Page 1

Presented to Behavioral Health Board on 2/8/16

HIPAA, Privacy, Confidentiality, Reasonable Safeguards of Information & 42 CFR Part 2

Mary Harnish, MFT, Compliance & Privacy Manager, Mental Health Services
[email protected]
(408) 885-5784

Patrick Garcia, MSW, MPA, Administration Division Director, Behavioral Health Services Dept.
[email protected]
(408) 793-1809

Dr. Noel M. Panlilio, Compliance Officer, Substance Use Treatment Services
[email protected]
(408) 755-7850

Page 2

Multiple overlapping privacy regulations

• Regulations change over time, and Federal, State, and Local regulations may overlap. Current laws include:
  • HIPAA
  • WIC Sections 5328, 5150-5344
  • 42 C.F.R.

Whenever there are multiple standards to apply, ALWAYS follow the more restrictive standard.

Page 3

What is HIPAA?

• The Health Insurance Portability and Accountability Act is a Federal Law that:
  • Protects the Privacy of patient information
  • Provides for electronic and physical security of protected health information (PHI)
  • Requires “minimum necessary use and disclosure”
  • Specifies patient rights to approve or deny the access and use of their medical information.

Page 4

What Qualifies As PHI?

• PHI can be any verbal, written, recorded, or electronic information that identifies or can be used to identify a patient, such as:
  • Name
  • Address
  • Social Security or Driver’s License number
  • Physical characteristics
  • Diagnosis
  • Date of Service
  • Type of Treatment
  • Etc.

Anything that can be used to identify the individual is PHI and must be kept confidential!

Page 5

What is ePHI?

• ePHI is protected health information that is created, received, stored, or transmitted electronically.
• Any PHI, when stored electronically, becomes ePHI.
• ePHI includes information on laptops, memory sticks, smart phones, PDAs, email, and other electronic storage devices.

Page 6

WHY DOES THIS MATTER TO YOU?

Page 7

BECAUSE YOU ALREADY AGREED TO DO IT!

• As part of being hired, you were provided with the Compliance Plan Policy (#412-101)
• The end of the policy includes the BHSD code of conduct.
• On the day you were hired you read and signed it, agreeing to abide by HIPAA and other requirements.
• Policies require sanctions for staff who do not comply
• And if that’s not enough…
  • You may face fines of up to $25,000 per violation, misdemeanor charges, potential legal action by the patient, formal notification to licensing boards, and disciplinary action from your employer.
• SEE PRIVACY DO’s and DON’Ts HANDOUT

Page 8

How Does HIPAA Work?

HIPAA regulations protect Protected Health Information in 4 ways:

• Security Standards (Physical, Technical, and Administrative safeguards for electronic patient information)
• Privacy Standards (Protection of individual health information, and patients’ rights)
• Transactions Standards (electronic billing claims management)
• National Provider Identifier Standards (a unique identifier for healthcare providers)

Page 9

WHO CAN WE DISCLOSE PHI TO?

Page 10

Minimum Necessary Access

• A minimum necessary amount of PHI is accessible to persons needing to know based on:
  • Job Function
  • Behavioral Practices
  • Control Access
• You may assume minimum necessary information is being requested when it is:
  • A request for PHI from another health care provider or health plan
  • The request from a business associate or public official AND the request states that it is the minimum necessary

Page 11

Minimum Necessary does not apply to:

• Disclosure to a Provider for treatment of a mutual patient.
• Use or disclosures to a patient’s personal representative.
• Disclosures to the Department of Health & Human Services.
• Use in preparation for, and for, disclosures required by law.

Page 12

Permitted Use and Disclosure Without Consent

• Under HIPAA, you may use or disclose PHI without patient authorization or consent to:
  • The individual patient
  • For Treatment, payment, or health care operations (TPO)
• HIPAA allows disclosure of PHI with conditions for:
  • Incidental Occurrences
  • Public Good disclosure

Page 13

Disclosure Without Consent – Incidental Disclosures

• HIPAA permits incidental disclosures if we first:
  • Disclose only the minimum amount of PHI necessary to accomplish the purpose of the disclosure
  • Take reasonable measures to safeguard PHI.
• Examples of incidental disclosures include:
  • Seeing PHI while conducting IS maintenance
  • Overhearing telephone conversations

Page 14

Disclosure Without Consent – Public Good

• Disclosures that do not require consent include:
  • Reporting professional misconduct to a licensing agency
  • Disclosures to Federal, Medicare, CDC, or other entities as required
  • Public Health Activities such as communicable diseases
  • Disclosures required by law (e.g., subpoena)
  • Reporting victims of abuse, neglect, or domestic violence
  • Health oversight activities
  • Judicial and Administrative proceedings
  • Research purposes
  • To avert a serious threat to health or safety (e.g., Tarasoff)
  • Law enforcement

Page 15

Permitted Use and Disclosure with Consent

• Patient Authorization / Consent are Required for:
  • Access, use, or disclosures to certain permitted persons or entities for non-TPO activities
  • Disclosures to a third party specified by the patient

Page 16

The HIPAA Privacy Rule – Areas Requiring Protection

• Several functions occur in any healthcare facility where reasonable Administrative, Technical, and Physical safeguards must be practiced, including:
  • Workplace Conversations
  • Workstation Activities
  • Disposal and Recycling
  • Emailing
  • Faxing
  • Computer and Equipment use
  • Password protections

Page 17

Patients’ Rights

• Under HIPAA, patients have the following rights:
  • Right to access their record within a reasonable period of time. This includes the right to a copy of the file (P&P 412-313)
  • Right to a Notice of Privacy Practices (P&P 244)
  • Right to request a modification of the record, or to insert a statement disputing the record if the Program refuses the request (P&P 212)
  • Right to confidential communication (P&P 244)
  • Right to request restriction of disclosures (P&P 244)
  • Right to an accounting of disclosures of client PHI (P&P 245)
  • Right to complain about violations of privacy/confidentiality (P&P 412-310)

Page 18

Patients’ Rights – Access to Records

• Procedure
  • The client fills out a form requesting access
  • Staff take the completed form to the program manager
  • The manager communicates the decision to allow or deny access in a timely manner
  • Copies of the request and program response are forwarded to the Custodian of Records
  • Arrangements are made for the client to have access to her/his record, which may include making a copy of the record

Page 19

Patients’ Rights – Notice of Privacy Practice

• A Notice of Privacy Practice must be provided to all clients upon intake and/or admission, describing:
  • How we will use and disclose client PHI
  • What rights the client has with respect to their PHI
  • Where and how the client may access their PHI
  • Where and how they can file a complaint if they feel their rights have been violated

Page 20

Complaint Process

• Clients have a right to file a complaint if they feel their PHI is inappropriately used or disclosed.
• Any client wishing to file a HIPAA/Privacy complaint may be referred to the Mental Health Services Compliance and Privacy Manager, Mary Harnish, at (408) 885-5784
• They may also complain to the Office for Civil Rights at [email protected]

Page 21

Overview: 42 CFR Part 2

• What is 42 C.F.R. Part 2?
  • Regulations implementing Federal drug and alcohol confidentiality law (42 U.S.C. § 290dd-2)

Page 22

Overview: 42 CFR Part 2

• Generally,
  • Disclosure of information that identifies a patient (directly or indirectly) as having a current or past drug or alcohol problem (or participating in a drug/alcohol program) is generally prohibited
• Unless
  • Patient consents in writing, or
  • Another exception applies

Page 23

Overview: 42 CFR Part 2

• What is 42 C.F.R. Part 2?
  • Federal law
  • Governs confidentiality of alcohol and drug treatment and prevention information
  • Regulations implement statutes enacted in the 1970s
• Purpose of law:
  • Privacy protections encourage people to seek treatment (stigma)

Page 24

Overview: 42 CFR Part 2

• Generally,
  • The prohibition on disclosure holds even if the person seeking the information:
    • Already has it
    • Has other ways to get it
    • Has some kind of official status
    • Has obtained a subpoena or warrant
    • Is authorized by State law

Page 25

Overview: 42 CFR Part 2

• Who is covered?
  • Drug/alcohol treatment and prevention “programs” that are Federally assisted must follow 42 C.F.R. Part 2

Page 26

Overview: HIPAA and 42 CFR Part 2

HIPAA: Health care provider, health plan, health care clearinghouse + Transmits health information electronically (covered transactions) = Covered by HIPAA

42 C.F.R. Part 2: Program + Federally assisted = Covered by 42 C.F.R. Part 2

Page 27

Overview: HIPAA and 42 CFR Part 2

• Who must comply with both?
  • The vast majority of alcohol/drug treatment programs are covered by both
• What happens if both apply?
  • General rule: Follow the law that gives patients more privacy protections
• How does State law fit in?
  • Same general rule: Follow the law that gives patients more privacy protections

Page 28

Overview: HIPAA and 42 CFR Part 2

PURPOSE: Disclosure of information for the purpose of payment
• HIPAA: No patient consent required
• 42 CFR: Patient consent required

PURPOSE: Medical treatment and/or emergency
• HIPAA: Permits disclosure without patient consent when providing treatment or its healthcare operations or for the treatment activities of another healthcare provider
• 42 CFR: Permits disclosure only to medical personnel who have a need for information for the purpose of treating a condition that poses an immediate threat to the health of any individual and that requires immediate medical intervention.

PURPOSE: Law Enforcement
• HIPAA: Permits disclosures without consent if officer has arrest or search warrant
• 42 CFR: Requires a Court Order, except if the purpose is related to a patient's commission of a crime on the premises of a program or against program personnel or to a threat to commit such a crime. Even then, only the information that is necessary to treat the emergency condition should be disclosed.

Page 29

Overview: 42 CFR Part 2 – Exceptions to Rule Prohibiting Disclosures

• Ten Exceptions
  1. Written consent
  2. Internal communications
  3. No patient-identifying information
  4. Medical emergency
  5. Court order
  6. Crime on program premises/against program personnel
  7. Research
  8. Audit/Evaluation
  9. Reporting child abuse/neglect
  10. Qualified service organization agreement

Page 30

Business Associate Agreement

• SCVHHS Departments Business Associate Agreement:
  • Agreement comprised of multiple County Departments:
    • Valley Medical Center and Clinics (VMC)
    • Mental Health Department (MHD)
    • Department of Alcohol and Drug Services (DADS)
    • Public Health Department (PHD)
    • Custody Health Services
    • Valley Health Plan (VHP)

Page 31

Business Associate Agreement

• SCVHHS Departments Business Associate Agreement: Why?

Health care reform is changing the landscape in which healthcare is delivered, organized, and paid for.

A key feature of the emerging environment is integration and coordination of care, including integration of primary and behavioral (addiction and mental) health care.

The adoption and use of health information technology is essential to achieving health reform goals.

Page 32

Business Associate Agreement

• SCVHHS Departments Business Associate Agreement:
  • BAA executed on 02/08/13
  • Protect privacy and provide security of PHI disclosure in compliance with:
    • HIPAA
    • HITECH Act
    • CA Welfare & Institutions Code
    • 42 CFR Part 2
    • Other Applicable Laws

Page 33

Business Associate Agreement

• SCVHHS Departments Business Associate Agreement:
  • Permitted Uses:
    • Integrated Care, Coordinating Mutual Referrals and services for patients of SCVHHS Departments
    • Administrative oversight, billing and compliance related activities
    • Analysis and evaluation of services provided
    • Entering data into and maintaining an integrated SCVHHS electronic health record

Page 34

Business Associate Agreement

• SCVHHS Departments Business Associate Agreement:
  • With the Health Link implementation date of May 4, 2013, SCVHHS staff are trained on:
    • HIPAA
    • Confidentiality – 42 CFR Part 2
    • CA Welfare and Institutions Code
  • Trainings are in the County’s E-Learning Modules

Page 35

QUESTIONS