Post on 15-Dec-2015

215 views

Category:

Documents


0 download

TRANSCRIPT

04/18/23 1

Confidentiality of Medical Information

Public Health Nursing and Professional Development Unit

Eunice B. Inman, RN, BSN
Pamela Serrell, RN, BSN
Ellen Shope, RN, BSN
Lynn Conner, RN, BSN
Gay G. Welsh, RN, BSN, MPH

Introduction

Objectives for this presentation include:
  Identify laws that require NC Local Health Departments to keep patient information confidential.
  Identify which information is confidential.
  Describe when confidential information may be disclosed.
  Describe how best to document disclosures of confidential information.

Introduction

This presentation is an overview of confidentiality laws and how those laws address some of the issues that arise in NC local health departments.

It is not meant to be comprehensive. Please consult an attorney if you need more information or advice for a specific situation.

Vocabulary

Confidential, as defined by Webster, is private, secret.

Confidentiality

The general ethic in the provision of health care is that a patient’s secrets uttered in confidence must be safeguarded by the physician, other health care providers, and the agency’s workforce (employees, volunteers, trainees, and other persons whose conduct, in the performance of their duties, is under the direct control of the agency, whether or not they are paid by the agency).

Laws Affecting LHDs in NC

HIPAA Privacy Rule (45 CFR Parts 160 & 164):
  Federal law that governs when covered entities – a term that includes most health care providers, including LHDs – may and may not use and disclose PHI without a client’s permission. (Other federal and NC laws must also be considered in conjunction with HIPAA requirements.)

HIPAA Privacy Rule…cont.

Requires covered entities to have written policies & procedures designed to comply with the Privacy Rule.

Requires the implementation of administrative, technical, and physical safeguards to protect the privacy of individually identifiable health information.

Requires mitigation, to the extent possible, when breaches occur that violate the Privacy Rule or the covered entities’ policies/procedures when the breach is known by the covered entity.

HIPAA Privacy Rule…cont.

HIPAA Definitions:
  PHI = Protected Health Information:
    Individually identifiable health information (IIHI) that is transmitted electronically or maintained in any form or medium by a covered entity.
  T = Treatment activities of a healthcare provider:
    Includes provision, coordination, management of health care & related services, referrals, consultations, etc.

HIPAA Privacy Rule…cont.

  P = Payment for treatment
    Includes reimbursement for services, benefit coverage, eligibility, billing, collections, etc.
  O = Health Care Operations that support the activities of healthcare provider
    Includes QI, credentialing, financial and medical review audits, business management, etc.
  Please refer to the HIPAA Privacy Rule for more detailed explanations.

ARRA - American Recovery & Reinvestment Act

ARRA = Federal Law
  Effective 02/18/09 primarily found at 45 CFR Part 164, Subpart D (45 CFR 164.400 - 164.414)
  Contains the HITECH Act that exceeds HIPAA in protecting PHI.

ARRA - American Recovery & Reinvestment Act

Within ARRA is the Health Information Technology for Economic & Clinical Health Act (HITECH Act)
  Broadens and supplements HIPAA privacy and security requirements, and various state privacy breach notifications.
  Safeguards PHI above and beyond current HIPAA requirements.
  Extends requirements to certain non-covered entities, covered entities, and to business associates of covered entities.
  Includes breach notification requirements for a privacy breach.

ARRA - American Recovery & Reinvestment Act

ARRA & HITECH Act (continued)
  HITECH Act may be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
  Guidance for managing breaches: http://www.sog.unc.edu/node/1040 under Security Breaches.

NC Identity Theft Protection Act

NC Identity Theft Protection Act (GS 75-60, Article 2A)
  NC law requiring private businesses and government agencies to protect personally identifying information that could be used for identity theft.
  Includes specific actions private businesses and government agencies must take when experiencing a security breach involving personally identifying information that is not encrypted (not necessarily electronic encryption).
  Requires notifications of breaches to individuals, media, and NC Attorney General’s Office in specific situations.

NC Identity Theft Protection Act

NC Identity Theft Protection Act found at: http://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html

Guidance may be found at http://www.sog.unc.edu/node/1045
  Scroll down to “What does The Identity Theft Act Mean for Local Health Departments.”

Other NC State Laws re Confidentiality

Public Health Patient Confidentiality Law (GS 130A-12): (revised, effective 01/01/12)
  NC law that applies only to LHDs, DHHS & DEHNR
  Medical records held by either are confidential and are not subject to NC’s public records law.
  Disclosure of information only may occur with appropriate authorization or as required by federal or state law.

Other NC State Laws re Confidentiality

Privilege Laws: (GS 8-53 and GS 8-53.13)
  NC laws meant to prevent information from being introduced into court proceedings against the patient’s will.
  GS 8-53 – Communications between patients and their physicians (and others working under the direction of the physician) are privileged.
  GS 8-53.13 – Communications between patients and nurses are privileged.
  Privileged information may be introduced in two circumstances:
    The patient gives permission for the disclosure.
    The judge orders the disclosure after finding that it is necessary for the proper administration of justice.

Laws Protecting Specific Situations

Title X Family Planning: (45 CFR 59.11)
  Federal law that requires providers to keep information about Title X Clients confidential and disclose it only with the client’s documented consent (permission), unless the disclosure is necessary to provide services to the client or is required by law.

Law Protecting Specific Situations

Communicable Disease Confidentiality: (GS 130A-143) (revised, effective 01/01/12)

State Law that applies to information or records that identify a person who has or may have a reportable communicable disease or condition. Such information may be disclosed only when the disclosure fits into one of eleven circumstances specified in the statute. (Please consult the statute for these.)

Law Protecting Specific Situations

Family Education Rights & Privacy Act:
  Under FERPA school nurses must protect access to and disclosure of student education records.
  FERPA may be found at: Title 34, Part 99--Family Educational Rights and Privacy
  Schools may also fall under HIPAA.
  Helpful Q&A re HIPAA & FERPA in schools may be found at: http://www.sog.unc.edu/node/832

Law Protecting Specific Situations

Employees working with aspects of mental health or substance abuse clients may be subject to laws affecting those services.
  Please consult appropriate sources for legal resources applicable to these services.

Pharmacy Records Law

Availability of pharmacy records (G.S. 90-85.36):
  Pharmacy orders, whether written or electronic, are not public records and may only be provided to the following persons:
    Persons for whom the prescription was written
    Parent, Guardian or Persons standing in loco parentis of a minor child or disabled adult
    Pharmacy owner & Pharmacist filling the prescription
    Healthcare provider writing the prescription or otherwise treating the patient

Pharmacy Records Law

(List continued…)
    Anyone presenting an authorization for the release or subpoena for pharmacy information
      Includes researchers
    Any business entity responsible for paying for the medical care of the person for whom the prescription was written
    Pharmacy Board members
    HIPAA covered entity or non-covered health care provider for TPO purposes

Licensure Laws

Components of Nursing Practice for the Registered Nurse (21 NCAC 36 .0224):

(g)(4) is the specific section of administrative code that says the nurse must uphold confidentiality.

(g) Collaborating involves communicating and working cooperatively with individuals whose services may have a direct or indirect effect upon the client's health care and includes:

(4) safeguarding confidentiality.

Licensure Laws

Components of Nursing Practice for the Licensed Practical Nurse (21 NCAC 36.0225):

(g)(3) is the specific section of administrative code that says the LPN must uphold confidentiality as delegated by the registered nurse.

(g) Collaborating involves communicating and working cooperatively with individuals whose services may have a direct or indirect effect upon the client's health care and includes:

(3) safeguarding confidentiality.

Ethics and Policies

ANA Code of Ethics: Interpretive Statement, Provision 3.2

“…the nurse has the duty to maintain confidentiality of all patient information.”

To do less:
  Jeopardizes the patient’s welfare
  Destroys trust in the nurse/patient relationship, which jeopardizes the nurse’s ability to provide quality care.

Ethics and Policies

AMA Code of Ethics: Opinion 5.05 Confidentiality

The information disclosed to a physician by a patient should be held in confidence.

The patient should feel free to make a full disclosure of information to the physician in order that the physician may most effectively provide needed services.

The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication.

Ethics and Policies

Local Health Department Policy & Procedure:
  Safeguards Policies – covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
  Safeguard policies/procedures include, but are not limited to:
    Policy sets forth guidance to safeguard and maintain the integrity of the designated record set (financial and medical records as defined by HIPAA) and how best to protect the rights of clients while affording the providers of care appropriate access.

Which Information is Confidential?

Agency Confidentiality Policy – Affirms the agency’s resolve to abide by the laws presented.

Any IIHI about a client is confidential – assume that it is all confidential.
  It is not just the medical status or treatment information that is protected.
  Even the fact that they are a client is protected.

Any individually identifiable health information (IIHI) the LHD has on a person who is not a client is most likely confidential.
  Example: blood lead information on a child who is cared for by a local pediatrician while environmental health is doing a home investigation.

Which Information is Confidential?

Individually Identifiable Health Information (IIHI) includes:

the client’s demographic information (name, address, age, date of birth, etc.).

information that is created or received by a health care provider, health plan, employer, or health care clearinghouse.

information related to the past, present, or future physical or mental health condition of the individual, provision of health care, or the past, present, or future payment for the provision of health care.

any information that identifies the client, or to which there is reasonable basis to believe that the information can be used to identify the client.

Which Information is Confidential?

Protected Health Information includes:
  IIHI that is transmitted electronically or maintained in any form or medium by the covered entity.
  And everything else mentioned if not addressed in laws for specific services.

When may LHDs Disclose Patient Information?

With the client’s (or personal representative’s) permission.
  Permission must be in the proper format.
    In most cases the permission must be in writing.
    Must be on an appropriate HIPAA compliant authorization form.

When may LHDs Disclose Patient Information?

Under certain circumstances without the client’s (or personal representative’s) permission as specified by law.
  Broadly these include:
    Treatment, payment and healthcare operations as defined by HIPAA, G.S. 130A-12, & G.S. 130A-143.
    Please consult your HIPAA Officer or County Attorney regarding these definitions.

When may LHDs Disclose Patient Information?

When it is required by another law.
  The following slides will address these.

Subpoenas & other court orders
  Response guidance for LHDs from the NC School of Government may be found at: http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc=7&category=49

Laws requiring disclosure of info.

NC law requires the disclosure of confidential information or records for specific purposes for each of the following: (The following is a partial list of those who may demand records or information.)
  HIPAA covered entities must verify the identity of the individual demanding the information and their authority to obtain the information.
  G.S. 130A-385: Chief medical examiner or county medical examiner when a death is under investigation.
  G.S. 130A-209: Diagnoses of cancer to central cancer registry

Laws requiring disclosure of info.

List … cont.
  GS 7B-301: Any person or institution must report known or suspected child abuse/neglect or child deaths believed to be due to maltreatment to DSS.
  GS 7B-302: Records or information relevant to the investigation of known or suspected cases of child abuse or neglect may be released to director of social services
  GS 7B-601: or guardian ad litem representing the child
  GS 7B-1413: The N.C. Child Fatality Prevention Team, a community child protection team, and N.C. Child Fatality Task Force may review information they deem relevant to their task.

Laws requiring disclosure of info.

List … cont.
  GS 108A-102: Report suspected abuse of elderly or disabled adults to Social Services Director.
  GS 130A-5 and 130A-15: NC Secretary of HHS may see patient records when the patient’s physician and a DHHS physician agree that there is a “clear danger to public health” and other health hazards.
  GS 130A-135 et seq.: Outbreaks of reportable communicable diseases.
  G.S. 130A-144: Local Health Directors or State Health Director may demand medical records pertaining to the diagnosis, treatment, or prevention of communicable disease.

Laws requiring disclosure of info.

List … cont.
  G.S. 51-2: Disclose relevant medical information of minors seeking to marry to court appointed guardian ad litem.
  G.S. 90-21.20: Report wounds/injuries to law enforcement if there appears to be criminal violence involved.
  G.S. 130A-153 and 10A NCAC 41A.0406: Disclosures of immunizations to specific providers, schools, etc.

Laws requiring disclosure of info.

List … cont.
  G.S. 130A-456: Physicians must report occupational injuries on farms and other reportable occupational diseases and illnesses to DHHS.
  G.S. 130A-458: Persons in charge of laboratories that provide diagnostic services must report findings related to reportable occupational diseases and illnesses to DHHS.

Laws requiring disclosure of info.

List … cont.
  G.S. 130A-476(b): Authorizes State Health Director to issue temporary order requiring health care providers to report specifically requested medical information to local health director or State Health Director to investigate a possible bioterrorist incident.
  State and federal auditors of programs such as Medicaid may review patient records under applicable state and federal regulations.

Other exceptions requiring disclosure.

Responding to a court order, subpoena, warrant, & other law enforcement and judicial requests:

Response guidance for LHDs from NC SOG may be found at: http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc=7&category=49

LHDs may disclose information without a patient’s permission upon receipt of a proper court order provided only the PHI disclosed is expressly authorized by the court order.

A subpoena must never be ignored; however, depending on the type of subpoena, automatic disclosure of information is not always appropriate. (Consult the above guidance and local attorney.)

Other exceptions requiring disclosure.

Health department should have a carefully crafted policy for handling subpoenas, court orders and law enforcement & judicial requests.

All the above requests should be brought to the attention of the health director immediately.

Consulting the LHD Attorney about the above types of legal requests prior to disclosing information is a good idea.

Obtaining Consent For TPO

"Consent" as defined by HIPAA means that the client is giving the covered entity permission to use and disclose their protected health information for treatment, payment, and other health care operations.

Obtaining “consent for TPO” is optional under HIPAA and is no longer required by NC law (G.S.130A-12(3), revised, effective 01/01/12.)

Obtaining Consent For TPO

“Consent”…cont.
  It is no longer recommended that local health departments obtain “consent for TPO.”
  Continuing to obtain “consent for TPO” may result in barriers to care in specific circumstances and lost reimbursement if a client refuses to sign the consent for TPO as the mandated services are still required to be provided.

Verification Requirements

Prior to disclosing requested PHI to a person or entity the HIPAA Privacy Rule requires covered entities to verify two things:
  the requesting person’s identity (personal identity or as an appropriate designee of a requesting entity).
  the requesting person’s authority to receive the information.

Covered entities must have internal Verification Policies & Procedures and must have trained their staff on the policy/procedure.

Obtaining Permission to Disclose Information (Authorization)

HIPAA Authorization Forms:
  Must contain specific elements.
  Must be used for disclosures outside the realm of TPO.
  Please see the following references:
    IOG: http://www.sog.unc.edu/node/818
    DPH: http://publichealth.nc.gov/lhd/
      See “Problem Oriented Health Record” topic and select DHHS Form 4056.

Obtaining Permission for Treatment

"Consent for Treatment"

Obtaining informed consent to treat a patient is an entirely different legal obligation as opposed to obtaining “consent for TPO,” which is not a legal obligation.

“Consent for Treatment” means that the client is giving permission to the health care provider to provide medical care and treatment to the client. (G.S. 90-21.13)

Obtaining “consent for TPO,” which is no longer recommended, means the client is giving the covered entity permission to use and disclose their PHI for treatment and payment activities as well as health care operations.

Health departments still need informed consent to treat a patient.

Obtaining Permission for Treatment

GS 90-21.13: Informed consent to healthcare or procedure.

Valid consent means that a reasonable person under all the surrounding circumstances would be:
  mentally and physically competent to give consent.
  able to understand the implications, risks and hazards of the treatment or procedure.
  consent voluntarily to the treatment or procedure, and without coercion from the requestor.

Documenting Disclosures

When information is disclosed with client’s consent (via HIPAA compliant authorization):
  Put copy of signed authorization in client’s record.
  HIPAA requires that the client be given a copy of the signed authorization.
  Make a note in the record when the information is actually released.

Disclosures made with the client’s authorization are not required to be included in the Accounting of Disclosures.

(The client has the right to ask for an accounting of disclosures. See http://www.sog.unc.edu/node/818 for guidance on accounting of disclosure requirements.)

Documenting Disclosures

When information is disclosed without permission when meeting a legal requirement to disclose, documentation in the client’s record should include:
  the date and the fact of its disclosure
  to whom it was disclosed
  why it was disclosed
  the name of staff member that disclosed the information
  the signature/initials of the staff member recording the documentation in the record

Disclosures made without client authorization are required to be included in the Accounting of Disclosures.

Questions

Now a few minutes for questions.