HIPAA, Privacy, Confidentiality, Reasonable Safeguards of Information & 42 CFR Part 2
Presented to BHH ASOC Committee on 09/17/15
Presenters: Patrick Garcia, MSW, MPA (Pat.Garcia@hhs.sccgov.org, (408) 793-1809); Mary Harnish, MFT (Mary.Harnish@hhs.sccgov.org, (408) 885-5784); Dr. Noel M. Panlilio (Noel.Panlilio@hhs.sccgov.org, (408) 755-7850)
Roles and units as listed on the title slide: Compliance Officer, Administration; Division Director; Compliance & Privacy Manager; Behavioral Health Services Dept.; Mental Health Services; Substance Use Treatment Services
Multiple overlapping privacy regulations • Regulations change over time, and Federal, State, and Local regulations may overlap. Current laws include: • HIPAA • WIC Sections 5328, 5150-5344 • 42 C.F.R. Part 2 • Whenever there are multiple standards to apply, ALWAYS follow the more restrictive standard.
What is HIPAA? • The Health Insurance Portability and Accountability Act is a Federal Law that: • Protects the Privacy of patient information • Provides for electronic and physical security of protected health information (PHI) • Requires “minimum necessary use, and disclosure” • Specifies patient rights to approve or deny the access and use of their medical information.
What Qualifies As PHI? • PHI can be any verbal, written, recorded, or electronic information that identifies or can be used to identify a patient, such as: • Name • Address • Social Security or Driver's License number • Physical characteristics • Diagnosis • Date of Service • Type of Treatment • Etc. Anything that can be used to identify the individual is PHI and must be kept confidential!
What is ePHI? • ePHI is protected health information that is created, received, stored, or transmitted electronically. • Any PHI, when stored electronically, becomes ePHI. • ePHI includes information on laptops, memory sticks, smart phones, PDAs, email, and other electronic storage devices.
WHY DOES THIS MATTER TO YOU?
BECAUSE YOU ALREADY AGREED TO DO IT! • As part of being hired, you were provided with the Compliance Plan Policy (#412-101) • The end of the policy includes the BHSD code of conduct. • On the day you were hired you read and signed it, agreeing to abide by HIPAA and other requirements. • Policies require sanctions for staff who do not comply • And if that’s not enough… • You may face fines of up to $25,000 per violation, misdemeanor charges, potential legal action by the patient, formal notification to licensing boards, and disciplinary action from your employer. • SEE PRIVACY DO’s and DON’Ts HANDOUT
How Does HIPAA Work? HIPAA regulations protect Protected Health Information in 4 ways: • Security Standards (physical, technical, and administrative safeguards for electronic patient information) • Privacy Standards (protection of individual health information, and patients' rights) • Transactions Standards (electronic billing and claims management) • National Provider Identifier Standards (a unique identifier for healthcare providers)
WHO CAN WE DISCLOSE PHI TO?
Minimum Necessary Access • Only the minimum necessary amount of PHI is accessible to persons needing to know, based on: • Job Function • Behavioral Practices • Access Controls • You may assume the minimum necessary information is being requested when it is: • A request for PHI from another health care provider or health plan • A request from a business associate or public official AND the request states that it is the minimum necessary
Minimum Necessary does not apply to • Disclosures to a provider for treatment of a mutual patient. • Uses or disclosures to a patient's personal representative. • Disclosures to the Department of Health & Human Services. • Uses or disclosures required by law.
Permitted Use and Disclosure Without Consent • Under HIPAA, you may use or disclose PHI without patient authorization or consent: • To the individual patient • For treatment, payment, or health care operations (TPO) • HIPAA also allows disclosure of PHI, with conditions, for: • Incidental occurrences • Public good disclosures
Disclosure Without Consent – Incidental Disclosures • HIPAA permits incidental disclosures provided we • Disclose only the minimum amount of PHI necessary to accomplish the purpose of the disclosure • Take reasonable measures to safeguard PHI. • Examples of incidental disclosures include: • Seeing PHI while conducting IS (information systems) maintenance • Overhearing telephone conversations
Disclosure Without Consent – Public Good • Disclosures that do not require consent include: • Reporting professional misconduct to a licensing agency • Disclosures to Federal, Medicare, CDC, or other entities as required • Public health activities, such as reporting communicable diseases • Disclosures required by law (e.g., a court order) • Reporting victims of abuse, neglect, or domestic violence • Health oversight activities • Judicial and administrative proceedings • To avert a serious threat to health or safety (e.g., Tarasoff)
Permitted Use and Disclosure with Consent • Patient Authorization / Consent are Required for: • Access, use, or disclosures to certain permitted persons or entities for non-TPO activities • Disclosures to a third party specified by the patient
The HIPAA Privacy Rule – Areas Requiring Protection • Several functions occur in any healthcare facility where reasonable Administrative, Technical, and Physical safeguards must be practiced including: • Workplace Conversations • Workstation Activities • Disposal and Recycling • Emailing • Faxing • Computer and Equipment use • Password protections
Patients' Rights • Under HIPAA, patients have the following rights: • Right to access their record within a reasonable period of time. This includes the right to a copy of the file (P&P 210) • Right to a Notice of Privacy Practices (P&P 244) • Right to request a modification of the record, or to insert a statement disputing the record if the Program refuses the request (P&P 212) • Right to confidential communication (P&P 244) • Right to request restriction of disclosures (P&P 244) • Right to an accounting of disclosures of client PHI (P&P 245) • Right to complain about violations of privacy/confidentiality (P&P 222)
Patients' Rights – Access to Records • Procedure • The client fills out a form requesting access • Staff take the completed form to the program manager • The manager communicates the decision to allow or deny access in a timely manner • Copies of the request and the program's response are forwarded to the Custodian of Records • Arrangements are made for the client to have access to her/his record, which may include making a copy of the record
Patients' Rights – Notice of Privacy Practices • A Notice of Privacy Practices must be provided to all clients upon intake and/or admission, describing • How we will use and disclose client PHI • What rights the client has with respect to their PHI • Where and how the client may access their PHI • Where and how they can file a complaint if they feel their rights have been violated
Complaint Process • Clients have a right to file a complaint if they feel their PHI has been inappropriately used or disclosed. • Any client wishing to file a HIPAA/Privacy complaint may be referred to the Mental Health Services Compliance and Privacy Manager, Mary Harnish, at (408) 885-5784 • They may also complain to the Office for Civil Rights at OCRComplaint@hhs.gov
Overview: 42 CFR Part 2 • What is 42 C.F.R. Part 2? • Regulations implementing the Federal drug and alcohol confidentiality law (42 U.S.C. § 290dd-2)
Overview: 42 CFR Part 2 • Generally, • Disclosure of information that identifies a patient (directly or indirectly) as having a current or past drug or alcohol problem (or as participating in a drug/alcohol program) is prohibited • Unless • The patient consents in writing, or • Another exception applies
Overview: 42 CFR Part 2 • What is 42 C.F.R. Part 2? • Federal law • Governs confidentiality of alcohol and drug treatment and prevention information • Regulations implement statutes enacted in the 1970s • Purpose of the law: • Privacy protections encourage people to seek treatment (stigma)
Overview: 42 CFR Part 2 • Generally, • This is true even if the person seeking the information • Already has it • Has other ways to get it • Has some kind of official status • Has obtained a subpoena or warrant • Is authorized by State law
Overview: 42 CFR Part 2 • Who is covered? • Drug/alcohol treatment and prevention "programs" that are • Federally assisted must follow 42 C.F.R. Part 2
Overview: HIPAA and 42 CFR Part 2 • HIPAA: Health care provider, health plan, or health care clearinghouse + Transmits health information electronically (covered transactions) = Covered by HIPAA • 42 C.F.R. Part 2: Program + Federally assisted = Covered by 42 C.F.R. Part 2
Overview: HIPAA and 42 CFR Part 2 • Who must comply with both? • The vast majority of alcohol/drug treatment programs are covered by both • What happens if both apply? • General rule: Follow the law that gives patients more privacy protections • How does State law fit in? • Same general rule: Follow the law that gives patients more privacy protections