John Petrila, J.D., LL.M.
Professor, University of South Florida
petrila@fmhi.usf.edu
November 13, 2006
TAPA Easy Access Net Teleconference
“Privacy” Foils Police
* Man assaulted wife, tried to burn down house
* Checked into hospital
* Police serve arrest warrant
* Hospital will not acknowledge suspect is a patient
* Hospital: “I don’t think we’re trying to be antagonistic toward law enforcement”
HIPAA Law Handcuffs Hospitals and Police
* “Area police agencies said the federal privacy laws have led to potentially dangerous people being released without their knowledge”
* Police “…agreed that hospital staff members are just following the new rules”
Fact or Myth?
* What does HIPAA really say?
* “…a covered entity may disclose protected health information in response to a law enforcement official’s request…for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person…”
* Section 164.512(f)(2)(i)
The ACLU
* Question: Can the police get my medical information without a warrant?
* Answer: “Yes”
The Power of Myth
* HIPAA is the most misunderstood law in the country
* It presents no barrier to cross-systems collaboration
* It has become a major barrier to cross-systems collaboration
The Big Myths
* Myth 1: HIPAA applies to everyone
* Myth 2: All disclosures require consent
* Myth 3: No one has access without consent
* Myth 4: HIPAA eliminates state laws on confidentiality
More Big Myths
* Myth 5: Even staff from the same agency cannot share information
* Myth 6: I should not write anything down, because my client will see it
* Myth 7: If I violate HIPAA I will be severely punished, perhaps even executed
* Myth 8: Cross-systems collaboration is a great idea, too bad HIPAA makes it impossible
Today’s Presentation
* What is covered?
* Who is covered?
* What exceptions exist?
* A note on the security regulations
Applicable Laws
* Health Insurance Portability and Accountability Act of 1996 (HIPAA)
* Federal regulations on substance abuse treatment (42 CFR)
* State statutes
* State court decisions
HIPAA
* Portability of insurance
* Privacy
* National standards for electronic security
* State law applies if more protective of privacy than HIPAA
What Is Covered?
Protected Health Information
* Any oral or recorded information relating to
* the past, present, or future physical or mental health of an individual;
* the provision of health care to the individual;
* or payment for health care
PHI Must Be “Individually Identifiable”
* a subset of “health information,” including demographic information
* (1) that is created or received by a covered entity
* (2) that relates to the person’s condition; treatment; or payment for care;
* (3) that identifies the individual, or might reasonably be used to identify the individual.
Exception for Psychotherapy Notes
* Notes in any medium documenting or analyzing the contents of a conversation during a private counseling session
* Requires specific patient authorization to disclose
* Payment cannot be denied for non-disclosure
42 CFR 2.11
* Records: Any information, whether recorded or not, relating to a patient that is received or acquired by the program
* Any information identifying a patient as an alcohol or drug abuser, obtained by the program for diagnosis, referral, or treatment
Who Does HIPAA Cover?
* Health plans
* Health care clearinghouses
* Health care providers who transmit health information in electronic form
Who Is Not Covered?
* The police
* Accrediting agencies
* The courts
* Jails
Police
* May have access
* To identify or locate a suspect, fugitive, witness, or missing person
* When crime committed on premises of a covered entity
* In medical emergencies in connection with a crime
* Police may also identify injured parties
Courts and Judicial Officers
* Courts are not covered entities
* Prosecuting attorneys and defense attorneys are not covered entities
* “Standing orders” are recommended
Jails/Correctional Facilities
* Jails are usually not covered entities
* Health care provider to the jail may be a covered entity
* Special rules exist regarding PHI and correctional facilities
Does HIPAA Require Consent for Standard Releases?
* Consent is not necessary for
* Treatment (including for after-care)
* Payment
* Health care operations
* 42 CFR permits intra-program exchange and disclosures to qualified service organizations
* 42 CFR requires written consent for most disclosures
* State law may be more protective than HIPAA
May An Individual Ever Object?
* Facility directories (no specific medical information maintained)
* Notification of family, relative, friend
* In event of emergency, or incapacity of person, best professional judgment rule applies (164.510)
Are Other Disclosures Permitted? (164.512)
* In general, HIPAA permits broad disclosure
* Principle of “minimum necessity”
* 42 CFR has a similar principle (information required to carry out the purpose of disclosure)
Permitted Disclosure: Public Health Activities
* Disclosure of PHI permitted to enable public health activities such as
* Disease prevention and control
* Child abuse or neglect (state law and federal substance use law also permit this)
* To investigate work-related injury (with notice to employee)
* 42 CFR permits disclosure of cause of death
Permitted Disclosure: Victims of abuse or neglect
* If reasonable belief that person is victim of abuse, neglect, or domestic violence
* Individual either agrees, or
* State law permits, and covered entity believes necessary to prevent serious harm to individual or others, or
* Person lacks capacity and law enforcement represents PHI required for “immediate enforcement activity”
Permitted Disclosure: Judicial/Administrative Proceedings
* PHI may be disclosed in response to
* Judicial order
* Subpoena without court order in some circumstances
* 42 CFR requires court order
* In general state law will require court order
Permitted Disclosure: Law Enforcement
* Court order/grand jury subpoena/administrative summons
* Information sought is relevant and material
* Request is specific and limited in scope
* De-identified information would not reasonably serve the purpose
* 42 CFR is more restrictive
Permitted Disclosure: Law Enforcement (cont)
* For identification and location
* Information about victims of a crime
* Individual agrees to disclosure or
* Individual lacks capacity and
* Law enforcement requests information necessary to determine whether the law has been violated (but not by the victim)
* Information won’t be used against the victim
* Covered entity determines that disclosure is in the victim’s best interest
* No comparable provision in 42 CFR
Permitted Disclosure: Threat to Health or Safety
* If necessary to prevent or lessen a serious threat to the health or safety of individual or public
* To a person able to prevent the threat, including the victim
* Or disclosure is necessary for law enforcement to apprehend the person
* Most state laws make disclosure discretionary
* To protect an identified potential victim
* No liability as long as good faith and no gross negligence
Permitted Disclosure: Court-Ordered Exams
* Courts are not covered entities
* Payment from the court is not a HIPAA transaction
* An “assessment” is “treatment” within HIPAA
* If the examiner is covered by HIPAA, the exam is covered by HIPAA (see hybrid entity exception)
* Courts can use standard language in order to compel disclosure
* State laws typically permit
Permitted Disclosures: Correctional Facilities
* PHI can be disclosed without consent to provide health care to the inmate, or for the health and safety of other inmates or correctional officials (HIPAA)
* If the person is released, e.g. on parole, then HIPAA rules apply
* No similar provision in 42 CFR
Individual Right of Access
* Key provision, designed for accuracy
* Must allow inspection or copy in form requested within 30 days of request (30 day extension permitted; 60 days if not on-site)
* HIPAA has appeals processes
May Deny Access
* Psychotherapy notes
* Information compiled in anticipation of legal proceeding
* Inmate request, if harm may occur
* Research-related information until end of research
* If a 3rd party (not a health care provider) gave information on promise of confidentiality
May Deny Access with Opportunity for Review
* If reasonably likely access would cause harm to the individual or others
* Requested information refers to a 3rd party who may be endangered
* Request is by a personal representative and disclosure would be reasonably likely to cause harm
Will I Go To Jail?
* Primary enforcement by the Office of Civil Rights of HHS
* No private cause of action
* Penalties
* Civil: $100 per violation / $25,000 per year
* Criminal: $50,000 and up to one year (false pretenses double the fine/up to five years)
* There is no bite here, and barely a bark
* 17,000 complaints
* No enforcement to date
* DOJ has ruled that only covered entities are criminally liable
Multi-System Tools
* Uniform consent form
* Business Associate Agreements
* Patient Safety Organizations
* Standard Judicial Orders
Uniform Consent Form
* Essential tool
* Individual consents to use within a treatment system
* All providers are on the form
* Other requirements may be met as well
Business Associate Agreements
* Used for those providing ancillary services to a covered entity
* 42 CFR permits qualified service organization agreements
Patient Safety Organization
* Permits DHHS Secretary to certify these organizations
* Designed to permit privileged exchange of information within the PSO
* Relevant information includes
* Efforts to improve patient safety and quality
* Collection and analysis of patient safety work product
* Development and dissemination of patient safety information, e.g. protocols, best practices, etc
* Use of such information to encourage “a culture of safety and of providing feedback and assistance to effectively minimize patient risk”
* Public Law 109-41, Section 921-925.
Standard Judicial Order
* Courts are not covered entities
* Courts may seek PHI
* Best solution is a standard order
The Security Regulation
An electronic system is “interconnected set[s] of information resources under the same direct management control that share common functionality. A system normally includes hardware, software, information, data, applications, communications and people.” (45 CFR 164.304)
Exemptions include
* Paper to paper faxes
* Voice mails
* Video conferencing
Requirements (164.308)
* Security management
* Assigned security responsibility
* Workforce security
* Information access management
* Security awareness and training
* Security incident procedures
* Contingency plan
* Evaluation
Fact or Myth?
* Myth 1: HIPAA applies to everyone
* Myth 2: All disclosures require consent
* Myth 3: No one has access without consent
* Myth 4: HIPAA eliminates state laws on confidentiality
Fact or Myth?
* Myth 5: Even staff from the same agency cannot share information
* Myth 6: I should not write anything down, because my client will see it
* Myth 7: If I violate HIPAA I will be severely punished, perhaps even executed
* Myth 8: Cross-systems collaboration is a great idea, too bad HIPAA makes it impossible
Summary
* HIPAA, state law, and federal regulations on substance use confidentiality are more similar than not
* HIPAA does not block all exchanges of information
* The principle of “minimal necessity” is critical
* In a conflict, the most protective law applies
* Inter-system sharing of information is possible
Some Useful Sites
* www.hhs.gov/ocr/hipaa/ (Office of Civil Rights FAQs)
* http://hipaablog.blogspot.com/ (news stories about HIPAA)
* www.hipaa.samhsa.gov/download2/SAMHSAHIPAAComparisonClearedPDFVersion.pdf (comparison of HIPAA and 42 CFR)
* http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/index.html (introduction to security regulations)
* www.courtinfo.ca.gov/jc/documents/reports/0405itema12.pdf (information on standard court orders in California Probate Court)
* www.ncsconline.org/WC/Publications/CS_PriPubHIPPA96Pub.pdf (analysis of HIPAA and the courts, including a standing judicial order)