Understanding HIPAA and 42-CFR Part 2 Laws · 29/2/2016
TRANSCRIPT
Promoting Meaningful Information Sharing:
Understanding HIPAA and 42-CFR Part 2 Laws
Goals of Forum:
1. Ensure accurate information on HIPAA and 42-CFR laws.
2. Understand current interpretations and practices regarding HIPAA and 42-CFR laws.
3. Identify ways to build common practices across and within Denver and Colorado agencies.
4. Discuss how Wellness Recovery Action Plans (WRAP) can be used across systems in a digital form.
Wellness Recovery Action Plans (WRAP)
Guest Speaker: Jennifer Hill
The HIPAA Privacy Rule and
Law Enforcement
Presented by the
Office for Civil Rights,
U.S. Department of Health and
Human Services
February 23, 2016
Objective
Learn when and how the Privacy Rule may permit law enforcement officials to obtain medical information about a suspect or victim
Introduction
What is HIPAA?
Health Insurance Portability and Accountability Act of 1996 (Subtitle F – Administrative Simplification), 45 CFR Parts 160, 162, and 164
Encouraged the development of (electronic) health information technologies (transactions)
Easier information sharing created security and privacy concerns
OCR Enforcement
OCR enforces traditional civil rights laws
Privacy, Security, and Breach Notification Rules
OCR enforces these laws through:
Complaint investigations
Compliance reviews
Technical assistance
Voluntary resolution agreements
Civil monetary penalties
Who is covered by the Privacy Rule?
Under HIPAA, there are 3 types of covered entities (CEs):
1. Health Plans;
2. Health Care Clearinghouses; and
3. Health Care Providers who transmit any health information in electronic form in connection with a transaction covered by HIPAA (standard transaction)
Business associates
Who is NOT covered?
The rule does not apply to many organizations that hold health information – e.g., life insurers, worker’s compensation carriers, automobile insurers, disability insurers.
Most state and local police or other law enforcement agencies
Many state agencies such as child protective services
Most schools and school districts
The rule does not directly apply to employers, etc.
What information is covered?
Protected health information (PHI) is:
- Individually identifiable health information
- Transmitted or maintained in any form or medium
- Held or transmitted by covered entities or their business associates
What is NOT covered?
The definition of PHI excludes:
- De-identified information
- Employment records
- Education records covered by FERPA and student health records of certain postsecondary education clinics
- Medical information for an individual deceased more than 50 years
HIPAA Protections for Mental Health Information
HIPAA generally applies uniformly to all PHI, including mental health information.
An exception exists for psychotherapy notes, which receive special protections.
Psychotherapy notes:
1. document the content of a counseling session;
2. are maintained separately from the medical record; and
3. exclude medications, dates and times of treatment, treatment modalities and frequencies, clinical test results, and summary clinical information.
Psychotherapy Notes – Access and Disclosure
Patients and personal representatives do not have a right to access psychotherapy notes under HIPAA.
Generally, separate written authorization is required to disclose psychotherapy notes to a third party.
An exception: authorization is not required to disclose psychotherapy notes to prevent serious and imminent threats and for mandatory reporting, such as reporting of abuse.
Required Disclosures
To the individual when the individual requests to view or receive a copy of his/her PHI as provided in section 164.524 (Access) and when the individual requests an accounting of the disclosures of his/her PHI as provided in section 164.528 (Accounting)
To HHS, to investigate or determine compliance with the Privacy Rule
Examples of Permitted Uses and Disclosures
Individual
Treatment, Payment and Health Care Operations (TPO)
Opportunity to Agree or Object
Public priority
Incidental
Authorized
Valid Authorizations
If a disclosure is not otherwise permitted or required by the Privacy Rule, an individual’s written authorization is required
Authorizations must include certain elements to be valid:
- Description of PHI to be released
- Who will disclose the PHI
- Who will receive the PHI
- Purpose of the disclosure
- Expiration date or expiration event
- Signature of patient, with date
- Required statements (revocation, no conditioning, potential for re-disclosure):
  - Right to revoke in writing; and the exceptions and instructions regarding the procedure, or a reference to the Notice if this information is there
  - A statement about the covered entity’s ability/inability to condition the authorization on treatment, payment, eligibility, or enrollment
  - A statement that once disclosed, the PHI may no longer be protected by the HIPAA Privacy Rule, or an alternative statement if the disclosure is to another covered entity
- If use or disclosure is for marketing purposes, and the covered entity will receive remuneration, a statement must be included to that effect
Public priority uses and disclosures
of information
Covered entities may use or disclose PHI without authorization if the use or disclosure comes within one of the listed exceptions & follows its conditions:
- As required by law
- For public health activities
- About victims of abuse, neglect, or domestic violence
- For health oversight activities
- For judicial and administrative proceedings
- For law enforcement
Public priority uses and disclosures of information (cont.)
- About decedents (to coroners, medical examiners, funeral directors)
- To facilitate cadaveric organ donation and transplants
- For research
- To avert a serious threat to health or safety
- For specialized government functions (military, veterans, national security, protective services, State Dept., correctional facilities)
- For workers’ compensation, as authorized by law
Uses and Disclosures required by law (164.512(a))
The rule permits uses and disclosures by covered entities to the extent that the use or disclosure is required by law*
Minimum necessary requirements do not apply
*Subject to requirements for disclosures about victims of abuse, neglect or domestic violence (164.512(c)), for judicial and administrative proceedings (164.512(e)), and for law enforcement (164.512(f)).
Disclosures for judicial and administrative proceedings – order of a court or administrative tribunal (164.512(e)(1)(i))
The rule permits a covered entity to disclose PHI in response to an order of a court or administrative tribunal provided that the covered entity discloses only the PHI expressly authorized by such order.
• Covered entity may disclose the information requested without additional process
• Minimum necessary requirements do not apply
Disclosures for judicial and administrative proceedings – subpoena, discovery request, or other lawful process (164.512(e)(1)(ii))
The rule permits covered entities to disclose PHI in response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court if the covered entity receives satisfactory assurances that reasonable efforts have been made to:
• Provide written notice to the individual(s); or
• Secure a qualified protective order.
Disclosures for judicial or administrative proceedings – notice (164.512(e)(1)(iii))
A covered entity must receive from the party seeking the PHI a written statement and documentation that:
• A good faith attempt was made to provide notice (mail to last known address is acceptable);
• The notice provided sufficient information to enable the individual to object to production; and
• Time for objections has run, and:
  - No objections were filed; or
  - Objections filed were resolved and are consistent with the disclosures being sought.
Disclosures for judicial or administrative proceedings – qualified protective order (164.512(e)(1)(iv) and (v))
A covered entity must receive from the party seeking the PHI a written statement and documentation that:
• The parties have stipulated and submitted to the court/tribunal a qualified protective order; or
• The party has requested a qualified protective order.
A qualified protective order is an order or stipulation that:
• Prohibits disclosure of the PHI for purposes other than the proceeding; and
• Requires the return or destruction of the PHI at the end of the proceeding.
Subpoena, discovery request, or other lawful process (cont.)
With respect to subpoenas, discovery requests, etc., the covered entity may itself undertake to satisfy the notice/protective order requirements.
Minimum necessary requirements apply
Disclosures for law enforcement purposes (164.512(f)(1))
A CE may disclose PHI to law enforcement officials for law enforcement purposes in the following 6 circumstances:
1. As required by law;
- Law, including laws related to reporting of gunshot wounds, other physical injuries
- Court order; court ordered warrant; court subpoena or summons
- Grand jury subpoena
Disclosures for law enforcement purposes – required by law (cont.)
- Written administrative request, if:
  - The PHI is relevant/material to a legitimate law enforcement inquiry;
  - The request is specific and limited in scope as reasonably practicable; and
  - De-identified information could not reasonably be used.
Law Enforcement Purposes – ID certain persons (164.512(f)(2))
2. To ID or locate a suspect, fugitive, material witness or missing person, in response to a law enforcement official’s request, a CE may disclose:
-- name, address, SSN
-- date & place of birth
-- type of injury, date & time of treatment
-- ABO blood type & Rh factor
-- date & time of death (if applicable)
-- a description of distinguishing physical characteristics.
Disclosure about victims of crime (164.512(f)(3))
3. In response to a law enforcement official’s request for information about a victim or a suspected victim of a crime, a CE may disclose PHI if the individual agrees, or the victim is unable to agree due to incapacity or other emergency circumstance, provided that certain conditions are met.
Note: This provision does not apply if the individual is a victim of abuse, neglect or domestic violence. (164.512(b)(ii) and (c))
Disclosures about decedents (164.512(f)(4))
4. A covered entity may disclose PHI about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death if the covered entity has a suspicion that such death may have resulted from criminal conduct.
Disclosure about Crime on Premises (164.512(f)(5))
5. A covered entity may disclose PHI to law enforcement officials that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the covered entity’s premises.
Reporting crime in medical emergencies (164.512(f)(6))
6. Covered health care providers providing emergency health care not occurring on their premises may disclose PHI when necessary to alert law enforcement to:
-- the commission & nature of a crime,
-- the location of such crime or of the victim(s) of such crime, &
-- the identity, description, & location of the perpetrator of such crime.
Note: This provision does not apply if the medical emergency appears to be the result of adult abuse, neglect or domestic violence.
Additional permitted disclosures:
Disclosures to avert a serious threat to health or safety. 164.512(j).
Disclosures of PHI of inmates. 164.512(k)(5).
Verification Requirements
A CE is required to verify the ID of the person requesting PHI under these exceptions and his/her authority to have access to PHI
A CE may rely, if reasonable under the circumstances, on the following to verify ID of a public official:
- In person: agency badge or other credentials
- In writing: on appropriate government letterhead
A CE may rely, if reasonable under the circumstances, on the following to verify authority of a public official:
- A written statement of the legal authority or an oral statement if a written statement would be impracticable
- A warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal
Express Permission to Report to NICS – Final rule 1/6/16
Disclosers: CEs with lawful authority to order involuntary commitments or other formal adjudications that result in individuals being subject to the Federal Mental Health prohibitor
Recipients: NICS; State-designated repository
Information: Demographic and other information needed; not diagnostic or clinical
OCR HIPAA Privacy Contacts
OCR Rocky Mountain Region:
1961 Stout Street, Room 08-148
Denver, Colorado 80294
303-844-7915
Hyla Schreurs, J.D., Supervisory EOS
303-844-7508
OCR Web Site
http://www.hhs.gov/ocr/hipaa/
- Full text of Privacy, Security, and Breach Rules
- HIPAA Privacy Rule summary
- Covered entity "decision tool" to assist individuals and entities in making these determinations
- Over 200 frequently asked questions
- Fact sheets
- Information about the OCR enforcement program
Disclaimer
OCR does not control or guarantee the accuracy, legality, relevance, timeliness, or completeness of information contained in the legal documents or technical assistance documents provided today, other than those provided by OCR.
42 CFR Part 2 and Criminal Justice
Kate Tipping, JD
Public Health Advisor, Health Information Technology
Center for Substance Abuse Treatment
Substance Abuse and Mental Health Services Administration
Promoting Meaningful Information Sharing: HIPAA and 42 CFR Part 2 Forum February 23, 2016
CJ Behavioral Health is Public Health
MH/SUDs and CJ involvement (CJI) are interlinked public health & safety issues.
Addressing MH/SUDs can reduce CJI, simultaneously improving public health and safety while reducing related economic burdens.
[Figure: Public Health & Safety, MH/SUDs, CJI]
CJ Referrals Make a Difference in Treatment Completion
According to SAMHSA TEDS data, CJ referral to treatment was consistently one of the strongest predictors of treatment completion or transfer to further treatment.
Secondary statistical analysis of data from a clinical study found that individuals entering court-ordered treatment were over 10 times more likely to complete treatment compared to offenders who entered treatment voluntarily.
SAMHSA, OAS, TEDS data (4/25/12); and Coviello, DM et al. 2013. Does mandating offenders to treatment improve completion rates? J Substance Abuse Treatment. 44:417-425.
SAMHSA’s Strategic Initiative - Health IT
Goal: Widespread Implementation of HIT Systems that Support Quality Integrated Behavioral Health Care for All Americans
• Ensure that behavioral health provider networks fully participate in the adoption of Health IT
• Support the behavioral health aspects of Health IT based on the standards and systems promoted by the Office of the National Coordinator for Health IT
• Support linkage with systems relevant to behavioral health that support prevention, treatment, wellness and recovery (Criminal justice, HUD, education, public health, recovery oriented systems of care, and other human services)
Importance of Criminal Justice Behavioral Health Information Sharing
Identifying target population for intervention
Providing better clinical care
Risk assessment
Assessing outcomes
Program evaluation
Coordinating services for re-entry
Payment and billing
Privacy Regulations (42 CFR Part 2)
Confidentiality and Trust
In order to achieve any level of systemic durability and success, Health IT must be trustworthy and developers and managers must warrant & sustain trusting relationships with all participants, especially the public consumer.
Privacy is not an area for compromise
Confidentiality should never be a shortcut
Security should not be a second thought or an afterthought
Privacy Regulations
Not meant to prevent information sharing but to set the standards for how to share
Federal laws are a baseline, states may adopt more strict regulations
Most states have laws that are stricter than HIPAA, few have laws that are stricter than Part 2
State laws vary widely, which presents challenges for developing unified policy solutions or solutions that work across states; it is also difficult for technology vendors to develop functionality
Why Confidentiality?
Reduce negative attitudes
Fostering trust
Preserving privacy
Encouraging help-seeking behavior
It is an important, but not absolute, legal and ethical principle
Balance between a patient’s legitimate desire to maintain privacy of sensitive information and permitting sharing of information that will improve treatment or public health or safety
Critical Privacy Questions
Federal and state regulations provide the ground rules. Careful analysis determines how the rules are applied to ensure effective treatment of substance use and mental health disorders.
• Who needs what information when?
• Who determines who needs what Information when?
• How should psychotherapy notes and other ultra-sensitive information be treated?
• How should HIT systems be designed to allow patients to control disclosure and re-disclosure of sensitive information?
42 CFR Part 2
The purpose of the statute and regulations prohibiting disclosure of records relating to substance abuse treatment, except with the patient's consent or a court order after good cause is shown, is to encourage patients to seek substance abuse treatment without fear that by doing so their privacy will be compromised.
Source: State of Florida Center for Drug-Free Living, Inc., 842 So.2d 177 (2003) at 181.
Applicability
Applies to:
- Federally assisted individual or entity that “holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or treatment referral”
- Unit within a general medical facility that holds itself out as providing diagnosis, treatment or treatment referral
- Medical personnel in a general medical facility whose primary function is the provision of alcohol or drug abuse diagnosis, treatment or referral for treatment and who are identified as such providers.
Disclosure
Patient consent must be obtained before sharing information from a substance abuse treatment facility that is subject to 42 CFR Part 2
Disclosure:
• “A communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the record of a patient…” (42 CFR 2.11)
• Even acknowledging that an individual is (or was) a patient at a Part 2 facility is a breach of the regulations
Source: 42 CFR Part 2
Revocation of Consent
“The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent is given.”
Source: 42 CFR Part 2
Restrictions on Redisclosure and Use
“A person who receives patient information under this section may redisclose and use it only to carry out that person’s conditional release or other action in connection with which the consent was given.”
Source: 42 CFR Part 2
Exceptions
Limited exceptions for disclosure without consent:
• Medical emergencies
• Child abuse reporting
• Crimes on program premises or against program personnel
• Communications with a qualified service organization of information needed by the organization to provide services to the program
• Research
• Court order
• Audits and evaluations
Source: 42 CFR Part 2
Privacy Regulation (42 CFR Part 2) and
Criminal Justice
Permitted Disclosure (42 CFR Part 2)
Generally cannot disclose information without subpoena and court order - arrest/search warrant not sufficient
Can disclose for crime committed by patients on program premises or against program personnel or a threat to commit such a crime
Addiction treatment records may not be used to initiate/substantiate criminal charges (42 CFR 2.1) but can be used for revocations
Permitted Disclosure (42 CFR Part 2)
Disclosures by a treatment entity providing services to a court-ordered patient (post-adjudication, 42 CFR 2.35)
Diagnosis made “solely for the purpose of providing evidence for use by law enforcement authorities”
If the facility is not identified publicly as only an alcohol or drug abuse facility, the patient’s presence may be acknowledged if doing so does not reveal alcohol or drug abuse (42 CFR 2.13)
Permitted Disclosure (42 CFR Part 2)
A program may disclose information about a patient to those persons within the criminal justice system which have made participation in the program a condition of the disposition of any criminal proceedings against the patient or of parole or other release from custody if:
• Disclosure only to those who need the information for monitoring/supervision
• Written consent of the patient (but revocation rule does not apply)
State Laws
State laws often provide additional protections for HIV infection, mental health information, genetics, drug and alcohol abuse, minors, domestic violence.
Mental health records are treated as ultra-sensitive in many jurisdictions.
Each state approaches the confidentiality of mental health records from its own perspective
Health IT systems have to recognize this variability in state statutes and regulations.
Resources
To help providers in the behavioral health field better understand privacy issues related to Health IT, SAMHSA, in collaboration with ONC, has created two sets of Frequently Asked Questions (FAQs).
• These FAQs can be accessed at: http://www.samhsa.gov/healthprivacy/docs/EHR-FAQs.pdf and
• http://www.samhsa.gov/about/laws/SAMHSA_42CFRPART2FAQII_Revised.pdf
Contact: [email protected]
Questions and Comments
Realize the Power of Information Realize the Power of Information
February 23, 2016 Denver, CO
Bob May Assistant Director IJIS Institute
• Non-Profit Organization
• Dedicated to joining forces with the technology industry to unite the public and private sectors for improving mission-critical information sharing and safeguarding across justice, public safety, corrections and homeland security communities.
• Improve public safety and the justice process
• Provide for continuity of care for justice involved individuals
• Bridge the gaps in information sharing of:
  • medical history
  • mental health/program assessment information
  • drug prescription history
  • threat assessment levels
  • behavioral issues
Receipt and sharing of PHI is critical for individuals entering or leaving the corrections environment for purposes of classification, treatment, and continuation of care. These include:
• Intake assessments to determine the individual’s level of risk (to him- or herself, other inmates, and corrections personnel);
• establishment of a treatment plan and engagement in appropriate treatment programs; updated treatment plans; and
• engagement in medical, mental health, or substance abuse treatment in the community upon release.
• Informing medical, mental health, or substance abuse treatment providers about a defendant’s, probationer’s, or parolee’s treatment history.
• Compliance with conditions of pre-trial, probation, or parole, and/or court orders, during which medical, mental health, or substance abuse treatment providers may need to share program completion status and treatment progress with pre-trial, probation, and parole officials and/or courts for reporting purposes.
Health information can help officers assess how to interact with an individual in ways that will produce safer and more positive outcomes, including how to de-escalate a situation effectively and provide a link to services when appropriate.
When a correctional institution or law enforcement agency has custody of an individual, HIPAA permits access to PHI without consent if the information is necessary to:
(1) provide health care to the individual;
(2) ensure the health and safety of the inmate or others housed or working in the facility;
(3) protect the health and safety of any law enforcement officer transporting an inmate between facilities;
(4) protect those involved in the transfer or transporting of the individual;
(5) promote law enforcement on the premises of the correctional institution; or
(6) maintain and administer safety, security, and good order in the correctional facility. See 45 CFR 164.512(j)(1)(ii)(B).
The lawful custody exception, however, no longer applies once a person is released from custody, including on probation or parole.
Generally, without consent, police officers need a court order to obtain PHI from a substance use treatment provider, except for a medical emergency or a crime committed on the premises of the treatment facility.
Absent consent, a court order will generally be required to receive PHI from a substance use program, §§ 2.61-67. Court orders are granted only when disclosure is needed to protect against an existing threat to life or serious bodily injury or is necessary for further investigation of a serious crime.
Prosecutors, defenders, and the courts
Courts and lawyers are not federally assisted programs; however, court appearances are frequently used to divert people from incarceration to treatment programs.
When drug courts or diversion programs make referrals to treatment providers as a conditional disposition a provision allows programs to share PHI with the court (or other entity tasked with monitoring progress), with the individual’s consent, § 2.35.
Courts have upheld that it is constitutional to require confidentiality waivers as a condition of participating in a drug court.
42 CFR Part 2 does NOT permit PHI about substance abuse to flow to or from a correctional facility without an individual’s consent.
Community Corrections
Probation and parole officers are not federally assisted programs and therefore can disclose PHI they learn by interviewing clients to others.
They cannot request and receive PHI from programs without prior, valid consent.
If a probation or parole officer needs PHI, the courts can require a waiver of confidentiality for both substance use and mental health information as a condition of release from prison or probation.
Law enforcement officials are not “covered entities” under HIPAA.
They also are not a “federally assisted program” within the meaning of 42 CFR Part 2.
Post-booking diversion programs
Therapeutic courts
Courts are neither “covered entities” within HIPAA nor “federally assisted programs” within 42 CFR Part 2.
Because of the significant role courts play in directing defendants to treatment and in overseeing compliance with treatment conditions, both HIPAA and 42 CFR Part 2 are relevant to information sharing by and with courts.
HIPAA defines a correctional institution as “any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program” operated by or under contract to federal, state, municipal, or Native American tribal government.
The institution must exist for the confinement or rehabilitation of people charged with or convicted of an offense.*
They also are not a “federally assisted program” within the meaning of 42 CFR Part 2.
*The status of correctional institutions as “covered entities” is not established clearly in the regulations. For a discussion of this debate, see http://www.nga.org/cda/files/HIPAACorrectionsAJA.PDF.
Corrections are generally not “covered entities” under HIPAA unless they declare themselves as such.
They are not “health plans” because HIPAA excludes from the definition of “health plan” a government-funded program whose principal purpose is something other than providing or paying for the cost of health care.
Clinical staff who work for a correctional facility meet the definition of “health provider” under HIPAA, whether employed directly by the correctional facility or under contract.
If a correctional facility contracts for health-care services, the provider of those services will determine independently whether it is a covered entity (and in most cases will consider itself such).
Many correctional facilities, as well as state departments of corrections, have defined themselves as covered entities.*
Because 42 CFR Part 2 does not contain provisions specifically addressing correctional institutions, the general rules about consent will apply.
Probation and parole officers are not “covered entities” under HIPAA, nor are they “federally assisted programs” within the meaning of that term in 42 CFR Part 2.
Their access to information may be affected by provisions in each.
A program may disclose information about a patient to those persons within the criminal justice system which have made participation in the program a condition of the disposition of any criminal proceedings against the patient or of parole or other release from custody if:
• Disclosure only to those who need the information for monitoring/supervision
• Written consent of the patient (but the revocation rule does not apply)
Source: [email protected]
Fact: HIPAA does not require consent for disclosures or uses that are necessary to carry out:
• treatment,
• payment, or
• health care operations
However: 42 CFR Part 2 does require consent unless one of the limited exceptions applies
Source: [email protected]
Fact: HIPAA permits disclosures for:
• Public health activities
• Victim of abuse or neglect
• Judicial/Administrative proceedings
• Law enforcement
• Threats to health or safety
• Court-ordered examinations
• Correctional facilities
• Through business agreements
Source: [email protected]
Fact: 42 CFR Part 2 permits disclosures:
• Public health research
• Child abuse reporting
• Crimes on premises or against staff
• Criminal justice system if treatment is made a condition of parole or release
• To other systems with patient consent or a qualified service organization agreement (QSOA)
Source: [email protected]
Fact: Both HIPAA and 42 CFR Part 2 permit intra-agency exchanges of information
Source: [email protected]
IJIS and Urban Institute
Opportunities for Information Sharing to Enhance Health and Public Safety
Outcomes
Global Strategic Solutions Work Group
Prioritizing Justice-to-Health Exchanges Task Team Final Report
Global Standards Council – Justice /Health
Aligning Justice-To-Health Priority Exchanges Task Team Final Report
Bob May Assistant Director
Program and Technology Services IJIS Institute
(571) 353-7597
Electronic Health Data Exchange
Toria Thompson
Behavioral Health information Exchange Coordinator, CORHIO
© 2016 Colorado Regional Health Information Organization (CORHIO) - All Rights Reserved. CORHIO Proprietary - Not For Redistribution
Disclaimer
• The following slides are for educational purposes only.
• You should seek legal advice regarding your specific situation and compliance obligations.
HIPAA Rules Regarding Electronic Exchange
• PRIVACY RULE – The HIPAA Privacy Rule governs the use and disclosure of personally identifiable health information.
• SECURITY RULE – The HIPAA Security Rule imposes requirements on Covered Entities with respect to the protection of electronic PHI (ePHI).
• HIPAA FINAL OMNIBUS RULE – In 2013, HHS and OCR announced a final rule, called the Omnibus Rule, that implements a number of provisions of the HITECH Act. The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
Breach Statistics
“For many years, the top cause of lost or stolen patient data was a health care organization employee losing a device or having one stolen. In 2014, for the first time, the top cause was a criminal attack.”
Source - http://www.forbes.com/sites/laurashin/2015/05/29/why-medical-identity-theft-is-rising-and-how-to-protect-yourself/
HIPAA Rules Regarding Electronic Exchange
• Email: The Security Rule requires covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to electronic protected health information (ePHI) sent and received over email.
• Encryption: The standard for transmission security (§ 164.312(e)) has been updated to enforce the use of encryption.
A Massachusetts hospital was recently fined $218k for using a cloud-based file sharing service. Although there was no evidence of an actual breach, the methods that the hospital's employees used for sharing the electronic protected health information were deemed risky enough to warrant a fine.
A Texas-based facility recently announced it experienced a breach due to a phishing scam. In December 2014, an employee at the facility opened a fraudulent email from a hacker, which exposed the system to further attack. An investigation into the breach determined that approximately 39,000 patients’ PHI was compromised by the attack.
What Constitutes PHI?
• Name
• Address
• All elements (except years) of dates related to an individual
• Telephone numbers
• FAX number
• Email address
• Social Security number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Vehicle identifiers
• Device identifiers
• Web URLs
• IP address
• Biometric identifiers, including finger or voice prints
• Full-face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual:
Protected health information (PHI) is individually identifiable information that is:
1. transmitted by electronic media;
2. maintained in electronic media; or
3. transmitted or maintained in any other form or medium (includes paper and oral communication).
How do I handle PHI and Confidential Information?
• Do not send PHI in unencrypted email.
• If you receive an email containing PHI, delete it immediately, including from your trash folder, and inform the sender not to send that data or to encrypt it.
• Never store PHI or confidential data on a non-encrypted laptop or location, e.g., USB drives.
• Apply the “Minimum Necessary” standard:
  • Access only the PHI required to do your job.
  • Limit the sharing of information to only those who need to know to perform their job.
• Secure laptops and other devices, taking reasonable precautions to prevent theft.
• Set up your Wi-Fi to stay safe on public networks:
  • Turn off Sharing.
  • Enable your computer’s Firewall.
  • Use HTTPS when possible.
  • Turn off Wi-Fi when not in use.
• Create complex passwords:
  • Never share your password with others.
  • When choosing a password, make sure that it is something not easily guessed.
Example Email Policy for Transmission of PHI Internally
Use of Email to Transmit Protected Health Information (PHI): Sending Protected Health Information (PHI) by email exposes the PHI to two risks:
1. The email could be sent to the wrong person, usually because of a typing mistake or selecting the wrong name in an auto-fill list.
2. The email could be captured electronically en route.
ABC Health System’s Email Policy:
• You must never send or receive email containing PHI from any device EXCEPT an Organization managed computer or an organization managed smartphone.
• Limit the information you include in an email to the minimum necessary for your clinical purpose.
• Whenever possible, avoid transmitting highly sensitive PHI (for example, mental health, substance abuse, or HIV information) by email.
• Never use automatic forwarding with your email account.
• Never send PHI by email unless you have verified the recipient’s address (for example, from a directory or a previous email) and you have checked and double-checked that you have entered the address correctly.
• Always include the following privacy statement notifying the recipient of the insecurity of email and providing a contact to whom a recipient can report a misdirected message.
  Recommended Privacy statement: Please be aware that e-mail communication can be intercepted in transmission or misdirected. Please consider communicating any sensitive information by telephone, fax, or mail. The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately with a copy to [email protected] and destroy this message.
Example Email Policy for Transmission of PHI with External Entities
Sending email containing PHI outside of ABC Health System: You may exchange PHI by email outside the ABC Health System network, so long as you follow the rules above AND so long as one of the circumstances below applies:
• The email is encrypted through a secure messaging system such as via Epic or MyChart or ABC Health System’s secure file transfer application (http://www.ABCHealth.org/its/email/transfer.html). Note: Standard ABC Health System e-mail, such as Outlook, is NOT encrypted. OR
• The email is being sent to a non-ABC Health System clinician, research collaborator, or collaborating institution, AND it contains information urgently needed for patient care, AND the patient identifiers are limited to name, date of birth, medical record number, or phone number, as needed. OR
• The email is being sent to a non-ABC Health System clinician, research collaborator, or collaborating institution, AND it must be transmitted in a timely manner, AND it contains no direct identifiers (name, address, Social Security number, date of birth, phone/fax numbers, or patient email address) and no highly sensitive PHI (for example, mental health, substance abuse, or HIV-related information). Note: Less direct identifiers such as medical record number or initials (for example, “Mr. S”) may be included. OR
• The patient or research subject has agreed to the use of email by completing a Consent for Email Communication form (available at http://HIPAA.ABCHealth.org/resources/docs/email-communication.pdf).
HIPAA Compliant Email
Myths about email for HIPAA
1. Myth: All email service providers have secure servers. Emails sent from free services like Gmail, AOL, and Yahoo are not encrypted. Gmail does have a business product that provides encryption.
2. Myth: It’s necessary to encrypt any and all emails. Encrypting interagency communication is not required by HIPAA as long as the server is secure enough to not be penetrated by an external source.
3. Myth: Even with patient acknowledgement and authorization you have to encrypt or secure the server. If you have a signed authorization from the patient indicating their desire to receive correspondence via email, and you’ve educated them about the inherent risks of unsecure email, you do not need to encrypt.
Some HIPAA Compliant Email Vendors
[Vendor list not captured in the transcript.] The above list is for reference only and does not imply CORHIO endorsement.
HIPAA Compliant Email: Process w/ Outlook 365
Step 1: CORHIO emails a file containing PHI to Dr. John’s office using Microsoft Outlook 365, placing “CORHIOEncrypt” in the subject.
Step 2: Dr. John’s office receives an email saying that there is an encrypted message for them.
Step 3: Dr. John’s office opens the link and is taken to a webpage where they can sign in or ask for a one-time passcode.
Step 4: After successfully authenticating, they are taken to the email message in the browser and will be required to log in each time they want to view it.
Direct Email Exchange
Direct – or direct exchange – is a basic type of health information exchange (HIE) that allows a health care provider to securely send patient information directly to another specified health care provider, or even a patient.
• Emails are sent over the Internet in an encrypted, secure way, and this is commonly compared to sending a “secure email.”
• Your Direct email address is provided by a health information service provider (HISP).
• CORHIO is a HISP and can provide you with a Direct email account and connect you to other providers who are not part of your HISP. Your EHR vendor may also provide HISP services.
• Because the HISP pre-authenticates each provider before issuing a Direct email address, there is no need to “log in” or “authenticate” your identity each time you receive an email with Direct. This makes it easier to use.
Pros and Cons of Direct Email
Advantages
• Permits users of a Direct-enabled EHR to send and receive point-to-point messages and attached files from any other certified EHR regardless of operating system.
• Facilitates secure communication with providers and patients using Internet-based software and devices of almost any kind.
• Works well when you are referring a patient to another known provider and coordinating care in advance of a provider visit.
• For sensitive information, such as protected behavioral health notes, Direct messaging ensures that patient data is sent only to a pre-selected, authorized provider and is not available to access in a query-based HIE application.
Limitations
• Direct does not support a model of “pulling” information, or query-based exchange. Therefore Direct is not a complete interoperability package. Also, it does not populate data into the community health record.
• Similar to faxing medical records, information exchanged via Direct may result in members of a patient’s broader care team being inadvertently excluded from important communications.
• Direct may be less efficient and effective than other forms of HIE when coordinating care for patients with complex medical histories, comorbidities, or who are visiting several different specialists over the course of a year.
How HIE Works
[Diagram: paper- and phone-based exchange with some limited electronic connections, contrasted with one electronic connection to the HIE to access/share patient information across the state.]
CORHIO’s Current Capabilities
[Diagram: Community Health Record. Data sources: Hospitals, Public Health Departments, Laboratories, Radiology Centers. Data types: Newborn Screening Results, Hospital ADT info, Lab Results, Pathology Reports, Radiology Reports, Consult Reports, Transcription Notes, Lab/Rad Reportable Conditions, Immunizations.]
CORHIO and QHN: Colorado’s two HIEs
CORHIO: By the Numbers
50 Hospitals (data senders and receivers)
• 11 more underway!
• Participating hospitals represent 93% of all hospital beds in the region
184 Long-Term, Post-Acute Care & Behavioral Health Facilities (data receivers)
• One of the highest LTPAC connection rates in the country!
3,900+ Office Based Physicians/Providers (data receivers)
• 8,300+ total users!
• SCL now sending ambulatory data for six ambulatory clinics.
4,000,000+ Patients (unique patients)
• Represents 80% of Colorado’s total population!
QHN: By the Numbers
14 Hospitals
• 85% connected
• QHN continues discussions with other hospitals in the western Colorado medical trade area not connected
5 Long-Term & 1 Behavioral Health
• 43 Long-term care, home health, hospice, Rehab, Transition of Care facilities & Case management services
• Mind Springs Health is piloting sending BH CCDs to QHN for exchange
193+ Practices/Organizations have Interface with QHN
• 93%+ of medical providers on western slope
• 1,042+ users
• 55 practices have bi-directional interface (data senders & receivers)
661,000+ Patients (unique patients)
CORHIO Services Available Today
Patient Care 360 – Provider Portal (Query)
Results Delivery (Push into EHR)
CORHIO Future (ONC Advance Interoperability Grant)
[Diagram: CORHIO Provider Portal (Patient Care 360); Ambulatory & LTPAC CCD; Patient Consent Portal; protected, non-HIPAA sharable data, sharable only via consent, from a Substance Use Tx Provider, a Community Mental Health Center, and an HIV Clinic.]
QHN Future (ONC Advance Interoperability Grant)
Process:
• MSH acquires patient consent.
• Reports are “pushed” from MSH to the QHN HIE, “wrapped” and housed in the longitudinal health record in a sequestered repository under a special Consent Date Notice. This notice indicates the provider must have written patient consent prior to “breaking-the-glass”.
• Provider obtains patient consent, using the established community-wide HIE consent form, to view BH results in the longitudinal health record.
• Provider practice retains the patient consent form.
Pull:
• Pulled by providers from the longitudinal record; the provider obtains and retains patient consent.
Questions?
If you have questions, please contact me at:
Toria Thompson, Behavioral Health Information Exchange Coordinator, CORHIO
303-746-3161
Table Top Scenarios
Considerations
Type of Confidential Data: Medical/Mental Health (HIPAA)
• Who has the information? Covered Entity? (Y/N)
• Who wants the information? Covered Entity? (Y/N)
• Patient Release? (Y/N)
• Business Associate Agreement? (Y/N)
• Exceptions?
Type of Confidential Data: Substance Abuse (42 CFR Part 2)
• Who has the information? Federally Assisted Program? (Y/N)
• Who wants the information? Federally Assisted Program? (Y/N)
• Patient Release? (Y/N)
• Qualified Service Organization? (Y/N)
• Exceptions?
HIPAA/42 CFR Part 2 Scenario #1*
A probation officer requests treatment information from a Community Mental Health Center (which is also a licensed substance use treatment agency). The person in treatment has not consented to the release.
Can the CMHC release the information?
*Petrila, J. & Fader-Towe, H. (2010). “Information Sharing in Criminal Justice–Mental Health Collaborations: Working with HIPAA and Other Privacy Laws.” Council of State Governments Justice Center, New York, NY. (Report funded by Bureau of Justice Assistance Grant No. 2008-MO-BX-K002.)
HIPAA/42 CFR Part 2 Scenario #2
A health care provider knows that a patient, diagnosed with a serious mental illness and a substance use disorder, has stopped taking their prescribed medication(s). Can the provider tell:
• the patient’s partner/spouse?
• the patient’s probation/parole officer?
• the patient’s mental health/drug court program?
HIPAA/42 CFR Part 2 Scenario #3*
Can a jail or state prison share a patient’s medical, mental health, and substance use treatment information with an outside health-care agency/provider prior to the person being released, to provide a continuum of service?
HIPAA/42 CFR Part 2 Scenario #4
Sam, a patient in XYZ Drug Treatment Program, is involved in a major heroin distribution ring and has been distributing drugs to other patients.
Can XYZ Drug Treatment Program tell the police and release information to the prosecutor?
HIPAA/42 CFR Part 2 Scenario – Health Care Providers
A police officer comes to a hospital and requests protected health information (PHI) regarding Patient A. Patient A is unconscious.
Can the hospital release Patient A’s PHI to the police officer?
HIPAA/42 CFR Part 2 Scenario – Health Care Providers*
A mental health treatment provider treats an individual who participates in a community corrections program.
Can the provider give PHI to a community corrections officer to determine whether the person is complying with conditions of probation?
Can the provider disclose substance use treatment information (e.g., UA results)?
HIPAA/42 CFR Part 2 Scenario – Health Care Providers
A law enforcement officer brings a patient to a hospital or other mental health facility to be placed on a psychiatric hold (72 hour mental health hold), and requests to be notified if or when the patient is released.
Can the facility release that notification to the officer?
HIPAA/42 CFR Part 2 Scenario – Health Care Providers
Betty, a patient at ABC drug treatment program, overdoses and lapses into a coma.
Can ABC drug treatment program disclose Betty’s information to the Emergency Room (ER) of a local hospital so it can treat her overdose?
If so, can the ER doctor inform Betty’s family that she is in treatment at ABC drug treatment program?
HIPAA/42 CFR Part 2 Scenario – Health Care Providers*
During a treatment session, a person on probation discloses that she used an illegal drug over the weekend.
Can the treatment agency share this information with the probation officer? Mental health court team? Or do they need to discover it for themselves from a urinalysis test?
HIPAA/42 CFR Part 2 Scenario – Community Agency
A street outreach worker contacts Jim, who is homeless. Jim states that he has a long history of mental and physical health problems and heavy alcohol use, has been off his psychiatric medication for several months, and is depressed and thinks about suicide.
Can the outreach worker report this information to health care providers? Housing or social service providers?
HIPAA/42 CFR Part 2 Scenario* - Problem Solving Court
When a court orders an individual to receive mental health treatment in the community as a condition of community supervision, what information can the probation officer share with the court?
HIPAA/42 CFR Part 2 Scenario* - Problem Solving Court
A healthcare provider, working under the auspices of the court, screens a person for admission to a mental health court program. During screening, the individual reveals details about her prior history of mental health and substance use treatment.
Can this information be shared with the members of the mental health court team if the client has not given permission to share this information?
HIPAA/42 CFR Part 2 Scenario* - Corrections
Can correctional facilities access medication information from a pharmacy without a signed release?
HIPAA/42 CFR Part 2 Scenario* - Corrections
A jail treats an inmate for mental illness.
Can the jail share this information with the prosecution, defense counsel, and the court?
HIPAA/42 CFR Part 2 Scenario* - Corrections
Can information be shared from within a correctional facility to a parole board making release decisions?