HIPAA and Pennsylvania Law • • HIPAA Pennsylvania Law (50 P.S. § 7111(a) • necessary to carry • Written consent out treatment, • Those providing treatment • payment, or • County administrator for application for emergency exams • health care • To court for commitment proceedings operations • Under federal law, to federal agency providing treatment • ,
HIPAA Consent Forms • Plain language • Inform person that PHI may be used and disclosed for treatment, payment or health care operations • Notice that privacy practices may be changed • Tell individual that has right to request restrictions on use, but covered entity is not bound (if restrictions agreed upon, they are binding) • Consent may be revoked in writing • Individual must sign and date
Consent Form Mental Health: Pennsylvania • Time limit on validity with start and end dates • Agency or person to whom release will occur • Statement of the specific purposes for which released records are to be used • Specific relevant and timely information to be released • Signature and date for client or representative • Signature of staff person obtaining consent • Note that consent is revocable on written request – (PA Admin Code 5100.34)
Consent Form: Substance Abuse (PA) • Name of the person or agency to whom disclosure to be made • Specific information disclosed • Purpose of disclosure • Dated signature of client • Expiration date of consent – PA Admin Code 709.28
HIPAA and 42 CFR • A crosswalk between HIPAA and 42 CFR: http://sphhs.gwu.edu/departments/healthpol icy/DHP_Publications/pub_uploads/dhpPublic ation_DADD1CBA-5056-9D20- 3DE73E0BFFB8DA1B.pdf
HIPAA Disclosures in General • Valid authorization by individual required except – For treatment, payment, or health care operations – Specified uses where may object – Other specified uses and disclosures where authorization or opportunity to agree or object not required (45 CFR 164.512) – State laws may not be as broad – However, may disclose mental health information to “aftercare treatment provider”
Format for Disclosures Without Authorization (164.512) • HIPAA Standard permits a use, then • Defines the permitted disclosure – 42 CFR has a similar principle (information required to carry out the purpose of disclosure)
Permitted Disclosure: Public Health Activities • Disclosure of PHI permitted to enable public health activities such as – Disease prevention and control – Child abuse or neglect (state law and federal substance use law also permits) (PA Admin Code 5100.38) – To investigate work-related injury (with notice to employee) – 42 CFR permits disclosure of cause of death
Permitted Disclosure: Victims of abuse or neglect • PHI may be disclosed if covered entity reasonably believes person is victim of abuse, neglect, or domestic violence • Individual either agrees, or • State law permits, and covered entity believes necessary to prevent serious harm to individual or others, or • Person lacks capacity and law enforcement represents PHI required for “immediate enforcement activity”
Correctional Facilities • Can a jail send a treatment facility a list of bookings? • Can a jail flag mental health clients? • Can a mental health facility communicate with jail treatment staff without client’s consent?
Permitted Disclosures: Correctional Facilities • PHI can be disclosed without consent to provide health care to the inmate, or for the health and safety of other inmates or correctional officials (HIPAA) • If the person is released, e.g. on parole, then HIPAA rules apply • No similar provision in 42 CFR
Pennsylvania Law • Non-consented disclosure of mental health information permitted to “professional treatment staff of State Correctional Institutions and county prisons” when person referred for treatment (Pa Admin Code 5100.32(a)(1)
Courts
Permitted Disclosure: Judicial/Administrative Proceedings • PHI may be disclosed in response to – Order from court or administrative tribunal – Subpoena or discovery request without court order if • Reasonable efforts to provide notice, or • Reasonable efforts to obtain qualified protective order • Qualified protective order: Court order or stipulation by parties that information will not be used other than for litigation purposes and PHI will be returned or destroyed at end of litigation – 42 CFR requires court order – In general state law will require court order
Judicial Proceedings Pennsylvania • No subpoenaed records should be released without additional court order (5100.35) • Note Pennsylvania has very strong privilege law (42 Pa. C.S.A. 5944) • “The confidential relations and communications between a psychologist or psychiatrist and his client shall be on the same basis as those provided or prescribed between an attorney and client”
HIPAA and Special Issues
Law Enforcement: Fugitives, Suspects, Witnesses, Missing Persons • On officer’s request, provider may disclose: – Name and address – Date/place of birth – Social security number – ABO blood type – Type of injury – Date and time of treatment – Date and time of death (if applicable) – Distinguishing physical characteristics – DNA, dental bodily fluids not covered
Permitted Disclosure: Public Health Activities • Disclosure of PHI permitted to enable public health activities such as – Disease prevention and control – Child abuse or neglect (state law and federal substance use law also permits) (PA Admin Code 5100.38) – To investigate work-related injury (with notice to employee) – 42 CFR permits disclosure of cause of death
Permitted Disclosure: Victims of abuse or neglect • PHI may be disclosed if covered entity reasonably believes person is victim of abuse, neglect, or domestic violence • Individual either agrees, or • State law permits, and covered entity believes necessary to prevent serious harm to individual or others, or • Person lacks capacity and law enforcement represents PHI required for “immediate enforcement activity”
Permitted Disclosure: Law Enforcement • In compliance with court order/grand jury subpoena/administrative summons – Information sought is relevant and material – Request is specific and limited in scope – De-identified information not reasonable – 42 CFR is more restrictive
Permitted Disclosure: Law Enforcement (cont) • Information about victims of a crime – Individual agrees to disclosure or – Individual lacks capacity and • Law enforcement represents info necessary to determine whether law has been violated (but not by victim) • Info won’t be used against the victim • Covered entity determines is in victim’s best interest • No comparable provision in 42 CFR
Permitted Disclosure: Law Enforcement (cont) • Decedents, to alert law enforcement that covered entity believes death may have been suspicious (42 CFR is similar) • To coroner or medical examiner or funeral director (42 CFR requires consent from legal representative or family member) • Crime on premises (42 CFR is similar) • Crime in emergencies – Commission and nature of crime; location of crime or victim; identity, location, description of perpetrator
CONSUMER RIGHTS
Individual Access
Individual Right of Access • Key provision, designed for accuracy • Must allow inspection or copy in form requested within 30 days of request (30 day extension permitted; 60 days if not on-site)
May Deny Access • Psychotherapy notes • Information compiled in anticipation of legal proceeding • Inmate request, if harm may occur • Research-related information until end of research • If a 3 rd party (not a health care provider) gave information on promise of confidentiality
May Deny Access with Opportunity for Review • If reasonably likely access would cause harm to the individual or others • Requested information refers to a 3 rd party who may be endangered • Request is by a personal representative and disclosure would be reasonably likely to cause harm
If Request Denied • Must provide denial in writing within 30 days • Basis for denial • Right to review by designated licensed health care professional • Notice on how to file a complaint with HHS
Pennsylvania Law • Person has right of access and to make written corrections • Access may be denied – On documentation of team leader that disclosure of specific information will constitute a substantial detriment to treatment – When disclosure will reveal the identity of persons or breach trust of 3 rd party informants • Pa Admin Code 5100.33 (c)-(d)
Note on Minors • HIPAA defers to state law • In general, under Pennsylvania law, if minor is 14 or older, person who consented to treatment controls access to and disclosure of records – Pa Admin Code 35 P.S. 10101.2 (release of medical records)
Some Basic Rights Under HIPAA: Right to notice of privacy practices • http://www.hhs.gov/ocr/privacy/hipaa/under standing/consumers/noticepp.html • 4.01(b) Unless it is not feasible or is contraindicated, the discussion of confidentiality occurs at the outset of the relationship and thereafter as new circumstances may warrant.
Right to Inspect and Copy Record • http://www.hhs.gov/ocr/privacy/hipaa/unde rstanding/consumers/medicalrecords.html • Key provision, designed for accuracy • Must allow inspection or copy in form requested within 30 days of request (30 day extension permitted; 60 days if not on-site)
May Deny Access with No Right to Review • Psychotherapy notes • Information compiled in anticipation of legal proceeding • Inmate request, if harm may occur • Research-related information until end of research • If a 3 rd party (not a health care provider) gave information on promise of confidentiality
May Deny Access with Opportunity for Review • If reasonably likely access would cause harm to the individual or others • Requested information refers to a 3 rd party who may be endangered • Request is by a personal representative and disclosure would be reasonably likely to cause harm
If Request Denied • Must provide denial in writing within 30 days • Basis for denial • Right to review by designated licensed health care professional • Notice on how to file a complaint with HHS
Can Denial Become a Problem? • Incident: Cignet denied 41 patients, on separate occasions, access to their medical records when requested. The company also failed to cooperate with the HHS Office for Civil Rights’ investigation. • Penalties: The fine for the initial violation was $1.3 million. OCR concluded that Cignet’s committed willful neglect to comply with the Privacy Rule. The fine for these violations was $3 million.
Right To Request Confidential Communication • Client can ask that you communicate with her only in particular ways • As one example (from Yale University): – We normally send information relating to your care to the address and phone numbers you have provided. However, if you would like to have the information sent elsewhere to protect the confidentiality of the information, you may do so by completing our form to request confidential communication.
Other HIPAA Rights • Request an amendment of the record – http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthi t/correction.pdf • Request an accounting of disclosures (http://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_an_accountin g_of_disclosures/index.html) • For a disclosure of medical information about an individual, an accounting is a record of: – The date of the disclosure – The name of the person or entity who received the information – A brief description of the information disclosed – A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure).
Need Not Account For • Oral communications for payment, treatment or health operations http://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_ an_accounting_of_disclosures/370.html • But if for other purposes (for example, to public health authority) then must document
PENALTIES
Penalties
HIPAA Enforcement • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/ • Most common enforcement actions (89,000 complaints since 2003): 1. Impermissible uses and disclosures of protected health information; 2. Lack of safeguards of protected health information; 3. Lack of patient access to their protected health information; 4. Uses or disclosures of more than the minimum necessary protected health information; and 5. Lack of administrative safeguards of electronic protected health information.
“HIPAA Violations: UPMC Employee Criminally Indicted” • The indictment alleges that Pepala disclosed to other people the names, birth dates and Social Security numbers of patients, in violation of HIPAA laws. This patient data was used to file false tax returns in 2008. Pepala was also charged with violating the Social Security Act by disclosing Social Security numbers. – http://www.healthleadersmedia.com/content/TEC- 256668/HIPAA-Violations-UPMC-Employee-Criminally- Indicted.html
“HHS investigating HIPAA violation at Pa. 911 dispatch center” • http://healthitsecurity.com/2013/03/27/hhs- investigating-hipaa-violation-at-pa-911- dispatch-center/
Can You Make All of This Work?
Multi-System Tools • System mapping • Uniform consent form • Business Associate Agreements • Patient Safety Organizations • Standard Judicial Orders
System Mapping
Uniform Consent Form • Essential tool • Individual consents to use within a treatment system • All providers are on the form • Other requirements may be met as well
Business Associate Agreements • Can be used for disclosure in which a party provides a “function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, utilization review, quality assurance, billing, benefit management, and repricing… (164.501) • Other functions as well, for example, provision of legal advice • 42 CFR permits qualified service organization agreements
Patient Safety Organization • Permits DHHS Secretary to certify these organizations • Designed to permit privileged exchange of information within the PSO • Relevant information includes – Efforts to improve patient safety and quality – Collection and analysis of patient safety work product – Development and dissemination of patient safety information, e.g. protocols, best practices, etc – Use of such information to encourage “a culture of safety and of providing feedback and assistance to effectively minimize patient risk” • Public Law 109-41, Section 921-925.
Standing Judicial Order • Courts are not covered entities • Courts may seek PHI • Best solution is a standard order
The Water Looked So Inviting… The HIPAA Security Rule
Privacy Security Risk
Some Basic Questions: Are You • Storing the data? or • Accessing it as needed? • Being asked for the data? or • Requesting the data? • Identifiable data? or • Non-identifiable data? • Protected health • Non-PHI? information (PHI)? Or • Covered entity? Or • Business Associate?
A Covered Entity is one of the following: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/ A Health Care A Health Care A Health Plan Provider Clearinghouse This includes providers This includes: This includes entities • Health insurance such as: that process • Doctors companies nonstandard health • Clinics • HMOs information they • Psychologists • Company health plans receive from another • Dentists • Government programs entity into a standard • Chiropractors that pay for health (i.e., standard • Nursing Homes care, such as Medicare, electronic format or • Pharmacies Medicaid, and the data content), or vice ...but only if they military and veterans versa. transmit any health care programs information in an electronic form in connection with a transaction for which HHS has adopted a standard.
Recommend
More recommend
