OCR’s Guidance on the HIPAA Privacy Rule and Sharing Information Related to Mental Health and Recent OCR Activities Sherri Morgan, JD, MSW and Marissa.


1 OCR’s Guidance on the HIPAA Privacy Rule and Sharing Information Related to Mental Health and Recent OCR Activities
Sherri Morgan, JD, MSW and Marissa Gordon-Nguyen, JD, MPH
Health Information Privacy Specialists
U.S. Dept. of Health & Human Services, Office for Civil Rights
November 12, 2014

2 Topics Covered
Mental health guidance
– Background
– Family and Friends
– Health and Safety
Other recent guidance and outreach
Enforcement updates

3 HIPAA Privacy Rule and Sharing Information Related to Mental Health
Context for guidance includes President’s Executive Actions on Reducing Gun Violence and Congressional inquiries.
Guidance clarifies how the Privacy Rule applies in certain situations to the disclosure of protected health information (PHI) of a patient who is being treated for a mental health condition.
Does not create a new rule or amend existing standards.

4 OCR Guidance on Sharing Information Related to Mental Health
Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html

5 Background
Strong privacy protections are critical for maintaining individuals’ trust in health care providers and willingness to access treatment, particularly for mental health conditions.
At times, sharing health and mental health information is needed to enhance treatment and for the health and safety of the patient or others.
The HIPAA Privacy Rule is balanced to protect privacy and allow uses and disclosures of information for treatment and certain other purposes.

6 HIPAA Protections for Mental Health Information
HIPAA generally applies uniformly to all PHI, including mental health information.
An exception exists for psychotherapy notes, which receive special protections.
Psychotherapy notes:
1. document or analyze the content of a counseling session;
2. are maintained separately from the rest of the medical record; and
3. do not include medications, session start and stop times, treatment modalities and frequencies, clinical test results, and certain summary clinical information.
45 CFR § 164.508(a)(2)—Protections for psychotherapy notes

7 Psychotherapy Notes – Access and Disclosure
Patients and personal representatives do not have a right to access psychotherapy notes under HIPAA.
Generally, separate written authorization is required to disclose psychotherapy notes to a third party.
Exceptions (subject to minimum necessary): authorization is not required to disclose psychotherapy notes to prevent or lessen serious and imminent threats, as required by law (e.g., for mandatory reporting such as reporting of abuse), for mental health training, for defending a lawsuit, to coroners and medical examiners, for OCR to determine compliance, or for oversight of the originator of the notes.

8 Sharing Information with Family and Friends
45 CFR § 164.510(b)—Uses and disclosures of PHI requiring an opportunity for the individual to agree or object
45 CFR § 164.502(g)—Personal representatives of adults and minors
45 CFR § 164.524(a)(1)(i)—No right to access psychotherapy notes

9 Communications with Family, Friends and Others Involved in a Patient’s Care—Individuals Who are Present and Have Decision Making Capacity
Must give patient opportunity to agree or object:
– Ask patient’s permission
– Inform patient of intent to inform family or friends and give opportunity to object
– Infer from circumstances, using professional judgment, that patient does not object
May disclose only the PHI directly relevant to person’s involvement in patient’s care/payment for care
45 CFR § 164.510(b)

10 Communications with Family, Friends and Others Involved in a Patient’s Care—Individuals with Decision Making Capacity Who Object
If a patient with capacity objects to disclosure, the provider may only disclose if:
– Doing so is consistent with applicable law and standards of ethical conduct; and
– Provider has a good faith belief that patient poses a serious and imminent threat to self or others, and family member or friend is reasonably able to prevent or lessen that threat.
– See 45 CFR 512(j) Exception for Threats to Health or Safety

11 Examples of Sharing Patients’ PHI With Family
Permissible, where patient does not object:
– A psychiatrist discusses with a patient’s sister who is present at an appointment, the drugs the patient needs to take
– A mental health clinician gives information to a patient’s spouse about warning signs that may signal a developing mental health emergency
Impermissible:
– A nurse discusses a patient’s mental health information with the patient’s brother after the patient stated she does not want family to know about her condition.

12 Communications with Family, Friends and Others Involved in a Patient’s Care—Individuals Not Present or Without Decision Making Capacity
Health care provider determines, based on professional judgment, that sharing information is in best interests of the patient
May disclose only the PHI directly relevant to person’s involvement in patient’s care/payment for care
45 CFR § 164.510(b)(3)

13 Mental Condition May Constitute Incapacity
Incapacity may be temporary or long-term.
If a patient does not have capacity to agree or object due to current mental state, the provider may disclose limited information to family and friends if provider determines, based on professional judgment, that disclosure is in the patient’s best interests, taking into account the patient’s prior expressed preferences and circumstances of the current situation.
Once patient regains capacity, provider should offer patient opportunity to agree or object to any future sharing of information.

14 Disclosing Patients’ Medication Non-compliance
Rules on sharing information with family and friends generally apply.
Permission to disclose a serious and imminent threat may apply, depending on the circumstances.

15 Options for Concerned Family and Friends
HIPAA protects the confidentiality decisions of patients if they choose not to allow disclosure of mental health information to family and friends.
HIPAA doesn’t prevent providers from listening to family members or other caregivers who may have concerns about the health and well-being of the patient.
– If patient later requests access to record, provider may withhold from the patient information that was shared by another person under a promise of confidentiality, if disclosing the information would reveal its source. 45 CFR § 164.524(a)(2)(v)

16 Related OCR Resources
Fact Sheet for Providers on Disclosures to Family Members and Friends
www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf

17 Parents and Minors
Generally, parents are the personal representatives of their minor children for HIPAA purposes, and providers may share patient information with a patient’s personal representative.
However, there are certain exceptions, e.g., where a minor may obtain certain health care services without parental consent under State or other law.
HIPAA defers to state law to determine age of majority.
See OCR Guidance on Personal Representatives, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html
45 CFR § 164.502(g)

18 Disclosures for Health and Safety Purposes
45 CFR § 164.512(j)—Disclosures to prevent or lessen a serious and imminent threat to health or safety
45 CFR § 164.512(f)(2)—Disclosures to locate or identify suspects, fugitives, material witnesses, or missing persons
45 CFR § 164.512(f)(1)—Disclosures to law enforcement pursuant to court orders, warrants, and subpoenas; and administrative requests
45 CFR § 164.512(a), (c)—State and other law mandatory disclosures (e.g., abuse, domestic violence injuries, etc.)

19 Dangerous Patients and Public Safety Disclosures
Disclosures are permitted to law enforcement, family, friends or others who are in a position to avert the threatened harm—when disclosure “is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others.”
Disclosures must be consistent with applicable law and standards of ethical conduct.
See Letter to Nation’s Health Care Providers (1/15/2013) www.hhs.gov/ocr/office/lettertonationhcp.pdf
45 CFR 164.512(j)

20 Temporary Psychiatric Holds
A health care facility may notify law enforcement that a psychiatric patient has been released from the facility in response to:
– Law enforcement requests, if the patient is a suspect, fugitive, material witness (only certain information may be disclosed)
– Court orders, warrants, judicial subpoenas, written administrative requests
– Mandatory reporting requirements
– Serious and imminent threats
45 CFR § 164.512

21 Dually-diagnosed Patients with Drug or Alcohol Abuse
42 CFR Part 2 Programs
Concurrent diagnosis for a mental health disorder and drug or alcohol abuse is not uncommon.
Providers in federally assisted drug and alcohol abuse treatment programs are subject to 42 USC § 290dd-2 and 42 CFR § 2.11, et seq. (“Part 2”).
Part 2 confidentiality rules are more stringent than HIPAA and may apply in dual diagnosis cases, if treatment is in a Part 2 program.

22 School Personnel Notifications to Parents or Law Enforcement
FERPA, not HIPAA, generally applies to schools’ information about students.
OCR Guidance on FERPA and HIPAA http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf

23 Additional Resources and Guidance

24 OCR Guidance on HIPAA and Same-sex Marriage
Understanding Spouse, Family Member, and Marriage
Part of HHS implementation of the United States v. Windsor decision
45 CFR § 160.103 Definitions
Spouse – includes individuals who are in a legally valid same-sex marriage celebrated in a state, territory or foreign jurisdiction.
Marriage – includes both same-sex and opposite-sex marriages
Family member – includes dependents of a same-sex marriage

25 Same-sex Marriage Guidance Applied
Definition of “family member” is relevant to:
– § 164.510(b) – uses and disclosures of PHI to persons involved in the individual’s care or payment for care, and for notification purposes.
– § 164.502(a)(5)(i) – prohibition against uses and disclosures of genetic information for underwriting purposes. Applies to genetic tests of a family member of the individual or the manifestation of a disease or disorder in a family member of the individual.
Available at http://www.hhs.gov/ocr/privacy/hipaa/understanding

26 OCR RULEMAKING UPDATE
What’s Done? What’s to Come?
What’s Done:
– Interim Final Rules
    Enforcement penalties
    Breach Notification
– Omnibus Final Rule
    HITECH provisions, including final rulemaking on IFR above
    GINA provisions
    Other rule changes
– NICS NPRM
– CLIA Final Rules
    Access to test results directly from labs
What’s to Come:
– From HITECH
    Accounting of Disclosures
    Methods for sharing penalty amounts with harmed individuals
– NICS Final Rule

27 Notice of Privacy Practices
http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html

28 Medscape Resource Center: Public Outreach Initiatives
http://www.medscape.org/sites/advances/patients-rights

29 Medscape Training Videos: Public Outreach Initiatives
http://www.medscape.org/viewarticle/810563
http://www.medscape.org/viewarticle/810568

30 Mobile Devices
Mobile Devices: http://www.healthit.gov/mobiledevices

31 What’s to Come
More Guidance:
– Business Associates
– Breach Notification Rule
– Security Rule
– Cloud
– Individual Rights
– Minimum Necessary
– Emergency Situations
– Other Privacy Rule Topics
More Training:
– Online Training Modules
Audit Program

32 Enforcement Information

33 500+ Breaches by Type of Breach as of 9/2014

34 500+ Breaches by Location of Breach as of 9/2014

35 Breach Highlights
September 2009 through September 2014
Approximately 1,113 reports involving a breach of PHI affecting 500 or more individuals
– Theft and loss are 58% of large breaches
– Laptops and other portable storage devices account for 34% of large breaches
– Paper records are 21% of large breaches
Approximately 120,000+ reports of breaches of PHI affecting less than 500 individuals

36 Lessons Learned
Appropriate Safeguards Prevent Breaches
Evaluate the risk to e-PHI when at rest on removable media, mobile devices and computer hard drives
Take reasonable and appropriate measures to safeguard e-PHI
– Store all e-PHI to a network
– Encrypt data stored on portable/movable devices & media
– Employ a remote device wipe to remove data when lost or stolen
– Train workforce members on how to effectively safeguard data and timely report security incidents

37 Recent Enforcement Actions
Lessons Learned:
– HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.
– Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.
– Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected as well as the confidentiality of their health data.

38 Q & A
Sherri Morgan, JD, MSW
Health Information Privacy Specialist
HHS, Office for Civil Rights
Marissa Gordon-Nguyen, JD, MPH
Health Information Privacy Specialist
HHS, Office for Civil Rights

