Confidentiality of Substance Use Disorder Treatment Information in an Era of Integration and Health Information Exchanges Ellen Weber University of Maryland Francis King Carey School of Law Tuerk Conference April 9, 2014
Overview Integration of mental health/substance use disorder services and implications for health privacy – Provider – Administrative Services Organization (ASO) Health Information Exchange (HIE) and application to substance use disorder treatment
Health Privacy Standards Substance Use Disorder Treatment Records Federal Law – Confidentiality of Alcohol and Drug Abuse Patient Records, 42 U.S.C. § 290dd-2, 42 C.F.R. Part 2 – Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164 State Law – Maryland Health Information Exchange Regulations (COMAR ) – Maryland Confidentiality of Medical Records Law, (Md. Code Ann., Health-Gen. I, § et seq.) explicitly adopts the standards under the federal confidentiality of alcohol and drug abuse patient records regulations.
42 C.F.R. Part 2 or HIPAA SUD treatment programs are covered under both sets of federal standards 42 C.F.R. Part 2 standards will apply in most situations rather than HIPAA - prohibits disclosures that HIPAA would permit – Key Functions Treatment Payment Health Care Operations HIPAA Standards – Patient access to own records – Administrative requirements – e.g. correction of records – Security standards
42 C.F.R. Part 2 Coverage Standards Which Programs Are Covered Person or entity that holds self out as providing and provides alcohol or drug abuse diagnosis, treatment or referral for treatment. (42 C.F.R. § 2.11) Must be federally assisted (42 C.F.R. § 2.12): – Receives federal funds – directly or indirectly – Tax exempt status – Operated by the federal government – Carries out treatment services under license, certification, or registration of the federal government; i.e. certified as Medicare provider; authorized to conduct methadone treatment program; prescribe buprenorphine
General Medical Care Settings Identified unit within a general medical facility that holds itself out as providing, and provides, substance use diagnosis, treatment or referral for treatment Medical personnel or staff within a general medical facility whose primary function is to provide substance use diagnosis, treatment or referral for treatment and are identified as such providers Federally Assisted 42 C.F.R. § 2.11.
SAMHSA Guidance General Medical Facilities – hospitals, trauma centers, federally qualified health centers Primary care practice – specialized unit or practitioner(s) with primary function of providing SUD services and identified as such – Physician who prescribes suboxone is “federally assisted” but must also have SUD treatment as his/her primary function and be identified as specialized personnel SBIRT – Patient information protected under Part 2 if entity conducting services is a “program”
HIPAA Coverage Standard Covered Entity – health care provider who transmits any health information in electronic form in connection with a covered transaction – Health care provider - person who furnishes, bills or is paid for medical or health care – Exchanges information in electronic media – Health information – any information relating to present, past or future physical or mental health condition; provision of or payment for health care – Transaction – transmission of information to carry out financial or administrative activities related to health care, claims and payment, claims status 45 C.F.R. § and
42 C.F.R. Part 2 and HIPAA Coverage Standards Which Patients Are Covered Individual who has applied for or been given treatment at a federally assisted program. (42 C.F.R. § 2.11) HIPAA – no standard other than covered entity
42 C.F.R. Part 2 Coverage Standards What Is Protected Patient identifying information cannot be disclosed by program. (42 C.F.R. § 2.12). Disclosure (42 C.F.R. § 2.11) – Revealing patient as an alcohol or drug abuser by disclosing name, address, SSN, photograph, fingerprint or other information that can be readily used to identify person – Verifying patient’s status in a program – Communicating any information from record of patient who has been identified as a patient.
Restrictions on Disclosure: Unconditional Compliance Cannot disclose patient identifying information even if program believes person seeking already has it, has other means of obtaining it, is a law enforcement officer, has obtained a subpoena. (42 C.F.R. § 2.13). Must respond to inquiries in manner that does not reveal individual is or has been alcohol or drug patient. (42 C.F.R. § 2.13).
Exceptions to Non-Disclosure Rule Internal Communications Communications of information between or among personnel within a program or between a program and an entity having direct administrative control over the program – Personnel must have a need for the information to carry out duties related to diagnosis, treatment or referral for treatment. (42 C.F.R. § 2.12). Sharing outside treatment unit – Different units of an agency cannot share information with program unless whole agency is considered the program – Hospitals and other general medical facilities – specialized unit/personnel cannot share information without Part 2 compliance
Exceptions to Non-Disclosure Rule Consent Written consent that contains required information (42 C.F.R. § 2.31) Prohibition against redisclosure – Program must provide a written notification to recipient of treatment information that it is barred from making any further disclosure of the information unless patient consents to redisclosure or otherwise permitted under Part 2 (42 C.F.R. § 2.32) – Redisclosure also prohibited for: Third-party payers that received program records Entities with direct administrative control over program that received internal communications (42 C.F.R. § 2.12(d)(2))
Exceptions to Non-Disclosure Rule Qualified Service Organization/Business Associate Agreement Qualified Service Organization (QSO) - entity that provides services to a program (data processing, bill collecting, dose preparation, laboratory analysis, legal, medical, electronic health information exchange) QSO enters written agreement (QSOA) with program allowing it to receive patient identifying information that is necessary to carry out tasks and agrees to comply with Part 2 (42 C.F.R. § 2.11) Business Associate Agreement requirements also apply if covered by HIPAA Part 2 limitations: – Agreements are 2-way between program and QSO/BA and don’t allow exchange of patient information to other entities – Health Information Exchange Implications
Exceptions to Non-Disclosure Rule: Court Order Process Court order: purpose is to authorize disclosure of patient information that would otherwise be prohibited under 42 C.F.R. Part 2 (42 C.F.R. § 2.61) Court must adhere to special requirements to make it effective (See 42 C.F.R. § 2.64 and 2.65) Different from subpoena for records or testimony or other order issued by courts. – Subpoena is insufficient to require disclosure by program (42 C.F.R. § 2.61); – HIPAA would permit disclosure of protected health information in response to a subpoena or court order (45 C.F.R. § (e))
Integration of Services Mental health and substance use disorder services in a program Integration of substance use disorder services and somatic care services
Administrative Services Organization Authorization of Services Payment of Services Data Submission Audits Disclosure of Part 2 information by the ASO Other?
Maryland’s Health Information Exchange Services – Encounter Notification System – DIRECT – secure exchange of patient health information – CRISP Portal Participants – 46 hospitals – Major labs and radiology centers
CRISP Portal Maryland’s designated Health Information Exchange (HIE) – Interoperable system for electronic exchange of protected health information among participating organizations – Ensures secure exchange of PHI to provide patient care – Can be a payor HIE (COMAR ) Query participating organizations about patients who have not “opted out” to obtain patient health information Information retained by the participating organization and transmitted through the HIE
Health Information Exchange Participating Organization – HIPAA covered entity that enters agreement with HIE that allows authorized users to use, access, disclose protected health information Primary Use of HIE data – Treatment, payment, reporting to public health authorities, health care operations, other uses/disclosures permitted by law – Patient consent not required under HIPAA Secondary Use of HIE Data – Population-based activities related to improving health or reducing health costs – Protocol development – Case management and care coordination – Contacting health care providers and patients to provide information about treatment alternatives COMAR ;
Health Information Exchange Opt-Out - written notice by health care consumer that she/he has elected to not participate in HIE – HIE cannot disclose PHI Exceptions – Core elements of master patient index (MPI) – Disclosures required under federal or state law – Results of diagnostic tests ordered by physician – Prescription drug information dispensed by pharmacy – Reporting to public health authorities, as authorized by law – Communications allowed without patient consent when using point-to-point transmission.
HIE Rules Sensitive Information Sensitive Information – Part 2 information – Mental health records as protected under state law (Health-Gen. § 4-307) – Any other information with specific legal protections in addition to HIPAA or Maryland Confidentiality of Medical Records Act Point-to-Point Transmission – Secure electronic transmission by a single entity that can only be read by the single receiving entity – Fax or secure clinical messaging (DIRECT) – Mirrors paper-based exchange of information
HIE Rules Transmission of Sensitive Information May only be transmitted via point-to-point transmission (pending regulations governing access, use, disclosure through an HIE or maintenance of information by an HIE) – Must obtain consent prior to disclosure to and through an HIE to an authorized recipient – Medical emergency - do not need patient consent to disclose information needed to treat condition that is immediate threat to health of any individual and requires immediate medical intervention under Part 2 COMAR
HIE Rules Transmission of Sensitive Information Disclosure and redisclosure of Part 2 information – Health care provider must identify self as Part 2 provider – Indicate on all patient records that must be disclosed only through point-to-point transmission if patient consent has been obtained – Participating organization may not redisclose without consent or as permitted under Part 2 – Participating organization must maintain Part 2 records consistent with law COMAR
Hospital Practice Hospitals not subject to Maryland’s HIE Rules – Protected health information exchanged between hospital and credentialed professionals – Among credentialed professionals on hospital staff – Between hospital and affiliated ancillary clinical service provider who has a business associate agreement with hospital Hospitals must still comply with Part 2
Questions and Contact Ellen Weber University of Maryland Carey School of Law Drug Policy and Public Health Strategies Clinic