Confidentiality 42 CFR Part 2 & HIPAA Lynn M. Eldridge, MEd Division of Behavioral Health lynn.eldridge@alaska.gov

Upload: constance-blair

Post on 12-Jan-2016

TRANSCRIPT

Page 1: Confidentiality 42 CFR Part 2 & HIPAA Lynn M. Eldridge, MEd Division of Behavioral Health lynn.eldridge@alaska.gov

Confidentiality 42 CFR Part 2 & HIPAA

Lynn M. Eldridge, MEd

Division of Behavioral Health

lynn.eldridge@alaska.gov

Confidentiality 42 CFR Part 2 & HIPAA

• This is not legal advice.

• Please consult your agency’s attorney or legal department for legal advice involving any confidentiality questions.

42 CFR Part 2

• Code of Federal Regulations

• Therefore it is a Federal Law

• Two separate laws developed in 1970 & 1972

• Two regulations combined in 1992.

42 CFR Part 2 Purpose

• Purpose:

To encourage substance abusers to seek treatment, who might otherwise be deterred for fear that their substance abuse treatment would become public information.

To Whom the Regulations Apply

• 42 CFR Part 2 Regulations Apply to:

* AOD programs that are federally conducted, regulated or assisted in any way, directly or indirectly.

* Generally, to recipients of AOD patient identifiable information from anyone subject to these regulations.

The General Rule

• Information Protected Under the Rule:

“Patient Identifying Information”

- Information, recorded or unrecorded, that could potentially link an individual, by name or otherwise, to a substance abuse treatment program.

The General Rule

• Information Protected Under the Rule:

- Protection to anyone who has applied for or been given substance abuse treatment services, and anyone checking on eligibility to get into a program.

The General Rule

• Disclosure Prohibited Under the Rule:

- Direct communications of PII

- Verifications of PII

Example

• Becki: referred by PO. Never called, never showed up at the office; Program XYZ hasn’t heard of her.

• Susan: referred by PO. Called, gave name but never made an appointment.

• Bea: referred by PO. Called, gave name, made appointment, showed up for appointment. No release.

• Lynn: referred by PO. Showed for appointment, signed releases.

Exceptions

• Exceptions permit only LIMITED disclosures, which are disclosures of only so much information as is necessary to carry out the purpose of the disclosure.

Exceptions-Written Consent

Required Elements in a Written Consent:

1. Who can disclose PII

2. To whom disclosure can be made

3. Name of the patient

4. Purpose of disclosure

5. What can be disclosed

6. Signature of patient

Exceptions-Written Consent

7. Date consent was signed

8. Right to revoke & exception (but a criminal justice system consent can be irrevocable)

9. Expiration date, event, or condition

Signature Requirements

• If the patient is a minor, the patient must sign the consent form, and:

a) If state law requires parental consent, a parent’s signature will also be required.

b) If state law permits the minor to be treated without parental consent, the minor’s signature alone will authorize disclosure.

Signature Requirements

• If the patient has died, the executor of his/her estate or if there is none, the spouse or surviving next of kin may sign.

• If the patient is incompetent, a person appointed by a court to oversee his/her affairs may sign.

Exceptions Without Consent

1. Internal Communications:

a) Within a program, and

b) between a program and an entity that has administrative control over the program.

Exceptions Without Consent

• Internal Communications:

* Allows for communication between and among program personnel, who have a need for the information in connection with their duty to diagnose, treat, or refer for treatment substance abusers.

Exceptions Without Consent

• Internal Communications:

* Redisclosure by program personnel and/or the administrative entity is PROHIBITED, except as permitted within these regulations.

Exceptions Without Consent

2. Anonymous Disclosures:

Disclosures which do not communicate PII that in any way links a patient to a substance abuse program.

Exceptions Without Consent

3. Qualified Service Organization Agreement (QSOA):

Written agreement between an AOD program and an outside Service Organization (SO):

Exceptions Without Consent

- Disclosures of PII are permitted between the AOD program and the SO. (SO may NOT be a law enforcement agency or another AOD program that provides the same or similar services.)

Exceptions Without Consent

- Permissible disclosures are limited to the extent that the PII being exchanged must be needed by the SO to provide the agreed-upon services to the program.

Exceptions Without Consent

Required Promises in the Written QSOA:

- The SO must acknowledge that it is bound by Federal confidentiality regulations;

- The SO must promise not to redisclose PII to which it becomes privy; and

- The SO promises to resist unauthorized efforts to gain access to any PII.

Exceptions Without Consent

4. Medical Emergency

Three Keys needed to invoke this exception:

1) Disclosure can be made to medical personnel only;

2) Condition must be present which poses immediate threat to the health of the individual; and

Exceptions Without Consent

4. Medical Emergency (cont.):

3) A need for immediate medical intervention must exist.

Exceptions Without Consent

4. Medical Emergency (cont.):

If you invoke the medical emergency exception, you must document the following:

- The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;

Exceptions Without Consent

- The name of the individual making the disclosure;

- The date and time of the disclosure; and

- The nature of the emergency

Exceptions Without Consent

5. Research Exception:

PII can be disclosed to researchers conducting scientific research, if the program director determines the researcher:

- Is qualified to do the research.

- Has a protocol securing the privacy and redisclosure of PII; and

Exceptions Without Consent

5. Research Exception:

- Has a satisfactory written statement indicating that at least three others have reviewed the protocol and deemed it safe enough to protect the patient’s confidentiality in light of the potential research benefits.

Exceptions Without Consent

6. Audit and Evaluation Exception:

Permits regulatory agencies, funders, third-party payers, and peer review organizations to monitor AOD programs to ensure that they are complying with regulatory mandates and are properly accounting for and disbursing all funds received.

Exceptions Without Consent

6. Audit and Evaluation Exception Cont:

- Time-limited disclosure

- Written agreement is necessary to protect PII

- Programs must have secure facilities and record keeping practices to protect such information when not being used.

Exceptions Without Consent

7. Authorizing Court Order:

A Federal, State, or local court may authorize a program to make a disclosure that would otherwise be prohibited, but a unique kind of court order is required in which special procedures are followed and particular criteria are met.

Exceptions Without Consent

7. Authorizing Court Order:

* A subpoena, search warrant, or arrest warrant (a compelling legal document), in and of itself, even if signed by a judge, is NOT sufficient to permit or require disclosure of PII.

Exceptions Without Consent

7. Authorizing Court Order:

* A court is not entitled to a patient’s AOD treatment information merely because it ordered the patient to treatment. Programs can only disclose PII if the court issues the unique type of order as outlined in the regulations.

Exceptions Without Consent

7. Court Order (cont.)

Non-Criminal Case Procedures:

* Applicant must use fictitious name for patient.

* Notification must be given to patient whose information is sought and to the program that has the information, giving each an opportunity to file a written response or appear in person to dispute.

Exceptions Without Consent

7. Court Order, Non-Criminal:

* Court must find “good cause” for the disclosure:

a) There is no other effective way to obtain the PII

b) The public interest and need for disclosure outweigh potential injury to the patient, the patient’s relationship to the

Exceptions Without Consent

7. Court Order, Non-Criminal

and the program’s ongoing treatment services.

* If the court grants disclosure, it must LIMIT disclosure to only the essential parts of the record and to only persons who have a need for the PII, and it must PROTECT against redisclosure.

Exceptions Without Consent

Criminal Case Procedures:

Investigation or Prosecution of Patient:

* Applicant must use fictitious name for patient.

* Notification must be given to program, not patient.

* Program must have opportunity to be represented by counsel and address the court on whether criteria for a court order are met.

Exceptions Without Consent

Investigation or Prosecution of Patient:

* Proceedings must be sheltered from public.

* To grant a court order, court must find:

a) That crime is extremely dangerous;

b) Records are reasonably likely to reveal substantially valuable information to investigation or prosecution;

Exceptions Without Consent

Investigation or Prosecution of Patient:

* Proceedings must be sheltered from public (cont.):

c) No other available effective ways of obtaining the PII; and

d) That public has interest and need for disclosure that outweigh injury to the patient, patient-program relationship, and program’s ability to provide services.

Exceptions Without Consent

Investigation or Prosecution of Patient Cont:

* If court order is granted, it must be LIMITED disclosure to necessary parts of record and LIMIT disclosure and use to law enforcement personnel with need for it.

Exceptions Without Consent

Criminal Procedures:

Investigation or Prosecution of Program:

- Any agency having jurisdiction over the program or its activities may apply for such a court order.

- Application must be filed separately or as a part of a pending civil or criminal action against the program or person holding the records, if records are needed to provide material evidence.

- Same procedures are required as for civil cases, except no notice at all is required for program or patients.

Exceptions Without Consent

Criminal Procedures:

If confidential communications are sought, additional criteria are required:

No disclosure can be made unless:

- It is necessary to protect against the threat to life or serious bodily injury.

- It is necessary to investigate or prosecute an extremely serious crime; or

- It is connected with a proceeding in which the patient has already presented evidence concerning the confidential communication.

Exceptions Without Consent

8. Patient threat/crime on Program Premises or Against Program Personnel:

- To Law Enforcement

- Disclosure is limited to the incident, including the patient’s name, address, last known whereabouts, and status.

- The program is not permitted to report on a patient’s other crimes.

Exceptions Without Consent

9. Reporting Suspected Child Abuse and Neglect:

- Must be in compliance with state reporting laws/requirements.

- Program staff can make reports & confirm in writing:

a) Name

b) Address

c) Nature of suspected abuse/neglect

d) How the reporter became aware of it.

Exceptions Without Consent

9. Reporting Suspected Child Abuse and Neglect:

But, other exceptions must be invoked in order to disclose further PII in the investigation of such reports

Restrictions on Redisclosure

Anyone who receives PII under any of the permissible exceptions to the AOD Confidentiality Rule is subject to the rule. And in order for the recipient of the PII to redisclose that information, the recipient will need to find his/her/its own exception to the rule.

Restrictions on Use

Except as permitted by a court order, information subject to these regulations may not be used to initiate, substantiate or investigate criminal charges against a patient.

Administrative Requirements

• Programs must provide written notice of confidentiality requirements to a patient at time of admission or as soon as patient is capable of rational communication.

• Records must be maintained in a secure room, locked file cabinet, safe, or other similar container when not in use.

• Programs must adopt written procedures regulating and controlling access to and use of written records.

Relationship to State Laws

• More protective State laws remain in effect.

• No State law can either authorize or compel any disclosure prohibited by the Federal AOD Confidentiality Rule.

Penalties

• Enforcement: US Attorney for the judicial district in which the violation occurs;

• $500 for the first violation and up to $5,000 for each subsequent offense;

• Professionals in violation may risk suspension or loss of their professional license/certification to provide services;

• Programs in violation can risk loss of their State certification or accreditation and/or Federal funding.

Health Insurance Portability and Accountability Act (HIPAA)

Important: This is not legal advice and is a brief and incomplete summary of the HIPAA regulations. Legal consultation should be sought when determining how to be HIPAA compliant.

(Excerpts taken from the American Psychological Association Practice Organization, March 2002 Edition. “Getting Ready for HIPAA: What you need to know now.”)

Health Insurance Portability and Accountability Act (HIPAA)

What is HIPAA?

1) Federal law signed into effect in August 1996, became effective April 14, 2001, and all agencies were to become compliant by April 14, 2003.

2) The act was designed to protect Americans who were previously ill from losing their health insurance when they changed jobs or residences.

Health Insurance Portability and Accountability Act (HIPAA)

3) To assist in streamlining the health care system through the adoption of consistent standards for transmitting uniform electronic health care claims.

4) Provides a privacy and confidentiality rule regarding health records.

5) HIPAA provides for the “transaction” rule, which requires standard formatting of electronic transactions for specified financial and administrative purposes.

Health Insurance Portability and Accountability Act (HIPAA)

Penalties for not following HIPAA:

1) Administrative action by the Health and Human Services Office for Civil Rights;

2) Individual person civil penalties of not more than $100 per violation, not to exceed $25,000 during any calendar year;

3) Fines up to $250,000, imprisonment for up to 10 years, or both for knowingly violating “wrongful disclosure of individually identifiable health information.”

Health Insurance Portability and Accountability Act (HIPAA)

• To Whom does HIPAA apply?

1) Health Care Providers

2) Health Plans

3) Health Care Clearinghouses

4) Also applies to those doing business with HIPAA covered entities.

Health Insurance Portability and Accountability Act (HIPAA)

• What kind of Information is protected by HIPAA?

1) Health information: oral, recorded, created or used by health care professionals.

2) Anything that identifies or can be used to identify an individual

3) An individual becomes protected when their health information is transmitted or maintained in any form or medium. Relates to past, present or future physical/mental health condition.

4) Psychotherapy Notes, recorded in any medium.

Health Insurance Portability and Accountability Act (HIPAA)

• Electronic Transmission:

1) Mode of electronic transmission includes: internet, extranets, leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact-disk media.

Health Insurance Portability and Accountability Act (HIPAA)

• Electronic Transmission (cont.):

2) Faxes should be treated as if HIPAA applies:

- If original fax is generated on a computer or sent via the computer rather than fax machine, then an electronic copy of the document exists even if the document has been erased.

- When a therapist receives a fax, he/she has no way of knowing whether it has been created, stored, or sent electronically.

Health Insurance Portability and Accountability Act (HIPAA)

Releasing of Information:

CONSENT! CONSENT! CONSENT!

Health Insurance Portability and Accountability Act (HIPAA)

• Releasing Information w/o Consent:

1) Court Order

2) Order from an administrative tribunal (Social Security Administration)

3) Reporting disease

4) Reporting of Child abuse/neglect

5) To prevent/lessen a serious & imminent threat to the health or safety of a person or the public. Release can only be made to those person(s) who can reasonably prevent or lessen the threat

Health Insurance Portability and Accountability Act (HIPAA)

• Minimum Necessary Standard:

Limits on Uses:

A program is required to identify who, within its workforce, needs access to what categories of personal health information to carry out their duties, and any conditions appropriate to such access.

Health Insurance Portability and Accountability Act (HIPAA)

• Minimum Necessary Standard:

Need P&P’s for routine and recurring disclosures and requests that limit PHI to only the amount reasonably necessary to achieve the purpose of the disclosure or request.

Health Insurance Portability and Accountability Act (HIPAA)

• Minimum Necessary Standard:

Need P&P’s for non-routine/non-recurring disclosures and requests that look at each individually and what the criteria are.

Health Insurance Portability and Accountability Act (HIPAA)

The Privacy Rule

The Privacy Rule permits uses and disclosures for “treatment, payment and health care operations” as well as certain other disclosures without the individual’s prior written authorization. Disclosures not otherwise specifically permitted or required by the Privacy Rule must have an authorization that meets certain requirements. With certain exceptions, the Privacy Rule generally requires that uses and disclosures of PHI be the minimum necessary for the intended purpose of the use or disclosure.

• Part 2 Consent 11 and Privacy Rule Authorization

42 CFR Part 2

Programs may not use or disclose any information about any patient unless the patient has consented in writing (on a form that meets the requirements established by the regulations) or unless another very limited exception specified in the regulations applies. Any disclosure must be limited to the information necessary to carry out the purpose of the disclosure.

https://www.nachc.com/.../SAMHSAs%2042%20CFR%20Part2-HIPAAC...

Part 2 & HIPAA

Which “wins”?

• Generally, the more recently enacted, HOWEVER:

• Not if earlier law has a more narrow, precise, or specific subject

• Not if later law addresses an issue on which an earlier law was silent

www.ehcca.com/presentations/HIPAA10/6_04.ppt

Part 2 & HIPAA

• Many HIPAA provisions PERMIT something but don’t mandate it.

• 42 CFR Part 2 PROHIBITS all disclosures unless specifically allowed by the regulation.

www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict”

Disclosure for Payment

• HIPAA PERMITS disclosure without patient consent for the purpose of payments.

• 42 CFR Part 2 PROHIBITS these disclosures without patient consent.

• SUD providers must follow 42 CFR Part 2.

www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict”

Patient Rights & Administrative Requirements

* HIPAA imposes several new administrative requirements and establishes new patient rights.

* These are not included in 42 CFR Part 2.

SUD providers must follow HIPAA.

www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict”

Re-disclosure of Information

• HIPAA is silent on this topic.

• 42 CFR Part 2 requires that a statement prohibiting re-disclosure accompanies the patient information that is disclosed.

• SUD providers must follow 42 CFR Part 2.

www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict”

Disclosure to Public Health

• HIPAA permits disclosure to a public health authority for disease prevention or control, or to a person who may have been exposed to or at risk of spreading a disease or condition.

• 42 CFR Part 2 prohibits these disclosures unless there is an authorization, court order, or the disclosure is done without revealing patient information.

• SUD providers must follow 42 CFR Part 2.

www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict”

Right to Access Records

• HIPAA REQUIRES a covered program to give an individual access to his/her own health information (with few exceptions).

• 42 CFR Part 2 gives programs DISCRETION to decide whether to permit patients to view or obtain copies of their records, unless they are governed by a state law that gives right to access.

• SUD providers must follow HIPAA.

www.ehcca.com/presentations/HIPAA10/6_04.ppt

Health Insurance Portability and Accountability Act (HIPAA)

Additional Points:

1) An individual can request and receive a list of all disclosures of any personal health information made in the previous 6 years.

2) Need to keep a list of all disclosures made. Tracking began on April 14, 2003.

Health Insurance Portability and Accountability Act (HIPAA)

• Parent has to give consent for medical treatment (except where 42 CFR Part 2 applies) of a minor except for the following:

1) Pregnancies or appointments relating to the pregnancy;

2) Contraception information;

3) STD Testing and Results

The child must give consent to release the above.