Clinical Practice and Information Sharing: HIPAA, State - - PowerPoint PPT Presentation
Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal Issues Harrisburg, Pennsylvania December 3, 2013 John Petrila, J.D., LL.M. Professor College of Public Health University of South Florida
Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal Issues Harrisburg, Pennsylvania December 3, 2013
John Petrila, J.D., LL.M. Professor College of Public Health University of South Florida jpetril1@health.usf.edu
Welcome to Florida…And Do Hurry Back!
asking if Don Smith is or has been a patient at your treatment center. The
robbery.
NSA Chief Defends Spying On Americans, Claims 50 Foiled Terrorist Plots
Unmanned drones flying in US spying on Americans, says FBI
What Do These Celebrities Have in Common?
Californian Sentenced To Prison For HIPAA Violation
sentenced to four months in prison on April 27, 2010 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California
with Spears Family
UCLA hospitals to pay $865,500 for breaches of celebrities' privacy
The Latest in Privacy Fashion
confidentiality in legal proceedings in which the protected material otherwise would be subject to disclosure
Redmond v. Jaffee (1996)
TRUST
Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment
For this reason, the mere possibility of disclosure may impede development
relationship necessary for successful treatment.
services and their clients is necessary to develop the trust and confidence important for therapeutic intervention” (PA Admin Code 5100.31(b)
APA Ethical Principles 4.01 Maintaining Confidentiality
Psychologists have a primary obligation and take reasonable precautions to protect confidential information obtained through or stored in any medium, recognizing that the extent and limits of confidentiality may be regulated by law or established by institutional rules or professional or scientific relationship.
– Within systems – Across systems
protected health information
for privacy of alcohol/substance use information
stricter than HIPAA but rarely stricter than 42 CFR Part 2, except of course in Pennsylvania
canceled for fear that revealing a resident’s date of birth could be a violation.
“Zebra” for a child in Newton, Mass., or “Elvis” for an adult in Kansas City,
students themselves, insisting a friend do it, for fear of passing out confidential information, the hospital’s patient advocate said.
their efforts to create immunization registries for children because information from doctors no longer flows freely. – Jane Gross, Keeping patient details private, even from kin. New York Times, July 3, 2007
–Health plans (group health plan, Medicare, Indian Health Service plan…) –Health care clearinghouses –Health care providers who transmit health information in electronic form
HIPAA Does Not Apply If
You only use paper, phone,
Submitting claims Checking claims status inquiry/response Checking eligibility/receiving response Enrolling/disenrolling in health plan Receiving heath care payments/remittance Providing coordination
No one does this electronically for you
and provides, alcohol or drug abuse diagnosis, treatment or treatment referral”
providing diagnosis, treatment or treatment referral
treatment is not a “program”
All patient records …relating to drug or alcohol abuse or drug or alcohol dependence prepared
clinic, drug rehabilitation or drug treatment center shall remain confidential and may be disclosed only with the patient's consent 71.1690.108(b)
What Does HIPAA Cover: Protected Health Information
– the past, present, or future physical or mental health of an individual; – the provision of health care to the individual; – or payment for health care
notes, and billing information
health information in electronic form
demographic information,
provider, health plan, employer, or health care clearinghouse;
health care, or payment
reasonably be used to identify the individual.
Pennsylvania Law: “Records Includes…
information, observations and reports
relating to a prospective, present, or past, client or patient…required or authorized…by the act or by the MHMR Act of 1966. (PA Admin Code 5100.31
42 CFR Part 2
whether recorded or not relating to a patient received or acquired by the program
a patient as alcohol or drug abuser, obtained by the program for diagnosis, referral, or treatment Pennsylvania Law
patient’s records that relates to drug
dependency, as defined in 71 P. S. § 1690.102
Psychotherapy Notes: HIPAA (164.501)
documenting or analyzing the contents of a conversation during a private counseling session
disclose
Psychotherapy notes are NOT
counseling session start and stop times, modalities and frequencies of treatment, results of clinical tests, and any summary of diagnosis, functional status, treatment plans, symptoms, prognosis, progress or testing
– http://www.apa.org/monitor/feb03/hipaa.html
mentally ill?
information to the officer?
emergency medical situation when release necessary to prevent serious risk of bodily harm or death…must be pertinent to relief of the emergency (Pa Admin Code 5100.31 (9)
Phila Center for Hum Dev, Pa Supreme Court, 1998)
– Patient makes immediate and specific threat of bodily harm – Specifically identified or readily identifiable victim – Can discharge through warning to potential victim
HIPAA: Permitted Disclosure: Threat to Health or Safety
a serious threat to the health or safety of individual
victim
person
– To protect an identified potential victim – No liability as long as good faith and no gross negligence
DISCLOSURES
7111(a)
emergency exams
providing treatment
for treatment, payment or health care operations
use, but covered entity is not bound (if restrictions agreed upon, they are binding)
Consent Form Mental Health: Pennsylvania
are to be used
– (PA Admin Code 5100.34)
Consent Form: Substance Abuse (PA)
disclosure to be made
– PA Admin Code 709.28
http://sphhs.gwu.edu/departments/healthpol icy/DHP_Publications/pub_uploads/dhpPublic ation_DADD1CBA-5056-9D20- 3DE73E0BFFB8DA1B.pdf
– For treatment, payment, or health care operations – Specified uses where may object – Other specified uses and disclosures where authorization
164.512) – State laws may not be as broad – However, may disclose mental health information to “aftercare treatment provider”
Format for Disclosures Without Authorization (164.512)
– 42 CFR has a similar principle (information required to carry out the purpose of disclosure)
Permitted Disclosure: Public Health Activities
activities such as
– Disease prevention and control – Child abuse or neglect (state law and federal substance use law also permits) (PA Admin Code 5100.38) – To investigate work-related injury (with notice to employee) – 42 CFR permits disclosure of cause of death
Permitted Disclosure: Victims of abuse
believes person is victim of abuse, neglect, or domestic violence
necessary to prevent serious harm to individual or
represents PHI required for “immediate enforcement activity”
bookings?
jail treatment staff without client’s consent?
Permitted Disclosures: Correctional Facilities
provide health care to the inmate, or for the health and safety of other inmates or correctional officials (HIPAA)
HIPAA rules apply
information permitted to “professional treatment staff of State Correctional Institutions and county prisons” when person referred for treatment (Pa Admin Code 5100.32(a)(1)
Permitted Disclosure: Judicial/Administrative Proceedings
– Order from court or administrative tribunal – Subpoena or discovery request without court order if
that information will not be used other than for litigation purposes and PHI will be returned or destroyed at end of litigation
– 42 CFR requires court order – In general state law will require court order
additional court order (5100.35)
between a psychologist or psychiatrist and his client shall be on the same basis as those provided or prescribed between an attorney and client”
Law Enforcement: Fugitives, Suspects, Witnesses, Missing Persons
– Name and address – Date/place of birth – Social security number – ABO blood type – Type of injury – Date and time of treatment – Date and time of death (if applicable) – Distinguishing physical characteristics – DNA, dental bodily fluids not covered
Permitted Disclosure: Public Health Activities
activities such as
– Disease prevention and control – Child abuse or neglect (state law and federal substance use law also permits) (PA Admin Code 5100.38) – To investigate work-related injury (with notice to employee) – 42 CFR permits disclosure of cause of death
Permitted Disclosure: Victims of abuse
believes person is victim of abuse, neglect, or domestic violence
necessary to prevent serious harm to individual or
represents PHI required for “immediate enforcement activity”
Permitted Disclosure: Law Enforcement
subpoena/administrative summons
– Information sought is relevant and material – Request is specific and limited in scope – De-identified information not reasonable – 42 CFR is more restrictive
Permitted Disclosure: Law Enforcement (cont)
– Individual agrees to disclosure or – Individual lacks capacity and
determine whether law has been violated (but not by victim)
Permitted Disclosure: Law Enforcement (cont)
entity believes death may have been suspicious (42 CFR is similar)
(42 CFR requires consent from legal representative or family member)
– Commission and nature of crime; location of crime or victim; identity, location, description of perpetrator
Individual Right of Access
within 30 days of request (30 day extension permitted; 60 days if not on-site)
proceeding
information on promise of confidentiality
May Deny Access with Opportunity for Review
to the individual or others
who may be endangered
disclosure would be reasonably likely to cause harm
care professional
corrections
– On documentation of team leader that disclosure of specific information will constitute a substantial detriment to treatment – When disclosure will reveal the identity of persons or breach trust of 3rd party informants
14 or older, person who consented to treatment controls access to and disclosure of records
– Pa Admin Code 35 P.S. 10101.2 (release of medical records)
Some Basic Rights Under HIPAA: Right to notice of privacy practices
standing/consumers/noticepp.html
contraindicated, the discussion of confidentiality occurs at the outset of the relationship and thereafter as new circumstances may warrant.
Right to Inspect and Copy Record
rstanding/consumers/medicalrecords.html
requested within 30 days of request (30 day extension permitted; 60 days if not on-site)
May Deny Access with No Right to Review
proceeding
information on promise of confidentiality
May Deny Access with Opportunity for Review
to the individual or others
who may be endangered
disclosure would be reasonably likely to cause harm
days
health care professional
HHS
patients, on separate
medical records when
failed to cooperate with the HHS Office for Civil Rights’ investigation.
initial violation was $1.3
Cignet’s committed willful neglect to comply with the Privacy Rule. The fine for these violations was $3 million.
Right To Request Confidential Communication
– We normally send information relating to your care to the address and phone numbers you have provided. However, if you would like to have the information sent elsewhere to protect the confidentiality of the information, you may do so by completing our form to request confidential communication.
– http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthi t/correction.pdf
(http://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_an_accountin g_of_disclosures/index.html)
accounting is a record of:
– The date of the disclosure – The name of the person or entity who received the information – A brief description of the information disclosed – A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure).
http://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_ an_accounting_of_disclosures/370.html
health authority) then must document
since 2003): 1. Impermissible uses and disclosures of protected health information; 2. Lack of safeguards of protected health information; 3. Lack of patient access to their protected health information; 4. Uses or disclosures of more than the minimum necessary protected health information; and 5. Lack of administrative safeguards of electronic protected health information.
“HIPAA Violations: UPMC Employee Criminally Indicted”
Security numbers of patients, in violation of HIPAA laws. This patient data was used to file false tax returns in 2008. Pepala was also charged with violating the Social Security Act by disclosing Social Security numbers.
– http://www.healthleadersmedia.com/content/TEC- 256668/HIPAA-Violations-UPMC-Employee-Criminally- Indicted.html
“HHS investigating HIPAA violation at
investigating-hipaa-violation-at-pa-911- dispatch-center/
system
Business Associate Agreements
a “function or activity involving the use or disclosure
including claims processing or administration, utilization review, quality assurance, billing, benefit management, and repricing… (164.501)
legal advice
agreements
Patient Safety Organization
– Efforts to improve patient safety and quality – Collection and analysis of patient safety work product – Development and dissemination of patient safety information, e.g. protocols, best practices, etc – Use of such information to encourage “a culture of safety and of providing feedback and assistance to effectively minimize patient risk”
The Water Looked So Inviting… The HIPAA Security Rule
Privacy Security Risk
information (PHI)? Or
A Health Care Provider A Health Plan A Health Care Clearinghouse This includes providers such as:
...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard. This includes:
companies
that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
A Covered Entity is one of the following:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/
…creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter The HIPAA Privacy and Security Rules permit a covered entity to disclose PHI to a business associate…provided the covered entity obtains satisfactory assurances in the form of a contract
will appropriately safeguard the information
When You Want the Data
When You Are Asked for the Data
September 23, 2013: A Day You Will Always Remember
The Basic Domains of the Security Rule
Administrative Safeguards (operational standards)
Who is responsible? Policies and procedures Training
Physical Safeguards
Physical facilities Location of computers Disposal of electronic media
Technical Safeguards (controlling access)
Who may access information Under what conditions Audits and tracking of use Protection from malware,
The HIPAA Security Risk Analysis Standard
§164.308(a)(1): Security Management Process §164.308(a)(1)(ii)(A) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
confidentiality, availability and integrity of all e- PHI that you create, receive, maintain or transmit
vulnerabilities
threat occurrence as well as level of risk
http://www.hhs.gov/ocr/privacy/hipaa/administrative/ securityrule/nist80066.pdf
security is
agreements for you