![Page 1: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/1.jpg)
Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal Issues
Harrisburg, Pennsylvania
December 3, 2013
John Petrila, J.D., LL.M.
Professor
College of Public Health
University of South Florida
![Page 2: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/2.jpg)
![Page 3: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/3.jpg)
Welcome to Florida…And Do Hurry Back!
![Page 4: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/4.jpg)
There is a Knock on the Door
• And a police officer is standing there, asking if Don Smith is or has been a patient at your treatment center. The officer says Smith is a suspect in a bank robbery.
• Does HIPAA permit you to answer?
![Page 5: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/5.jpg)
NSA Chief Defends Spying On Americans, Claims 50 Foiled Terrorist Plots
Unmanned drones flying in US spying on Americans, says FBI
![Page 6: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/6.jpg)
What Do These Celebrities Have in Common?
• Drew Barrymore
• Arnold Schwarzenegger
• Tom Hanks
• Leonardo DiCaprio
![Page 7: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/7.jpg)
Californian Sentenced To Prison For HIPAA Violation
• Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27, 2010 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California
![Page 8: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/8.jpg)
Dr. Phil Breaches APA's Code of Conduct with Spears Family
![Page 9: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/9.jpg)
UCLA hospitals to pay $865,500 for breaches of celebrities' privacy
![Page 10: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/10.jpg)
The Latest in Privacy Fashion
![Page 11: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/11.jpg)
Today’s Workshop
• Values underlying confidentiality
• Core legal principles and statutes
• Consumer rights
• Penalties
• Electronic security
![Page 12: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/12.jpg)
First, A Definition
• Confidentiality: The MHP’s ethical and legal obligation to the client with regard to privacy of communications
• Privilege: The law’s recognition of confidentiality in legal proceedings in which the protected material otherwise would be subject to disclosure
![Page 13: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/13.jpg)
Values
![Page 14: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/14.jpg)
![Page 15: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/15.jpg)
Redmond v. Jaffee (1996)
TRUST
Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace.
For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment.
![Page 16: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/16.jpg)
Pennsylvania Law Agrees
• “Confidentiality between providers of services and their clients is necessary to develop the trust and confidence important for therapeutic intervention” (PA Admin Code 5100.31(b)
![Page 17: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/17.jpg)
APA Ethical Principles 4.01 Maintaining Confidentiality
Psychologists have a primary obligation and take reasonable precautions to protect confidential information obtained through or stored in any medium, recognizing that the extent and limits of confidentiality may be regulated by law or established by institutional rules or professional or scientific relationship.
![Page 18: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/18.jpg)
Why Share Information?
• Continuity in clinical care
– Within systems
– Across systems
• Policy analysis
• Real-time decisionmaking
![Page 19: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/19.jpg)
Some Difficulties
• Overly restrictive legal advice
• Liability fears
• Dated statutes
• Conflicting laws
• Old technology
![Page 20: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/20.jpg)
Law
LAW
![Page 21: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/21.jpg)
![Page 22: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/22.jpg)
Some Basic Points To Remember
• HIPAA sets a minimum standard for privacy of protected health information
• 42 CFR Part 2 sets the highest possible standard for privacy of alcohol/substance use information
• State confidentiality laws are almost always stricter than HIPAA but rarely stricter than 42 CFR Part 2, except of course in Pennsylvania
• The privacy regulations get too much focus
• The security regulations do not get enough focus
![Page 23: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/23.jpg)
The (Mis)Application of HIPAA
• Birthday parties in nursing homes in New York and Arizona have been canceled for fear that revealing a resident’s date of birth could be a violation.
• Patients were assigned code names in doctor’s waiting rooms — say,
“Zebra” for a child in Newton, Mass., or “Elvis” for an adult in Kansas City, Mo. — so they could be summoned without identification.
• Nurses in an emergency room refused to telephone parents of ailing
students themselves, insisting a friend do it, for fear of passing out confidential information, the hospital’s patient advocate said.
• State health departments throughout the country have been slowed in
their efforts to create immunization registries for children because information from doctors no longer flows freely.
– Jane Gross, Keeping patient details private, even from kin. New York
Times, July 3, 2007
![Page 24: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/24.jpg)
Which Elvis Please?
![Page 25: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/25.jpg)
VIPAA?
![Page 26: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/26.jpg)
Who Is Covered?
AKA Is the Law Just Trying to Make Me Hate It?
![Page 27: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/27.jpg)
Who Does HIPAA Cover?
• Myth: HIPAA applies to everybody
• Fact: HIPAA applies only to –Health plans (group health plan, Medicare,
Indian Health Service plan…)
–Health care clearinghouses
–Health care providers who transmit health information in electronic form
![Page 28: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/28.jpg)
HIPAA Does Not Apply If
You only use paper, phone, or fax for
Submitting claims Checking claims status inquiry/response Checking eligibility/receiving response Enrolling/disenrolling in health plan Receiving heath care payments/remittance Providing coordination of benefits No one does this electronically for you
![Page 29: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/29.jpg)
Who Does 42 CFR Part 2 Cover?
• “PROGRAM”
• An individual or entity that “holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or treatment referral”
• Unit within a general medical facility that holds itself out as providing diagnosis, treatment or treatment referral
• The incidental provision of alcohol or substance abuse treatment is not a “program”
![Page 30: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/30.jpg)
Pennsylvania Law
All patient records …relating to drug or alcohol abuse or drug or alcohol dependence prepared or obtained by a private practitioner, hospital, clinic, drug rehabilitation or drug treatment center shall remain confidential and may be disclosed only with the patient's consent
71.1690.108(b)
![Page 31: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/31.jpg)
What Is Covered?
![Page 32: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/32.jpg)
What Does HIPAA Cover: Protected Health Information
• Any oral or recorded information relating to – the past, present, or future physical or mental health of an
individual; – the provision of health care to the individual; – or payment for health care
• Includes the traditional medical record, personal
notes, and billing information
• The security regulation applies only to protected health information in electronic form
![Page 33: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/33.jpg)
Individually identifiable
• a subset of “health information,” including demographic information,
• (1) that is created or received by a health care provider, health plan, employer, or health care clearinghouse;
• (2) that relates to the person’s health condition, health care, or payment
• (3) that identifies the individual, or might reasonably be used to identify the individual.
![Page 34: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/34.jpg)
Pennsylvania Law: “Records Includes…
• all written clinical information, observations and reports
• or fiscal documents, relating to a prospective, present, or past, client or patient…required or authorized…by the act or by the MHMR Act of 1966. (PA Admin Code 5100.31
![Page 35: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/35.jpg)
Substance/Alcohol Abuse
42 CFR Part 2
• Records: Any information whether recorded or not relating to a patient received or acquired by the program
• Any information identifying a patient as alcohol or drug abuser, obtained by the program for diagnosis, referral, or treatment
Pennsylvania Law
• Information in a patient’s records that relates to drug or alcohol abuse or dependency, as defined in 71 P. S. § 1690.102
![Page 36: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/36.jpg)
Psychotherapy Notes: HIPAA (164.501)
• Notes in any medium recorded by a MHP documenting or analyzing the contents of a conversation during a private counseling session
• Requires specific patient authorization to disclose
• Payment cannot be denied for non-disclosure
![Page 37: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/37.jpg)
Psychotherapy notes are NOT
• Medication, prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment, results of clinical tests, and any summary of diagnosis, functional status, treatment plans, symptoms, prognosis, progress or testing
– http://www.apa.org/monitor/feb03/hipaa.html
![Page 38: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/38.jpg)
![Page 39: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/39.jpg)
Intercept 1
• Can a dispatcher mention the person may be mentally ill?
• Can a police officer mention this?
• Can a mental health center provide any information to the officer?
![Page 40: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/40.jpg)
Pennsylvania Law
• Non-consented disclosure permitted in response to emergency medical situation when release necessary to prevent serious risk of bodily harm or death…must be pertinent to relief of the emergency (Pa Admin Code 5100.31 (9)
• Duty to disclose in Tarasoff situations (Emerich v Center for Phila Center for Hum Dev, Pa Supreme Court, 1998) – Patient makes immediate and specific threat of bodily harm
– Specifically identified or readily identifiable victim
– Can discharge through warning to potential victim
![Page 41: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/41.jpg)
HIPAA: Permitted Disclosure: Threat to Health or Safety
• If use or disclosure is necessary to prevent or lessen a serious threat to the health or safety of individual or public
• To a person able to prevent the threat, including the victim
• Is necessary for law enforcement to apprehend the person
• Most state laws makes disclosure discretionary – To protect an identified potential victim – No liability as long as good faith and no gross negligence
![Page 42: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/42.jpg)
DISCLOSURES
![Page 43: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/43.jpg)
![Page 44: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/44.jpg)
HIPAA and Pennsylvania Law
• HIPAA
• necessary to carry out treatment,
• payment, or
• health care operations
• Pennsylvania Law (50 P.S. § 7111(a)
• Written consent
• Those providing treatment
• County administrator for application for emergency exams
• To court for commitment proceedings
• Under federal law, to federal agency providing treatment
• ,
![Page 45: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/45.jpg)
HIPAA Consent Forms
• Plain language
• Inform person that PHI may be used and disclosed for treatment, payment or health care operations
• Notice that privacy practices may be changed
• Tell individual that has right to request restrictions on use, but covered entity is not bound (if restrictions agreed upon, they are binding)
• Consent may be revoked in writing
• Individual must sign and date
![Page 46: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/46.jpg)
Consent Form Mental Health: Pennsylvania
• Time limit on validity with start and end dates
• Agency or person to whom release will occur
• Statement of the specific purposes for which released records are to be used
• Specific relevant and timely information to be released
• Signature and date for client or representative
• Signature of staff person obtaining consent
• Note that consent is revocable on written request – (PA Admin Code 5100.34)
![Page 47: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/47.jpg)
Consent Form: Substance Abuse (PA)
• Name of the person or agency to whom disclosure to be made
• Specific information disclosed
• Purpose of disclosure
• Dated signature of client
• Expiration date of consent
– PA Admin Code 709.28
![Page 48: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/48.jpg)
HIPAA and 42 CFR
• A crosswalk between HIPAA and 42 CFR: http://sphhs.gwu.edu/departments/healthpolicy/DHP_Publications/pub_uploads/dhpPublication_DADD1CBA-5056-9D20-3DE73E0BFFB8DA1B.pdf
![Page 49: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/49.jpg)
HIPAA Disclosures in General
• Valid authorization by individual required except – For treatment, payment, or health care operations
– Specified uses where may object
– Other specified uses and disclosures where authorization or opportunity to agree or object not required (45 CFR 164.512)
– State laws may not be as broad
– However, may disclose mental health information to “aftercare treatment provider”
![Page 50: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/50.jpg)
Format for Disclosures Without Authorization (164.512)
• HIPAA Standard permits a use, then
• Defines the permitted disclosure
– 42 CFR has a similar principle (information required to carry out the purpose of disclosure)
![Page 51: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/51.jpg)
Permitted Disclosure: Public Health Activities
• Disclosure of PHI permitted to enable public health activities such as
– Disease prevention and control
– Child abuse or neglect (state law and federal substance use law also permits) (PA Admin Code 5100.38)
– To investigate work-related injury (with notice to employee)
– 42 CFR permits disclosure of cause of death
![Page 52: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/52.jpg)
Permitted Disclosure: Victims of abuse or neglect
• PHI may be disclosed if covered entity reasonably believes person is victim of abuse, neglect, or domestic violence
• Individual either agrees, or
• State law permits, and covered entity believes necessary to prevent serious harm to individual or others, or
• Person lacks capacity and law enforcement represents PHI required for “immediate enforcement activity”
![Page 53: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/53.jpg)
![Page 54: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/54.jpg)
Correctional Facilities
• Can a jail send a treatment facility a list of bookings?
• Can a jail flag mental health clients?
• Can a mental health facility communicate with jail treatment staff without client’s consent?
![Page 55: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/55.jpg)
Permitted Disclosures: Correctional Facilities
• PHI can be disclosed without consent to provide health care to the inmate, or for the health and safety of other inmates or correctional officials (HIPAA)
• If the person is released, e.g. on parole, then HIPAA rules apply
• No similar provision in 42 CFR
![Page 56: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/56.jpg)
Pennsylvania Law
• Non-consented disclosure of mental health information permitted to “professional treatment staff of State Correctional Institutions and county prisons” when person referred for treatment (Pa Admin Code 5100.32(a)(1)
![Page 57: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/57.jpg)
Courts
![Page 58: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/58.jpg)
Permitted Disclosure: Judicial/Administrative Proceedings
• PHI may be disclosed in response to
– Order from court or administrative tribunal – Subpoena or discovery request without court order if
• Reasonable efforts to provide notice, or • Reasonable efforts to obtain qualified protective order • Qualified protective order: Court order or stipulation by parties
that information will not be used other than for litigation purposes and PHI will be returned or destroyed at end of litigation
– 42 CFR requires court order
– In general state law will require court order
![Page 59: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/59.jpg)
Judicial Proceedings Pennsylvania
• No subpoenaed records should be released without additional court order (5100.35)
• Note Pennsylvania has very strong privilege law (42 Pa. C.S.A. 5944)
• “The confidential relations and communications between a psychologist or psychiatrist and his client shall be on the same basis as those provided or prescribed between an attorney and client”
![Page 60: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/60.jpg)
HIPAA and Special Issues
![Page 61: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/61.jpg)
Law Enforcement: Fugitives, Suspects, Witnesses, Missing Persons
• On officer’s request, provider may disclose: – Name and address
– Date/place of birth
– Social security number
– ABO blood type
– Type of injury
– Date and time of treatment
– Date and time of death (if applicable)
– Distinguishing physical characteristics
– DNA, dental bodily fluids not covered
![Page 62: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/62.jpg)
Permitted Disclosure: Public Health Activities
• Disclosure of PHI permitted to enable public health activities such as
– Disease prevention and control
– Child abuse or neglect (state law and federal substance use law also permits) (PA Admin Code 5100.38)
– To investigate work-related injury (with notice to employee)
– 42 CFR permits disclosure of cause of death
![Page 63: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/63.jpg)
Permitted Disclosure: Victims of abuse or neglect
• PHI may be disclosed if covered entity reasonably believes person is victim of abuse, neglect, or domestic violence
• Individual either agrees, or
• State law permits, and covered entity believes necessary to prevent serious harm to individual or others, or
• Person lacks capacity and law enforcement represents PHI required for “immediate enforcement activity”
![Page 64: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/64.jpg)
Permitted Disclosure: Law Enforcement
• In compliance with court order/grand jury subpoena/administrative summons
– Information sought is relevant and material
– Request is specific and limited in scope
– De-identified information not reasonable
– 42 CFR is more restrictive
![Page 65: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/65.jpg)
Permitted Disclosure: Law Enforcement (cont)
• Information about victims of a crime – Individual agrees to disclosure or
– Individual lacks capacity and • Law enforcement represents info necessary to
determine whether law has been violated (but not by victim)
• Info won’t be used against the victim
• Covered entity determines is in victim’s best interest
• No comparable provision in 42 CFR
![Page 66: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/66.jpg)
Permitted Disclosure: Law Enforcement (cont)
• Decedents, to alert law enforcement that covered entity believes death may have been suspicious (42 CFR is similar)
• To coroner or medical examiner or funeral director (42 CFR requires consent from legal representative or family member)
• Crime on premises (42 CFR is similar) • Crime in emergencies
– Commission and nature of crime; location of crime or victim; identity, location, description of perpetrator
![Page 67: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/67.jpg)
CONSUMER RIGHTS
![Page 68: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/68.jpg)
Individual Access
![Page 69: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/69.jpg)
Individual Right of Access
• Key provision, designed for accuracy
• Must allow inspection or copy in form requested within 30 days of request (30 day extension permitted; 60 days if not on-site)
![Page 70: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/70.jpg)
May Deny Access
• Psychotherapy notes
• Information compiled in anticipation of legal proceeding
• Inmate request, if harm may occur
• Research-related information until end of research
• If a 3rd party (not a health care provider) gave information on promise of confidentiality
![Page 71: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/71.jpg)
May Deny Access with Opportunity for Review
• If reasonably likely access would cause harm to the individual or others
• Requested information refers to a 3rd party who may be endangered
• Request is by a personal representative and disclosure would be reasonably likely to cause harm
![Page 72: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/72.jpg)
If Request Denied
• Must provide denial in writing within 30 days
• Basis for denial
• Right to review by designated licensed health care professional
• Notice on how to file a complaint with HHS
![Page 73: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/73.jpg)
Pennsylvania Law
• Person has right of access and to make written corrections
• Access may be denied
– On documentation of team leader that disclosure of specific information will constitute a substantial detriment to treatment
– When disclosure will reveal the identity of persons or breach trust of 3rd party informants • Pa Admin Code 5100.33 (c)-(d)
![Page 74: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/74.jpg)
Note on Minors
• HIPAA defers to state law
• In general, under Pennsylvania law, if minor is 14 or older, person who consented to treatment controls access to and disclosure of records
– Pa Admin Code 35 P.S. 10101.2 (release of medical records)
![Page 75: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/75.jpg)
Some Basic Rights Under HIPAA: Right
to notice of privacy practices
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html
• 4.01(b) Unless it is not feasible or is contraindicated, the discussion of confidentiality occurs at the outset of the relationship and thereafter as new circumstances may warrant.
![Page 76: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/76.jpg)
Right to Inspect and Copy Record
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/medicalrecords.html
• Key provision, designed for accuracy
• Must allow inspection or copy in form requested within 30 days of request (30 day extension permitted; 60 days if not on-site)
![Page 77: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/77.jpg)
May Deny Access with No Right to Review
• Psychotherapy notes
• Information compiled in anticipation of legal proceeding
• Inmate request, if harm may occur
• Research-related information until end of research
• If a 3rd party (not a health care provider) gave information on promise of confidentiality
![Page 78: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/78.jpg)
May Deny Access with Opportunity for Review
• If reasonably likely access would cause harm to the individual or others
• Requested information refers to a 3rd party who may be endangered
• Request is by a personal representative and disclosure would be reasonably likely to cause harm
![Page 79: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/79.jpg)
If Request Denied
• Must provide denial in writing within 30 days
• Basis for denial
• Right to review by designated licensed health care professional
• Notice on how to file a complaint with HHS
![Page 80: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/80.jpg)
Can Denial Become a Problem?
• Incident: Cignet denied 41 patients, on separate occasions, access to their medical records when requested. The company also failed to cooperate with the HHS Office for Civil Rights’ investigation.
• Penalties: The fine for the initial violation was $1.3 million. OCR concluded that Cignet’s committed willful neglect to comply with the Privacy Rule. The fine for these violations was $3 million.
![Page 81: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/81.jpg)
Right To Request Confidential Communication
• Client can ask that you communicate with her only in particular ways
• As one example (from Yale University): – We normally send information relating to your care to
the address and phone numbers you have provided. However, if you would like to have the information sent elsewhere to protect the confidentiality of the information, you may do so by completing our form to request confidential communication.
![Page 82: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/82.jpg)
Other HIPAA Rights
• Request an amendment of the record – http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthi
t/correction.pdf
• Request an accounting of disclosures
(http://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_an_accounting_of_disclosures/index.html)
• For a disclosure of medical information about an individual, an accounting is a record of: – The date of the disclosure – The name of the person or entity who received the information – A brief description of the information disclosed – A brief statement of the purpose of the disclosure (or, as an
alternative, a copy of the request for a disclosure).
![Page 83: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/83.jpg)
Need Not Account For
• Oral communications for payment, treatment or health operations http://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_an_accounting_of_disclosures/370.html
• But if for other purposes (for example, to public health authority) then must document
![Page 84: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/84.jpg)
PENALTIES
![Page 85: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/85.jpg)
Penalties
![Page 86: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/86.jpg)
![Page 87: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/87.jpg)
HIPAA Enforcement
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/ • Most common enforcement actions (89,000 complaints
since 2003): 1. Impermissible uses and disclosures of protected health
information; 2. Lack of safeguards of protected health information; 3. Lack of patient access to their protected health
information; 4. Uses or disclosures of more than the minimum necessary
protected health information; and 5. Lack of administrative safeguards of electronic protected
health information.
![Page 88: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/88.jpg)
“HIPAA Violations: UPMC Employee Criminally Indicted”
• The indictment alleges that Pepala disclosed to other people the names, birth dates and Social Security numbers of patients, in violation of HIPAA laws. This patient data was used to file false tax returns in 2008. Pepala was also charged with violating the Social Security Act by disclosing Social Security numbers. – http://www.healthleadersmedia.com/content/TEC-
256668/HIPAA-Violations-UPMC-Employee-Criminally-Indicted.html
![Page 89: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/89.jpg)
“HHS investigating HIPAA violation at
Pa. 911 dispatch center” • http://healthitsecurity.com/2013/03/27/hhs-
investigating-hipaa-violation-at-pa-911-dispatch-center/
![Page 90: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/90.jpg)
Can You Make All of This Work?
![Page 91: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/91.jpg)
Multi-System Tools
• System mapping
• Uniform consent form
• Business Associate Agreements
• Patient Safety Organizations
• Standard Judicial Orders
![Page 92: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/92.jpg)
System Mapping
![Page 93: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/93.jpg)
Uniform Consent Form • Essential tool
• Individual consents to use within a treatment system
• All providers are on the form
• Other requirements may be met as well
![Page 94: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/94.jpg)
Business Associate Agreements
• Can be used for disclosure in which a party provides a “function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, utilization review, quality assurance, billing, benefit management, and repricing… (164.501)
• Other functions as well, for example, provision of legal advice
• 42 CFR permits qualified service organization agreements
![Page 95: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/95.jpg)
Patient Safety Organization
• Permits DHHS Secretary to certify these organizations
• Designed to permit privileged exchange of information within the PSO
• Relevant information includes
– Efforts to improve patient safety and quality
– Collection and analysis of patient safety work product
– Development and dissemination of patient safety information, e.g. protocols, best practices, etc
– Use of such information to encourage “a culture of safety and of providing feedback and assistance to effectively minimize patient risk” • Public Law 109-41, Section 921-925.
![Page 96: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/96.jpg)
Standing Judicial Order
• Courts are not covered entities
• Courts may seek PHI
• Best solution is a standard order
![Page 97: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/97.jpg)
The Water Looked So Inviting… The HIPAA Security Rule
![Page 98: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/98.jpg)
Privacy
Security
Risk
![Page 99: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/99.jpg)
Some Basic Questions: Are You
• Storing the data? or
• Being asked for the data? or
• Identifiable data? or
• Protected health information (PHI)? Or
• Covered entity? Or
• Accessing it as needed?
• Requesting the data?
• Non-identifiable data?
• Non-PHI?
• Business Associate?
![Page 100: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/100.jpg)
A Health Care Provider
A Health Plan A Health Care Clearinghouse
This includes providers such as: •Doctors •Clinics •Psychologists •Dentists •Chiropractors •Nursing Homes •Pharmacies ...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
This includes: •Health insurance companies •HMOs •Company health plans •Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
A Covered Entity is one of the following:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/
![Page 101: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/101.jpg)
Business Associate
…creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter
The HIPAA Privacy and Security Rules permit a covered entity to disclose PHI to a business associate…provided the covered entity obtains satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information
![Page 102: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/102.jpg)
What is Minimal Necessity?
When You Want the Data
When You Are Asked for the Data
![Page 103: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/103.jpg)
![Page 104: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/104.jpg)
![Page 105: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/105.jpg)
September 23, 2013: A Day You Will Always Remember
• http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
![Page 106: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/106.jpg)
The Basic Domains of the Security Rule
Administrative Safeguards (operational standards) Who is responsible? Policies and procedures Training
Physical Safeguards Physical facilities Location of computers Disposal of electronic media
Technical Safeguards (controlling access) Who may access information Under what conditions Audits and tracking of use Protection from malware,
![Page 107: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/107.jpg)
![Page 108: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/108.jpg)
![Page 109: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/109.jpg)
The HIPAA Security Risk Analysis Standard
§164.308(a)(1): Security Management Process §164.308(a)(1)(ii)(A) –
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
![Page 110: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/110.jpg)
Risk Analysis
• Scope: Potential risks and vulnerabilities to confidentiality, availability and integrity of all e-PHI that you create, receive, maintain or transmit
• Identify and document potential threats and vulnerabilities
• Assess current security measures
• Determine likelihood and potential impact of threat occurrence as well as level of risk
• Document all of this
![Page 111: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/111.jpg)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf
![Page 112: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/112.jpg)
![Page 113: Clinical Practice and Information Sharing: HIPAA, State ... Harrisburg Presentation.pdf · Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal](https://reader031.vdocuments.mx/reader031/viewer/2022031516/5d00655a88c993d67e8ba22e/html5/thumbnails/113.jpg)
Implications for Governance
• You will only be taken as seriously as your security is
• Someone has to be responsible for security
• There are many checklists online
• You will have to have someone who can create agreements for you