Embed Size (px)
Citation preview
Honberg on HIPAA
The Myths of HIPAAUnderstanding the Rules and
Guidelines
Presentation by Ron Honberg
National Director, Policy and Legal Affairs, NAMI
Family to Family Institute, NAMI Convention
June 18, 2005
Honberg on HIPAA
Can Privacy and Quality Health Care be Reconciled?
“Civilization is the progress towards a society of privacy.”
Ayn Rand, The Fountainhead (1943)
Honberg on HIPAA
Major NAMI Concerns About Medical Privacy
• Protecting sensitive information about mental health treatment
• Affording consumers control over own medical information
• Providing families/caregivers with access to essential information.
• Increasing efficiencies in communicating vital medical information
Honberg on HIPAA
History• 1996 - Health Insurance Portability and
Accountability Act (HIPAA) enacted• “Administrative Simplification” Provisions
– Congress directed to enact legislation establishing standards for the electronic exchange, privacy and security of health information.
– If Congress unable to do so within 3 years, responsibility shifted to Secretary of HHS
Honberg on HIPAA
History, continued• Three year deadline for Congressional action expires
• Nov. 3, 1999 - HHS Secretary Shalala issues proposed rule
• 52,000 comments submitted from various stakeholders (including NAMI)
• 12/28/2000 - Final rule published
• 2/2001 - Moratorium placed on final rule
• 8/14/2002 - Modified final rule published
Honberg on HIPAA
Who is Covered by HIPAA?• Public and private health plans (private insurance,
Medicaid and Medicare, VA, etc.)• Health providers who transmit records
electronically– Paper records not applicable, unless provider
transmits some records electronically.• Health care clearinghouses, e.g. billing services,
community health management information systems, etc.
Honberg on HIPAA
What Information is Protected?• Information that concerns an individual’s past,
present or future physical or mental health, health care treatment, or payment for the provision of healthcare.
• Information that identifies the individual or can reasonably be used to identify the individual (e.g. date of birth, SSN).
• If common identifiers removed (“de-identified”), covered entity has no way of recovering that information, HIPAA does not apply.
Honberg on HIPAA
Scenario I• Dr. Freud, a psychiatrist from Tulsa, contacts Dr. Kildare,
a family doctor in Oklahoma City. Dr. F. has begun treating Sally, a woman with schizophrenia, who is a long time patient of Dr. K. Dr. F. requests information from Dr. K. about her medical history, current medications, and her capacity for adhering to a medication regimen.
However, he does not include a signed consent form with this request. Should Dr. K. provide Dr. F. with the requested information?
Honberg on HIPAA
Signed Consent is Optional• PHI may be disclosed without signed authorization
for:
– Treatment
– Payment
– Health care operations (e.g. administration, credentialing, quality assurance, medical audits, etc.).
• However, providers have the option of obtaining consent.
Honberg on HIPAA
Notice of Privacy Practices Required• Provided one time, generally at beginning of health care
relationship.• Must include:
– Description of potential disclosures– Posted in “clear and prominent” places– Electronically available on website
• Differs from authorization (consent), which is required each time PHI is released.
• Reasonable effort to obtain patient’s signature required .– However, cannot condition provision of treatment on
signature.
Honberg on HIPAA
Psychotherapy Notes Exception
• Disclosure of psychotherapy notes requires specific consent.
• Psychotherapy notes are notes separated from the rest of the medical record pertaining to the details of therapy/counseling sessions.
• Psychotherapy notes do not include information about medications, clinical test results, and summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.
Honberg on HIPAA
Some Disclosures Require Signed Authorizations
• Psychotherapy notes• Disclosures to an employer of the results of a pre-
employment medical exam.• Disclosures to a life insurer or another insurer (with the
exception of a submission for payment for a specific medical service).
• Marketing products or services– Exceptions: communications by health plans or
providers with individuals already receiving services (health information, alternative therapies, etc.)
Honberg on HIPAA
Relationship of HIPAA to State Laws
• In general, if laws are incompatible, HIPAA preempts state law.
• But, exception to general rule of preemption may apply if the state law provides greater privacy protections than the HIPAA rule.
• HHS makes determination, in response to a request from State or other entity or person.
• Fed HIPAA rule is a “floor”, not a “ceiling”.
Honberg on HIPAA
Pa. Stat. Ann. Title 50, Sec. 7111 • Documents concerning inpatient treatment,
involuntary outpatient treatment, are confidential.• Cannot be disclosed without written consent,
except disclosure permitted::– to treatment providers;– county administrator– court in course of legal proceedings for
involuntary treatment or evaluation; • Copy of all pertinent records must accompany
patient when transferred from one facility to another. (Title 50, Sect. 4602).
Honberg on HIPAA
Scenario II
• Charlie Jones, who has a long history of bipolar disorder, was hospitalized in Denver 10 days ago after a suicide attempt. Charlie is being discharged to move in with his brother, Brian, who lives in Colorado Springs. While Brian knows about his brother’s history of bipolar disorder, he is not aware that his brother recently attempted suicide. The psychiatrist who has treated him at the hospital feels that he is ready for discharge, but knows that he is still struggling with symptoms. Should the psychiatrist inform Brian about the suicide attempt and the need for follow-up care and monitoring?
Honberg on HIPAA
Communications with Caregivers• A covered entity may rely on an individual’s informal
permission to disclose information to family or friends who function as caregivers.
• Hospital similarly may inform family/friends that person is there, general condition, etc.
• Person must be informed, have opportunity to agree or object.
• Several states, e.g. Vermont, Maine, and Ohio, have enacted legislation specifically permitting disclosures to family members and caregivers.
Honberg on HIPAA
Lack of Capacity to Consent (Formally or Informally)
• If emergency exists and/or person lacks capacity to agree or object, a provider may disclose health information to caregivers if it is in the individual’s best interests based on the professional judgement of the provider.
• HIPAA rule states that designated surrogate should be vested with authority to make decisions in cases of incapacity. Rule is not clear whether a formal determination of incapacity is necessary.
Honberg on HIPAA
Honberg on HIPAA
Scenario III• John, who has a history of schizophrenia, has been arrested
in Nashville and is being held on trespassing charges. He calls his mother in California, a clinical psychologist, and tells her where he is. Concerned that he is a suicide risk (he has a history of suicide attempts), she calls the jail and tries to inform them about her son’s mental illness and potential suicidality. The chief medical officer at the jail refuses to talk to her, citing privacy concerns. John subsequently hangs himself. Under HIPAA, was it permissible for the medical officer to speak with his mother?
Honberg on HIPAA
Communicating Information to Providers
• Covered entities (including treatment providers) are not precluded under HIPAA from accepting information from families or others knowledgeable about the individual and his/her treatment needs.
• Unless the individual objects, the jail in this case would also not be precluded from responding to the mother’s questions.
Honberg on HIPAA
Law Enforcement and Criminal Justice • Rule permits (does not require) disclosure to law
enforcement in certain cases, including:
– Required by law (e.g. court order or subpoena)
– to identify or locate a suspect, fugitive, missing person, etc.
– to provide information about a crime victim
– to inform law enforcement of a person’s death
– When a covered entity believes that PHI is evidence of a crime
Honberg on HIPAA
Judicial and Administrative Proceedings• Covered entities may disclose when request is pursuant to a
court order or from an administrative tribunal.• Jaffee v. Redmond, 518 U.S. 1 (1996). - Supreme Court
recognized psychotherapist-patient privilege. – “Effective psychotherapy depends upon an atmosphere of
confidence and trust.”• Absent compelling evidence of the evidentiary value of
disclosure, the privilege will be protected.• Court explicitly states that privilege applies to psychiatrists,
psychologists and social workers.
Honberg on HIPAA
Scenario IV• Mary has received services from a Community Mental
Health Center in Denver intermittently over the years. Recently, she graduated from law school and is now applying for admission to the Colorado Bar. The Bar application includes a question inquiring about hospitalizations for treatment of serious mental illnesses during the past five years. Applicants who answer affirmatively must provide further documentation from a psychiatrist or psychologist establishing that they are capable of practicing law.
Honberg on HIPAA
Scenario IV, cont.
• Mary is concerned that her psychiatric records at the CMHC are inaccurate and that the Center may therefore provide information that could harm her chances to be admitted to the Bar. She contacts the CMHC and requests that she be permitted to inspect her records. Is the CMHC obligated to let her do so?
Honberg on HIPAA
Access to One’s Own Records• Individuals generally have the right under HIPAA to
review and obtain a copy of their own records.
– Psychotherapy notes may be excepted, if maintained as a separate part of the record.
• Individuals may be denied access if the provider believes that access could be harmful.
– But, provider must provide justification, and the individual who has requested the information can seek independent review.
Honberg on HIPAA
Amending One’s Records• Under HIPAA, individuals also have the right to request
amendments to their records to correct inaccuracies.
• If a request is accepted, the covered entity must make “reasonable” efforts to provide the amended version requested by the individual.
• If a request is denied, the covered entity must provide a written explanation and the individual must be allowed to insert a statement of disagreement into the record.
Honberg on HIPAA
Scenario V
• Rick is employed by the ACME Accounting Firm. Last year, following the death of his mother, he experienced a bout with severe depression and sought help from the Employee Assistance Program offered by his employer. He was subsequently referred to a psychologist for counseling and prescribed anti-depressant medications. His treatment was covered under ACME’s self-insured health plan. Now, Rick is concerned that his employer may have access to information about his depression and drinking. Is he protected by HIPAA?
Honberg on HIPAA
Disclosures to Employers
• In general, medical information may not be disclosed to employers, with the following exceptions:
– In cases involving work related illnesses or injuries (workers compensation cases).
– To comply with employer duties under OSHA or similar State laws.
• Covered entities that make such disclosures must notify employee in writing.
Honberg on HIPAA
Disclosures to Employers, cont.• Generally, employers are not “covered entities” and
therefore are not subject to the requirements of the rule.– Exception - Records maintained by an employer in
its capacity as a health care provider are covered (e.g. a hospital).
• ADA requires employers to protect medical information, e.g. results of medical exams should be kept confidential and in separate medical files.
Honberg on HIPAA
More Information!
Honberg on HIPAA
“Business Associates”• Person or organization that carries out activities on
behalf of a covered entity and has access to PHI. (Can include auditor, attorney, management consultant, etc.).
• Does not include entities who collaborate in providing treatment.
• Provider who knows of breach of privacy by business associate required to take reasonable steps to “cure” the breach.– If unsuccessful, must report breach to the HHS
Secretary.
Honberg on HIPAA
Administrative Requirements• Covered entities must develop and implement written
privacy policies and procedures.• Covered entities must designate a privacy official
“responsible for developing and implementing its privacy policies and procedures, and a person or office responsible for providing information and handling complaints.”
• Covered entities must train its workforce on privacy policies and procedures.
Honberg on HIPAA
HIPAA and Research
• PHI may be disclosed under three circumstances:
– If information is not PHI. (Rule identifies 18 elements that must be removed from information disclosed).
– If person signs a valid authorization form.
– When authorization requirement is waived by an IRB or a “Privacy Board.”
Honberg on HIPAA
Enforcement and Remedies
• Civil penalty of $100 per willful violation, with total not to exceed $25,000 per year.
• Criminal penalties, including fine and imprisonment, for person who knowingly obtains and discloses PHI.
• Criminal sanctions enforced by the U.S. Department of Justice.
Honberg on HIPAA
• Read notice of privacy practices carefully. – Rule requires covered entities to provide clear and
comprehensive information about privacy practices.• Ask questions. Make sure you understand who will share
information.• Recognize that sharing information can be positive,
particularly in the treatment context.• Do not accept a simple “no” answer to requests to see
medical records.
Recommendations for Consumers and Family Members
Honberg on HIPAA
Recommendations for Providers• Read rule carefully (or ask attorney to prepare a
summary).
• Learn your state’s medical privacy rules and how they interface with the federal rules.
• Take common sense steps to protect privacy, e.g. make sure that staff is not careless with records.
• Appoint a privacy officer (rule requires).
• Review relationships with “business partners” and make sure that they are apprised about privacy rules.
Honberg on HIPAA
Questions and Comments
“I wish I had an answer to that, because I’m tired of answering that question.”
Yogi Berra
