How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations (2014)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

232 APPENDIX E—SUMMARY OF TRANSIT AGENCIES’ RESPONSES TO SURVEY 1. Forty-eight transit agencies responded to a survey that asked whether the agency receives, creates, transmits or maintains health information or records on individuals for whom the agency provides transpor- tation to doctors, hospitals, clinics, or other health care providers. Seventeen agencies responded affirma- tively and provided additional information in response to the survey-questions as summarized herein.96 2. Five transit agencies replied that they had not been advised, nor had they assumed, that they are sub- ject to HIPAA because the agencies possess health information or records on patrons for whom the agencies provide transportation to health care providers. However, 12 agencies responded that they had assumed or been advised that HIPAA applied to them and provided the following information: EBPC on behalf of AC Transit replied affirmatively that it had assumed that HIPAA applies to the agency but noted that it had nothing in writing. GATRA replied affirmatively and also stated that HIPAA policy and procedures are subject to annual re- view by the Massachusetts Executive Office of Health and Human Services (EOHHS). Copies of its agree- ments with the EOHHS are included in Appendix C. KAT stated that it has not been advised that HIPAA applies but “just work[s] under the assumption the information would be covered under HIPAA law.” MATA stated that it has a paratransit division that “maintains medical information on patrons that [ap- ply] for the service; therefore, MATA must comply with HIPAA Laws.” MTA reported that it had not been “formally advised but it has long been our assumption that we were subject to HIPAA, having no evidence to the contrary.” New Haven Transit stated that the agency has clients who sign a release of information if they wish to access transit service. North County Transit reported that it is stated in the agency’s eligibility application that a patron ac- knowledges the use of patron’s protected health information. Pierce Transit answered the question both yes and no, stating that “[t]he agency is not assumed to be a designated HIPAA organization, but we do handle some information that is protected under HIPAA.” Riverside likewise said that as part of the ADA certification process, the agency is provided with confi- dential medical information by applicants to be used to determine “barriers to accessing the fixed route sys- tem." Space Coast states that as a county agency the agency follows HIPAA law. Utah Transit also said that “[a]s we receive information from healthcare providers on our clients’ disabili- ties, we assume that we are to treat such information as confidential.” 96 East Bay Paratransit Consortium (EBPC) on behalf of AC Transit, Oakland, CA; Greater Attleboro-Taunton Re- gional Transit Authority (GATRA), Taunton, MA; Greater New Haven Transit District (New Haven Transit), Hamden, CT; Hillsborough Area Regional Transit Authority (HART), Tampa, FL; Kitsap Transit (Kitsap), Bremerton, WA; Knox- ville Area Transit (KAT), Knoxville, TN; Manchester Transit Authority (MTA), Manchester, NH; Memphis Area Transit Authority (MATA), Memphis, TN; Metro Transit (Metro Transit), Madison, WI; North County Transit District (North County Transit), Oceanside, CA; Pierce County Transportation Benefit Area Authority (Pierce Transit), Lakewood, WA; Riverside Transit Agency (Riverside), Riverside, CA; Salem-Keizer Transit (Salem-Keizer), Salem, OR; Space Coast Area Transit (Space Coast), Cocoa, FL; Utah Transit Authority (Utah Transit), Salt Lake, UT; Votran (Volusia County) (Votran), Daytona Beach, FL; and Whatcom Transportation Authority (Whatcom), Bellingham, WA.

233 Votran stated that section 8 of its paratransit eligibility application asks for information about a medical condition that does not permit an applicant to use regular, fixed route service. 3. Twelve agencies that advised that they receive health information or records from, or transmit health information or records to, a health care provider, health plan, or health care clearinghouse, as those terms are defined in the HIPAA laws and regulations, regarding patrons for whom they provide transportation to health care providers provided additional information.97 EBPC stated: In order to use the ADA (Americans with Disabilities Act) paratransit program provided by the East Bay Paratran- sit Consortium, applicants must complete a certification process, which is a requirement under the ADA. For EBPC, this includes a paper application, an in-person interview, and at times a medical verification received from a health care provider. All information in the rider’s file is strictly confidential and EBPC does not transmit this information to anyone. HART stated that it requires that medical certification forms be completed by physicians on patrons for eligibility for paratransit services. KAT reported that it receives medical information regarding a client’s need for paratransit service. Kitsap said that in some cases it may be necessary to contact named medical professionals for additional information about an applicant’s disability or “functional abilities regarding independent travel.” MATA requires certification of all patrons whose medical information is “received and stored on site.” Metro Transit advised that it collects health information for patrons for two purposes. First, “Metro re- ceives application for ADA Complementary Paratransit that includes health related information from a health care provider.” Second, “Metro receives applications for Reduced Fare Disabled Permits that include health related information from a health care provider. The applications are for determining eligibility only and are not required in service delivery.” MTA stated that during the application process clients must submit documentation from their health care provider that illustrates disability and its impact on the clients’ ability to use fixed routes. North County Transit said that it receives health information from medical providers to determine eligi- bility of service. Pierce Transit stated that as part of its ADA paratransit eligibility process the agency seeks “professional verification and reports from health care providers.” Space Coast stated that it receives “health information from health agencies and patrons.” Utah Transit said that the agency receives documentation of diagnosis for individuals that may affect functional ability to ride public transportation, information that is received by fax or provided to it by the client. Whatcom said that it seeks professional verification from physicians and other providers to assist an eli- gibility specialist in making an ADA paratransit determination. Four agencies replied that they do not receive or transmit such information: GATRA, New Haven Transit, Salem-Keizer, and Votran. 4. (a) Fourteen of the 17 agencies receiving or transmitting medical records stated that they are not a business associate of a covered entity as the term is defined in the HIPAA laws and regulations. However, three agencies reported as follows: 97 Riverside referred to its answer to question 2.

234 MATA stated that its agency is a business associate of a covered entity because it transports patrons to health care providers daily. GATRA stated that it is a business associate of a covered entity: the Massachusetts Executive Office of Health and Human Services. Space Coast reported that as a county agency it is covered by HIPAA. (b) Sixteen agencies responding to the survey stated that they are not a subcontractor of a business asso- ciate of a covered entity as the term is defined in the HIPAA laws and regulations. Salem-Keizer answered the question affirmatively; the agency stated that it has a “contract with the State of Oregon to provide rides for [the] Oregon Health Plan [and] Medicaid eligible participants.”98 A copy of agreements that Salem-Keizer provided are included in Appendix C. (c) Fifteen agencies stated that their agency is not a hybrid entity as the term is defined in the HIPAA regulations (e.g., the agency is not a department of a covered entity providing transportation services in con- nection with health care services subject to HIPAA). Metro Transit reported that although it is a depart- ment of the municipal government it is not a hybrid entity under HIPAA but that “[s]ome other departments of the municipality have been designated…hybrid entities.” Two agencies described themselves as hybrid agencies. North County Transit stated that it is a hybrid entity because it is “transporting some passengers to health care covered entities.” Pierce Transit identified itself as a hybrid entity. The agency stated that as much as 25% of the ADA paratransit trips it provides are Medicaid-eligible trips. 5. and 6. Questions 5 and 6 are consolidated for the purpose of the summary of the agencies’ responses. The agencies that stated that they receive, create, transmit, or maintain health information or records on patrons for whom they provide transportation services and described how and under what circumstances they receive, transmit, or maintain such information or records on their patrons. EBPC advised that it “does receive and maintain certain health information on riders certified to use the ADA paratransit program. Information comes directly from the applicant and on occasion is verified by a medical health professional. A paper file is created for each applicant and is stored in a filing cabinet in a room with secured access.” Furthermore, EBPC stated that “[i]n order to schedule rides for certified riders, an electronic client file is established in the data base. The client file only contains information necessary for the rider’s trip to be scheduled in a way that is safe for the rider and the driver.” According to EBPC, certain information is included in the client database and shared with a driver: whether mobility devices are used; whether a service animal accompanies a rider; whether a rider has vision issues and cannot see a vehicle approaching; whether a rider travels with a personal care attendant; whether a rider can never be left alone; whether a rider cannot walk up steps and requires a boarding chair to enter a van; and whether a rider travels with oxygen tanks. GATRA stated that “transportation authorizations are received via secured FTP transmission [and] are posted for subcontractors via secure FTP on our portal (web).” GATRA also stated that information or re- cords are received via telefax and “secure e-mail” and that GATRA stores documents in a secured area. HART stated that certifications provided by physicians are only accepted in “hard copy format through regular mail.” KAT reported that information may be delivered to the agency in person, by mail, or by telefax. 98 One agency did not respond to the question.

235 Kitsap reported that requests are sent by telefax or by mail to a named medical professional including a cover sheet, a questionnaire, and a release form. The response is returned to Kitsap, reviewed, and kept with the applicant’s file. The application is filed and retained on site. Inactive and archived passenger files are destroyed after 6 years. MATA stated that with respect to applications for paratransit service information on applicants’ medical conditions are received to help determine eligibility. The applications are received by mail, by email, or by hand and after being reviewed are stored in locked files. Metro Transit’s response was that the agency “maintains ADA paratransit application forms…in a se- cure area with limited access” and that “[o]nly hard copy files are maintained, no electronic copies.” Fur- thermore, Metro Transit reported that it maintains the confidentiality of the records in accordance with the ADA Paratransit Eligibility Manual (1993) prepared for the FTA and distributed by the US DOT. Metro Transit also stated that “paratransit service manifests are generated for distribution to directly op- erated service drivers and to contracted service drivers for transportation purposes only. These manifests contain the passenger’s name, address for pick up, drop off and pick up times, and mobility device type or space type. No health related information is provided on the manifests. Manifests are distributed manually and electronically.” Metro Transit reported that its Reduced Fare Disabled Permit applications are main- tained as hard copies but are not secured. MTA stated that “[c]lients of paratransit service must apply and be approved based on a disability that prevents access to [a] fixed route. [An] applicant must provide health information on disability [and] its ef- fect on using [a] fixed route.” However, MTA does not deal with electronic information as “applications are filled out on paper and physically stored.” New Haven Transit advised that clients mail their applications to the agency with their health informa- tion and that the applications are kept in locked files. North County Transit replied that it receives health information via mail, telefax, and e-mail from cov- ered health care provides for eligibility purposes. North County Transit noted that the ADA Paratransit Eli- gibility Manual, (available at http://ntl.bts.gov/DOCS/ada.html), in a section entitled “Observing Privacy Rights” states: The medical information that may be gathered as part of the ADA paratransit eligibility certification process should not be shared with any other party. This would include specific diagnosis provided by professionals and information about the nature of disabilities provided by the applicant. Access to eligibility files should be limited and those with access to these files should be informed and instructed to respect the privacy of applicants. This should include in- house staff as well as any third-party contractors used in the determination process. Information regarding a person's functional ability to use fixed route service, derived from the determination proc- ess can, however, be shared with other transit providers. Other entities may call to obtain more detailed informa- tion about a person's ability to travel if that person has requested service in another area as a visitor. Pierce Transit’s response to the survey stated that applications for paratransit as well as its requests for professional verification may be sent to Pierce by mail or by telefax and that the agency stores paper files. A copy of Pierce Transit’s Notice of Privacy Practices is included in Appendix C. Riverside stated that applicants submit a physician’s verification form documenting their disability, a document that becomes part of the certification file. However, the document is an internal one that is not “transmitted for any reason.” Riverside also said that documents are stored “electronically as part of the cer- tification file and used for comparison over time.” Salem-Keizer only receives information by mail or by telefax that are kept in “locked files.” Space Coast receives information by mail and by telefax. Whatcom said that it “receives health information related to paratransit eligibility applicants. The in- formation is authorized by consent of [the] applicant and the information is stored in locked, physical files

236 and password protected computer files.” Moreover, “[t]he information received is used only in making ADA determinations and in providing most effective/comfortable service to customers once approved.” 7. Eleven of 17 agencies, with one agency not responding to the question, stated that they had never pro- vided to their patrons or others a notice of their privacy policies or practices on the use or disclosure of pa- trons’ health information or records that the agency receives, creates, transmits, or maintains in connection with transporting patrons to health care providers.99 As for the other five transit agencies responding to the survey, EBPC reported: An applicant must sign a certification as part of the written application giving EBPC the right to seek verification from a health care professional, if it is needed and it will be used only to verify eligibility for paratransit services.… The applicant must also sign a second certification acknowledging he/she understands all information given to EBPC is confidential and only used to certify whether the applicant is eligible for the ADA paratransit service. Kitsap stated that a notice of privacy practices is included in the preapplication information with each application for service. Copies of Kitsap’s Medical Verification Release form and Notice of Privacy Practices are included in Appendix C. MATA noted that each application contains a section explaining that medical information will be kept confidential. Pierce Transit provided a copy of its Notice of Privacy Practices. See Appendix C. Although answering “no” to the question, Metro Transit stated that it provides a notice of confidentiality regarding the application for ADA paratransit eligibility. The Release of Information states: I, the applicant, understand that the purpose of this application form is to determine my eligibility to use Metro Paratransit Service. I agree to release the information requested to Metro and any eligibility review panel, and un- derstand that the information contained herein will be treated confidentially. I understand further the Metro re- serves the right to request additional information at its discretion. Original signature required. Copies, faxes or emails will not be accepted (please send or deliver the original application). On the other hand, Metro Transit states that the agency does not provide similar information for its Re- duced Fare Disabled Permit application. 8. Four agencies stated that they did not have security arrangements such as those required by the HIPAA laws and regulations for safeguarding health information or records, including those in electronic format, which the agencies receive, create, transmit, or maintain on patrons for whom they provide trans- portation to health care providers. However, 13 agencies stated that that they did have security for such re- cords.100 They described the security arrangements as follows. EBPC stated that electronic files are password protected and maintained in a locked-room that requires a pass code. EBPC also stated that there is limited medical information on clients in its database; that its staff understands that client-details are never to be “given out”; and that clients’ print-files are maintained in a secured room that requires a pass code. GATRA cited “employee training” and its service agreement with a subcontractor. HART said that medical certifications provided by physicians on patrons are stored in a locked file cabi- net in a locked file room and that only authorized personnel in the paratransit department have access to the information, meaning two or three employees of the agency. KAT stated that applications are kept in a locked file cabinet. MATA stated that all paratransit applications are stored in a secured area with “lockable files.” 99 Utah Transit stated that it communicates “[o]nly verbally in [an] interview with [the] client [that] all information is confidential and not shared without written request signed by client or agent of client.” 100 One agency did not respond to the question.

237 Metro Transit stated that its “paratransit application records are kept confidential. No electronic en- cryption has been implemented as of yet. All faxes for supplemental eligibility materials are sent to a fax machine in the secure area with limited access.” MTA similarly reported that all client health information is stored on site in a locked file cabinet with restricted access. North County Transit referred to a contractor’s HIPAA standards. Pierce Transit referred to its previously mentioned Notice of Privacy Practices, a copy of which is in- cluded in Appendix C. Riverside advised that its documents are “only stored electronically” and that “the software used to store the data has security measures built in to ensure the privacy and confidentiality of these documents.” Utah Transit states that all information is stored in a secure locked file room on all clients and that no information is shared except on the client’s or the client’s agency’s request. Votran referred to its eligibility application that contains documentation from a medical professional concerning the nature of the applicant’s disability that does not permit the applicant to use regular fixed route service. Whatcom stated that the agency did not “fall under HIPAA” but that Whatcom is “committed to mainte- nance of customer confidentiality.” 9. Fifteen agencies stated that they did not have now nor had they previously had a contract with a cov- ered entity as defined by the HIPAA laws and regulations to provide transportation to the named covered entity or to health care providers. GATRA, which replied replying affirmatively to the question, attached a copy of the amendments to a contract it has with the Massachusetts EOHHS. Metro Transit replied affirmatively because it had a contract with a covered entity but also explained that “none of the health records come from the covered entity. Health records come directly from the patron. The covered entity obtains a release from the patron to voluntarily participate in the program.” 10. Twelve agencies reported that the agencies had not been required or requested to provide health in- formation or records concerning the agencies’ patrons pursuant to a subpoena, including a Grand Jury sub- poena, a discovery request, or a court order.101 However, three agencies replied affirmatively to the inquiry: GATRA stated that it had a discovery request from a customer’s legal representative and that the agency provided the requested documents. MATA said that records of a paratransit patron’s scheduled rides have been “requested by court order because of a patron’s service complaint.” Riverside stated that information was requested “but due to HIPAA constraints, the Agency chose not to release the information.” 11. Sixteen agencies reported that they had not been requested or required to provide health information or records that they receive, create, transmit, or maintain on patrons for whom they provide transportation to health care providers pursuant to a request under a Freedom of Information Act or a Public Records Dis- closure Law.102 12. Although 2 agencies did not respond to the question, 15 agencies stated that they had not been the subject of any legal action or administrative proceeding in connection with the use or disclosure of health 101 Two agencies did not respond to the question. 102 One agency did not respond to the question.

238 information or records that the agencies receive, create, transmit, or maintain in connection with transport- ing patrons to health care providers. 13. Although 3 agencies did not respond to the question, 14 agencies stated that they are unaware of any state laws that are applicable to the agency on the use or disclosure of any health information or records that they receive, create, transmit, or maintain on patrons for whom they provide transportation to health care providers. In responding affirmatively to the question GATRA referred to Massachusetts General Law 66A (discussed in this digest). 14. Although 1 agency did not respond to the question, 16 agencies reported that they were unaware of any opinion by a court (e.g., federal, state, city, or county) in which an issue was whether HIPAA preempted any state law on the use or disclosure of health information or records. 15. Although 1 agency noted the possible applicability of HIPAA to the agency, 16 agencies reported that they were unaware of any federal privacy laws that apply or that may apply to them regarding their use or disclosure of health information or records that the agencies receive, create, transmit, or maintain on pa- trons for whom the agencies provide transportation to health care providers. 16. Agencies were asked whether the state attorney general or another official in the agency’s state, city, or county had issued any opinions regarding the applicability to the transit agency of any state or federal privacy laws, including but not limited to HIPAA, concerning health information or records that they re- ceive, create, transmit, or maintain on patrons for whom they provide transportation to health care provid- ers. Fifteen agencies reported that they were unaware of any such opinions; two agencies did not respond to the question. 17. The agencies were asked whether any of 10 federal laws identified in the survey103 had had any effect on health information or records that they receive, create, transmit, or maintain on patrons for whom the agency provides transportation to health care providers. Eleven agencies reported that they had not been affected by the laws.104 Utah Transit identified the Privacy Act of 1974 as being applicable to the agency. Three agencies identified the ADA as being applicable: EBPC reported that it is required to follow all ADA-regulations. Pierce Transit stated that “DOT/ADA Rules require a paratransit eligibility process which has required Pierce Transit to handle HIPAA-related information.” Whatcom noted that its agency is subject to DOT and ADA laws and regulations. Its response noted that the agency collects and maintains files “in accordance with ADA and DOT regulations for the specific pur- pose of authorizing and providing complementary paratransit service for disabled passengers.” 18. Sixteen transit agencies stated that they had not been sued in tort, for breach of contract, or otherwise regarding an alleged unauthorized or improper use or disclosure of health information or records they re- ceive, create, transmit, or maintain on patrons for whom they provide transportation to health care provid- ers.105 19. As for whether the agencies have a plan or policy regarding the handling of health information or re- cords in their possession on patrons when providing them with transportation during an emergency, 14 103 1) Patient Protection and Affordable Care Act; 2) Department of Transportation regulations; 3) Drug and Alcohol Treatment Programs; 4) Americans with Disabilities Act and the Rehabilitation Act of 1973; 5) Employee Retirement Income Security Act of 1974; 6) Family Educational Rights and Privacy Act; 7) Privacy Act of 1974; 8) Medicare and Medicaid; 9) Genetic Information Nondiscrimination Act; and 10) any other Federal Privacy Laws identified by the agency. 104 Two agencies did not respond to the question. 105 One agency did not respond to the question.

239 agencies reported that they did not have a plan or policy.106 Two agencies did not respond to the question. MATA reported stated that “[f]or any medical emergency during transport paramedics are called and they transport [a patron] to medical providers.” 20. Fourteen of 17 agencies explained (a) what they consider the industry practices or standards to be on receiving, creating, transmitting, or maintaining health information or records and/or on the use or disclo- sure of health information or records on patrons for whom they provide transportation to health care provid- ers and (b) some provided copies of any industry practices or standards and/or the agency’s polices or proce- dures in regard to the foregoing.107 EPBC stated that its staff knows that that all records must be treated confidentially; that there are two confidentiality certifications in the ADA application; that the information in electronic files is limited to per- tinent information about trip requirements only; and that print-files are kept in a secure location. HART stated that applications for paratransit service are stored in a secure/locked cabinet accessible only by “select/appropriate staff (two to three employees) in a locked file room.” Kitsap reported that all passenger records are treated as confidential and only reviewed by staff as is necessary to provide safe transportation. “Appropriate database securities are in place to prevent access to these records by nonessential personnel or the general public.” KAT stated that the information is private and that the records must be secured. “Operators are in- structed not to share any information to anyone outside of KAT.” MATA “only receive[s] medical information from health care providers and that information is only used for patron certification. The information is filed and secured.” Metro Transit addressed the issue as follows: Metro provides some 265,000 one way paratransit trips each year and 788,822 reduced fare fixed route trips each year for people with disabilities in the Madison metropolitan area. Some of those trips are to health care appoint- ments and some are coordinated with humans service agencies. Many trips are for employment purposes. Metro transit is not a health care provider and it does not make claims for service. Care organizations opt to make use of transit infrastructure to further their programs and for cost efficiencies. Utilizing public transit has a direct impact on patient care, costs, and access. Applying HIPAA regulations to public transit at each point of service would result in an increase cost to the service and potentially a reduction in service available. Public transportation entails requesting information about the nature of the trip which could potentially contain protected health information, if HIPAA regulations applied to public transit, it would in turn require that public transit comply with all HIPAA regulations, including providing privacy notices and acknowledgment of said notice (via gathering signatures at the time of each applicable boarding) and implementing security measures for electronic transmissions of manifests and direct service as opposed to shared ride service to avoid inappropriate dis- closure to unauthorized persons at the time of boarding. The implication if HIPAA is applied to public transit is a fundamental change in the manner in which public transit is delivered, increased costs, and decreased access not just for health care, but all trip purposes and would adversely affect all involved parties. MTA explained that it is a small paratransit service and that it does not transmit or create any records and that it only receives and maintains what is submitted in or with an application. New Haven Transit provided a copy of its Request for Professional Verification, Authorization to Release Confidential Information, and Physician or Other Professional Information. See Appendix C. Pierce Transit referred to its Notice of Privacy Practices provided with its response to the survey. See Appendix C. 106 Utah Transit explained that a client would have to call 911 because the agency does not do “same day emergency transportation.” 107 One agency did not respond to the question.

240 Riverside stated that it requires medical documentation supporting a claim of disability as allowed un- der the ADA regulations for certification to access paratransit service, information that is “confidential[] and is treated as such in our process.” Salem-Keizer reported that the information it receives “is functional (as far as ADA service eligibility) and eligibility data from the State of Oregon [is] covered by [a] confidentiality clause.” Copies of agreements provided by Salem-Keizer are included in Appendix C. Utah Transit reiterated that any information received from a client is confidential and is not shared without a client’s or a client’s agent’s written consent. Records are secured in locked room. Votran stated that “[h]ealth information is not disclosed to parties other than the necessary staff re- sponsible for processing paratransit eligibility applications or performing functional assessments.” Whatcom stated that the industry best practice is that of “maintaining confidential files in secure physi- cal setting and/or password protected computer files.”