2 ObjectivesWe want you to come out of this session with enough of a general understanding to keep you (mostly) out of trouble regarding confidentiality rules and regulation.We want to show you some generally good ways on how to do thatWe want to have fun doing.Please ask questions if we’re not clear enough.
3 Agenda:What 42 CFR, Part 2 and HIPAA do, who they cover, who it impactsSome ways in which the two differWhich of the two takes precedence and whenWhat you need to know when dealing with the judicial systemCivilCriminalSuggested form language for disclosuresDisclosures without patient consent
4 Rules for LifeMissing somebody? CALL Wanna meet up? INVITE Wanna be understood? EXPLAIN Have questions? ASK Don’t like something? SAY IT Like something? STATE IT Want something? ASK FOR IT Love someone? TELL THEM Keep your life SIMPLE
5 You can achieve compliance, but not certificationAs per the Department of Health and Human Services (DHHS), which manages and is responsible for enforcing Health Insurance Portability and Accountability Act (HIPAA) rules, there is no company entrusted to certify individuals as “HIPAA Certified” or companies…getting “official HIPAA certification”This means youcan become entangled!
6 Substance abusers, or those who have sought treatment for substance abuse, have their confidentiality protected by 42 CFR, Part 2. In some cases these regulations are more stringent than HIPAA.Confidentiality in this field is protected 2 ways:All information identifying a person as a substance abuser is confidential and may not be released without consent from the client or legal guardian (42 CFR, Part 2)All personal health information—including demographic data— that is created by the provider and relates to the person’s medical or mental health, the services provided, and payment provided falls under the protection of HIPAA and may not be released without consent by the client or legal guardian. (45 C.F.R. Parts 160 and 164)
7 42 CFR Covers:Records of the identity, diagnosis, prognosis, or treatment of any patient, which are maintained in connection with the performance of any program or activity relating to drug abuse, alcoholism or alcohol abuse education that is conducted, regulated or assisted by the Federal government must be confidential.
8 42 CFR Impacts any federally assisted program: Those receiving Medicaid fundsThose certified for Medicare reimbursementsThose receiving federal pass-through dollars from the stateA program is defined as: Any individual or entity that declares they/it provides and does provide alcohol/drug abuse diagnosis, treatment, counseling, or referral to treatment
9 42 CFR protects: Current patients Past patients, including deceased Those who are applying for treatmentPatient is defined as an individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program
10 This means the patient is protected from divulging information to: Family membersThe patient’s attorneyPolice (even with a search warrant, or in civil cases without additional legal requirements)EmployerPatient or legal guardian must sign a written release for these entities to acquire personal information
11 Key benchmark for 42 CFR, Part 2 Diagnosis and treatment:The act or process of deciding the nature of a diseased condition by examination of the symptomsA careful analysis of the facts meant to explain somethingA decision based on such an examination or analysisGeneral Rule: Information that identifies an individual as a patient of a program may not be used or disclosed without the patient’s signed authorization, unless an exception for the use or disclosure applies
12 HIPAA :Designed to ensure maintenance of health insurance coverage when you change jobsAdministrative simplification – Healthcare processes becoming very complex – look to standardize information – make it easierProtects privacy of health information held by health plans, health care clearinghouses and most providers, including drug & alcohol programs
13 HIPAA Mandates: Patient access to records Form and content of patient noticeForm and content of agreements with qualified service organizationsMethod for revoking consentProtocols and procedures for researchCircumstances under which past crimes may be reported
14 HIPAA-permitted Disclosures, Government & Other Purposes As required by other lawsPublic health activitiesVictims of abuse, etc.Health oversight activitiesWorkers’ compensationLaw enforcement purposesDecedents - coroners and medical examinersOrgan procurementResearch purposes, under limited circumstancesImminent threat to health or safety (to the individual or the public)Specialized government functionJudicial and administrative proceedings
16 HIPAA vs. 42 CFR, Part 2 HIPAA: health care industry 42 CFR: drug and alcohol programsThe laws cover a lot of the same materialSome points of difference – more specific or more recent rule usually appliesFor treatment providers, in most casesthe rules of 42 CFR Part 2 are more stringent
17 Standards for Uses and Disclosures HIPAA or 42 CFR?Apply whichever standard is more restrictive (usually 42 CFR, Part 2)Standards that provide greater privacy protectionsExceptions:Disclosures to the individual whose health information is at issueDisclosures to federal Department of Health and Human Services for HIPAA compliance determinations
18 Disclosures: HIPAA 42 CFR, Part 2 Rule to Follow Release, transfer, provision of access to, or divulging information in any other manner outside the entity (organization).A communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the record of a person who has been identified as a alcohol or drug abuser.
19 Uses and Disclosure Standards: HIPAA42 CFR, Part 2Rule to FollowEntity may not use or disclose Personal Health Information (PHI) except as permitted or required under the regulations.PHI may be used or disclosed only as permitted by the regulations and may not be used in any civil, criminal, administrative or legislative proceedings. Court orders must be signed by a judge in order to have records released in a court of law.
20 Treatment: HIPAA 42 CFR, Part 2 Rule to Follow Entity may use or disclose PHI to carry out treatment.No disclosures are allowed to outside providers without consent by patient.
21 Payments: HIPAA 42 CFR, Part 2 Rule to Follow PHI may be released to provide or obtain reimbursement for health care servicesNo disclosures are allowed to external sources without consent by patient.
22 Judicial & Administrative Proceedings: HIPAA42 CFR, Part 2Rule to FollowNo authorization required to disclose information in the course of a judicial or administrative proceeding.Information may be disclosed only under a unique court order meeting requirements of 42 CFR Part 2. A subpoena is not sufficient. Both the court order and a subpoena must be issued to compel disclosure.
23 Right To Access: HIPAA 42 CFR, Part 2 Rule to Follow Individuals have the right to inspect and obtain copies of their information for as long as the information is maintained, except for:A. Psychotherapy notesB. Information compiled for civil, criminal or administrative action or proceedingC. Information substance to CLIARegulations do not prohibit patient access to records, including opportunity to inspect and copy any records maintained about the patient. The program is not required to obtain written authorization in order to provide access to patient.
25 The first step is a consent form with language fitting both regulations: ElementsPatient nameMeaningful and specific description of informationSpecific name or general description of Persons authorized to discloseName of individual or organization to receivePurpose of disclosureExpiration date/ event (no longer than reasonably necessary for purposeRequired statements:Right to revokeWhether authorization is a condition of treatment42 CFR Part 2 re-disclosure statementObtain appropriate signature or signatures copy to individual
29 Patient Authorization/Consent Statement to accompany disclosureThis information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR Part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or is otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.
30 Court Orders HIPAA’s More Permissive Provisions won’t work here Subpoena alone is not sufficientCourt Order, including search warrant, alone not sufficientSatisfactory Assurances?Nope
31 Court Orders: Civil Motion for Release of Records filed in court Fictitious name orSealed proceedingNotice to patient and providerOpportunity to respondHearingCriteria for orderOther ways of obtaining information not available or effectivePublic interest and need for disclosure outweigh injury to patient, physician-patient, and treatment
32 Court Orders: Civil Confidential communications Necessary to protect against an existing threat, including child abuseNecessary to prosecute a serious crime, orDoor openedContent of OrderLimit disclosure to essentialLimit recipientsCourt Order alone is not sufficientSubpoena is required, also
33 Court Order: CriminalMotion, Notice, and Hearing like Civil Court OrderCriteriaExtremely serious crimeReasonable likelihood of substantial valueOther ways of obtaining info not effectivePublic interest weighingIndependent representation for record holderSame criteria for confidential communicationsContent of orderLimit disclosure to essentialLimit recipientsOrder alone is not sufficientSubpoena is required
34 Are there disclosures permitted without consent?
35 Permitted Disclosure—No Consent Medical emergencyImmediate threat to health and in need of treatmentCannot disclose to family w/o consent but medical personnel can discloseCrimes on the premises – staff can call police, regardless of whether on or off premises, e.g. counselor on way home is accosted by patient – but only basic facts. Limited to circumstances, but can disclose:Patient namePatient statusAddress or last known location
36 Permitted Disclosure—No Consent Internal communicationsStaff within a program can share information on a need to know basisStaff may share information with a supervising or billing agencyImportant to define scope of program – who exactly is a member of the program?Administration/Qualified Service Organization AgreementWritten agreement between program and an outside agency that provides supportive service (cannot have agreement between 2 agencies where both are subject to 42 CFR)May not enter into QSO with law enforcement without consent
37 Permitted Disclosure—No Consent Outside auditors, central registries and researchers – funders, licensing agencies permitted to audit, provided there is a signed agreement regarding redisclosureMay not redisclose patient identities in any mannerCommunications that do not disclose patient-identifying information, e.g. aggregate data about patientsResearch – No identifying information and must either have a consent (which can be unwieldy) or a waiver from an Institutional Review Board (IRB)
38 Mandatory Disclosure: No Consent State child abuse and neglect reporting lawsReport according to state lawDoes not cover release of recordsOther Disclosures?Vulnerable Adult AbuseGunshot wound or burnBirth of childPublic Health CrisisAttended or unattended death
39 Audit & Evaluation Activities Disclosure is permissible if recipients agree in writing on redisclosure restrictionsPerson who conducts an audit or evaluation on behalf of federal, state, or local agencies providing financial assistance to the program or authorized by law to regulate the program’s activitiesThird party payerPeer review organizationOtherwise qualified to conduct audit/evaluation activities (on premises only)Special rules for Medicaid/Medicare audits (42 C.F.R. 2.53(c))
40 Audit, Evaluation, & Oversight Key Factors for 42 CFR complianceGet statement in writing on redisclosure restriction operationsFeds and state should provide in request for disclosureSome organizations may rise to level of BA (e.g., accreditation organizations)Third party payer disclosures could fall in hereDo you need to identify patient status?
41 Qualified Service Organizations Person that provides services to a program that has entered into a written agreement acknowledging it is bound by 42 CFR Part 2 and will resist judicial disclosure (other than as permitted)Examples (operational services to organization, not program to program for substance abuse treatment)Data processingBill collectingDosage preparationLaboratory AnalysisProfessional services (legal, medical, accounting)Services to prevent, treat child abuse, including training on nutrition and child care or individual and group counseling
42 QSOs and Business Associates Identify QSO statusIdentify Business Associate statuse.g., laboratory analysis would fall under treatmentWritten AgreementBound by 42 CFR Part 2 disclosure and judicial resistance provisionsOther Business Associate provisions
43 42 CFR, Part 2 and Minors:If a minor has legal capacity to consent under State law, no other consent is requiredIf parental consent is required, need both consentsIn states requiring parental consentMinor must consent to disclosure to parent orProvider must decide minor lacks capacity to make rational choiceCriteria for Examining lack of capacityExtreme youthPresence of mental or physical conditionMinor’s situation poses substantial threat to life and well-being of minorCommunicating can reduce that threat