disclosing the background information to UCR. There are a lot
of overlapping State and Federal statutory provisions that are contingent on the
type and source of information used for the background check, whether the
county is considered an “employer” or a reporting agency, the previous
disclosures given by UCR to their residents, and whether residents have given
prior written authorization to UCR to disclose private information and/or medical
information.
3. We should only disclose the background investigation to the resident to avoid any
potential HIPAA, FCRA, and ICRAA violations.
Disclosing medical information or background investigations to UCR may lead to
potential violations that are contingent on several unknown variables. There seem to
be no potential violations on disclosing either medical or pre-employment
background information directly to the UCR resident (subject of the private
information). Additionally, under certain circumstances, the County may be required
to disclose this information to the resident.
( California Civil Code Sections follow this portion of the inter-office memo, which I did not feel
were necessary to provide for this sample.)
_____________________________________________________________________________________________________
333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com