SlideShare una empresa de Scribd logo

Memo re HIPAA violation Issues - new writing sample 121515

Descargar como DOC, PDF
B
Brian Lum
1 de 6
THE ZAPPIA LAW FIRM, A PROFESSIONAL CORPORATION Edward P. Zappia Eric W. LaPointe Brett M. Ehman Mary D. Manesis Laurie DeYoung Anna Zappia* Matthew J. Evans* *(Of Counsel) ─ Labor & Employment Law ─ 333 South Hope Street, Suite 3600 Los Angeles, California 90071 Telephone: (213) 814-5550 Facsimile: (213) 814-5560 www.zappialegal.com MEMORANDUM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT TO: EZ; COR GENERAL FROM: BL DATE: 12-15-15 RE: HIPAA VIOLATORS AND PRIVACY ISSUES IN DISCLOSING PRE- EMPLOYMENT TYPE BACKGROUND INVESTIGATION I. Facts i. The County of Riverside owns and operates the Riverside County Regional Medical Center (RCRMC). The UC Riverside (UCR) has residents who learn, study, and practice there, but they are UCR employees, and not County Employees. To get privileges at the RCRMC, the UCR contracts with the County for the County to do pre-employment-type background investigations on the Residents, even though the residents are UCR employees and not County employees. A UCR employee failed the background investigation to get privileges at the County’s RCRMC. Now both UCR and the resident want to see the background investigation failing the resident for medical privileges at the RCRMC. II. Issues i. Whether disclosing the background investigation to UCR and/or resident violates the Health Insurance Portability and Accounting Act (HIPAA)? ii. Whether disclosing the background investigation involves any other privacy issues such as the privacy of pre-employment background investigations. 1
THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 2 ─ Labor & Employment Law ─ III. Discussion 1. HIPAA Privacy Rule i. The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) issued to implement the requirements of HIPAA address the use and disclosure of individuals health information-called “protected health information” by organizations subject to the privacy rule called “covered entities.” i. Covered Entity-Every health care provider who electronically transmits health information in connection with certain transactions is a covered entity. The transmission must be in connection with a standard transaction. RCRMC is a “covered entity” and subject to the HIPAA. ii. Protected Health Information-The privacy rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “Protected Health Information” (PHI). Protected Health Information excludes individually identifiable health information. 1.In education records covered by the Family Educational Rights and Privacy Act as amended, 20 U.S.C. 1232g; 2. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); 3. In employment records held by a covered entity in its role as employer; and ii. Permitted Uses-A covered entity may use or disclose protected information; i. To the individual who is the subject of the information with or without the individual’s authorization; ii. If the individual who is the subject of the information or the individual’s personal representative authorizes in writing (45 C.F.R. § 164.502(a)); iii. For their own health care operations which include the following activities: credentialing, and general administrative activities without an individual’s authorization. (45 C.F.R. § 164.502(a)(2)) iii. Restrictions: i. Uses and Disclosures of Psychotherapy Notes. Except when psychotherapy notes used by an originator to carry out treatment, or by the covered entity for certain other limited health care operations, uses and disclosures of psychotherapy notes for treatment, payment and health care options require the individuals authorization. (45 CFR § 164.508(a)(2)) iv. Required Disclosures-A covered entity must disclose protected health information in only two (2) situations: 1. To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information, and _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 3 ─ Labor & Employment Law ─ 2. To Health and Human Services (HHS) when it is undertaking a compliance investigation or review or enforcement action (45 C.F.R. § 164.502(a)(2)) 2. Privacy of Pre-employment background information i. California Requirements for Background Check Disclosures. a. In 2012, California changed the requirements for the background check disclosures employers must provide in order to conduct background investigations in California. b. Senate Bill 909 (SB 909), amended the California Investigative Consumer reporting Agencies Act (ICRAA), which regulates background checks in California, other than those involving credit reports. The amendments, which are codified in California Civil Code Sections 1786.16 and 1786.20, require additional disclosures by investigative consumer reporting agencies, as well as by employers who procure investigative consumer reports on job applicants or employees. ii. New requirements for employers; a. Under the ICRAA, any person who procures an investigative consumer report for employment purposes must provide a written disclosure, in a separate document, to the consumer (a job applicant or employee) before the report is obtained. The written disclosure must state: i. The fact that a report may be obtained; ii. The permissible purpose of the report; iii. The fact that the disclosure may include information on the consumer’s character, general reputation, personal characteristics, and mode of living, and; iv. The name, address, and telephone number of the investigative consumer reporting agency. b. This disclosure must also include the web address where the consumer “may find information about the investigative consumer reporting agency’s privacy practices, including whether the consumer’s personal information will be sent outside the United States or its territories.” If the investigative consumer reporting agency does not have a web site, then the employer must provide the consumer with a telephone number where the consumer can obtain the same information. iii. More information needed; a. We must determine whether the County used an outside consumer reporting agency to attain some of the pre-employment background check information to determine whether the California Investigative Consumer Reporting Agencies Act (ICRAA) applies. _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 4 ─ Labor & Employment Law ─ b. If the County is considered a third-party investigative consumer reporting agency based on the contract with the UCR to execute pre-employment type background investigations on the residents, they must follow all of the statutory requirements see statutes below) for credit agencies. i. As a reporting agency, under Section 1786.12 (f), the County is not allowed to furnish an investigative consumer report to UCR since that report contains medical information about the resident, unless the consumer consents to the furnishing of the report. We should determine if the resident is willing to consent to the furnishing of the report which contains medical information, and if there is a pre-existing waiver or consent form signed by the resident authorizing disclosure. c. If COR is considered an employer, they must comply with all employer disclosure requirements. As an agent of the employer, the County would have to comply or ensure that their principal, UCR complies with all statutory disclosure requirements placed on employers before the investigative consumer reporting agency used can furnish an investigative consumer reporting agency used can furnish an investigative consumer report to UCR. IV. Conclusion 1. Potential HIPAA violations The HIPAA only pertains to protected health information of the UCR resident contained in the background investigation. The County will not violate HIPAA by disclosing the resident’s medical information directly to him. We may violate HIPAA if we disclose his medical information without his written authorization. Written authorization must be obtained before disclosing psychotherapy notes. There may be around the written authorization requirement for non-psychotherapy medical documents contained in the background investigation. More information and legal research is required to determine this alternative route. (Disclosure of the resident’s PHI to UCR will not violate HIPAA if they are considered the UCR resident’s personal representative in the matter as an employer, or if they are considered a part of RCRMC’s health care operations or business associates). We should first determine if the UCR resident is willing to give written authorization to disclose his medical information. We should also determine if a previous waiver and consent form to disclose medical information protected by HIPAA exists between UCR and the student/resident/employee. If the resident is willing to authorize disclosure or if there is a consent form signed by the resident, this would allow the county to disclose his medical information without violating HIPAA. _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 5 ─ Labor & Employment Law ─ 2. Privacy of Pre-employment Background Information I could not find any source to clarify whether the County would violate any privacy issues by disclosing the background information to UCR. There are a lot of overlapping State and Federal statutory provisions that are contingent on the type and source of information used for the background check, whether the county is considered an “employer” or a reporting agency, the previous disclosures given by UCR to their residents, and whether residents have given prior written authorization to UCR to disclose private information and/or medical information. 3. We should only disclose the background investigation to the resident to avoid any potential HIPAA, FCRA, and ICRAA violations. Disclosing medical information or background investigations to UCR may lead to potential violations that are contingent on several unknown variables. There seem to be no potential violations on disclosing either medical or pre-employment background information directly to the UCR resident (subject of the private information). Additionally, under certain circumstances, the County may be required to disclose this information to the resident. ( California Civil Code Sections follow this portion of the inter-office memo, which I did not feel were necessary to provide for this sample.) _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 5 ─ Labor & Employment Law ─ 2. Privacy of Pre-employment Background Information I could not find any source to clarify whether the County would violate any privacy issues by disclosing the background information to UCR. There are a lot of overlapping State and Federal statutory provisions that are contingent on the type and source of information used for the background check, whether the county is considered an “employer” or a reporting agency, the previous disclosures given by UCR to their residents, and whether residents have given prior written authorization to UCR to disclose private information and/or medical information. 3. We should only disclose the background investigation to the resident to avoid any potential HIPAA, FCRA, and ICRAA violations. Disclosing medical information or background investigations to UCR may lead to potential violations that are contingent on several unknown variables. There seem to be no potential violations on disclosing either medical or pre-employment background information directly to the UCR resident (subject of the private information). Additionally, under certain circumstances, the County may be required to disclose this information to the resident. ( California Civil Code Sections follow this portion of the inter-office memo, which I did not feel were necessary to provide for this sample.) _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com

Recomendados

Hannah Haas Writing Sample - News Release
Hannah Haas Writing Sample - News Release Hannah Haas Writing Sample - News Release
Hannah Haas Writing Sample - News Release
Hannah Haas
 
News writing sample - Spare Change News
News writing sample - Spare Change NewsNews writing sample - Spare Change News
News writing sample - Spare Change News
Nate Leskovic
 
Sports News Writing Example
Sports News Writing ExampleSports News Writing Example
Sports News Writing Example
laurakrudolph
 
Sports writing
Sports writingSports writing
Sports writing
alner adulacion
 
Newswriting
NewswritingNewswriting
Newswriting
Antonio Delgado
 
Campus Journalism - News Writing
Campus Journalism - News WritingCampus Journalism - News Writing
Campus Journalism - News Writing
Antonio Delgado
 
Declaration of Erica
Declaration of EricaDeclaration of Erica
Declaration of Erica
Brian Lum
 
FL Judgment
FL JudgmentFL Judgment
FL Judgment
Brian Lum
 

Recomendados

Hannah Haas Writing Sample - News Release
Hannah Haas Writing Sample - News Release Hannah Haas Writing Sample - News Release
Hannah Haas Writing Sample - News Release
Hannah Haas
 
News writing sample - Spare Change News
News writing sample - Spare Change NewsNews writing sample - Spare Change News
News writing sample - Spare Change News
Nate Leskovic
 
Sports News Writing Example
Sports News Writing ExampleSports News Writing Example
Sports News Writing Example
laurakrudolph
 
Sports writing
Sports writingSports writing
Sports writing
alner adulacion
 
Newswriting
NewswritingNewswriting
Newswriting
Antonio Delgado
 
Campus Journalism - News Writing
Campus Journalism - News WritingCampus Journalism - News Writing
Campus Journalism - News Writing
Antonio Delgado
 
Declaration of Erica
Declaration of EricaDeclaration of Erica
Declaration of Erica
Brian Lum
 
FL Judgment
FL JudgmentFL Judgment
FL Judgment
Brian Lum
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
Skeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Lily Ray
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
Rajiv Jayarajah, MAppComm, ACC
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
Christy Abraham Joy
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
Vit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
MindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
RachelPearson36
 

Más contenido relacionado

Destacado

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 

Destacado (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Memo re HIPAA violation Issues - new writing sample 121515

  • 1. THE ZAPPIA LAW FIRM, A PROFESSIONAL CORPORATION Edward P. Zappia Eric W. LaPointe Brett M. Ehman Mary D. Manesis Laurie DeYoung Anna Zappia* Matthew J. Evans* *(Of Counsel) ─ Labor & Employment Law ─ 333 South Hope Street, Suite 3600 Los Angeles, California 90071 Telephone: (213) 814-5550 Facsimile: (213) 814-5560 www.zappialegal.com MEMORANDUM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT TO: EZ; COR GENERAL FROM: BL DATE: 12-15-15 RE: HIPAA VIOLATORS AND PRIVACY ISSUES IN DISCLOSING PRE- EMPLOYMENT TYPE BACKGROUND INVESTIGATION I. Facts i. The County of Riverside owns and operates the Riverside County Regional Medical Center (RCRMC). The UC Riverside (UCR) has residents who learn, study, and practice there, but they are UCR employees, and not County Employees. To get privileges at the RCRMC, the UCR contracts with the County for the County to do pre-employment-type background investigations on the Residents, even though the residents are UCR employees and not County employees. A UCR employee failed the background investigation to get privileges at the County’s RCRMC. Now both UCR and the resident want to see the background investigation failing the resident for medical privileges at the RCRMC. II. Issues i. Whether disclosing the background investigation to UCR and/or resident violates the Health Insurance Portability and Accounting Act (HIPAA)? ii. Whether disclosing the background investigation involves any other privacy issues such as the privacy of pre-employment background investigations. 1
  • 2. THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 2 ─ Labor & Employment Law ─ III. Discussion 1. HIPAA Privacy Rule i. The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) issued to implement the requirements of HIPAA address the use and disclosure of individuals health information-called “protected health information” by organizations subject to the privacy rule called “covered entities.” i. Covered Entity-Every health care provider who electronically transmits health information in connection with certain transactions is a covered entity. The transmission must be in connection with a standard transaction. RCRMC is a “covered entity” and subject to the HIPAA. ii. Protected Health Information-The privacy rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “Protected Health Information” (PHI). Protected Health Information excludes individually identifiable health information. 1.In education records covered by the Family Educational Rights and Privacy Act as amended, 20 U.S.C. 1232g; 2. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); 3. In employment records held by a covered entity in its role as employer; and ii. Permitted Uses-A covered entity may use or disclose protected information; i. To the individual who is the subject of the information with or without the individual’s authorization; ii. If the individual who is the subject of the information or the individual’s personal representative authorizes in writing (45 C.F.R. § 164.502(a)); iii. For their own health care operations which include the following activities: credentialing, and general administrative activities without an individual’s authorization. (45 C.F.R. § 164.502(a)(2)) iii. Restrictions: i. Uses and Disclosures of Psychotherapy Notes. Except when psychotherapy notes used by an originator to carry out treatment, or by the covered entity for certain other limited health care operations, uses and disclosures of psychotherapy notes for treatment, payment and health care options require the individuals authorization. (45 CFR § 164.508(a)(2)) iv. Required Disclosures-A covered entity must disclose protected health information in only two (2) situations: 1. To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information, and _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
  • 3. THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 3 ─ Labor & Employment Law ─ 2. To Health and Human Services (HHS) when it is undertaking a compliance investigation or review or enforcement action (45 C.F.R. § 164.502(a)(2)) 2. Privacy of Pre-employment background information i. California Requirements for Background Check Disclosures. a. In 2012, California changed the requirements for the background check disclosures employers must provide in order to conduct background investigations in California. b. Senate Bill 909 (SB 909), amended the California Investigative Consumer reporting Agencies Act (ICRAA), which regulates background checks in California, other than those involving credit reports. The amendments, which are codified in California Civil Code Sections 1786.16 and 1786.20, require additional disclosures by investigative consumer reporting agencies, as well as by employers who procure investigative consumer reports on job applicants or employees. ii. New requirements for employers; a. Under the ICRAA, any person who procures an investigative consumer report for employment purposes must provide a written disclosure, in a separate document, to the consumer (a job applicant or employee) before the report is obtained. The written disclosure must state: i. The fact that a report may be obtained; ii. The permissible purpose of the report; iii. The fact that the disclosure may include information on the consumer’s character, general reputation, personal characteristics, and mode of living, and; iv. The name, address, and telephone number of the investigative consumer reporting agency. b. This disclosure must also include the web address where the consumer “may find information about the investigative consumer reporting agency’s privacy practices, including whether the consumer’s personal information will be sent outside the United States or its territories.” If the investigative consumer reporting agency does not have a web site, then the employer must provide the consumer with a telephone number where the consumer can obtain the same information. iii. More information needed; a. We must determine whether the County used an outside consumer reporting agency to attain some of the pre-employment background check information to determine whether the California Investigative Consumer Reporting Agencies Act (ICRAA) applies. _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
  • 4. THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 4 ─ Labor & Employment Law ─ b. If the County is considered a third-party investigative consumer reporting agency based on the contract with the UCR to execute pre-employment type background investigations on the residents, they must follow all of the statutory requirements see statutes below) for credit agencies. i. As a reporting agency, under Section 1786.12 (f), the County is not allowed to furnish an investigative consumer report to UCR since that report contains medical information about the resident, unless the consumer consents to the furnishing of the report. We should determine if the resident is willing to consent to the furnishing of the report which contains medical information, and if there is a pre-existing waiver or consent form signed by the resident authorizing disclosure. c. If COR is considered an employer, they must comply with all employer disclosure requirements. As an agent of the employer, the County would have to comply or ensure that their principal, UCR complies with all statutory disclosure requirements placed on employers before the investigative consumer reporting agency used can furnish an investigative consumer reporting agency used can furnish an investigative consumer report to UCR. IV. Conclusion 1. Potential HIPAA violations The HIPAA only pertains to protected health information of the UCR resident contained in the background investigation. The County will not violate HIPAA by disclosing the resident’s medical information directly to him. We may violate HIPAA if we disclose his medical information without his written authorization. Written authorization must be obtained before disclosing psychotherapy notes. There may be around the written authorization requirement for non-psychotherapy medical documents contained in the background investigation. More information and legal research is required to determine this alternative route. (Disclosure of the resident’s PHI to UCR will not violate HIPAA if they are considered the UCR resident’s personal representative in the matter as an employer, or if they are considered a part of RCRMC’s health care operations or business associates). We should first determine if the UCR resident is willing to give written authorization to disclose his medical information. We should also determine if a previous waiver and consent form to disclose medical information protected by HIPAA exists between UCR and the student/resident/employee. If the resident is willing to authorize disclosure or if there is a consent form signed by the resident, this would allow the county to disclose his medical information without violating HIPAA. _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
  • 5. THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 5 ─ Labor & Employment Law ─ 2. Privacy of Pre-employment Background Information I could not find any source to clarify whether the County would violate any privacy issues by disclosing the background information to UCR. There are a lot of overlapping State and Federal statutory provisions that are contingent on the type and source of information used for the background check, whether the county is considered an “employer” or a reporting agency, the previous disclosures given by UCR to their residents, and whether residents have given prior written authorization to UCR to disclose private information and/or medical information. 3. We should only disclose the background investigation to the resident to avoid any potential HIPAA, FCRA, and ICRAA violations. Disclosing medical information or background investigations to UCR may lead to potential violations that are contingent on several unknown variables. There seem to be no potential violations on disclosing either medical or pre-employment background information directly to the UCR resident (subject of the private information). Additionally, under certain circumstances, the County may be required to disclose this information to the resident. ( California Civil Code Sections follow this portion of the inter-office memo, which I did not feel were necessary to provide for this sample.) _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com
  • 6. THE ZAPPIA LAW FIRM CONFIDENTIAL ATTORNEY CLIENT PRIVILEGE ATTORNEY WORK PRODUCT 5 ─ Labor & Employment Law ─ 2. Privacy of Pre-employment Background Information I could not find any source to clarify whether the County would violate any privacy issues by disclosing the background information to UCR. There are a lot of overlapping State and Federal statutory provisions that are contingent on the type and source of information used for the background check, whether the county is considered an “employer” or a reporting agency, the previous disclosures given by UCR to their residents, and whether residents have given prior written authorization to UCR to disclose private information and/or medical information. 3. We should only disclose the background investigation to the resident to avoid any potential HIPAA, FCRA, and ICRAA violations. Disclosing medical information or background investigations to UCR may lead to potential violations that are contingent on several unknown variables. There seem to be no potential violations on disclosing either medical or pre-employment background information directly to the UCR resident (subject of the private information). Additionally, under certain circumstances, the County may be required to disclose this information to the resident. ( California Civil Code Sections follow this portion of the inter-office memo, which I did not feel were necessary to provide for this sample.) _____________________________________________________________________________________________________ 333 South Hope Street, Suite 3600, Los Angeles, CA 90071 - (213) 814-5550 www.zappialegal.com