Health Information and Privacy: An Introduction and Overview
Video Transcription
Good afternoon, and welcome to today's Health Information and Privacy: An Introduction and Overview webinar, developed and presented by ACOEM and AIHA. My name is Danielle Feinberg, and I'm with the American College of Occupational and Environmental Medicine. There are two features available to communicate with the panelists and other attendees. You may post general messages in the chat box. Messages can be shared with either the panelists or all participants. Use the dropdown to select who you want to share your message with. Give it a try by introducing yourselves to all the panelists and attendees. Let us know your role and where you are from. Questions, on the other hand, must be submitted to the Q&A box. Panelists are monitoring this box for questions. We won't monitor the chat box, and we don't want to lose your questions, so please be sure to post all questions here. As a reminder, we will send out a link to the archived presentation as well as the handouts once the webinar has completed today. Today's webinar is being presented by Neil Felcher and Dr. Kenji Saito. Neil Felcher is the Director, EHS, for the Bureau of Engineering Design and Construction of the New York City Department of Environmental Protection. He is responsible for managing the EHS section for a $10 billion capital construction program. Additionally, he is an adjunct professor at Hunter College, teaching undergraduate and graduate environmental public health courses. Formerly an attorney in the environmental group of the litigation department of a large law firm, he counseled clients on administrative and environmental matters. His practice was concentrated on environmental, health and safety, and construction law. He also provided advice and counsel on the complex issues surrounding the interfaces of bankruptcy, condemnation, and environmental laws. He is admitted to the practice of law in both New Jersey and New York.
A certified industrial hygienist and certified safety professional, Mr. Felcher previously worked as an industrial hygiene, health and safety, and environmental consultant and expert witness. He is an AIHA fellow and has written and lectured on the aspects of experts and their work in the legal arena, environmental law, ethics, personal liability issues, and the incorporation of EHS into design and construction services. He was honored by selection onto the inaugural AIHA Distinguished Lecturers List. He served as an editor for the seventh edition of the New Jersey Environmental Law Handbook and was the editor of Legally Speaking, the newsletter of the former legal branch of the ASSE Consultant Practice Specialty. Dr. Saito is president and chief medical and science officer of Live Well, Work Well, a med law company, and president of the New England College of Occupational Environmental Medicine and president-elect of the American College of Occupational Environmental Medicine. As assistant clinical professor at Dartmouth College and the University of New England, adjunct faculty at the University of Pennsylvania, and instructor at Harvard University, Kenji enjoys training the next generation of leaders in occupational health, well-being, leadership, and organizational development, digital health, innovations, data analytics, entrepreneurship, medical legal consultation, and bioethics. Growing up as a sushi chef in a small family business kindled Kenji's entrepreneurial spirit, and he is currently involved with several startups in digital well-being, culinary and lifestyle medicine platforms in the Boston and Los Angeles area, and with environmental remediation technology in the Miami area. He is also a consultant advisor for employee health and wellness to several national and global companies in the consumer products, marketing, transportation, manufacturing, nutraceutical, and pharmaceutical industries, and works with various government and regulatory agencies.
As a physician licensed in Maine and Pennsylvania, he continues to practice clinical occupational health, seeing pilots as a senior medical examiner for the FAA, and as an attorney, he is admitted to the bar in the Commonwealth of Pennsylvania. During his spare time, he enjoys serving as one of the founding members for Kids' Chance of Maine, Maine Medical Association, and House of Delegates to the American Medical Association. Thank you, gentlemen, for joining us today. I will now turn it over to Neil Felcher.

Okay, thank you and welcome. This is the legal perspective for this course, or for this session of health information and privacy. And, you know, as most legal talks will be, I apologize, because I'm sure it's going to be a little bit boring, but I just want to cover some of the background and the legal aspects here, especially in regards to, you know, the discussion of HIPAA. You know, so many laws are either written for enforcement and lawyers, and then there's others that are written, you know, for the general public, but we typically keep them so simple. And unfortunately, HIPAA is one of these ones, and especially with, you know, the pandemic that has led into, it's become into everyone's purview of understanding HIPAA, and yet no one seems to understand it. And I spent the last two and a half years, not just with, you know, explaining it to the everyday person, but especially OEHS people who have suddenly been sideswiped by having access to records that they haven't had or needed the information they haven't had before. But, so that's really what this is going to be, is sort of that legal perspective of what we're talking about under health information and privacy. And there's nothing like a talk from an attorney without some sort of disclaimer. So I will just make my usual disclaimer of there is no attorney-client relationship here. This should not be considered legal advice. I can't give legal advice to 300 or 400 people at one time.
And certainly this is not the multi-jurisdictional practice of law, because that would be against my code of ethics. And I did want to, of course, mention, while I am an employee of New York City and the Department of Environmental Protection, the opinions expressed herein are those of myself and may not represent those of my agency or the city leadership. And I'm here representing myself. So just wanted to mention that as part of our standard disclaimer when we give speeches. So, as I said, HIPAA has come under everyone's idea since the start of this pandemic. And I mean, but we've heard, and I suspect many of you have heard some just crazy references to HIPAA. And I just give a couple of the odder examples I've seen. As a city and a government agency, we did require and we did put into our postings that personnel needed to be vaccinated. And in an interview, I had an individual during the interview when they were reminded that that's part of the job. Their response actually was, that's real? You can't do that. HIPAA doesn't allow you to require any vaccinations. And no, that person was not a selected candidate for the job. But no, as I'm gonna explain, that's not HIPAA. We can also look to some of our celebrity friends. So here's a public figure, was at a press conference and was asked if vaccinated. And their response was, I don't necessarily think that's exactly important. I think that's HIPAA. No, that's not HIPAA. And by the way, this was asked, as you see in 2021, when at the time the NFL had very specific requirements. So it was somewhat relevant to ask the question. And lastly, since we figured out that our employees don't know what they're talking about and our celebrities don't know what they're talking about, we probably should ask the government because if anyone knows, it would be our Congress people because they write the laws. 
So a US representative was asked if they were vaccinated at an interview and their response was, well, you see your first question is a violation of my HIPAA rights. And with HIPAA rights, we don't have to reveal our medical records and that also involves our vaccine records. Well, luckily this person was not part of the group that wrote HIPAA, but I wish they had known to read the law. This isn't HIPAA either. So with that as the background of this, I wanna start the health discussion with HIPAA because you can't start that from anywhere but that. And so what exactly is it? This started in 1996, Health Insurance Portability and Accountability Act. And it actually started exactly what it sounds like. It was about allowing people to be able to easily move from doctor to doctor and take their health information and make it portable and not where you can't get it or it's very difficult to get it or you have to go to a new doctor to ask them to make official requests to another doctor, another practice to try to get your information. That was really where this started was simply this sort of public displeasure at what it takes every time your company switches insurance providers, how difficult it was for people. And that's really what the basis of this was and to allow people access to their own records. Of course, like most laws, they got it only slightly correct when they first wrote it. And as most laws, it goes through many, many years of revisions and then goes through periods where we don't revise it even though it needs revisions, which is sort of where we are now with HIPAA. But we've made a number of changes to this over time. One of them was GINA, the Genetic Information and Non-Discrimination Act was added to this and it modified HIPAA. 
It wanted to add not just medical records but add genetic information, things that may not necessarily be an actual in the sense of information of a specific illness, but an underlying prevalence or an underlying possibility due to genetic factors or whatever that might be to ensure that that was being protected and that you couldn't be discriminated against for that. Of course, we've also added into the realm of electronic communication. Remember in '96, while computers were certainly prevalent, it wasn't necessarily the most prevalent matter in many practices, in many health practices, in many providers, in a lot of the work, a lot of stuff was still being sent. You wouldn't receive your bills electronically. Many people were still receiving everything by mail back then. But as that changed, we had to start adding things like cybersecurity. So with that, we came up with the Health Information Technology for Economic and Clinical Health Act, HITECH, that was added. And it really started adding security aspects here and especially in regards to electronic information. They've added a few other things. We've had the breach notification rule, which was also added at a similar time, requiring that if we're gonna add security measures, we should know when they're breached. When you have a failure, you probably have a duty to inform people. And then we've had some of these other amendments. There was the Omnibus Rule in 2013, which was sort of our last major update. We've added some more in 2021. They've added some more cybersecurity measures. And I will say as a true measure of how dysfunctional Congress is, there is currently a bipartisan amendment for HIPAA. And if it gives you an idea of how bipartisan it is, I believe it left committee with a vote of, I think it was 52 to two, is how it got out of committee. So that's pretty bipartisan. And even that doesn't seem like it's gonna get past Congress.
Even though everyone seems to agree that it's needed and this is the right thing to do, we still can't get it done. So take that for what it's worth. But that's our current update right now that we're looking at. And that will cover certain things. It does require certain information and I'll cover a tiny bit of that, really want to move on to the major components of HIPAA. And I think what most of us get or most of us hear about or people get confused about is the privacy side of it. What we call the HIPAA privacy rule. What does it protect? Who does it protect? When does it protect? And so one of the primary focuses of this is it applies to covered entities. That's the language you're going to hear, covered entities. And those are very limited in the grand scheme of the world from the medical side, from the people we might deal with as health professionals or medical professionals, that might be our primary focus. But from the grand scheme of the world, you'll see that this rule applies to health plans, healthcare providers, healthcare clearinghouses, it's a lot of processing entities and then business associates of them. That's it. Which sort of goes back to the examples of you don't see employers in there. You don't see press in there. You don't see family members in there. If a family member asks you how your doctor visit went, that's not a violation of HIPAA. If a spouse asks you what happened and what they said, that's not a violation of HIPAA. We're not covered. It really is aimed at the medical profession. And gradually we've added all these ancillary bodies. We don't wanna cover the doctor and the hospital, but meanwhile, let the lab do whatever they want with your data. So we wanna protect that. It also specifically only applies to protected health information, PHI. I'm gonna come back to that in one second, but it's a covered entity and it's protected health information. If you're not dealing with them, HIPAA doesn't apply legally.
One thing it does require, if HIPAA applies to you, you need to have a privacy officer. You need to have a person who's responsible. You're going to need to have a plan, a program, and everything that goes along with that, procedures, whether it be SOPs or whatever you might wanna call them. You may need to have training on those rules, but a privacy officer who's answerable for all of that. But what it doesn't do, it doesn't regulate covered entities from requesting information. Even if you're a covered entity and HIPAA applies to you, you can still ask for information. Imagine if your primary care physician recommends you go see a cardiologist and you go to the cardiologist and they say, why are you here? I can't tell you that HIPAA protects you from knowing it. No, it doesn't. They can ask, they need that information. So we wanna make sure that covered entities can get whatever they need and they can request it. Of course, once they get that PHI, they do need to protect it too. They are a covered entity and they now have hold of your or someone's protected health information. And just a reminder, HIPAA does not cover your disclosure. If it's your public health, sorry, protected health information, you can do whatever you want with it. You wanna put it on the web, fine. No one stops you. HIPAA has no application to an individual and their health information. So what is PHI? It needs to be individually identifiable. It has to be linkable back to you or the specific person. It may refer to a past condition, a present condition, a future condition, it might be a mental health, might be a physical condition, might be a diagnosis, whatever it might be, but it needs to be individually identifiable. And it can also refer to the care, the treatment, anything that deals with that individual healthcare information or associated with that. So reasonably identifiable, sorry, identifiable, or on a reasonable basis, it can be used to identify.
So if I've got thousands of data points, the odds of statistically, and typically, by the way, they often look at statisticians for, do we believe this to be reasonably identifiable? The question becomes, could you identify someone out of that? Probably not, but what if it was a small group? What if you only had four pieces of data and three of them are females and one's a male and you've disclosed it? Well, I think we can pretty much guess which one of them, at least one of them is, that's a reasonable basis. We can identify that. That would be an issue here. So whether it identifies by name, by identification, or something that you could use to reasonably get back to them, then we would consider that to be a violation. And even if you're a covered entity, so let's say you're a hospital, all you do is manage protected health information. That's what you do as a, maybe not your major course of business, but it's an ancillary part of the major course of your business. These don't apply for them as an employer. So while they have to do that for every patient who comes in, every person they see, it is not the same for them and their own people. They're just like every other employer where HIPAA does not apply. There are some exemptions to this. And I just want to cover these real quick because I think you see some of these sometimes. And also I think at least one or two of these point to things I'm going to recommend at the end to really be a good practice if HIPAA doesn't apply to you. Certainly, as I said, privacy exemptions to the individual and also anyone you identify, if you wish to identify your children, your parents, your spouse, whatever it might be, you can identify people to know that. And anyone who's been in a doctor's office recently, that's a common form that they ask you to indicate: can someone else see these records that we talked to you about?
Also, internal amongst covered entities and the healthcare providers, we want them to be able to talk to each other. If a primary care physician wants to send you to a hospital or send you to a specialist, they have to be able to talk to each other. They have to be able to share information. The lab has to be able to share information and send it back to the medical group. You have to have that. It has to be an exemption. Otherwise, our medical care would completely disintegrate. De minimis disclosure. This is what we often refer to as the minimum amount necessary to achieve what's necessary to achieve. HIPAA does not look for perfection. HIPAA looks for you to have privacy, security requirements in place. It does not expect perfection. If there is a minor mistake or a release of something, as long as it was what they view as the de minimis disclosure, the minimum amount necessary, even if it was a mistake, as long as you have good procedures, they're not really coming after you. They're not really gonna find a violation here. Decedent necessity. Certainly, you need to be able to talk to funeral homes and morticians and things like that. For purposes of organ donation, medical providers have to be able to speak to people. We also have these exemptions for the public interest. Public health. Certainly, this one was commonly noted during the pandemic. We also wanna make sure that if there is a legal obligation, if you are served with a subpoena, if there is a law in your state that requires certain information to be released, that you have that right. You don't have to go, oh no, HIPAA's involved. We have to run to a court to figure this out. You shouldn't have to do that. And certainly in the public interest, we certainly want things such as abuse, indications of neglect, domestic violence to be reported and not to be protected by HIPAA. We're not looking for a victim to basically be victimized the second time because HIPAA protects the other party.
Threat to safety or health is another one. The language on this is looking to be changed just to try to make it a little easier to understand. But essentially, if there's a perception, and certainly I think with some of the recent outbreaks we've seen with things like monkeypox and of course COVID and things like that, this is certainly something that could be implicated where HIPAA would be at least mitigated for the purposes of reporting. Workers' compensation is included here. And also research is included here, but it does need to be recognized research and it does need to be anonymized data. You can't just basically release private information including names and the like unless that is agreed to, but research itself is protected. What was later added was the security side of this. We started with the privacy side. We've made changes. Some of those changes have been added over the years, but security has been added through the HITECH Act and it was strengthened last year through the Safe Harbor provisions. But we're looking to guarantee because as we move from PHI into what we're now calling ePHI, electronic protected health information, and electronic protected health information is the primary area we see nowadays. We don't see much paper anymore. It's almost entirely electronic, which does give us the problem of cybersecurity issues. It requires administrative, physical, technical safeguards to be implemented. It requires you to have a safety officer. And this is where the breach notification rule that was later added in '09 was implemented that you need to notify the people who are affected by, and certainly you need to notify the government of breaches. And frankly, by the way, you see the same thing on the consumer side of this where you now get notifications every time your bank has been hacked or your credit card company has been hacked.
They have very strict breach notifications on the consumer financial and financial sides, just like we now have on the healthcare side and the health information side. And they have to look, so you have to have pretty strong procedures here, responding, identification, whether it's a crime, a threat, and assessing the breach and notification. And there's a lot of rules in regards to this. I will say last year, they did pass a Safe Harbors Act, basically saying that if you're implementing best security practices that are current, you do need to have best security practices that are current. I believe they use the term within the last 12 months, I think is the terminology they use. They will give you the safe harbor of an assumption that you did what you should do. You know, if your cybersecurity is five years old and no, you won't get that, but if you're keeping your cybersecurity up to date, even if you are hacked, then there is an expectation that you are doing the right thing. But we certainly wanna understand, you know, like I said, whether you have a breach or not. And this has unfortunately been a fairly common occurrence recently. So what about the enforcement side of HIPAA? The most common people that have been cited against HIPAA, and this is the correct order, general hospitals, private practices and physicians, pharmacies, outpatient facilities, and community health centers. That's the order that they are given in from the, according to the chart that they give of who they've gone, or who's been most cited. Not necessarily who's been most investigated, but who's been most cited. And so, but you notice what you don't see here, you really don't see necessarily individuals. You certainly don't see everything you hear about in the press of like, you know, a team outing someone on their team or a press person asking something or releasing something. You know, they're just not a covered entity. It doesn't apply to them.
And the most common allegations, and I think these are somewhat useful in identifying, you know, certainly areas for improvement within your own possible practices, but certainly impermissible uses and disclosures of protected health information, lacking the actual safeguards, not following through with what you're supposed to do in regards to the privacy or security rules, lack of patient access. Remember, that's what HIPAA started at. The whole purpose of HIPAA started, or one of the main purposes, was to ensure that people get rights and access to their protected health information, lack of administrative safeguards, and then use or disclosure of more than the minimum necessary. Remember that there's that language again, minimum necessary. And I'm going to bring that up at least one or two more times, because I think that's a very important element if HIPAA doesn't apply to take that philosophy of, you know, it doesn't apply, but I probably should still think about using the least amount, the minimum necessary, and using it for the minimum necessary. They do have discretion. The government does have discretion. And certainly with COVID, they issued a lot of discretionary letters, because if you think about it, you know, I don't know how many of you may have had telehealth with your employees, or you personally did, but many cases it was over Zoom or something like that, which is not necessarily a secure medium. And certainly early during COVID, you saw it wasn't a very secure medium. That would have been a violation of HIPAA. You know, you need to have cybersecurity measures in place. That isn't it. 
And so they've given waivers or discretionary letters for all these community testing sites, business associates now sharing all protected health information, namely being able to report to health agencies how many results they're getting, you know, as opposed to, imagine if you're in a big city and, you know, you could have 20,000 doctor's offices reporting to Department of Health. Is that really what you want? Or is it a lot easier for the three labs to report? Three labs reporting, you know, 200 to 2,000 samples a day is a lot easier than 1,000 medical facilities and community testing sites reporting 20 tests each. So we wanted to make sure, so that's been a lot of what they've done, but they do have those rights to do that. But, you know, they've been looking for updates the same way many of the regulated communities have been looking for updates. So I think to close with the HIPAA side of this, you know, I think for the common EHS person, this probably shouldn't apply, but it really depends. I mean, it depends upon your practice. It depends upon where you practice. Depends upon how you practice at your company or private practice, you know. And even if it doesn't apply to you, it probably applies to the people you work with. If you've got, if you're doing OSHA compliance for, and have medical surveillance programs, if you have injury care, accident victims, and you're responsible, whether it be workers' comp, whether it be investigations from the health and safety side, whether you're part of the HR department in managing those claims, whatever it might be, most likely those entities you're working with probably have HIPAA requirements. 
So you need to at least understand what they can and what they can't give you, and the way that they need to give it to you, or how you might want to request it if you're the contracting person trying to get a medical surveillance program off the ground, and what do you want them to give you if you don't want protected health information? And how do you want to get it? Do you want to look at it more like a fitness for duty sort of thing, where I simply want to know a yes, no, or do you want personal information, and then how are you going to get that? Wellness programs have become a big deal, and the question under HIPAA is really, it varies. If you're running it as part of your health plan, it may very well fit under HIPAA. If you just have a wellness program that's disassociated with your health plan, then maybe not. But I will say, you know, one of the things the government has looked at recently is government has recently looked at potentially extending HIPAA to people like Google and Samsung because of our watches. They're saying that that is potentially protected health information. It's not just number of steps. This gives other information. This gives information potentially about my heart rate, stress rates. It's giving a lot more than simply, you know, Neil took 20 steps this morning and that's all he did, and then he sat down. And so they have not extended it, but there has been a discussion that they may wish to extend it. And certainly don't forget that you can always disclose protected health information as required by law. Other privacy issues. A lot of states have implemented various privacy rules and different states have gone after different issues here. Some have gone after some of the HIPAA type issues. A few have gone after to try to extend HIPAA requirements or extend the obligation of covered entities. 
Many others have gone after consumer protection sides, which may deal with medical information, but it deals with it as a consumer of that practice, of that going to that hospital, going to that medical provider, using that laboratory and what they can and can't do and how they must communicate with you and how they can. So you need to understand that, especially if you're part of like a multi-state practice or a multi-state company, you need to understand the states you work in and does anything apply to you there? Is there a privacy rule that may extend there? And certainly these have come up. I will say Virginia set the standard under the sort of the consumer protection side. They made it super simple. I think it was six or eight pages long. Connecticut and I think three or four other states have followed them and said, we want simple. We just really want to protect consumers and we're not looking to get into the HIPAA side. Other ones have decided to get into the HIPAA side and cover that. But the good news is as employers, they typically always included employer exemptions because they understand that employers need access to certain pieces of data. And I think two of the main questions I typically get are the, you know, how does this intersect with either workers comp and trying to deal with a workers comp claim or how does it deal with OSHA requirements? As I said, workers comp is a specific exemption inside of HIPAA because they want to know that, you know, a claim has to still be processed. You can't not tell the workers comp board or whatever it is in your state about injury because of HIPAA. So workers comps are state-specific. It's going to vary state by state, but recognize that HIPAA across the board has an exemption for it. But do recognize, you know, workers comp gives an employer many rights and requirements. You typically have the ability of reviewing the files. You typically are allowed to have independent medical examiners. 
And I don't know of any state that doesn't allow you to investigate the accident because that's frankly one of the things they expect you to do. So certainly that is in there. And like I said, it's certainly exempted. So, you know, for processing of claims, you know, you shouldn't have this problem with HIPAA. And the similar thing on the OSHA side, even though people constantly say like, well, I can't tell you that because of OSHA or because of HIPAA, that's not really true. OSHA does require the, you know, incidence logging of all work-related injuries and illnesses on the 300 form. That 300 form needs to be available for review. The summary form gets posted every year, but the other one needs to be on file, needs to be available for review. Could there be HIPAA information in there? Possibly, but the fact is you're required to keep it by another law. HIPAA does not exempt you from having it because remember as an employer, it's not, you're not a covered entity, which means HIPAA doesn't apply specifically to it. Because it is a disclosure required by law. Like I said, you're not a covered entity in that regard. So certainly just like workers' comp, you have that ability of putting there. And I will just quickly remind people, there are specific exemptions for what you put on those 300 logs. There are certain types of injuries and accidents that do not get, they're considered private, that with a name does not go on there, but that's another issue that's not a HIPAA issue. And the last couple of things, discrimination issues, workers' comp has specific requirements, being careful about discriminating against people that have workers' comp claims, genetic information, and certainly the Americans with Disabilities Act amendments, you know, and reasonable accommodations. You have to consider this, you can't ignore these. You know, so certainly be careful if you have this information.
If you're taking disciplinary action or terminating people, you need to be sure to document that, that you're not utilizing this information in a way that could be considered discriminatory. So where do I conclude? If you're a covered entity, you need to comply. If it doesn't apply, I think some of this can really be taken as a guidance for a standard of care. And I really think you need to ask yourself some of these questions, you know, do you have something that would be considered protected health information if you were a covered entity? Would that be protected health information? And if so, do you need it? If you don't need it, stop collecting it, don't use it. If you do need it, think about how are you storing it? Where are you storing it? Who has access? How do you share it? And I think that minimum necessary concept plays an important role here of what do you do with it? You know, and how do you share it? Do you share all of it? Or do you share the minimum amount necessary for managers to make their decision or EHS professionals to make decisions, you know, or for purposes of procurement or purposes of redesign of workspaces or whatever it might be, what are you sharing and why are you sharing it? Is it individual or can you consolidate it for them? And I think that's important stuff to consider because I think, like I said, most of us wouldn't have actual HIPAA concerns, but I do think you need to take some of these aspects, ask them to yourself, see if you can minimize them to make a good practice out of this. And with that, I went a little longer than I expected. I want to turn it over to Dr. Saito so that he can put this more into an application and then we'll open it up for Q&A after that. Wonderful, thank you, Neil. And while I'm pulling that up, if everybody can log on to this polling software, I'm not sure if everybody can see the chat. It's pollav.com backslash medlaw. Everybody able to see my slides okay? Great, okay. 
So yes, if everybody can go to the website for the live polling, that'll be great. I want to make this very interactive and we're going to apply some of the principles we just learned sort of from HIPAA, but also taking a step back, understanding the principles of privacy. How is this going to apply when you approach different situations where maybe there hasn't been any precedents, especially in this day and age of the pandemic, we're always looking at new things and looking at how we approach these problems and solve for them based on knowledge we have from the past. So before I get started, just some housekeeping as well, just disclosing my conflicts of interest and other roles that I have, different employment opportunities that I've worked with consultant and other entities that I've had some financial relationships with. Disclaimer, just like Neil, I do work for different entities, necessarily represent my own opinions or those of the ones I work for as outlined here and previously. I do use a lot of pictures that are copyrighted. So they're protected, just using this for fair use and for educational purposes only. So let's get started on this live polling. So hopefully everybody was able to log in. In the meantime, I'll just do a brief sort of regulatory slash legal updates, and you'll have links to each one of these as well, but we're looking at kind of employee digital privacy or any kind of record keeping regulations. These are all the agencies and rules and regs that apply. We talked a lot about HIPAA. Neil briefly touched upon the discriminatory aspects of how the ADA, GINA or EEOC might have some opportunities for challenges there and making sure we follow their codes and regs, as well as OSHA, HHS, workers' compensation, and most recently the 21st Century Cures Act, which we'll talk about a bit here as well, since that's relatively new and I just wanna make sure everybody's aware. So let's see if this is working for us here. 
If you can just let me know, what kind of work do you do? What kind of occupation or profession do you work in? Because this will give me an idea. And this is like social media. If you're seeing your answer there, you can like it and I'll bring it to the top. And if you don't, I guess you can also downvote as well. So I'm just curious to see a majority of us here. Are we EHS folks? Are we physicians? It looks like we have a bunch of industrial hygiene, hospital-based program, nurse practitioners, wonderful, CIH, great. So we do have a bunch of different groups of people here and it gives an idea of where we're all coming from. So I'll try to do this towards the physicians. Now I'll be happy to share some survey results. We did with a bunch of physicians at the American Occupational Health Conference last year, where we did some polling. So it'd be nice to compare what our physician colleagues thought of, what our IH colleagues think of today around privacy and how it applies to these different professions that we have. So most of us are occupational medicine, occupational health, employee safety. We have practice providers, nurse practitioners, folks from public health hospitals and nurses, wonderful. So let's go to the next slide. And it's gonna ask you about the profession and industry you're in. So for those of us working in the healthcare, I'm just curious to see what kind of industry you're in. So most of us are in healthcare, what we suspected. So urgent care, okay, we can talk about that. Chemical manufacturing, transportation, entertainment, how exciting. University-based programs, tribal healthcare, wonderful. So most of us seem to be in healthcare and second to occupational health, probably onsite or near-site clinics, spirometry training and government, okay. So I'll try to gear my sort of responses and talk towards the top three of healthcare, especially occupational health services and some of the based on case management, okay. 
And then also systems here. Next question, how many years have you been practicing in your field? And I always like to start my talks with this question because I'm always thinking about the future and the future of our career and what we can do. I hope I didn't mess this up when I went too far and too quick. Let's see if it caught up yet in the polling. Seems like we're doing fine with the polling previously. Did I kick us out? I probably did, okay. So let's see if I go back here, go here, there we go. How many years have you been practicing? Most of us have been practicing for 16 plus years. And I've always talked to this as a challenge, especially for those of us looking at association. As most of you know, I'm the president-elect of ACOEM and we're excited about our partnership with AIHA, particularly looking at the future of occupational health and how do we best collaborate moving to the future. And it always worries me when we have a huge experience and more seasoned folks and not as many filling the pipeline. And I think that's gonna be a challenge for most of us as we kind of look to see most half or three fourths of us here are very seasoned and it's great to hear and be able to hopefully train the next generation. The succession plan is gonna be important. And part of that is understanding privacy. You know, as we all talked about today, privacy applies in very conceptual ways, but also very practical and pragmatic ways. And I'll share with you some of the regulations. Not only U.S., it looks like we have some questions in the chat about global perspectives on privacy and how do we sort of transition this principle of privacy confidentiality into a world that is sort of new to understanding what privacy means in a day and age of social media. People can go online and look for things or look for pictures of others in a very unique way. 
So I'm just curious to see what your thoughts were around privacy, what kind of words come to mind when you're thinking about privacy or HIPAA or anything else that we've talked about today. Security, so we're looking at it from a compliance perspective, right? So when you look at some of the modalities for approaching regulations or approaching any kind of issues that we want to control, you can look at it from a risk-based perspective or compliance-based perspective. And some of the compliance-based modalities look at security as a top challenge that we want to meet and develop regulations to be able to be compliant and to keep everybody safe and secure. So it's nice to have our mixed colleagues here of over 500 registrants today that look at occupational health and industrial hygiene or environmental health and safety and security tends to come up the most. So the words get bigger as more people type in the same words, synonyms and whatnot. So it looks like most of us talk about confidentiality, looking at privacy from a secure perspective, looking at it from healthcare. I think there's a lot of confusion around it and we'll come back to this because I think it's important to sort of get these concerns we have and I'll share this too so we can kind of see what it is. A lot of legal components to it as well as understanding what is consent and what kind of permissions we need. And I think we've talked about respect, which is great. Ultimately, if you look at some of the EU GDPR based programs, the philosophy is based out of respect for others, privacy, confidentiality, or autonomy as well. Very unique to that as compared to some of the Western perspectives, especially you look at some of the East Asian or Southeast Asian perspective on privacy, it was quite unique. And I appreciate some of our diversity we have in the US. 
We have some tribal members here as well as to regards to what is confidential and private to them might be very different, especially when you're looking at environmental health aspects of it or to the individual components as well. So thank you for sharing this. I'll share this with the group afterwards so you can see sort of what kind of word clouds we have around this. And it really develops our framework for our conversation today around what does privacy mean? And Neil touched on it briefly about different legislation in the US. You can see here in this year, the different states have passed legislation and what green means here is California, Colorado, Connecticut, Virginia, and Utah have now dedicated state laws that can go above and beyond to protect not only consumers and in some cases, medical consumers as well. As we kind of move to that model where medical care and delivery is on a consumer basis, I think these laws would become more relevant. And interestingly too, you can see the age where it applies from 13 to 16. And you'll see some of the proposed ones, 18 years old is when some of these obligations start to kick in. So even those of us who are in pediatric care earlier on or looking at patients in a medical home need to be very wary about these additional consumer protections. And we talked about the wearable devices, right? As we look at new technology developing, what kind of medical information we're capturing, especially for wellbeing programs and employee work sites, be careful what kind of information you're receiving and what kind of privacy laws might apply beyond HIPAA or different consumer privacy rules. So if you look at some of these trackers for 2022, you can see a lot of these states have started to introduce bills. Some of them have been signed in the green states. You can see it's becoming a trend. 
It's becoming a trend that's becoming more important as people look at privacy from a very unique perspective and legislating this, regulating this. So making sure we understand what are the repercussions if you don't follow some of these consumer-based privacy rules. So just be very cognizant, especially in the states you work in, especially in the Northeast, West Coast, they're expected to sort of improve some scrutiny around privacy and privacy rules overall. So why do you think this is happening? Why do you think information sharing has become so important? And for folks to regulate it in a way that hasn't been regulated before, as we talked about HIPAA and there's other regulations, and it's to provide better care. Is it also to provide modalities for patients, employees, claimants, to be able to see what kind of information is being written about them. Mobility, I wanna talk about the electronic modalities of transmission of information. We've moved long and far, although I've worked some clinics that still have paper records, CD records, microfilm, looking at microfiche films that are preserved in archives. I've seen a lot of data being stored in various media that is important to be able to share. The question is, how do we share that? How do we share this in this day and age where digital transmission is quite so easy to do, but how do we do that in a secure, safe, and private way? And I think this is what we're talking about here is, how do we get that continuity of care? How do we transmit this data? How do we collaborate with our colleagues to be able to share information if you're referring them out to experts or to consultants? What do we do in those cases? And how do we be able to better share that information and improve access to that as well? So it's very important as we kind of think about information sharing from this perspective and sharing our knowledge and be able to share our best practices and be able to manage. 
I know we had some case managers here too; without being able to share this information, it would be really challenging. So very similarly, when we asked this question to our physician colleagues, it's all centered around patient transparency, engagement. So you can see a little bit of a nuance here between some of our EHS colleagues and folks from AIHA members and ACOEM members that we're kind of similarly looking at consumers or patients in unique ways and why information sharing is very important for that. So a follow-up to that would be, why is information protection so important then? We just talked about, we wanna be more transparent. We wanna care, have mobility and transmission of our electronic data. So why is this so important to protect that information? If you want more transparency, more ease of transmission, discrimination, right? We talked about different EEOC or GINA regulations there to prevent information from being exposed in a way that might be detrimental to the employee, your patient or your claimants. And we have regulations here in the US that protect you for that. And likewise, worldwide as well. Privacy is another important implicit bias. And I think this is an interesting question about sort of the cultural perspective of privacy and autonomy and even just generational cultural differences. As you probably see some of the younger generations are open to social media and out in the metaverse looking at sharing information in very unique ways of different and those considered private in recent years have not been so private recently as well. Disparities that start to come up. So we can see a lot of this theme now. Weaponization, that's an interesting concept to see what information can do. And there's some really good ethics debate right now around data, big data and how privacy can truly be a very powerful weapon in kind of the informational cultural world as well. 
So if we have time, we can talk about that towards the end as well. I'm glad people are bringing these really good points up. So there was some survey that was done last year just to talk about the ONC's rule on information blocking. And we'll talk about that shortly, but I just wanna let you know, I'm gonna benchmark you against the survey that was done to about 4,000 people last year to see whether, are you familiar with this term? What is information blocking? How does it apply to occupational health specifically? And I'm not surprised if most of us have never heard this before. And this is why we're having this webinar today to discuss a majority of us looks like don't understand or don't know what this information blocking rule is since it was just introduced last year. And this is what we saw at AOHC last year as well is most of us didn't know, but it seems like it's even wider here, especially amongst some of our EHS colleagues. So most of us, 47% here, we had a most majority of 90% was not familiar with what the term information blocking means. So what does it mean? And this is that last link I shared with you in previous slides, a couple of slides ago about the 21st Century Cures Act. It's a final rule that was passed as of April 5th, 2021 after delays of implementing this during a pandemic. They said, no more, we're gonna start implementing this April 5th, 2021. It applies to anybody who has health information and health information exchanges actors must comply and say that you must be able to transmit information now to patients or your employees or your claimants when they request it in an electronic medium. So interestingly, I always like to ask, well, how do you normally exchange information when patients ask you to share the patient data? Are you giving them as paper records, CDs, through email, online portals? 
And for those who are doing email, seems like majority so far and online portals, there's a lot of privacy rules that you need to follow there as well. But you can see paper is still common. I still have a lot of colleagues that work off of fax and are able to fax this information out. Can be very challenging sometimes and making sure that we have a right way and secure way of transmitting data because this new rule actually asks us to be able to transmit information in a secure way and in electronic media. So make sure we're ready. I was waiting for the CD to happen before I go to the next slide, because it still exists, especially for those in imaging as well. And this is what we saw. Now, most people didn't use online portals with the medical centers and email and paper as being a third as well. So the survey did show a lot of people still use paper. Hopefully that's changing, which is nice to hear that we're relying on other exchange media, but a majority of healthcare organizations still need to get caught up and find that there are going to be penalties if they don't do so. So when you do exchange data or give out data and people give you releases and waivers, are you charging for your medical records? Or if you don't know, that's fine too. I'm just curious to see what people are charging because sometimes it can become burdensome, especially having to spend money in developing an online portal. What are the burdens from an employer perspective? And for those of you who don't know, that's fine. This is why it's good to ask these questions because some people do for free. Majority, I would say, offer those records for free. And the question is, do you have to? People and other services you've done charge about $25 or so, because I think that's a fair de minimis use of fees to be able to charge them and that's fine to be okay. And that's what they found as well. 
And this is what we saw, a majority of folks in the medical centers, occupational health also did not charge for this, but you can. And this is what the Cures Act talks about. I'll try to wrap up in a couple of minutes so we can have some time for questions about developing it. It doesn't mean it has to be at no cost as well. There are some exceptions. You can't overcharge. So that's why I kind of like to do the survey to see. I think I want to leave off with this couple of last important questions. Have you or your facility made any changes to meet these rules and requirements? I think most of us probably either don't know or say no, because it's challenging when you know when you're in an employed situation and you're ultimately responsible as an individual provider and your facility's not up to date, what do you do? I think this is gonna be very important. And similarly to what we found with occupational physicians at medical centers, most of them didn't know either. So what do we do here now? So the survey said most of us, about 48%, were not aware of any policies or anything that was changed in your employed area. This includes all areas that have these electronic health records. So do you think that's a problem for you as individuals, as civil penalties, or are you concerned about, it's more of a facilities problem, so you're not so worried about it, or you're not sure? So most of us are not sure. Some of us understand there are civil penalties. So we'll come back to that as well. So there are civil penalties associated, just like HIPAA does. How does that apply here? So about 39% aren't sure, but there are civil monetary penalties that occur. So a survey this year of March, 2022, one year later after the April 5th deadline for initiating information sharing amongst providers, the ONC data shows 77% of individual providers were having complaints lodged against them, either by their patients, their employee, the claimants, or by their attorney representatives. 
So the majority are targeting individual providers. So just be wary. Hopefully I've scared you enough to at least look into this further and find out when you're talking about privacy, not just HIPAA, it's also about the Cures Act and what kind of penalties might arise if you don't comply, share information, and get the right waivers or correct consent to release some of this information to the individual and really figuring out how does this apply in the occupational health world? So I'm gonna stop there. So we have some time for questions, hopefully. So I'm gonna turn it back to Danielle. Hopefully it'll help facilitate some of these questions we might have and spend a little bit of time on that. Thank you. All right. Thank you so much. We do have a lot of really great questions. We've got about four or five minutes to answer questions. So I wanna make sure that we get into the, our very first question is, one minute. I have been informed by my EEOC that GINA does not allow me to ask about family history when doing annual occupational physical exams. This seems so incongruent when I'm not aware and this seems so incongruent when obtaining diligent medical history information when assessing a first responder employee's risk for coronary heart disease. Coronary heart disease remains one of the top causes of death for firefighters. Is this an accurate application of GINA? I'll give my opinion. And look, I'm not gonna say another regulator's wrong. I don't agree with that use, but I also wonder whether this, in this application, whether the person is an in-house provider versus, because I think if you had gone to an independent medical provider, they can ask anything and no one's gonna suggest that GINA's involved in it. This is unfortunately one of those areas where, you know, when you're part of the employer, there is that perception that you're immediately going to use this to discriminate against someone and not protect them. 
And I think that's an issue, but I could see it either direction. And, you know, that could be a reason to use someone outside the operation so that it's not implicated. Yeah, and also in the US, it's different from state to state. So California specifically outlines and calls out individual employers not being able to ask these questions, especially family history, because they've been found to be discriminatory practices in itself. So, you know, I would always say, recommend you talking to your local counsel, especially around the privacy rules there. But yes, California, you can't. Other states are maybe. So find out locally what your jurisdiction and precedence is for that. Next question. Are the contents of injury status reports provided by workers' compensation medical provider network clinics covered by HIPAA? I'm gonna lump this together with some other questions. It was a question in regards to temperature screening, and it was also a question in regards to OSHA medical records. And I think you lump them all together because I think, you know, I have a similar answer for all of them is essentially when you're talking about employers, you should, most employers are never going to be a covered entity. And like I said, even people who are covered entities or health plan providers, they're, you know, they're in the field, they're businesses, when they deal with their own employees, HIPAA, they are exempted from HIPAA. So I'm gonna say, you know, HIPAA is not specifically gonna be implicated, but I will, I do wanna say, you know, the philosophy behind HIPAA is, you can't just say HIPAA doesn't apply. Yippee, I'm gonna do whatever I want with all this information, which would be PHI if HIPAA does apply. I still think you need to consider those best practices of what am I doing with this information? Do I need it? Should I have it? How am I sharing it? How am I storing it? But no, you're not gonna be cited under HIPAA because HIPAA, you're not a covered entity. 
And like I said, I just lumped, I think four questions in there, because I think they're all, they are three on there, all the same basic answer is, you know, as an employer, HIPAA is not gonna be that, not gonna be the deciding factor. Excellent. Are employers able to receive all medical surveillance records from a contract healthcare vendor? So I don't know, just to clarify, does that mean like exposure data or surveillance data? Like what kind of data? I guess it really depends, but overall, correct me if I'm wrong, Neil, but if you have exposure data that's in the OSHA 300 log or whatever it might be, that's separate from the medical records. So it's not under, it's not a covered entity, just like, or protected health information. Is that right? I thought what they were, I think what they're asking is, you know, if you've got like a medical surveillance program or something like that, you know, are you getting the specifics of, let's say you send your employee for testing to see if they can do certain types of work and wear certain types of equipment, do you get the actual medical file or do you simply get the, yes, they can, no, they can't? I think that's how I took this question. And so I think that was sort of a combination between the two and, you know, no, I mean, I don't think, first of all, I think as an occupational health person, I don't think you really want, or as an EHS person, I'm not sure you want all those records, but you do need enough to make EHS decisions. Just knowing that the person failed doesn't help you identify whether you've been exposing them to lead or mercury or, you know, some other metal. You need to know more than simply that. So I think the truth is somewhere in the middle here. I don't think you would be providing simply the entire medical record, but I think that is part of what you're probably discussing as part of hiring that, how do they refer to it as a screening medical surveillance provider? 
How would you contract with them and what are you looking to get from them? In some case, I think a yes, no fit for duty is acceptable, but I think if you're having exposures, you need to understand what those exposures are. You can't address them. No, I agree. And that's also where it's coming from, where is it going to is always a question I like to ask. Like if it's going to your internal occupational health clinic, it's a little different than going straight to HR or going to safety, because there's a lot of information there that might be useful for an occupational health clinic, but not so useful for an EHS individual in safety. So I think just be cognizant and mindful of that, because sometimes you don't want to overshare because now you're going to have yourself held to a higher standard of having information and respond to that information that might be inappropriate or discriminatory. So attorneys like to look for that during discovery. So just be careful of where it's going, where it's going, who's coming from, where's it going to, and for what reason it's being used for. And those are just the general principles you want to follow. Okay, we have time for one last question. And if we didn't get to your question today, we will try and pull them and see if we can address them after. For multinationals who are operating in the EU, can you describe any areas of conflict between the US-based HIPAA framework and the EU's GDPR-driven PHI privacy requirements or global companies trying to implement a universal privacy policy? Is there a conflict between the US and EU frameworks? Are you familiar with GDPR much, Neil? I am not. My practice has been concentrated in this country now for 15 years. So I've stopped dealing with other countries. I can briefly address it, because that's a, address it, because it's actually a very complex question to ask. 
But the general rule of thumb right now for multinational companies is, follow what the GDPR is doing and you're covered for the US. Because the regulations there have been, the regulations there have been debated for almost a decade before they adopted it and it's adopted for the entire European Union. So we kind of look at that and say, okay, if companies are based in the US but have businesses in EU, which most multinational companies do, end up having to follow GDPR anyway. So there's actually talk now in the US as to whether we should have reciprocity in the US saying, well, why don't we just follow the same rules as GDPR? So I think if you're trying to reconcile the difference, I'd follow the one that has stricter regulations. And that way, if you need to make a policy that's standardized, it's easy to follow meeting the higher and rigorous requirements for privacy protections under the GDPR. That's a five minute question or answer that could be a lot longer. Yeah, and I would just add one more thing to our last question, because someone just sent a link to an OSHA letter of interpretation, which was a really good reminder, by the way, that a lot of the OSHA requirements flow to the employer and you have obligations, depending upon the types of medical records, you have obligations for retention periods. So if you are not getting those records, you better have some other way of maintaining those records. You can't say I hired a provider and I don't know what they did with them, but I know I was supposed to keep them for 30 years if it was a 30 year record. So just a reminder that, as I said, as someone said, it's a really good reminder that depending upon OSHA, you have retention policies that you must have. So if you're not gonna get those records, you need to be sure that they're being maintained elsewhere even if they're medical records. And that alone is another hour topic. 
I know we only had an hour today, so it was a little bit short, but I'm glad we had the appetite for this. At least it gives us an idea of what we can do and collaborate into the future. And I think this is gonna be a very fruitful one with AIHA and ACOEM to partner on these kinds of important topics. So please continue to send on your comments to us because that would help us develop future programming and future topics. And I know we're kind of out of time. So back to you, Danielle. Yeah, absolutely. And we will capture the questions and see which ones we were able to answer and which ones we were unable to. I do wanna let everybody know for updates on any future webinars, please visit aecom.org backslash webinars. And even our topic today, this may be something as Dr. Saito mentioned, perhaps we'll revisit. Additionally, we have our virtual fall summit coming up November 13th through 17th, just right around the corner. It will be five days and information is available on the ACOEM website. I encourage you to take a look. I do wanna thank Dr. Saito and Mr. Felcher for joining us today. Thank you so much for sharing your knowledge and your expertise with us. A copy of the slides and a link to the archive presentation will be sent to everyone who registered for the webinar. If you attended live today, you will also receive a link to a survey to request your feedback and claim your CME. Again, thank you to everyone for joining us today. We wish you all the best. Gentlemen, thank you for sharing your knowledge and everyone please stay safe and have a wonderful day. Thank you everyone. Bye for now. Bye bye, thanks.
Video Summary
The webinar titled "Health, Information, and Privacy, an Introduction and Overview" covered the importance of HIPAA regulations and their implications in healthcare settings. Speakers Neil Felcher and Dr. Kenji Saito discussed the legal aspects of HIPAA, privacy rules, and security requirements. They emphasized protected health information (PHI) and the minimum necessary disclosure. The exemptions under HIPAA were addressed, including cases of public interest, safety threats, and workers' compensation. The importance of privacy officers and safeguards for electronic PHI (ePHI) was highlighted. Enforcement actions and common allegations against healthcare providers for HIPAA violations were discussed. The webinar also touched on state-specific privacy laws, intersections with workers' compensation and OSHA requirements, and discrimination issues related to health information. In summary, the webinar provided valuable insights into navigating HIPAA regulations for healthcare professionals. Additionally, the video transcript emphasizes the importance of privacy, HIPAA compliance, and data protection for healthcare professionals and organizations. It discusses minimizing unnecessary PHI collection, secure storage, compliance with laws like the 21st Century Cures Act, privacy concerns, state-specific regulations, information blocking rules, and implications for multinational companies. Overall, the content stresses understanding and adhering to privacy laws and best practices for patient data security and regulatory compliance.
Keywords
HIPAA regulations
healthcare settings
privacy rules
security requirements
protected health information
minimum necessary disclosure
privacy officers
electronic PHI
enforcement actions
health information