4/28/2015 1 Confidentiality of Medical Information Public Health Nursing and Professional Development Unit Eunice B. Inman, RN, BSN Pamela Serrell, RN, BSN Ellen Shope, RN, BSN Lynn Conner, RN, BSN Gay G. Welsh, RN, BSN, MPH
4/28/2015 2 Introduction Objectives for this presentation include: Identify laws that require NC Local Health Departments to keep patient information confidential. Identify which information is confidential. Describe when confidential information may be disclosed. Describe how best to document disclosures of confidential information.
4/28/2015 3 Introduction This presentation is meant to introduce an overview of confidentiality laws and how those laws address some of the issues that arise in NC local health departments. It is not meant to be comprehensive. Please consult an attorney if you need more information or advice for a specific situation.
4/28/2015 4 Vocabulary Confidential as defined by Webster is private, secret.
4/28/2015 5 Confidentiality The general ethic in the provision of health care is that a patient’s secrets uttered in confidence must be safeguarded by the physician, other health care providers, and the agency’s workforce (employees, volunteers, trainees, and other persons whose conduct, in the performance of their duties, is under the direct control of the agency, whether or not they are paid by the agency).
4/28/2015 6 Laws Affecting LHDs in NC HIPAA Privacy Rule (45 CFR Parts 160 & 164): Federal law that governs when covered entities – a term that includes most health care providers, including LHDs – may and may not use and disclose PHI without a client’s permission. (Other federal and NC laws must also be considered in conjunction with HIPAA requirements.)
4/28/2015 7 HIPAA Privacy Rule…cont. Requires covered entities to have written policies & procedures designed to comply with the Privacy Rule. Requires the implementation of administrative, technical, and physical safeguards to protect the privacy of individually identifiable health information. Requires mitigation, to the extent possible, when breaches occur that violate the Privacy Rule or the covered entities’ policies/procedures when the breach is known by the covered entity.
4/28/2015 8 HIPAA Privacy Rule…cont. HIPAA Definitions: PHI = Protected Health Information: Individually identifiable health information (IIHI) that is transmitted electronically or maintained in any form or medium by a covered entity. T = Treatment activities of a healthcare provider: Includes provision, coordination, management of health care & related services, referrals, consultations, etc.
4/28/2015 9 HIPAA Privacy Rule…cont. P = Payment for treatment Includes reimbursement for services, benefit coverage, eligibility, billing, collections, etc. O = Health Care Operations that support the activities of healthcare provider Includes QI, credentialing, financial and medical review audits, business management, etc. Please refer to the HIPAA Privacy Rule for more detailed explanations.
4/28/2015 10 ARRA - American Recovery & Reinvestment Act ARRA = Federal Law Effective 02/18/09 primarily found at 45 CFR Part 164, Subpart D (45 CFR 164.400 - 164.414) Contains the HITECH Act that exceeds HIPAA in protecting PHI.
4/28/2015 11 ARRA - American Recovery & Reinvestment Act Within ARRA is the Health Information Technology for Economic & Clinical Health Act (HITECH Act) Broadens and supplements HIPAA privacy and security requirements, and various state privacy breach notifications. Safeguards PHI above and beyond current HIPAA requirements. Extends requirements to certain non-covered entities, covered entities, and to business associates of covered entities Includes breach notification requirements for a privacy breach.
4/28/2015 12 ARRA - American Recovery & Reinvestment Act ARRA & HITECH Act (continued) HITECH Act may be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html Guidance for managing breaches: http://www.sog.unc.edu/node/1040 under Security Breaches.
4/28/2015 13 NC Identity Theft Protection Act NC Identity Theft Protection Act (GS 75-60, Article 2A) NC law requiring private businesses and government agencies to protect personally identifying information that could be used for identity theft. Includes specific actions private businesses and government agencies must take when experiencing a security breach involving personally identifying information that is not encrypted (not necessarily electronic encryption). Requires notifications of breaches to individuals, media, and NC Attorney General’s Office in specific situations.
4/28/2015 14 NC Identity Theft Protection Act NC Identity Theft Protection Act found at: http://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html Guidance may be found at http://www.sog.unc.edu/node/1045 Scroll down to “What does The Identity Theft Act Mean for Local Health Departments.”
4/28/2015 15 Other NC State Laws re Confidentiality Public Health Patient Confidentiality Law (GS 130A-12): (revised, effective 01/01/12) NC law that applies only to LHDs, DHHS & DEHNR. Medical records held by either are confidential and are not subject to NC’s public records law. Disclosure of information may occur only with appropriate authorization or as required by federal or state law.
4/28/2015 16 Other NC State Laws re Confidentiality Privilege Laws: (GS 8-53 and GS 8-53.13) NC laws meant to prevent information from being introduced into court proceedings against the patient’s will. GS 8-53 – Communications between patients and their physicians (and others working under the direction of the physician) are privileged. GS 8-53.13 – Communications between patients and nurses are privileged. Privileged information may be introduced in two circumstances: The patient gives permission for the disclosure The judge orders the disclosure after finding that it is necessary for the proper administration of justice.
4/28/2015 17 Laws Protecting Specific Situations Title X Family Planning: (45 CFR 59.11) Federal law that requires providers to keep information about Title X Clients confidential and disclose it only with the client’s documented consent (permission), unless the disclosure is necessary to provide services to the client or is required by law.
4/28/2015 18 Law Protecting Specific Situations Communicable Disease Confidentiality: (GS 130A-143) (revised, effective 01/01/12) State Law that applies to information or records that identify a person who has or may have a reportable communicable disease or condition. Such information may be disclosed only when the disclosure fits into one of eleven circumstances specified in the statute. (Please consult the statute for these.)
4/28/2015 19 Law Protecting Specific Situations Family Educational Rights & Privacy Act: Under FERPA school nurses must protect access to and disclosure of student education records. FERPA may be found at: Title 34, Part 99--Family Educational Rights and Privacy. Schools may also fall under HIPAA. Helpful Q&A re HIPAA & FERPA in schools may be found at: http://www.sog.unc.edu/node/832
4/28/2015 20 Law Protecting Specific Situations Employees working with aspects of mental health or substance abuse clients may be subject to laws affecting those services. Please consult appropriate sources for legal resources applicable to these services.
4/28/2015 21 Pharmacy Records Law Availability of pharmacy records (G.S. 90-85.36): Pharmacy orders, whether written or electronic, are not public records and may only be provided to the following persons. Persons for whom the prescription was written Parent, Guardian or Persons standing in loco parentis of a minor child or disabled adult Pharmacy owner & Pharmacist filling the prescription Healthcare provider writing the prescription or otherwise treating the patient
4/28/2015 22 Pharmacy Records Law (List continued…) Anyone presenting an authorization for the release or subpoena for pharmacy information Includes researchers Any business entity responsible for paying for the medical care of the person for whom the prescription was written Pharmacy Board members HIPAA covered entity or non-covered health care provider for TPO purposes
4/28/2015 23 Licensure Laws Components of Nursing Practice for the Registered Nurse (21 NCAC 36.0224): (g)(4) is the specific section of administrative code that says the nurse must uphold confidentiality. (g) Collaborating involves communicating and working cooperatively with individuals whose services may have a direct or indirect effect upon the client's health care and includes: (4) safeguarding confidentiality.
4/28/2015 24 Licensure Laws Components of Nursing Practice for the Licensed Practical Nurse (21 NCAC 36.0225): (g)(3) is the specific section of administrative code that says the LPN must uphold confidentiality as delegated by the registered nurse. (g) Collaborating involves communicating and working cooperatively with individuals whose services may have a direct or indirect effect upon the client's health care and includes: (3) safeguarding confidentiality.
4/28/2015 25 Ethics and Policies ANA Code of Ethics: Interpretive Statement, Provision 3.2 “…the nurse has the duty to maintain confidentiality of all patient information.” To do less Jeopardizes the patient’s welfare Destroys trust in the nurse/patient relationship which jeopardizes the nurse’s ability to provide quality care.
4/28/2015 26 Ethics and Policies AMA Code of Ethics: Opinion 5.05 Confidentiality The information disclosed to a physician by a patient should be held in confidence. The patient should feel free to make a full disclosure of information to the physician in order that the physician may most effectively provide needed services. The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication.
4/28/2015 27 Ethics and Policies Local Health Department Policy & Procedure: Safeguards Policies – covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. Safeguard policies/procedures include, but are not limited to: Policy sets forth guidance to safeguard and maintain the integrity of the designated record set (financial and medical records as defined by HIPAA) and how best to protect the rights of clients while affording the providers of care appropriate access.
4/28/2015 28 Which Information is Confidential? Agency Confidentiality Policy – Affirms the agency’s resolve to abide by the laws presented. Any IIHI about a client is confidential – assume that it is all confidential. It is not just the medical status or treatment information that is protected. Even the fact that they are a client is protected. Any individually identifiable health information (IIHI) the LHD has on a person who is not a client is most likely confidential. Example: blood lead information on a child who is cared for by a local pediatrician while environmental health is doing a home investigation.
4/28/2015 29 Which Information is Confidential? Individually Identifiable Health information (IIHI) includes: the client’s demographic information (name, address, age, date of birth, etc.). information that is created or received by a health care provider, health plan, employer, or health care clearinghouse. information related to the past, present, or future physical or mental health condition of the individual, provision of health care, or the past, present, or future payment for the provision of health care. any information that identifies the client, or to which there is reasonable basis to believe that the information can be used to identify the client.
4/28/2015 30 Which Information is Confidential? Protected Health Information includes: IIHI that is transmitted electronically or maintained in any form or medium by the covered entity. And everything else mentioned if not addressed in laws for specific services.
4/28/2015 31 When may LHDs Disclose Patient Information? With the client’s (or personal representative’s) permission. Permission must be in the proper format. In most cases the permission must be in writing. Must be on an appropriate HIPAA compliant authorization form.
4/28/2015 32 When may LHDs Disclose Patient Information? Under certain circumstances without the client’s (or personal representative’s) permission as specified by law. Broadly these include: Treatment, payment and healthcare operations as defined by HIPAA, G.S. 130A-12, & G.S. 130A-143. Please consult your HIPAA Officer or County Attorney regarding these definitions.
4/28/2015 33 When may LHDs Disclose Patient Information? When it is required by another law. The following slides will address these. Subpoenas & other court orders Response guidance for LHDs from the NC School of Government may be found at: http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc=7&category=49
4/28/2015 34 Laws requiring disclosure of info. NC law requires the disclosure of confidential information or records for specific purposes for each of the following: (The following is a partial list of those who may demand records or information.) HIPAA covered entities must verify the identity of the individual demanding the information and their authority to obtain the information. G.S. 130A-385: Chief medical examiner or county medical examiner when a death is under investigation. G.S. 130A-209: Diagnoses of cancer to central cancer registry
4/28/2015 35 Laws requiring disclosure of info. List … cont. GS 7B-301: Any person or institution must report known or suspected child abuse/neglect or child deaths believed to be due to maltreatment to DSS. GS 7B-302: Records or information relevant to the investigation of known or suspected cases of child abuse or neglect may be released to director of social services GS 7B-601: or guardian ad litem representing the child GS 7B-1413: The N.C. Child Fatality Prevention Team, a community child protection team, and N.C. Child Fatality Task Force may review information they deem relevant to their task.
4/28/2015 36 Laws requiring disclosure of info. List … cont. GS 108A-102: Report suspected abuse of elderly or disabled adults to Social Services Director. GS 130A-5 and 130A-15: NC Secretary of HHS may see patient records when the patient’s physician and a DHHS physician agree that there is a “clear danger to public health” and other health hazards. GS 130A-135 et seq.: Outbreaks of reportable communicable diseases. G.S. 130A-144: Local Health Directors or State Health Director may demand medical records pertaining to the diagnosis, treatment, or prevention of communicable disease.
4/28/2015 37 Laws requiring disclosure of info. List … cont. G.S. 51-2: Disclose relevant medical information of minors seeking to marry to court appointed guardian ad litem. G.S. 90-21.20: Report wounds/injuries to law enforcement if there appears to be criminal violence involved. G.S. 130A-153 and 10A NCAC 41A.0406: Disclosures of immunizations to specific providers, schools, etc.
4/28/2015 38 Laws requiring disclosure of info. List … cont. G.S. 130A-456: Physicians must report occupational injuries on farms and other reportable occupational diseases and illnesses to DHHS. G.S. 130A-458: Persons in charge of laboratories that provide diagnostic services must report findings related to reportable occupational diseases and illnesses to DHHS.
4/28/2015 39 Laws requiring disclosure of info. List … cont. G.S. 130A-476(b): Authorizes State Health Director to issue temporary order requiring health care providers to report specifically requested medical information to local health director or State Health Director to investigate a possible bioterrorist incident. State and federal auditors of programs such as Medicaid may review patient records under applicable state and federal regulations.
4/28/2015 40 Other exceptions requiring disclosure. Responding to a court order, subpoena, warrant, & other law enforcement and judicial requests: Response guidance for LHDs from NC SOG may be found at: http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc=7&category=49 LHDs may disclose information without a patient’s permission upon receipt of a proper court order provided only the PHI disclosed is expressly authorized by the court order. A subpoena must never be ignored; however, depending on the type of subpoena, automatic disclosure of information is not always appropriate. (Consult the above guidance and local attorney.)
4/28/2015 41 Other exceptions requiring disclosure. Health department should have a carefully crafted policy for handling subpoenas, court orders and law enforcement & judicial requests. All the above requests should be brought to the attention of the health director immediately. Consulting the LHD Attorney about the above types of legal requests prior to disclosing information is a good idea.
4/28/2015 42 Obtaining Consent For TPO "Consent" as defined by HIPAA means that the client is giving the covered entity permission to use and disclose their protected health information for treatment, payment, and other health care operations. Obtaining “consent for TPO” is optional under HIPAA and is no longer required by NC law (G.S. 130A-12(3), revised, effective 01/01/12).
4/28/2015 43 Obtaining Consent For TPO “Consent”…cont. It is no longer recommended that local health departments obtain “consent for TPO.” Continuing to obtain “consent for TPO” may result in barriers to care in specific circumstances and lost reimbursement if a client refuses to sign the consent for TPO as the mandated services are still required to be provided.
4/28/2015 44 Verification Requirements Prior to disclosing requested PHI to a person or entity the HIPAA Privacy Rule requires covered entities to verify two things: the requesting person’s identity (personal identity or as an appropriate designee of a requesting entity). the requesting person’s authority to receive the information. Covered entities must have internal Verification Policies & Procedures and must have trained their staff on the policy/procedure.
4/28/2015 45 Obtaining Permission to Disclose Information (Authorization) HIPAA Authorization Forms: Must contain specific elements. Must be used for disclosures outside the realm of TPO. Please see the following references: IOG: http://www.sog.unc.edu/node/818 DPH: http://publichealth.nc.gov/lhd/ See “Problem Oriented Health Record” topic and select DHHS Form 4056.
4/28/2015 46 Obtaining Permission for Treatment "Consent for Treatment" Obtaining informed consent to treat a patient is an entirely different legal obligation as opposed to obtaining “consent for TPO,” which is not a legal obligation. “Consent for Treatment” means that the client is giving permission to the health care provider to provide medical care and treatment to the client. (G.S. 90-21.13) Obtaining “consent for TPO,” which is no longer recommended, means the client is giving the covered entity permission to use and disclose their PHI for treatment and payment activities as well as health care operations. Health departments still need informed consent to treat a patient.
4/28/2015 47 Obtaining Permission for Treatment GS 90-21.13: Informed consent to healthcare or procedure. Valid consent means that a reasonable person under all the surrounding circumstances would be: mentally and physically competent to give consent. able to understand the implications, risks and hazards of the treatment or procedure. consent voluntarily to the treatment or procedure, and without coercion from the requestor.
4/28/2015 48 Documenting Disclosures When information is disclosed with client’s consent (via HIPAA compliant authorization) Put copy of signed authorization in client’s record. HIPAA requires that the client be given a copy of the signed authorization. Make a note in the record when the information is actually released. Disclosures made with the client’s authorization are not required to be included in the Accounting of Disclosures. (The client has the right to ask for an accounting of disclosures. See http://www.sog.unc.edu/node/818 for guidance on accounting of disclosure requirements.)
4/28/2015 49 Documenting Disclosures When information is disclosed without permission when meeting a legal requirement to disclose, documentation in the client’s record should include: the date and the fact of its disclosure, to whom it was disclosed, why it was disclosed, the name of the staff member that disclosed the information, and the signature/initials of the staff member recording the documentation in the record. Disclosures made without client authorization are required to be included in the Accounting of Disclosures.
4/28/2015 50 Questions Now a few minutes for questions.