1 COSIG Confidentiality Training for Breaking Barriers/ Building Dreams and OASIS Dept. of Alcohol...

1

COSIG Confidentiality Training for

Breaking Barriers/ Building Dreams and OASIS Dept. of Alcohol and Other Drug Abuse Services:

George Crosland, Manager of Program Accountability

Carl Kraeff, Management Consultant Jenny Bouknight, COSIG Liaison

Department of Mental Health Alan Powell, Assistant General Counsel

Vocational Rehabilitation Department Jeb Batten, Staff Attorney

2

General Introduction

The goal of this training is to familiarize No Wrong Door front line personnel with confidentiality laws and regulations.

This briefing is an abbreviated version of the Legal Action Center briefing that was presented to alcohol and drug abuse personnel last year.

Nonetheless, the full Legal Action Center presentation is made available as a handout.

3

This training is designed to provide general information, and is not presented as legal advice

The specific application of this information may vary based on specific facts and circumstances.

Specific application may also vary based upon other law and individual agency practices and procedures, including individual Privacy Practices.

General Introduction (Cont.)

4

Individual practices and procedures may include:

Type of Consent/Authorization Response to subpoenas Reporting of abuse and neglect Duty to Protect/Warn More restrictions to disclosure than applicable law

As needed, consult with your supervisor and/or legal counsel as applicable.

General Introduction (Cont.)

5

Frequently Asked Questions

When must I disclose client information? What is a subpoena and how should I handle it? What is a court order and how should I handle it? How should I deal with an arrest warrant from law

enforcement for a client in my facility? Who has final approval on whether or not I, the

counselor, discloses client information? When does 42CFR apply and HIPAA does not? How do I best protect myself from violating HIPAA

and/or 42CFR? When should consult with my agency supervisor

and/or attorney to clarify client confidentiality questions?

CONFIDENTIALITY AND COMMUNICATION:

DRUG AND ALCOHOL TREATMENT RECORDS

Legal Action Center

(212) 243-1313

© 2007

7

CONFIDENTIALITY AND COMMUNICATION: DRUG AND ALCOHOL

TREATMENT RECORDS

The following PowerPoint Presentation was created by the Legal Action Center for use in trainings conducted by its staff, and may only be used by

others with express written permission. Any other use, including copying or disseminating any

portion of this Presentation for profit or otherwise, is strictly prohibited. This Presentation does not

constitute legal advice. Please consult the

Legal Action Center for further information, or for answers to questions raised by this Presentation.

8

PART I:

INTRODUCTION

9

What is HIPAA?

Health

Insurance

Portability

Accountability

Act of 1996

10

HIPAA GENERALLY . . .

Establishes a federal floor of safeguards to protect the privacy of medical records and other Personal Health Information (PHI) by restricting use & disclosure.

Applies to PHI transmitted in electronic, written or oral form.

Allows individuals access to medical records & to have more control on how it is used.

11

Who must comply with HIPAA’s privacy standards?Health Care Clearinghouses, Health Plans, and Health Care Providers…That process claims, payment and remittance, coordination of benefits, claims status, or enrollment and disenrollment in a health plan…And transmit covered transactions in electronic form…

MUST comply with HIPAA’s privacy standards.

12

What is 42 C.F.R. Part 2?

It’s the set of federal regulations governing “confidentiality of alcohol and drug abuse patient records.” It implements the federal law on this topic.

Drug and alcohol treatment and prevention providers have been covered by these regulations and law for 30 years.

13

BUT Wait….

If I am a drug or alcohol program and have to follow 42.C.F.R. Part 2’s privacy standards, do I have to follow HIPAA? How can I do both, especially when they say different things?

14

YES

Treatment providers and programs must follow both 42 C.F.R. Part 2 and HIPAA.

The challenge comes when the two laws conflict.

15

Which providers must comply with 42 C.F.R. Part 2?

Providers must meet the definition of “program” and be “federally assisted.”

“Program” includes any person or organization that, in whole or in part, provides alcohol or drug abuse diagnosis, treatment or referral for treatment or prevention.

16

Which providers must comply with 42 C.F.R. Part 2 (cont.) A program is “federally assisted” if it:

receives federal funds in any form is assisted by the IRS through a grant of tax exempt

status is authorized to conduct business by the federal

government (e.g. licensed to provide methadone; certified as a Medicare provider)

is conducted directly by the federal government or by a state or local government that receives federal funds.

17

42 C.F.R. Part 2 and HIPAA: The General Privacy Rule

DISCLOSURE OR USE OF RECORDS OR OTHER PATIENT-RELATED INFORMATION IS PROHIBITED

18

The General Privacy Rule (cont.)

Does not matter whether or not the person/entity seeking the information:

already has it, has other ways to get it, has some kind of official status, has obtained a subpoena or warrant, or is authorized by state law.

19

InternalCommunications

No patient identifying information

Permitted Disclosures

Proper Consent

Qualified Service Organization Agreement

Medical Emergency

Research/ Audit

Court Order

Reporting suspected child abuse and neglect

Crime on program premises or against program personnel

42 C.F.R. Part 2 Exceptions to General Rule

20

DAODAS Advice

Clear the release with immediate supervisor

Make sure the request for release is proper, complete, and signed

Make sure the intended recipient gets it

Make sure you have re-disclosure authority

21

HIPAA vs. 42 C.F.R. Part 2We’ll discuss . . .

Which exceptions to the basic 42 C.F.R. Part 2 rule do not change under HIPAA

Which exceptions do change under HIPAA

22

PART II:

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA

23

HIPAA vs. 42 C.F.R. Part 2 Which Exceptions Have Not Changed

a. Law Enforcement/Legal Proceedingsb. Crimes on Program Premises/Against Program

Personnelc. Medical Emergenciesd. Child Abuse Reportinge. Internal Communicationsf. Minorsg. Duty to Warnh. Audit and Evaluation

24

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).

(a) Law enforcement and legal proceedings: subpoenas, court orders,

criminal prosecutions, warrants

25

Subpoenas

You are served with a subpoena that directs you to appear in court with your entire file on a particular patient and testify about the records in the file.

You get a subpoena in the mail that directs you to turn over your entire file on a particular patient to an attorney.

Should you turn the records over and/or testify?

26

Subpoenas (cont.)

Answer:

27

Subpoenas (cont.)

So What Should I Do If I Receive a Subpoena?

28

Subpoenas (cont.)

Answer:

Do not simply ignore a subpoena. Contact your program’s attorney (if you have one) Contact the client to see if she will consent (in writing) to

your responding to the subpoena If subpoena is issued by an attorney, and your client does

not consent to your responding, contact the attorney to say that confidentiality laws do not permit you to respond – attorney has to get a proper court order

Contact Legal Action Center if your program has no attorney and you have questions

29

Subpoenas (cont.)

Scenario:A process server walks in the front door of

Richmond Hill Drug Treatment Program and serves Carlos, the office manager, with a subpoena. The subpoena calls for Sue, one of the counselors, to come to court tomorrow for a hearing to determine whether Richmond Hill’s records about a patient should be turned over to the court in the context of a divorce hearing. Sue knows the patient’s wife is trying to show that the patient isn’t fit to have custody of their two sons. She believes he is a good man and a better parent than the wife. Plus, tomorrow is her day off. What should Sue do?

30

Subpoenas (cont.)

Answer:

31

Subpoenas (cont.)

Again, it’s possible that the subpoena may simply compel attendance at hearing to determine whether a court order should issue to disclose confidential information.

All the more reason to read the document carefully and consult with an attorney.

32

Court Order 42 C.F.R. Part 2: a court may issue an order

authorizing disclosure of confidential records only after it follows certain procedures and makes particular determinations

Again, a subpoena alone is not sufficient to authorize/compel a program to disclose information (but again, it may be enough to compel attendance at a hearing about disclosure)

33

Who can seek a court order?

Your program

An attorney in a case involving the person whose records are sought (the attorney need not represent that person, and often does not)

34

Court Order: Requirements Before Order Can Be Issued In A Civil Case

Notice (to the program and to the person whose records are sought)

Opportunity to be heard (for the program

and the person whose records are sought)

Proceeding must be brought using fictitious name

35

Court Order: Requirements Before Order Can Be Issued In A Civil Case (cont.)

Confidential proceeding (courtroom is closed, or hearing held in the judge’s chambers)

Good cause: order should be issued only if court finds the public interest and need for disclosure outweigh adverse effect disclosure will have on patient and treatment services

36

Limits on Scope of Order Order must limit disclosure to information

essential to fulfill the purpose of the disclosure Must be restricted to those people who need the

information for that purpose Court should take steps to protect confidentiality,

e.g. sealing records from public view

37

Limits on Scope of Order (cont.)

Court may not authorize disclosure of “confidential communications” by a patient to a program unless the disclosure is: Necessary to protect against threat to life or of

serious bodily injury Necessary to investigate or prosecute an extremely

serious crime In connection with proceeding where patient

presented evidence about the confidential communication

38

Criminal Investigations or Prosecutions: Court Orders to Disclose Confidential Information

An agency seeking a court order for purpose of investigating or prosecuting a

patient for a crime must meet 5 stringent criteria

39

Criminal Investigations or Prosecutions (cont.)

First,

The crime involved must be extremely serious, such as an act causing or threatening to cause death or serious injury.

40

Criminal Investigations or Prosecutions (cont.)

Second,

The records sought must be likely to contain information of significance to the investigation or prosecution.

41

Criminal Investigations or Prosecutions (cont.)

Third,

There must be no other practical way to get the information.

42

Criminal Investigations or Prosecutions (cont.)

Fourth,

The public interest in disclosure must outweigh harm to patient and the provision of treatment.

43

Criminal Investigations or Prosecutions (cont.)

Fifth,

When law enforcement seeks an order, the program must have the opportunity to be represented by counsel.

44

Search and Arrest WarrantsVery difficult situation for programsProgram cannot just agree to give

officer what he/she wants without consent or a valid court order

45

Search and Arrest Warrants: What to Do?

Program should take the following steps:

Produce copy of 42 C.F.R. Part 2 and explain that program cannot cooperate without an appropriate court order.

Try to contact a lawyer to help resolve the situation.

46

Search and Arrest Warrants: What to Do (cont.)

Ask to contact the prosecuting attorney or commanding officer. Stress that illegally seized records will not be admissible in court.

If an officer insists on entry, DO NOT forcibly resist.

47

Final Note About Arrest Warrants

If a patient committed or threatened to commit a crime on the program premises, the program may produce the individual, as 42 C.F.R. Part 2 has a special exemption for crimes on program premises or against personnel.

48

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).

(b) Crimes on Premises or Against Personnel

49

Crimes on Premises or Against Personnel (cont.)

Definition

When a patient . . .Commits or threatens to commit a crimeOn program premises orAgainst program personnel

50

Crimes on Premises or Against Personnel (cont.)

A patient punches another patient.

A patient grabs a counselor’s wallet.

Program wants to call the police and report.

May the program do that?

51

Crimes on Premises or Against Personnel (cont.)

Answer:

52

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).

(c) Medical Emergencies

53

Medical Emergency – Definition Immediate threat To any individual’s health Requires immediate medical intervention

54

Medical Emergency (cont.)

Josh, a resident of a Pine Tree Drug Rehab Services, has a heart attack in the day room.

May the program call 911 and tell the dispatcher the location (Pine Tree Drug Rehab Services)?

55

Medical Emergency (cont.)

Answer:

56

Medical Emergency (cont.)

Best Practice:

Have all incoming patients/clients sign a form indicating who should be contacted in case of emergency and authorizing release of information about the emergency and their whereabouts.

57

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).

(d) Child Abuse and Neglect

58

Child Abuse and Neglect

HIPAA and 42 C.F.R. Part 2 permit providers to comply comply with state mandates for: Initial report Written confirmation

59

Child Abuse and Neglect (cont).

What if a program receives a subpoena to produce additional information or records after the initial report is made? Can it turn over the documents?

60

Child Abuse and Neglect (cont.)

Answer:

61

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).

(e) Internal Communications

62

Internal Communications

Information may be disclosed to staff: within a program

- or - To an entity with administrative

control If the recipient needs information to

provide alcohol or drug services

63

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).

(f) Minors

64

Minors

Both HIPAA and 42 C.F.R. Part 2 leave the issue of who is a minor, and whether a minor can obtain health care or alcohol or drug treatment without parental consent entirely to state laws.

65

Minors (cont.)

Scenario:

Mike, who is 16 years old, was just admitted to a residential treatment program because of a marijuana problem. Fred, his boy scout leader, calls and asks how he is doing. Mike’s mother has signed a form permitting you to talk with Fred. Mike does not want you to do that. You know Fred from church and know he is a good man. Can you talk to Fred without Mike’s permission?

66

Minors (cont.)

Answer:

67

Minors (cont.)

Programs must always obtain the minor’s consent for disclosures and cannot rely on the parent’s signature instead.

If parental consent was not required to treat the minor, then parental consent is not required to make disclosures.

If parental consent for treatment is required, the consent of both the minor patient and the parent or guardian is required.

68

Minors (cont.)

Scenario:

Missy, who is 16 years old, was doing well in her alcohol treatment program, but has just relapsed. She is drinking so much that she is passing out.

Can the program tell her mother?

69

Minors (cont.)

Answer:

70

Minors (cont.)

Answer:

71

Minors (cont.)

The program believes Missy’s mom really should know about the situation with her daughter. Can’t it do anything?

72

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).

(g) Duty to Warn

73

Duty to Warn Tarasoff v. Regents of the University of California:

where therapist determines that patient presents serious danger of violence to another, has duty to notify the victim, the police, or take other reasonable steps to protect the victim.

HIPAA permits health care providers to disclose information to prevent or lessen a serious or imminent threat to someone’s health or safety.

42 C.F.R. Part 2 restricts the communications the program or its personnel may make to a law enforcement agency or a court or anyone else.

74

Duty to Warn (cont.)

Is there a duty to warn in South Carolina?

Yes, a common law duty exists.“ When the defendant stands in some special

relationship to the person whose conduct needs to be controlled, a duty of care may be imposed upon the defendant to protect threatened third parties from harm.”

75

How Do I Warn?

Ways to make reports: By obtaining a court order Via anonymous and other non-patient

identifying reporting. Cell phone call is notnot anonymous!

76

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).

(h) Audit and Evaluation

77

Audit and Evaluation

Under both HIPAA and 42 C. F.R. Part 2, government agencies that fund or regulate a program, private agencies that provide financial assistance, or third party payments to a program, and peer review organizations that review utilization or quality control

. . . may have access to program records without patient consent in order to conduct an audit or evaluation.

78

Audit and Evaluation (cont.)

Redisclosure of Patient Information:

Program must require that auditor agree in writing that it will only redisclose informationa. back to the program itselfb. pursuant to a court order to investigate or

prosecute the program (not a patient), orc. to a government agency overseeing a Medicaid or Medicare audit or evaluation

79

Audit and Evaluation (cont.)

Scenario:Bay State Medicaid program audits Charles River Alcohol Treatment Center on an annual basis to make sure it is complying with Medicaid laws. Bay State Medicaid suspects that Steve, a resident, may not actually qualify for Medicaid because he is working two jobs. After it completes an audit, Bay State asks Charles River for Steve’s file to check whether there is any information about his income in the file. Can Charles River turn over the file?

80

Audit and Evaluation (cont.)

Answer:

81

PART III:

42 C.F.R. Part 2: Exceptions to General Privacy Rule That HaveHave Changed with HIPAA

82

42 C.F.R. Part 2: Exceptions to General Privacy

Rule That Have Changed with HIPAA

1. Consent

2. Qualified Service Organization Agreements

3. No Patient-Identifying Information

4. Notice

5. Research

6. New Patient Rights

7. New Administrative Requirements

83

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)

1. Consent

84

Consent

While there are situations in which HIPAA allows disclosure without consent, most are prohibited under 42 C.F.R. Part 2unless written consent is obtained.

HIPAA adds certain requirements to content and use of consent form.

85

Consent: What stays the same?

Specific Consent Drafted as narrowly as possible, who will use or

disclose the PHI, for how long & for what purpose

Redisclosure Written notice of prohibition on redisclosure

86

Consent: What stays the same (cont.)

RevocationOral revocation is still valid.

Although HIPAA requires written revocation, HSS has stated that oral revocations must be honored.

87

Consent: What Changes?

Consent Elementsconsent forms MUST contain all

elements required by 42 C.F.R. Part 2 plus an additional element required by HIPAA (see next slide).

88

42 C.F.R. Part 2 requirements:1.Name of Program2.Name of Recipient3.Name of Patient4.Purpose/Need5.Extent/Nature6.Revocation Statement7.Expiration (date or event)8.Signature of Patient9.Date10. Program’s ability to condition

treatment, payment, enrollment or eligibility on the patient’s agreeing to sign the consent

HIPAA HIPAA RequirementRequirement::Written Notice Written Notice

of of Prohibition on Prohibition on RedisclosureRedisclosure

Consent: 10 Elements Required on Form

&

89

Consent/Authorization – general matters

Consent/Authorization must explain the purpose and description of the information for disclosure.

Must be limited to minimum necessary information and time period (or event or condition) required.

90

Consent/Authorization: general matters (cont.)

Scenario:

Celine has signed a consent form authorizing John Jay Drug Treatment Program to turn over all her records to Nassau Community College Health Center. John Jay’s file has records that came from Staten Island Medical Associates. Can/should John Jay turn over the Staten Island records to Nassau Community College?

91

Consent/Authorization: general matters (cont.)

Answer:

92

Consent/Authorization: general matters (cont.)

Consent/Authorization does not FORCE a program to make a disclosure . . .

. . . unless a subpoena or court order requires it

93

Consent/Authorization: general matters (cont.)

Consent/Authorization that is expired, deficient or known to be revoked, false or invalid must be REFUSED.

94

Criminal Justice System Referrals

42 C.F.R. Part 2 has special rules when person’s participation in a treatment program is an official condition of the disposition of the criminal case.

The special rules concerning criminal justice system (CJS) referrals apply only to individuals involved in the criminal justice system.

95

Criminal Justice System Referrals (cont.)

Best Practice:

A program should routinely ask for a court order for every patient mandated into the

program by the criminal justice system.

96

Criminal Justice System Referrals (cont.)

Best Practice:

Have judge or referring agency require that proper CJS consent form be signed before an individual is referred to treatment.

97

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)

2. QSO/BA Agreements

98

QSO/BA Agreements

Business Associate [BA] (HIPAA)

Qualified Service Organization [QSO] (42 C.F.R. Part 2)

=

99

QSO/BA Agreements (cont.)

What is a QSO/BA agreement?

100

QSO/BA Agreements (cont.)

Answer:

A written agreement that allows programs to disclose information without the patient’s consent to an outside organization that provides services to the program or to the program’s patients.

101

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)

(3) No Patient-Identifying Information

102

No Patient-Identifying Information

Both HIPAA and 42 C.F.R. Part 2 permit programs to communicate information that is not “patient-identifying.” Each has a different definition of what that term means, though.

42 C.F.R. Part 2 definition of the term includes:-- name-- address-- Social Security number-- other information from which patient’s identity can be determined either directly or by reference to other public information.

103

No Patient-Identifying Information (cont.)

HIPAA definition is broader. It includes all categories set forth in 42 C.F.R. Part 2 and more, including:

-- birth date

-- admission date

-- discharge date

-- telephone or fax number

-- e-mail address

-- medical record identifier number

-- fingerprints

-- photographs.

104

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)

(4) Privacy Notice

105

Privacy Notice 42 C.F.R. Part 2 and HIPAA require

programs to provide patients with a Privacy Notice. HIPAA also requires that programs: Give patients written summary of the law at first

delivery of service. Get written acknowledgment that patient received

notice and maintain copy. Post notice in clear and prominent location.

106

Privacy Notice (cont.)

Scenario:

Fulton Drug Treatment Services contracts with the Fulton County Jail to provide treatment to inmates. Must the program provide privacy notices to inmates?

107

Privacy Notice (cont.)

Answer:

108

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)

(5) Research

109

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)

(6) New Rights for Patients

110

HIPAA:New Rights For Patients

HIPAA Provides Patients with the Right to:

Access Records Request an Amendment Receive an Accounting Request Restrictions Receive Confidential Communications

111

Patient’s Right to Access Records (cont.)

Scenario:

JoAnne is moving to Chicago and asks for copies of all her records on file with Delta Alcohol Treatment Program. The records include notes taken by a psychologist that include opinions about JoAnne’s mental state, including the opinion that she suffers from an exaggerated sense of her own importance and has a martyr complex. Must Delta turn over these notes to JoAnne along with the rest of the records?

112

Patient’s Right to Access Records (cont.)

Answer:

113

42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)

(7) New Administrative Requirements

114

COSIG Confidentiality Training

Questions?

115

SCDMH Records/Info (44-22-100)

Section 44-22-100 of the S.C. Code protects the confidentiality of a SCDMH patient/former patient or “individual whose commitment has been sought” (e.g. emergency admission/judicial commitment papers.)

Usually, HIPAA (psychiatric) and 42 CFR Part 2 (A&D e.g. Morris Village) are more restrictive than 44-22-100.

Non-A&D: while HIPAA allows release by subpoena, 44-22-100 limits such release to law enforcement, another agency or when furthering the patient/family’s welfare.