Reconciling Medical Record Privacy and Security Requirements Across Systems
October 10, 2006
Renee H. Martin
Tsoules, Sweeney & Martin, LLC, 29 Dowlin Forge Road, Exton, PA 19341
Tel.: (610) 423-4200, Fax: (610) 423-4201, rmartin@tshealthlaw.com
Copyright Tsoules, Sweeney & Martin, LLC

Overview
– Coordination of care for co-occurring problems and illnesses (IOM report)
– Barriers/hindrances: cultural, financial, legal
– HIPAA and preemption
– PA mental health law
– Federal and state substance abuse confidentiality law
– National Health Information Network
– Electronic health records
– Organizational approaches
Coordination of Care - Paramount
– Mental illness and substance abuse rarely occur in isolation.
– Physical illnesses (heart disease, diabetes, cancer, neurological illnesses) frequently accompany mental illness and substance abuse.
– Diverse providers often fail to detect and treat these co-occurring problems.
Barriers to Collaboration/Coordination
– Separation of MH/substance abuse services from general health care
– Separation of MH and substance abuse services from each other
– Reliance on multiple systems and non-health care sectors (juvenile and criminal justice, education, child welfare) to obtain MH/substance abuse services
– Multiple, separately licensed and regulated care providers
– Separate and multiple confidentiality/disclosure requirements
– Separate financial systems and coverage
– Separate cultures
Legal Parameters for Sharing Healthcare Information
HIPAA Privacy Rule, generally: permits covered entities to release protected health information (PHI), other than psychotherapy notes, to another provider for treatment, payment and health care operations without patient authorization.
Scope: Who is Covered?
Limited to "covered entities":
– Health care providers who transmit health information electronically in connection with a transaction for which the Secretary has adopted standards
– Health plans
– Health care clearinghouses
– Sponsors of prescription drug discount cards
Business associates are reached indirectly, through their relationship with a covered entity.
Organizational Issues
– Hybrid entities (designate health care component(s))
– Organized Health Care Arrangements (OHCAs): multiple covered entities can share PHI; e.g., clinically integrated care settings (medical staff and hospital).
  – OHCAs hold themselves out to the public as a joint arrangement
  – OHCAs participate in joint activities that include utilization review, quality assessment or sharing of financial risk
– Affiliated Covered Entities: legally separate CEs that are under common ownership or control. One entity has the power, directly or indirectly, to significantly influence or direct the actions of the other, or holds an ownership or equity interest of 5% or more in the other.
  – Must document the relationship
  – Must adhere to the Security Rule requirements

Business Associates
– Agents, contractors and others hired to do work on behalf of a covered entity, where that work requires the use or disclosure of PHI to the business associate
– The covered entity must obtain satisfactory assurances, usually through a contract, that the business associate will safeguard PHI and limit its use and disclosure
Preemption of State Law
General rule: a state law is preempted where a standard, requirement or implementation specification of the HIPAA Privacy Rule is contrary to it.
"Contrary to a provision of State law" means:
– A covered entity would find it impossible to comply with both the state and federal requirements, or
– The provision of state law stands as an obstacle to compliance with and enforcement of HIPAA.
Result for Pennsylvania: the HIPAA Privacy Regulations preempt Pennsylvania laws and regulations except where the state law relates to the privacy of PHI and is more stringent than HIPAA.

What is "More Stringent"?
Compared to the HIPAA Privacy Regulations, the state law:
1. Restricts or prohibits a use or disclosure that HIPAA permits.
2. Permits greater rights of privacy in PHI, or of access to or amendment of PHI.
3. Provides more information to the individual.
4. Is narrower in scope or duration, or reduces the coercive effect of the circumstances surrounding an authorization.
5. Provides for the retention or reporting of more information, or for a longer duration.
HIPAA Privacy Administrative Requirements
– DOCUMENTED policies, procedures and systems
– Designated privacy official and contact person
– Administrative, technical and physical safeguards
– Privacy training
– Legal documents: Notice of Privacy Practices; business associate agreements
– Complaint mechanism
– Human resources enforcement policies

HIPAA Preemption/Privacy Rule
Result: PA mental health law, being more stringent, generally supersedes HIPAA, and PA law governs the use and disclosure of PHI. PA law is silent on many of HIPAA's administrative requirements, so a provider must still look to HIPAA and comply with them.
HIPAA Security Rule
– HIPAA Privacy covers what information you protect: the use and disclosure of PHI
– HIPAA Security covers how and when you protect that information
  – Adopts national standards for safeguards to protect the confidentiality, integrity and availability of the data

General Requirements
Ensure:
– Confidentiality: only authorized persons can see the information
– Integrity: the information has not been altered or destroyed in an unauthorized manner
– Availability: the information is accessible and usable on a timely basis by those authorized

General Requirements
– Applies to electronic protected health information (ePHI) only; note that the Privacy Rule also extends to oral and written communications
– Applies to the ePHI that a covered entity creates, receives, maintains or transmits

General Requirements
Covered entities must:
– Protect against reasonably anticipated threats or hazards to the security or integrity of the information
– Protect against reasonably anticipated uses and disclosures that the Privacy Rule does not permit
– Ensure compliance by the workforce
– Develop business associate contracts as appropriate

Overarching Themes
– Security is technology neutral: the Rule outlines what needs to be done to protect the information, not how it should be done
– Security is comprehensive: it covers the technical, administrative and behavioral aspects of compliance

Regulatory Approach
– Scalability (size) and flexibility (implementation)
– Organizational approaches should account for: size; complexity; technical infrastructure; cost; potential security risks
– Standards are developed in three categories: administrative, physical, technical
– Within each standard is a series of implementation specifications, each either Required or Addressable
  – Required: a MUST
  – Addressable: a covered entity, after conducting a documented risk analysis, may implement the specification if reasonable and appropriate; implement an equivalent alternative measure if reasonable and appropriate; or not implement it, documenting why it is not reasonable and appropriate

Administrative Standards
– Security Management Process: risk analysis (R); risk management (R)
– Assigned Security Responsibility: security officer (R)
– Workforce Security: clearance procedures (A); termination procedures (A)
– Information Access Management: isolating clearinghouse functions (R); access authorization (A)
– Security Awareness and Training (R)
– Security Incident Procedures (R)
– Contingency Plan: disaster recovery plan (R)
– Evaluation (R)
– Business Associate Contracts

Physical Standards
– Facility Access Controls (all specifications addressable): contingency operations; facility security plan; access control and validation; maintenance records
– Workstation Use
– Workstation Security
– Device and Media Controls

Technical Standards
– Access Control: unique user ID (R); emergency access procedure (R); automatic logoff (A); encryption and decryption (A)
– Audit Controls
– Integrity Controls
– Person or Entity Authentication
– Transmission Security

HIPAA Security Standards
– The Security Standards do not preempt state law.
– PA mental health laws are silent on security.
– The HIPAA Security Standards must therefore be implemented.
SUBSTANCE ABUSE RECORD CONFIDENTIALITY

Substance Abuse Confidentiality
Confidentiality of Alcohol and Drug Abuse Patient Records (42 C.F.R. Part 2) protects from disclosure the records of the identity, diagnosis, prognosis or treatment of any patient that are maintained in connection with the performance of any program or activity relating to substance abuse education, training, treatment, rehabilitation or research which is conducted, regulated or directly or indirectly assisted by any department or agency of the United States.

Definitions
– "Records" include any information received or acquired by a program, whether oral or written. The prohibitions against disclosure continue to apply to records irrespective of the patient's status in the program.
– "Patient" includes any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program, and any individual who, after arrest on a criminal charge, is identified as an individual with alcohol or drug abuse in order to determine that individual's eligibility to participate in a program.
– "Program": the requirements apply only to a "federally assisted alcohol or drug abuse program," defined as an individual or entity, or an identified unit within a general medical facility, "who holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment."

The Federal Confidentiality Requirements do NOT apply to the following:
– Hospital emergency room and general medical/surgical patients' records where the health care facility is not a federally assisted "program," i.e., it has neither an identified unit that provides substance abuse services nor medical personnel or other staff whose primary function is the provision of substance abuse services and who are identified as such providers
– Interchange of records within the Armed Forces and the Veterans Administration
– Crimes on program premises or against program personnel
– Communications between a program and a "qualified service organization" of information needed by the organization to provide services to the program
– Internal communications within a program

Disclosure Exceptions: Internal Communications
– Can occur within a program/office, or with an entity having direct administrative control over it, if the information is needed
– Staff can share information with each other and with supervisors
– Includes staff of the hospital's record-keeping or billing department

Consent Requirements
– The consent form must contain specific required elements
– Redisclosure of information released under a consent is prohibited without further written consent

Exceptions to the Consent Requirement (Nonconsensual Disclosure Permitted)
– To medical personnel in a "bona fide" medical emergency
– To medical personnel of the FDA who need the information to notify patients of errors in drug labeling or manufacture
– To qualified personnel conducting scientific research, management audits, financial audits or program evaluation (a report may not identify any individual patient, directly or indirectly)
– To governmental or third party payers, with certain restrictions
– If authorized by a court order and a subpoena, issued after a showing of "good cause." 42 U.S.C. § 290dd-2(b)(2); 42 C.F.R. §§ 2.51-2.53.

Disclosure Exceptions: With Patient Consent
– The patient can authorize specific disclosures
– The consent must be in writing
– The consent must contain specific elements (very similar to a HIPAA authorization)

Disclosure Exceptions: Qualified Service Organization Agreement
– A program or office can disclose to a QSO without consent
– QSO: a person or agency that provides services the program/office itself does not provide (e.g., data processing, billing, professional services, vocational counseling)
– The QSO must be qualified to communicate with the program/office, i.e., there must be a written agreement
– The program or office may communicate to the QSO only the information the QSO needs
– A program or office can enter into such an agreement only if the QSO offers a service the program/office does not offer
– The program/office does not have to inform patients about its QSOs

Part 2 "Security" Requirements
– Written records must be "maintained in a secure room, locked file cabinet, safe, or similar container." 42 C.F.R. § 2.16.
– PA law: records shall be secured within a locked storage container. 4 Pa. Code § 257 (d)(1)(i).
MENTAL HEALTH PATIENT RECORDS

Confidentiality of Records: Inpatient Psychiatric Services
Under the MHPA, all documents concerning persons in treatment shall be kept confidential and, without the person's written consent, may not be released nor their contents disclosed to anyone except:
(a) those engaged in providing treatment for the person;
(b) the county administrator;
(c) a court in the course of commitment proceedings; and
(d) under federal laws governing patient information, where treatment is undertaken in a federal agency.

Non-Consensual Release of Information
Treatment records are confidential and shall not be released or disclosed without the written consent of the client/patient, except that relevant portions or summaries may be released or copied as follows:
– To persons actively engaged in treatment
– To third party payors (information released without consent or court order is limited)
– To reviewers and inspectors (e.g., JCAHO, CARF)
– In response to a court order (§ 5100.35(b))
– In an emergency medical situation
– In each case, limited to the minimum necessary

Patient Access to Records and Control Over Release of Records
Control over release rests with:
– The client/patient, if 14 years of age or older and able to understand the nature of the documents to be released
– A person chosen by the client/patient
– If the client/patient is deceased, the executor or personal representative of the estate
– The parent or guardian, if the person is under 14 or incompetent
Records received from other agencies become part of the record and are subject to control by the client/patient.

Consensual Release to Third Parties
– Access to records is granted to third parties upon written consent of the client/patient
– The client/patient designates the recipient; a payor-designated consent to release for reimbursement is limited to the minimum necessary
– The client/patient has the right to inspect the records
– The consent form must contain mandated elements

Release to Courts
– No release of records in response to a subpoena or other discovery proceeding without patient consent or an additional court order
– Duty to inform the court
– Inform the client/patient's attorney
– Defense counsel for the provider may review the records; minimum necessary applies
– Violations carry civil and criminal liability

Release of Mental Health Records Under Act 147: Rights of Minors
General rule, except for the limited rights of a parent/legal guardian: a minor age 14 or older controls the release of the minor's mental health inpatient and outpatient treatment records and information to the extent allowed by law. Release is subject to the provisions of the MHPA and other applicable federal and state statutes and regulations.
Nation Moving to Electronic Health Care Records
– National Health Information Infrastructure
– President's New Freedom Commission on Transforming Mental Health Treatment recommendations:
  – Use HIT to improve access and coordination
  – Develop and implement integrated EHR and personal health systems

So,... Where Are We Going?
Most MH/substance abuse treatment is paper based:
– 3,000 to 10,000 hours of care go undocumented, worth $360,000 to $1 million annually
– 25,000 to 42,000 hours of clinical time are lost to paper inefficiencies, with an annual value of $2.2 to $3.7 million
– 13,000 to 20,000 hours of support staff time are spent on unnecessary medical record work, with an annual value of $500,000 to $700,000

National Health Information Infrastructure
Executive Order 13335, April 2004:
– Called for widespread adoption of interoperable EHRs within 10 years
– Created the position of National Coordinator for Health Information Technology
– The National Coordinator issued a Framework for Strategic Action on July 21, 2004, consisting of 4 goals, each with 3 strategies

Goals of the NHII
1. Informing clinical practice: promoting use of EHRs by incentivizing EHR adoption and reducing the risk of EHR investment
2. Interconnecting clinicians by creating interoperability through Regional Health Information Organizations (RHIOs), a national health information infrastructure, and coordination of federal health information systems
3. Personalizing care: promotion of personal health records; enhancing consumer choice by providing information about institutions and clinicians; promoting tele-health in rural and underserved areas
4. Improving population health: unifying public health surveillance; streamlining quality of care monitoring; accelerating research and dissemination of evidence

Regional Health Information Organization
[Diagram: a RHIO at the center, connected to health plan, consumers and provider, supporting public health surveillance, quality accountability, research and other uses.]
Overcoming Legal Barriers
1. Unified programs
2. Take advantage of current law
3. Universal authorizations
4. Effectuate change (locally and nationally): come to the table!

Ways to Disclose Under HIPAA and 42 C.F.R. Part 2
– Use the OHCA and Affiliated Covered Entity options to define your "program" more expansively
– Use the Qualified Service Organization designation with a mental health treatment provider to permit disclosure to that provider. NOTE: the mental health treatment provider is precluded from redisclosing under the QSO designation.

Ways to Disclose Under PA Mental Health Law/HIPAA
Take advantage of current law:
– Does an exception apply?
– Can you "embed" providers into one agency and facility? (provider to provider; provider to payor)
– Use a universal, three-way compliant authorization when necessary or appropriate

Ways to Disclose: Non-PHI
– De-identified data may be aggregated and shared, but ask: is it truly de-identified?
– Limited data sets: for public health, research or operations; a data use agreement is required