Presentation on theme: "Honberg on HIPAA The Myths of HIPAA Understanding the Rules and Guidelines Presentation by Ron Honberg National Director, Policy and Legal Affairs, NAMI."— Presentation transcript:
Honberg on HIPAA The Myths of HIPAA Understanding the Rules and Guidelines Presentation by Ron Honberg National Director, Policy and Legal Affairs, NAMI Family to Family Institute, NAMI Convention June 18, 2005
Honberg on HIPAA Can Privacy and Quality Health Care be Reconciled? “Civilization is the progress towards a society of privacy.” Ayn Rand, The Fountainhead (1943)
Honberg on HIPAA Major NAMI Concerns About Medical Privacy Protecting sensitive information about mental health treatment Affording consumers control over own medical information Providing families/caregivers with access to essential information. Increasing efficiencies in communicating vital medical information
Honberg on HIPAA History 1996 - Health Insurance Portability and Accountability Act (HIPAA) enacted “Administrative Simplification” Provisions –Congress directed to enact legislation establishing standards for the electronic exchange, privacy and security of health information. –If Congress unable to do so within 3 years, responsibility shifted to Secretary of HHS
Honberg on HIPAA History, continued Three year deadline for Congressional action expires Nov. 3, 1999 - HHS Secretary Shalala issues proposed rule 52,000 comments submitted from various stakeholders (including NAMI) 12/28/2000 - Final rule published 2/2001 - Moratorium placed on final rule 8/14/2002 - Modified final rule published
Honberg on HIPAA Who is Covered by HIPAA? Public and private health plans (private insurance, Medicaid and Medicare, VA, etc.) Health providers who transmit records electronically –Paper records not applicable, unless provider transmits some records electronically. Health care clearinghouses, e.g. billing services, community health management information systems, etc.
Honberg on HIPAA What Information is Protected? Information that concerns an individual’s past, present or future physical or mental health, health care treatment, or payment for the provision of healthcare. Information that identifies the individual or can reasonably be used to identify the individual (e.g. date of birth, SSN). If common identifiers removed (“de- identified”), covered entity has no way of recovering that information, HIPAA does not apply.
Honberg on HIPAA Scenario I Dr. Freud, a psychiatrist from Tulsa, contacts Dr. Kildare, a family doctor in Oklahoma City. Dr. F. has begun treating Sally, a woman with schizophrenia, who is a long time patient of Dr. K. Dr. F. requests information from Dr. K. about her medical history, current medications, and her capacity for adhering to a medication regimen. However, he does not include a signed consent form with this request. Should Dr. K. provide Dr. F. with the requested information?
Honberg on HIPAA Signed Consent is Optional PHI may be disclosed without signed authorization for: –Treatment –Payment –Health care operations (e.g. administration, credentialing, quality assurance, medical audits, etc.). However, providers have the option of obtaining consent.
Honberg on HIPAA Notice of Privacy Practices Required Provided one time, generally at beginning of health care relationship. Must include: –Description of potential disclosures –Posted in “clear and prominent” places –Electronically available on website Differs from authorization (consent), which is required each time PHI is released. Reasonable effort to obtain patient’s signature required. –However, cannot condition provision of treatment on signature.
Honberg on HIPAA Psychotherapy Notes Exception Disclosure of psychotherapy notes requires specific consent. Psychotherapy notes are notes separated from the rest of the medical record pertaining to the details of therapy/counseling sessions. Psychotherapy notes do not include information about medications, clinical test results, and summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.
Honberg on HIPAA Some Disclosures Require Signed Authorizations Psychotherapy notes Disclosures to an employer of the results of a pre- employment medical exam. Disclosures to a life insurer or another insurer (with the exception of a submission for payment for a specific medical service). Marketing products or services –Exceptions: communications by health plans or providers with individuals already receiving services (health information, alternative therapies, etc.)
Honberg on HIPAA Relationship of HIPAA to State Laws In general, if laws are incompatible, HIPAA preempts state law. But, exception to general rule of preemption may apply if the state law provides greater privacy protections than the HIPAA rule. HHS makes determination, in response to a request from State or other entity or person. Fed HIPAA rule is a “floor”, not a “ceiling”.
Honberg on HIPAA Pa. Stat. Ann. Title 50, Sec. 7111 Documents concerning inpatient treatment, involuntary outpatient treatment, are confidential. Cannot be disclosed without written consent, except disclosure permitted:: –to treatment providers; –county administrator –court in course of legal proceedings for involuntary treatment or evaluation; Copy of all pertinent records must accompany patient when transferred from one facility to another. (Title 50, Sect. 4602).
Honberg on HIPAA Scenario II Charlie Jones, who has a long history of bipolar disorder, was hospitalized in Denver 10 days ago after a suicide attempt. Charlie is being discharged to move in with his brother, Brian, who lives in Colorado Springs. While Brian knows about his brother’s history of bipolar disorder, he is not aware that his brother recently attempted suicide. The psychiatrist who has treated him at the hospital feels that he is ready for discharge, but knows that he is still struggling with symptoms. Should the psychiatrist inform Brian about the suicide attempt and the need for follow-up care and monitoring?
Honberg on HIPAA Communications with Caregivers A covered entity may rely on an individual’s informal permission to disclose information to family or friends who function as caregivers. Hospital similarly may inform family/friends that person is there, general condition, etc. Person must be informed, have opportunity to agree or object. Several states, e.g. Vermont, Maine, and Ohio, have enacted legislation specifically permitting disclosures to family members and caregivers.
Honberg on HIPAA Lack of Capacity to Consent (Formally or Informally) If emergency exists and/or person lacks capacity to agree or object, a provider may disclose health information to caregivers if it is in the individual’s best interests based on the professional judgement of the provider. HIPAA rule states that designated surrogate should be vested with authority to make decisions in cases of incapacity. Rule is not clear whether a formal determination of incapacity is necessary.
Scenario III John, who has a history of schizophrenia, has been arrested in Nashville and is being held on trespassing charges. He calls his mother in California, a clinical psychologist, and tells her where he is. Concerned that he is a suicide risk (he has a history of suicide attempts), she calls the jail and tries to inform them about her son’s mental illness and potential suicidality. The chief medical officer at the jail refuses to talk to her, citing privacy concerns. John subsequently hangs himself. Under HIPAA, was it permissible for the medical officer to speak with his mother?
Honberg on HIPAA Communicating Information to Providers Covered entities (including treatment providers) are not precluded under HIPAA from accepting information from families or others knowledgeable about the individual and his/her treatment needs. Unless the individual objects, the jail in this case would also not be precluded from responding to the mother’s questions.
Honberg on HIPAA Law Enforcement and Criminal Justice Rule permits (does not require) disclosure to law enforcement in certain cases, including: –Required by law (e.g. court order or subpoena) –to identify or locate a suspect, fugitive, missing person, etc. –to provide information about a crime victim –to inform law enforcement of a person’s death –When a covered entity believes that PHI is evidence of a crime
Honberg on HIPAA Judicial and Administrative Proceedings Covered entities may disclose when request is pursuant to a court order or from an administrative tribunal. Jaffee v. Redmond, 518 U.S. 1 (1996). - Supreme Court recognized psychotherapist-patient privilege. –“Effective psychotherapy depends upon an atmosphere of confidence and trust.” Absent compelling evidence of the evidentiary value of disclosure, the privilege will be protected. Court explicitly states that privilege applies to psychiatrists, psychologists and social workers.
Honberg on HIPAA Scenario IV Mary has received services from a Community Mental Health Center in Denver intermittently over the years. Recently, she graduated from law school and is now applying for admission to the Colorado Bar. The Bar application includes a question inquiring about hospitalizations for treatment of serious mental illnesses during the past five years. Applicants who answer affirmatively must provide further documentation from a psychiatrist or psychologist establishing that they are capable of practicing law.
Honberg on HIPAA Scenario IV, cont. Mary is concerned that her psychiatric records at the CMHC are inaccurate and that the Center may therefore provide information that could harm her chances to be admitted to the Bar. She contacts the CMHC and requests that she be permitted to inspect her records. Is the CMHC obligated to let her do so?
Honberg on HIPAA Access to One’s Own Records Individuals generally have the right under HIPAA to review and obtain a copy of their own records. –Psychotherapy notes may be excepted, if maintained as a separate part of the record. Individuals may be denied access if the provider believes that access could be harmful. –But, provider must provide justification, and the individual who has requested the information can seek independent review.
Honberg on HIPAA Amending One’s Records Under HIPAA, individuals also have the right to request amendments to their records to correct inaccuracies. If a request is accepted, the covered entity must make “reasonable” efforts to provide the amended version requested by the individual. If a request is denied, the covered entity must provide a written explanation and the individual must be allowed to insert a statement of disagreement into the record.
Honberg on HIPAA Scenario V Rick is employed by the ACME Accounting Firm. Last year, following the death of his mother, he experienced a bout with severe depression and sought help from the Employee Assistance Program offered by his employer. He was subsequently referred to a psychologist for counseling and prescribed anti-depressant medications. His treatment was covered under ACME’s self-insured health plan. Now, Rick is concerned that his employer may have access to information about his depression and drinking. Is he protected by HIPAA?
Honberg on HIPAA Disclosures to Employers In general, medical information may not be disclosed to employers, with the following exceptions: –In cases involving work related illnesses or injuries (workers compensation cases). –To comply with employer duties under OSHA or similar State laws. Covered entities that make such disclosures must notify employee in writing.
Honberg on HIPAA Disclosures to Employers, cont. Generally, employers are not “covered entities” and therefore are not subject to the requirements of the rule. –Exception - Records maintained by an employer in its capacity as a health care provider are covered (e.g. a hospital). ADA requires employers to protect medical information, e.g. results of medical exams should be kept confidential and in separate medical files.
Honberg on HIPAA “Business Associates” Person or organization that carries out activities on behalf of a covered entity and has access to PHI. (Can include auditor, attorney, management consultant, etc.). Does not include entities who collaborate in providing treatment. Provider who knows of breach of privacy by business associate required to take reasonable steps to “cure” the breach. –If unsuccessful, must report breach to the HHS Secretary.
Honberg on HIPAA Administrative Requirements Covered entities must develop and implement written privacy policies and procedures. Covered entities must designate a privacy official “responsible for developing and implementing its privacy policies and procedures, and a person or office responsible for providing information and handling complaints.” Covered entities must train its workforce on privacy policies and procedures.
Honberg on HIPAA HIPAA and Research PHI may be disclosed under three circumstances: –If information is not PHI. (Rule identifies 18 elements that must be removed from information disclosed). –If person signs a valid authorization form. –When authorization requirement is waived by an IRB or a “Privacy Board.”
Honberg on HIPAA Enforcement and Remedies Civil penalty of $100 per willful violation, with total not to exceed $25,000 per year. Criminal penalties, including fine and imprisonment, for person who knowingly obtains and discloses PHI. Criminal sanctions enforced by the U.S. Department of Justice.
Honberg on HIPAA Read notice of privacy practices carefully. –Rule requires covered entities to provide clear and comprehensive information about privacy practices. Ask questions. Make sure you understand who will share information. Recognize that sharing information can be positive, particularly in the treatment context. Do not accept a simple “no” answer to requests to see medical records. Recommendations for Consumers and Family Members
Honberg on HIPAA Recommendations for Providers Read rule carefully (or ask attorney to prepare a summary). Learn your state’s medical privacy rules and how they interface with the federal rules. Take common sense steps to protect privacy, e.g. make sure that staff is not careless with records. Appoint a privacy officer (rule requires). Review relationships with “business partners” and make sure that they are apprised about privacy rules.
Honberg on HIPAA Questions and Comments “I wish I had an answer to that, because I’m tired of answering that question.” Yogi Berra