HIPAA, Privacy, Confidentiality, Reasonable Safeguards of - - PowerPoint PPT Presentation



SLIDE 1

HIPAA, Privacy, Confidentiality, Reasonable Safeguards of Information & 42 CFR Part 2

Presented to BHH ASOC Committee on 09/17/15

  • Mary Harnish, MFT, Compliance & Privacy Manager, Mental Health Services, Mary.Harnish@hhs.sccgov.org, (408) 885-5784
  • Patrick Garcia, MSW, MPA, Administration Division Director, Behavioral Health Services Dept., Pat.Garcia@hhs.sccgov.org, (408) 793-1809
  • Dr. Noel M. Panlilio, Compliance Officer, Substance Use Treatment Services, Noel.Panlilio@hhs.sccgov.org, (408) 755-7850

SLIDE 2

Multiple overlapping privacy regulations

  • Regulations change over time, and Federal, State, and Local regulations may overlap. Current laws include:
  • HIPAA
  • California Welfare & Institutions Code (WIC) Sections 5328, 5150-5344
  • 42 C.F.R. Part 2

Whenever there are multiple standards to apply, ALWAYS follow the more restrictive standard.

SLIDE 3

What is HIPAA?

  • The Health Insurance Portability and Accountability Act is a Federal law that:
  • Protects the privacy of patient information
  • Provides for electronic and physical security of protected health information (PHI)
  • Requires "minimum necessary" use and disclosure
  • Specifies patient rights to approve or deny the access and use of their medical information

SLIDE 4

What Qualifies As PHI?

  • PHI can be any verbal, written, recorded, or electronic information that identifies or can be used to identify a patient, such as:
  • Name
  • Address
  • Social Security or Driver's License number
  • Physical characteristics
  • Diagnosis
  • Date of Service
  • Type of Treatment
  • Etc.

Anything that can be used to identify the individual is PHI and must be kept confidential!

SLIDE 5

What is ePHI?

  • ePHI is protected health information that is created, received, stored, or transmitted electronically.
  • Any PHI, when stored electronically, becomes ePHI.
  • ePHI includes information on laptops, memory sticks, smart phones, PDAs, email, and other electronic storage devices.

SLIDE 6

WHY DOES THIS MATTER TO YOU?

SLIDE 7

BECAUSE YOU ALREADY AGREED TO DO IT!

  • As part of being hired, you were provided with the Compliance Plan Policy (#412-101).
  • The end of the policy includes the BHSD Code of Conduct.
  • On the day you were hired you read and signed it, agreeing to abide by HIPAA and other requirements.
  • Policies require sanctions for staff who do not comply.
  • And if that's not enough…
  • You may face fines of up to $25,000 per violation, misdemeanor charges, potential legal action by the patient, formal notification to licensing boards, and disciplinary action from your employer.
  • SEE PRIVACY DO'S and DON'TS HANDOUT

SLIDE 8

How Does HIPAA Work?

HIPAA regulations protect PHI in 4 ways:

  • Security Standards (Administrative, Physical, and Technical safeguards for electronic patient information)
  • Privacy Standards (protection of individual health information, and patients' rights)
  • Transactions Standards (electronic billing and claims management)
  • National Provider Identifier Standards (a unique identifier for health care providers)

SLIDE 9

WHO CAN WE DISCLOSE PHI TO?

SLIDE 10

Minimum Necessary Access

  • A minimum necessary amount of PHI is accessible to persons needing to know, based on:
  • Job function
  • Behavioral practices
  • Access controls
  • You may assume the minimum necessary information is being requested when it is:
  • A request for PHI from another health care provider or health plan
  • A request from a business associate or public official AND the request states that it is the minimum necessary

SLIDE 11

Minimum Necessary does not apply to

  • Disclosures to a provider for treatment of a mutual patient.
  • Uses or disclosures to a patient's personal representative.
  • Disclosures to the Department of Health & Human Services.
  • Uses or disclosures that are required by law.

SLIDE 12

Permitted Use and Disclosure Without Consent

  • Under HIPAA, you may use or disclose PHI without patient authorization or consent:
  • To the individual patient
  • For treatment, payment, or health care operations (TPO)
  • HIPAA allows disclosure of PHI, with conditions, for:
  • Incidental occurrences
  • Public good disclosures

SLIDE 13

Disclosure Without Consent – Incidental Disclosures

  • HIPAA permits incidental disclosures if we first:
  • Disclose only the minimum amount of PHI necessary to accomplish the purpose of the disclosure
  • Take reasonable measures to safeguard PHI
  • Examples of incidental disclosures include:
  • Seeing PHI while conducting IS maintenance
  • Overhearing telephone conversations

SLIDE 14

Disclosure Without Consent – Public Good

  • Disclosures that do not require consent include:
  • Reporting professional misconduct to a licensing agency
  • Disclosures to Federal, Medicare, CDC, or other entities as required
  • Public health activities, such as communicable disease reporting
  • Disclosures required by law (e.g., court order)
  • Reporting victims of abuse, neglect, or domestic violence
  • Health oversight activities
  • Judicial and administrative proceedings
  • To avert a serious threat to health or safety (e.g., Tarasoff)

SLIDE 15

Permitted Use and Disclosure with Consent

  • Patient authorization / consent is required for:
  • Access, use, or disclosures to certain permitted persons or entities for non-TPO activities
  • Disclosures to a third party specified by the patient

SLIDE 16

The HIPAA Privacy Rule – Areas Requiring Protection

  • Several functions occur in any health care facility where reasonable Administrative, Technical, and Physical safeguards must be practiced, including:
  • Workplace conversations
  • Workstation activities
  • Disposal and recycling
  • Emailing
  • Faxing
  • Computer and equipment use
  • Password protections

SLIDE 17

Patients' Rights

  • Under HIPAA, patients have the right to:
  • Access their record within a reasonable period of time, including the right to a copy of the file (P&P 210)
  • Receive a Notice of Privacy Practices (P&P 244)
  • Request a modification of the record, or insert a statement disputing the record if the Program refuses the request (P&P 212)
  • Confidential communication (P&P 244)
  • Request restrictions on disclosures (P&P 244)
  • An accounting of disclosures of client PHI (P&P 245)
  • Complain about violations of privacy/confidentiality (P&P 222)

SLIDE 18

Patients' Rights – Access to Records

  • Procedure:
  • The client fills out a form requesting access
  • Staff take the completed form to the program manager
  • The manager communicates the decision to allow or deny access in a timely manner
  • Copies of the request and program response are forwarded to the Custodian of Records
  • Arrangements are made for the client to have access to her/his record, which may include making a copy of the record

SLIDE 19

Patients' Rights – Notice of Privacy Practices

  • A Notice of Privacy Practices must be provided to all clients upon intake and/or admission, describing:
  • How we will use and disclose client PHI
  • What rights the client has with respect to their PHI
  • Where and how the client may access their PHI
  • Where and how they can file a complaint if they feel their rights have been violated

SLIDE 20

Complaint Process

  • Clients have a right to file a complaint if they feel their PHI is inappropriately used or disclosed.
  • Any client wishing to file a HIPAA/Privacy complaint may be referred to the Mental Health Services Compliance and Privacy Manager, Mary Harnish, at (408) 885-5784.
  • They may also complain to the HHS Office for Civil Rights (OCR) at OCRComplaint@hhs.gov

SLIDE 21

Overview: 42 CFR Part 2

  • What is 42 C.F.R. Part 2?
  • Regulations implementing the Federal drug and alcohol confidentiality law (42 U.S.C. § 290dd-2)

SLIDE 22

Overview: 42 CFR Part 2

  • Generally,
  • Disclosure of information that identifies a patient (directly or indirectly) as having a current or past drug or alcohol problem (or as participating in a drug/alcohol program) is prohibited
  • Unless
  • The patient consents in writing, or
  • Another exception applies

SLIDE 23

Overview: 42 CFR Part 2

  • What is 42 C.F.R. Part 2?
  • Federal law
  • Governs confidentiality of alcohol and drug treatment and prevention information
  • Regulations implement statutes enacted in the 1970s
  • Purpose of the law:
  • Privacy protections encourage people to seek treatment (stigma)

SLIDE 24

Overview: 42 CFR Part 2

  • Generally, the prohibition on disclosure applies even if the person seeking the information:
  • Already has it
  • Has other ways to get it
  • Has some kind of official status
  • Has obtained a subpoena or warrant
  • Is authorized by State law

SLIDE 25

Overview: 42 CFR Part 2

  • Who is covered?
  • Drug/alcohol treatment and prevention "programs" that are federally assisted must follow 42 C.F.R. Part 2

SLIDE 26

Overview: HIPAA and 42 CFR Part 2

HIPAA: Health care provider, health plan, or health care clearinghouse + Transmits health information electronically (covered transactions) = Covered by HIPAA

42 C.F.R. Part 2: Drug/alcohol "program" + Federally assisted = Covered by 42 C.F.R. Part 2

SLIDE 27

Overview: HIPAA and 42 CFR Part 2

  • Who must comply with both?
  • The vast majority of alcohol/drug treatment programs are covered by both
  • What happens if both apply?
  • General rule: Follow the law that gives patients more privacy protections
  • How does State law fit in?
  • Same general rule: Follow the law that gives patients more privacy protections

SLIDE 28

Overview: HIPAA and 42 CFR Part 2

Purpose: Disclosure of information for the purpose of payment
  • HIPAA: No patient consent required
  • 42 CFR Part 2: Patient consent required

Purpose: Medical treatment and/or emergency
  • HIPAA: Permits disclosure without patient consent when providing treatment or its health care operations, or for the treatment activities of another health care provider
  • 42 CFR Part 2: Permits disclosure only to medical personnel who have a need for information for the purpose of treating a condition that poses an immediate threat to the health of any individual and that requires immediate medical intervention. Even then, only the information that is necessary to treat the emergency condition should be disclosed.

Purpose: Law enforcement
  • HIPAA: Permits disclosures without consent if the officer has an arrest or search warrant
  • 42 CFR Part 2: Requires a court order, except if the purpose is related to a patient's commission of a crime on the premises of a program or against program personnel, or to a threat to commit such a crime

SLIDE 29

Overview: 42 CFR Part 2 Exceptions to Rule Prohibiting Disclosures

  • Ten Exceptions:
  1. Written consent
  2. Internal communications
  3. No patient-identifying information
  4. Medical emergency
  5. Court order
  6. Crime on program premises/against program personnel
  7. Research
  8. Audit/Evaluation
  9. Reporting child abuse/neglect
  10. Qualified service organization agreement

SLIDE 30

Business Associate Agreement

  • SCVHHS Departments Business Associate Agreement:
  • Agreement comprised of multiple County Departments:
  • Valley Medical Center and Clinics (VMC)
  • Mental Health Department (MHD)
  • Department of Alcohol and Drug Services (DADS)
  • Public Health Department (PHD)
  • Custody Health Services
  • Valley Health Plan (VHP)

SLIDE 31

Business Associate Agreement

  • SCVHHS Departments Business Associate Agreement: Why?
  • Health care reform is changing the landscape in which health care is delivered, organized, and paid for.
  • A key feature of the emerging environment is integration and coordination of care, including integration of primary and behavioral (addiction and mental) health care.
  • The adoption and use of health information technology is essential to achieving health reform goals.

SLIDE 32

Business Associate Agreement

  • SCVHHS Departments Business Associate Agreement:
  • BAA executed on 02/08/13
  • Protects privacy and provides security of PHI disclosure in compliance with:
  • HIPAA
  • HITECH Act
  • CA Welfare & Institutions Code
  • 42 CFR Part 2
  • Other applicable laws

SLIDE 33

Business Associate Agreement

  • SCVHHS Departments Business Associate Agreement:
  • Permitted uses:
  • Integrated care, coordinating mutual referrals and services for patients of SCVHHS Departments
  • Administrative oversight, billing, and compliance-related activities
  • Analysis and evaluation of services provided
  • Entering data into and maintaining an integrated SCVHHS electronic health record

SLIDE 34

Business Associate Agreement

  • SCVHHS Departments Business Associate Agreement:
  • With the Health Link implementation date of May 4, 2013, SCVHHS staff are trained on:
  • HIPAA
  • Confidentiality – 42 CFR Part 2
  • CA Welfare and Institutions Code
  • Trainings are in the County's E-Learning Modules

SLIDE 35

QUESTIONS