
Understanding HIPAA and 42-CFR Part 2 Laws · 29/2/2016

Date post: 13-Oct-2020

Promoting Meaningful Information Sharing:

Understanding HIPAA and 42-CFR Part 2 Laws

Goals of Forum:

1. Ensure accurate information on HIPAA and 42-CFR laws.

2. Understand current interpretations and practices regarding HIPAA and 42-CFR laws.

3. Identify ways to build common practices across and within Denver and Colorado agencies.

4. Discuss how Wellness Recovery Action Plans (WRAP) can be used across systems in a digital form.

Wellness Recovery Action Plans (WRAP)

Guest Speaker: Jennifer Hill

The HIPAA Privacy Rule and

Law Enforcement

Presented by the

Office for Civil Rights,

U.S. Department of Health and

Human Services

February 23, 2016

Objective

Learn when and how the Privacy Rule may

permit law enforcement officials to obtain

medical information about a suspect or victim

Introduction

What is HIPAA?

Health Insurance Portability and Accountability Act of 1996 (Subtitle F – Administrative Simplification)

45 CFR Parts 160, 162, and 164

Encouraged the development of (electronic) health information technologies (transactions)

Easier information sharing created security and privacy concerns


OCR Enforcement

OCR enforces traditional civil rights laws

Privacy, Security, and Breach Notification Rules

OCR enforces these laws through:

Complaint investigations

Compliance reviews

Technical assistance

Voluntary resolution agreements

Civil monetary penalties


Who is covered by the Privacy Rule?

Under HIPAA, there are 3 types of covered entities (CEs):

1. Health Plans;

2. Health Care Clearinghouses; and

3. Health Care Providers who transmit any health information in electronic form in connection with a transaction covered by HIPAA (standard transaction)

Business associates

Who is NOT covered?

The rule does not apply to many organizations that hold health information – e.g., life insurers, workers’ compensation carriers, automobile insurers, disability insurers.

Most state and local police or other law enforcement agencies

Many state agencies such as child protective services

Most schools and school districts

The rule does not directly apply to employers, etc.

What information is covered?

Protected health information (PHI) is:

- Individually identifiable health information

- Transmitted or maintained in any form or

medium

Held or transmitted by covered entities or their

business associates

What is NOT covered?

The definition of PHI excludes:

De-identified information

Employment records

Education records covered by FERPA and

student health records of certain postsecondary

education clinics

Medical information for an individual deceased

more than 50 years

HIPAA generally applies uniformly to all PHI, including mental

health information.

An exception exists for psychotherapy notes, which receive special

protections.

Psychotherapy notes:

1. document the content of a counseling session;

2. are maintained separately from the medical record; and

3. exclude medications, dates and times of treatment, treatment modalities and frequencies, clinical test results, and summary clinical information.

HIPAA Protections for Mental Health Information

Patients and personal representatives do not have a

right to access psychotherapy notes under HIPAA.

Generally, separate written authorization is required

to disclose psychotherapy notes to a third party.

An exception: authorization is not required to

disclose psychotherapy notes to prevent serious

and imminent threats and for mandatory reporting,

such as reporting of abuse.

Psychotherapy Notes – Access and Disclosure


Required Disclosures

To the individual, when the individual requests to view or receive a copy of his/her PHI as provided in section 164.524 (Access), and when the individual requests an accounting of the disclosures of his/her PHI as provided in section 164.528 (Accounting)

To HHS, to investigate or determine compliance

with Privacy Rule

Examples of Permitted Uses

and Disclosures

Individual

Treatment, Payment

and Health Care

Operations (TPO)

Opportunity to Agree

or Object

Public priority

Incidental

Authorized

Valid Authorizations

If a disclosure is not otherwise permitted or

required by the Privacy Rule, an individual’s

written authorization is required

Authorizations must include certain elements

to be valid: Description of PHI to be released

Who will disclose the PHI

Who will receive the PHI

Purpose of the disclosure

Expiration date or expiration event

Signature of patient, with date

Required statements (revocation, no conditioning, potential for

re-disclosure)

Right to revoke in writing; and the exceptions and

instructions regarding the procedure, or a reference to

the Notice if this information is there

A statement about the covered entity’s ability/inability

to condition the authorization on treatment, payment,

eligibility, or enrollment

A statement that once disclosed, the PHI may no

longer be protected by the HIPAA Privacy Rule, or an

alternative statement if the disclosure is to another

covered entity

If use or disclosure is for marketing purposes, and the

covered entity will receive remuneration, a statement

must be included to that effect

Public priority uses and disclosures

of information

Covered entities may use or disclose PHI without

authorization if the use or disclosure comes within one

of the listed exceptions & follows its conditions:

As required by law

For public health activities

About victims of abuse, neglect, or domestic

violence

For health oversight activities

For judicial and administrative proceedings

For law enforcement

Public priority uses and disclosures

of information (cont.)

About decedents (to coroners, medical examiners, funeral directors)

To facilitate cadaveric organ donation and transplants

For research

To avert a serious threat to health or safety

For specialized government functions (military, veterans, national security, protective services, State Dept., correctional facilities)

For workers’ compensation, as authorized by law


Uses and Disclosures required by

law (164.512(a))

The rule permits uses and disclosures by covered

entities to the extent that the use or disclosure is

required by law*

Minimum necessary requirements do not apply

*Subject to requirements for disclosures about victims of

abuse, neglect or domestic violence (164.512(c)), for judicial

and administrative proceedings (164.512(e)), and for law

enforcement (164.512(f)).

Disclosures for judicial and administrative

proceeding – order of a court or

administrative tribunal (164.512(e)(1)(i))

The rule permits a covered entity to disclose PHI in

response to an order of a court or administrative

tribunal provided that the covered entity discloses

only the PHI expressly authorized by such order.

• Covered entity may disclose the information

requested without additional process

• Minimum necessary requirements do not

apply

Disclosures for judicial and administrative

proceedings – subpoena, discovery request, or

other lawful process (164.512(e)(1)(ii))

The rule permits covered entities to disclose PHI in

response to a subpoena, discovery request, or other

lawful process, that is not accompanied by an order of a

court if the covered entity receives satisfactory assurances

that reasonable efforts have been made to-

Provide written notice to the individual(s); or

Secure a qualified protective order.

Disclosures for judicial or administrative

proceedings -- notice (164.512(e)(1)(iii))

A covered entity must receive from the party seeking

the PHI a written statement and documentation that –

A good faith attempt was made to provide notice

(mail to last known address is acceptable);

The notice provided sufficient information to enable

individual to object to production; and

Time for objections has run, and –

No objections were filed; or

Objections filed were resolved, are consistent

with disclosures being sought.

Disclosures for judicial or administrative

proceedings -- qualified protective order

(164.512(e)(1)(iv) and (v))

A covered entity must receive from the party seeking the

PHI a written statement and documentation that –

The parties have stipulated and submitted to the

court/tribunal a qualified protective order; or

The party has requested a qualified protective order.

A qualified protective order is an order or stipulation that –

Prohibits disclosure of the PHI for purposes other than

the proceeding; and

Requires the return or destruction of the PHI at the end

of the proceeding.

Subpoena, discovery request, or

other lawful process (cont.)

With respect to subpoenas, discovery requests,

etc., the covered entity may itself undertake to

satisfy the notice/protective order requirements.

Minimum necessary requirements apply


Disclosures for law enforcement

purposes (164.512(f)(1))

A CE may disclose PHI to law enforcement

officials for law enforcement purposes in the

following 6 circumstances:

1. As required by law;

Law, including laws related to reporting of

gunshot wounds, other physical injuries

Court order; court ordered warrant; court

subpoena or summons

Grand jury subpoena

Disclosures for law enforcement

purposes – required by law (cont.)

Written administrative request, if –

The PHI is relevant/material to a

legitimate law enforcement inquiry;

The request is specific and limited in

scope as reasonably practicable; and

De-identified information could not

reasonably be used.

Law Enforcement Purposes – ID

certain persons (164.512(f)(2))

2. To ID or locate a suspect, fugitive, material witness or

missing person, in response to a law enforcement

official’s request, a CE may disclose:

-- name, address, SSN

-- date & place of birth

-- type of injury, date & time of treatment

-- ABO blood type & Rh factor

-- date & time of death (if applicable)

-- a description of distinguishing physical

characteristics.

Disclosure about victims of crime

(164.512(f)(3))

3. In response to a law enforcement official’s request for

information about a victim or a suspected victim of a crime, a

CE may disclose PHI if the individual agrees, or the victim is

unable to agree due to incapacity or other emergency

circumstance provided that certain conditions are met.

Note: This provision does not apply if the individual is a victim

of abuse, neglect or domestic violence. (164.512(b)(ii) and (c))

Disclosures about decedents

(164.512(f)(4))

4. A covered entity may disclose PHI about an

individual who has died to a law enforcement

official for the purpose of alerting law

enforcement of the death if the covered entity

has a suspicion that such death may have

resulted from criminal conduct.

Disclosure about Crime on Premises

(164.512(f)(5))

5. A covered entity may disclose PHI to law

enforcement officials that the covered entity

believes in good faith constitutes evidence of

criminal conduct that occurred on the covered

entity’s premises.


Reporting crime in medical emergencies (164.512(f)(6))

6. Covered health care providers providing emergency health care not occurring on its premises may disclose PHI when necessary to alert law enforcement to:

-- the commission & nature of a crime,

-- the location of such crime or of the victim(s)

of such crime, &

-- the identity, description, & location of the

perpetrator of such crime.

Note: This provision does not apply if the medical

emergency appears to be the result of adult abuse,

neglect or domestic violence.

Additional permitted disclosures:

Disclosures to avert a serious threat to health or safety. 164.512(j).

Disclosures of PHI of inmates. 164.512(k)(5).

Verification Requirements

A CE is required to verify the ID of the person requesting PHI under these exceptions and his/her authority to have access to PHI

A CE may rely, if reasonable under the circumstances, on the

following to verify ID of a public official:

- In person: agency badge or other credentials

- In writing: on appropriate government letterhead

A CE may rely, if reasonable under the circumstances, on the

following to verify authority of a public official:

- A written statement of the legal authority or an oral statement

if a written statement would be impracticable

- A warrant, subpoena, order, or other legal process issued by a

grand jury or a judicial or administrative tribunal

Express Permission to Report to NICS

Final rule 1/6/16

Disclosers

CEs with lawful authority to order involuntary

commitments or other formal adjudications that result

in individuals being subject to the Federal Mental

Health prohibitor

Recipients

NICS

State-designated repository

Information

Demographic and other information needed

Not diagnostic or clinical

OCR HIPAA Privacy Contacts

OCR Rocky Mountain Region:

1961 Stout Street, Room 08-148

Denver, Colorado 80294

303-844-7915

Hyla Schreurs, J.D., Supervisory EOS

303-844-7508

http://www.hhs.gov/ocr/hipaa/

Full text of Privacy, Security, and Breach Rules

HIPAA Privacy Rule summary

Covered entity "decision tool" to assist individuals and

entities in making these determinations

Over 200 frequently asked questions

Fact sheets

Information about the OCR enforcement program


OCR Web Site


Disclaimer

OCR does not control or guarantee the

accuracy, legality, relevance, timeliness, or

completeness of information contained in the

legal documents or technical assistance

documents provided today, other than those

provided by OCR.

Kate Tipping, JD

Public Health Advisor, Health Information Technology

Center for Substance Abuse Treatment

Substance Abuse and Mental Health Services Administration

42 CFR Part 2 and Criminal Justice

Promoting Meaningful Information Sharing: HIPAA and 42 CFR Part 2 Forum February 23, 2016


CJ Behavioral Health is Public Health

MH/SUDs and CJ involvement (CJI) are interlinked public health & safety issues.

Addressing MH/SUDs can reduce CJI, simultaneously improving public health and safety while reducing related economic burdens.

Public Health

& Safety

MH/SUDs CJI


CJ Referrals Make a Difference in Treatment Completion

According to SAMHSA TEDS data, CJ referral to treatment was consistently one of the strongest predictors of treatment completion or transfer to further treatment.

Secondary statistical analysis of data from a clinical study found that individuals entering court-ordered treatment were over 10 times more likely to complete treatment compared to offenders who entered treatment voluntarily.

SAMHSA, OAS, TEDS data (4/25/12); and Coviello, DM et al. 2013. Does mandating offenders to treatment improve completion rates? J Substance Abuse Treatment. 44:417-425.

SAMHSA’s Strategic Initiative - Health IT

Goal: Widespread Implementation of HIT Systems that Support Quality Integrated Behavioral Health Care for All Americans

• Ensure that behavioral health provider networks fully participate in the adoption of Health IT

• Support the behavioral health aspects of Health IT based on the standards and systems promoted by the Office of the National Coordinator for Health IT

• Support linkage with systems relevant to behavioral health that support prevention, treatment, wellness and recovery (Criminal justice, HUD, education, public health, recovery oriented systems of care, and other human services)


Importance of Criminal Justice Behavioral Health Information Sharing

Identifying target population for intervention

Providing better clinical care

Risk assessment

Assessing outcomes

Program evaluation

Coordinating services for re-entry

Payment and billing


Privacy Regulations (42 CFR Part 2)


Confidentiality and Trust

In order to achieve any level of systemic durability and success, Health IT must be trustworthy and developers and managers must warrant & sustain trusting relationships with all participants, especially the public consumer.

Privacy is not an area for compromise

Confidentiality should never be a shortcut

Security should not be a second thought or an afterthought

Privacy Regulations

Not meant to prevent information sharing but to set the standards for how to share

Federal laws are a baseline; states may adopt stricter regulations

Most states have laws that are stricter than HIPAA; few have laws that are stricter than Part 2

State laws vary widely, which presents challenges for developing unified policy solutions or solutions that work across states, and makes it difficult for technology vendors to develop functionality

Why Confidentiality?

Reduce negative attitudes

Fostering trust

Preserving privacy

Encouraging help-seeking behavior

It is an important, but not absolute, legal and ethical principle

Balance between a patient’s legitimate desire to maintain privacy of sensitive information and permitting sharing of information that will improve treatment or public health or safety

Critical Privacy Questions

Federal and state regulations provide the ground rules. Careful analysis determines how the rules are applied to ensure effective treatment of substance use and mental health disorders.

• Who needs what information when?

• Who determines who needs what information when?

• How should psychotherapy notes and other ultra-sensitive information be treated?

• How should HIT systems be designed to allow patients to control disclosure and re-disclosure of sensitive information?

42 CFR Part 2

The purpose of the statute and regulations prohibiting disclosure of records relating to substance abuse treatment, except with the patient's consent or a court order after good cause is shown, is to encourage patients to seek substance abuse treatment without fear that by doing so their privacy will be compromised.

Source: State of Florida Center for Drug-Free Living, Inc., 842 So.2d 177 (2003) at 181.

Applicability

Applies to: Federally assisted individual or entity that “holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or treatment referral”

Unit within a general medical facility that holds itself out as providing diagnosis, treatment or treatment referral

Medical personnel in a general medical facility whose primary function is the provision of alcohol or drug abuse diagnosis, treatment or referral for treatment and who are identified as such providers.

Disclosure

Patient consent must be obtained before sharing information from a substance abuse treatment facility that is subject to 42 CFR Part 2

Disclosure:

• “A communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the record of a patient…” (42 CFR 2.11)

• Even acknowledging that an individual is (or was) a patient at a Part 2 facility is a breach of the regulations

Source: 42 CFR Part 2


Revocation of Consent

“The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent is given.”

Source: 42 CFR Part 2

Restrictions on Redisclosure and Use

“A person who receives patient information under this section may redisclose and use it only to carry out that person’s conditional release or other action in connection with which the consent was given.”

Source: 42 CFR Part 2


Exceptions

Limited exceptions for disclosure without consent:

• Medical emergencies

• Child abuse reporting

• Crimes on program premises or against program personnel

• Communications with a qualified service organization of information needed by the organization to provide services to the program

• Research

• Court order

• Audits and evaluations

Source: 42 CFR Part 2

Privacy Regulation (42 CFR Part 2) and

Criminal Justice


Permitted Disclosure (42 CFR Part 2)

Generally cannot disclose information without subpoena and court order - arrest/search warrant not sufficient

Can disclose for crime committed by patients on program premises or against program personnel or a threat to commit such a crime

Addiction treatment records may not be used to initiate/substantiate criminal charges (42 CFR 2.1) but can be used for revocations


Permitted Disclosure (42 CFR Part 2)

Disclosures by a treatment entity providing services to a court-ordered patient (post-adjudication, 42 CFR 2.35)

Diagnosis made “solely for the purpose of providing evidence for use by law enforcement authorities”

If the facility is not identified publicly as only an alcohol or drug abuse facility, the patient’s presence may be acknowledged if doing so does not reveal alcohol or drug abuse (42 CFR 2.13)

Permitted Disclosure (42 CFR Part 2)

A program may disclose information about a patient to those persons within the criminal justice system which have made participation in the program a condition of the disposition of any criminal proceedings against the patient or of parole or other release from custody if

• Disclosure only to those who need the information for monitoring/supervision

• Written consent of the patient (but revocation rule does not apply)

State Laws

State laws often provide additional protections for HIV infection, mental health information, genetics, drug and alcohol abuse, minors, domestic violence.

Mental health records are treated as ultra-sensitive in many jurisdictions.

Each state approaches the confidentiality of mental health records from their own perspective

Health IT systems have to recognize this variability in state statutes and regulations.


Resources

To help providers in the behavioral health field better understand privacy issues related to Health IT, SAMHSA, in collaboration with ONC has created two sets of Frequently Asked Questions (FAQs).

• These FAQs can be accessed at: http://www.samhsa.gov/healthprivacy/docs/EHR-FAQs.pdf and

• http://www.samhsa.gov/about/laws/SAMHSA_42CFRPART2FAQII_Revised.pdf

Contact: [email protected]

Questions and Comments


Realize the Power of Information

February 23, 2016 Denver, CO

Bob May Assistant Director IJIS Institute

• Non-Profit Organization

• Dedicated to joining forces with the technology industry to unite the public and private sectors for improving mission-critical information sharing and safeguarding across justice, public safety, corrections and homeland security communities.

• Improve public safety and the justice process

• Provide for continuity of care for justice involved individuals

• Bridge the gaps in information sharing of:

• medical history

• mental health/program assessment information

• drug prescription history

• threat assessment levels

• behavioral issues

Receipt and sharing of PHI is critical for individuals entering or leaving the corrections environment for purposes of classification, treatment, and continuation of care. These include:

• Intake assessments

• to determine the individual’s level of risk (to him- or herself, other inmates, and corrections personnel);

• establishment of a treatment plan and engagement in appropriate treatment programs; updated treatment plans; and

• engagement in medical, mental health, or substance abuse treatment in the community upon release.

• Informing medical, mental health, or substance abuse treatment providers about a defendant’s, probationer’s, or parolee’s treatment history.

• Compliance with conditions of pre-trial, probation, or parole, and/or court orders, during which medical, mental health, or substance abuse treatment providers may need to share program completion status and treatment progress with pre-trial, probation, and parole officials and/or courts for reporting purposes.


Health information can help officers assess how to interact with an individual in ways that will produce safer and more positive outcomes, including how to de-escalate a situation effectively and provide a link to services when appropriate.


When a correctional institution or law enforcement agency has custody of an individual, HIPAA permits access to PHI without consent if the information is necessary to:

(1) provide health care to the individual;

(2) ensure the health and safety of the inmate or

others housed or working in the facility;

(3) protect the health and safety of any law

enforcement officer transporting an inmate

between facilities;

(4) protect those involved in the transfer or transporting of the individual;

(5) promote law enforcement on the premises of

the correctional institution; or

(6) maintain and administer safety, security, and good order in the correctional facility.

See 45 CFR 164.512(j)(1)(ii)(B).

The lawful custody exception, however, no longer applies once a person is released from custody, including on probation or parole.

Generally, without consent, police officers need a court order to obtain PHI from a substance use treatment provider, except for a medical emergency or a crime committed on the premises of the treatment facility.

Absent consent, a court order will generally be required to receive PHI from a substance use program, §§ 2.61-67. Court orders are granted only when disclosure is needed to protect against an existing threat to life or serious bodily injury or is necessary for further investigation of a serious crime.

Prosecutors, defenders, and the courts—Courts and lawyers are not federally assisted programs; however, court appearances are frequently used to divert people from incarceration to treatment programs.

When drug courts or diversion programs make referrals to treatment providers as a conditional disposition, a provision allows programs to share PHI with the court (or other entity tasked with monitoring progress), with the individual’s consent, § 2.35.

Courts have upheld that it is constitutional to require confidentiality waivers as a condition of participating in a drug court.


42 CFR Part 2 does NOT permit PHI about substance abuse to flow to or from a correctional facility without an individual’s consent.

Community Corrections

Probation and parole officers are not federally assisted programs and therefore can disclose PHI they learn by interviewing clients to others.

They cannot request and receive PHI from programs without prior, valid consent.

If a probation or parole officer needs PHI, the courts can require a waiver of confidentiality for both substance use and mental health information as a condition of release from prison or probation.

Health information can help officers assess how to interact with an individual in ways that will produce safer and more positive outcomes, including how to de-escalate a situation effectively and provide a link to services when appropriate.

Law enforcement officials are not “covered entities” under HIPAA.

They also are not a “federally assisted program” within the meaning of 42 CFR Part 2.

Post-booking diversion programs

Therapeutic courts

Courts are neither “covered entities” within HIPAA nor “federally assisted programs” within 42 CFR Part 2.

Because of the significant role courts play in directing defendants to treatment and in overseeing compliance with treatment conditions, both HIPAA and 42 CFR Part 2 are relevant to information sharing by and with courts.

HIPAA defines a correctional institution as “any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program” operated by or under contract to federal, state, municipal, or Native American tribal government.

The institution must exist for the confinement or rehabilitation of people charged with or convicted of an offense.*

They also are not a “federally assisted program” within the meaning of 42 CFR Part 2.

*The status of correctional institutions as “covered entities” is not established clearly in the regulations. For a discussion of this debate, see http://www.nga.org/cda/files/HIPAACorrectionsAJA.PDF.

Corrections are generally not “covered entities” under HIPAA unless they declare themselves as such.

They are not “health plans” because HIPAA excludes from the definition of “health plan” a government-funded program whose principal purpose is something other than providing or paying for the cost of health care.

Clinical staff who work for a correctional facility meet the definition of “health provider” under HIPAA, whether employed directly by the correctional facility or under contract.

If a correctional facility contracts for health-care services, the provider of those services will determine independently whether it is a covered entity (and in most cases will consider itself such).

Many correctional facilities, as well as state departments of corrections, have defined themselves as covered entities.*

Because 42 CFR Part 2 does not contain provisions specifically addressing correctional institutions, the general rules about consent will apply.


Probation and parole officers are not “covered entities” under HIPAA, nor are they “federally assisted programs” within the meaning of that term in 42 CFR Part 2.

Their access to information may be affected by provisions in each.

Realize the Power of Information

A program may disclose information about a patient to those persons within the criminal justice system who have made participation in the program a condition of the disposition of any criminal proceedings against the patient or of parole or other release from custody if:

• Disclosure only to those who need the information for monitoring/supervision

• Written consent of the patient (but the revocation rule does not apply)

Source: [email protected]


Fact: HIPAA does not require consent for disclosures or uses that are necessary to carry out:

• treatment,

• payment, or

• health care operations

However: 42 CFR Part 2 does require consent unless one of the limited exceptions applies.

Source: [email protected]


Fact: HIPAA permits disclosures for:

• Public health activities

• Victim of abuse or neglect

• Judicial/Administrative proceedings

• Law enforcement

• Threats to health or safety

• Court-ordered examinations

• Correctional facilities

• Through business agreements

Source: [email protected]


Fact: 42 CFR Part 2 permits disclosures:

• Public health research

• Child abuse reporting

• Crimes on premises or against staff

• Criminal justice system if treatment is made a condition of parole or release

• To other systems with patient consent or a qualified service organization agreement (QSOA)

Source: [email protected]


Fact: Both HIPAA and 42 CFR Part 2 permit intra-agency exchanges of information

Source: [email protected]


IJIS and Urban Institute

Opportunities for Information Sharing to Enhance Health and Public Safety Outcomes

Global Strategic Solutions Work Group

Prioritizing Justice-to-Health Exchanges Task Team Final Report

Global Standards Council – Justice/Health

Aligning Justice-To-Health Priority Exchanges Task Team Final Report


Bob May

Assistant Director, Program and Technology Services

IJIS Institute

(571) 353-7597

[email protected]

Electronic Health Data Exchange

Toria Thompson

Behavioral Health Information Exchange Coordinator, CORHIO

© 2016 Colorado Regional Health Information Organization (CORHIO) - All Rights Reserved. CORHIO Proprietary - Not For Redistribution

Disclaimer

• The following slides are for educational purposes only.

• You should seek legal advice regarding your specific situation and compliance obligations.


HIPAA Rules Regarding Electronic Exchange


PRIVACY RULE - The HIPAA Privacy Rule governs the use and disclosure of personally identifiable health information.

SECURITY RULE - The HIPAA Security Rule imposes requirements on Covered Entities with respect to the protection of electronic PHI (ePHI).

HIPAA FINAL OMNIBUS RULE – In 2013, HHS and OCR announced a final rule, called the Omnibus Rule, that implements a number of provisions of the HITECH Act. The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.


Breach Statistics


“For many years, the top cause of lost or stolen patient data was a health care organization employee losing a device or having one stolen. In 2014, for the first time, the top cause was a criminal attack.”

Source - http://www.forbes.com/sites/laurashin/2015/05/29/why-medical-identity-theft-is-rising-and-how-to-protect-yourself/


HIPAA Rules Regarding Electronic Exchange

• Email: The Security Rule requires covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic personal health information (PHI) sent and received over email communications.

• Encryption: The standard for transmission security (§ 164.312(e)) has been updated to enforce the use of encryption.


A Massachusetts hospital was recently fined $218k for using a cloud-based file sharing service. Although there was no evidence of an actual breach, the methods that the hospital's employees used for sharing the electronic protected health information were deemed risky enough to warrant a fine.

A Texas-based facility recently announced it experienced a breach due to a phishing scam. In December 2014, an employee at the facility opened a fraudulent email from a hacker, which exposed the system to further attack. An investigation into the breach determined that approximately 39,000 patients’ PHI was compromised by the attack.


What Constitutes PHI?

• Name

• Address

• All elements (except years) of dates related to an individual

• Telephone numbers

• FAX number

• Email address

• Social Security number

• Medical record number

• Health plan beneficiary number

• Account number

• Certificate/license number

• Vehicle identifiers

• Device identifiers

• Web URLs

• IP address

• Biometric identifiers, including finger or voice prints

• Full-face photographic images and any comparable images

• Any other unique identifying number, characteristic, or code

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual:

Protected health information (PHI) is individually identifiable information that is:

1. transmitted by electronic media;

2. maintained in electronic media; or

3. transmitted or maintained in any other form or medium (includes paper and oral communication).


How do I handle PHI and Confidential Information?

• Do not send PHI in unencrypted email

• If you receive an email containing PHI, delete it immediately, including from your trash folder, and inform the sender not to send that data or to encrypt it.

• Never store PHI or confidential data on a non-encrypted laptop or location, such as USB drives.

• Apply the “Minimum Necessary” standard

• Access only the necessary PHI required to do your job

• Limit the sharing of information to only those who need to know to perform their job

• Secure laptop and other devices, taking reasonable precautions to prevent theft

• Set up your Wi-Fi to stay safe on public networks

• Turn off Sharing.

• Enable your computer’s Firewall

• Use HTTPS when possible

• Turn off Wi-Fi when not in use.

• Create complex passwords

• Never share your password with others.

• When choosing a password, make sure that it is something not easily guessed.


Example Email Policy for Transmission of PHI Internally


ABC Health System’s Email Policy:

• You must never send or receive email containing PHI from any device EXCEPT an organization-managed computer or an organization-managed smartphone.

• Limit the information you include in an email to the minimum necessary for your clinical purpose.

• Whenever possible, avoid transmitting highly sensitive PHI (for example, mental health, substance abuse, or HIV information) by email.

• Never use automatic forwarding with your email account.

• Never send PHI by email unless you have verified the recipient’s address (for example, from a directory or a previous email) and you have checked and double-checked that you have entered the address correctly.

• Always include the following privacy statement notifying the recipient of the insecurity of email and providing a contact to whom a recipient can report a misdirected message.

Recommended privacy statement: Please be aware that e-mail communication can be intercepted in transmission or misdirected. Please consider communicating any sensitive information by telephone, fax, or mail. The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately with a copy to [email protected] and destroy this message.

Use of Email to Transmit Protected Health Information (PHI): Sending Protected Health Information (PHI) by email exposes the PHI to two risks:

1. The email could be sent to the wrong person, usually because of a typing mistake or selecting the wrong name in an auto-fill list.

2. The email could be captured electronically en route.


Example Email Policy for Transmission of PHI with External Entities

Sending email containing PHI outside of ABC Health System: You may exchange PHI by email outside the ABC Health System network, so long as you follow the rules above AND so long as one of the circumstances below applies:

• The email is encrypted through a secure messaging system such as Epic or MyChart, or through ABC Health System’s secure file transfer application (http://www.ABCHealth.org/its/email/transfer.html). Note: Standard ABC Health System e-mail, such as Outlook, is NOT encrypted.

OR

• The email is being sent to a non-ABC Health System clinician, research collaborator, or collaborating institution, AND it contains information urgently needed for patient care, AND the patient identifiers are limited to name, date of birth, medical record number, or phone number, as needed.

OR

• The email is being sent to a non-ABC Health System clinician, research collaborator, or collaborating institution, AND it must be transmitted in a timely manner, AND it contains no direct identifiers (name, address, Social Security number, date of birth, phone/fax numbers, or patient email address) and no highly sensitive PHI (for example, mental health, substance abuse, or HIV-related information). Note: Less direct identifiers such as medical record number or initials (for example, “Mr. S”) may be included.

OR

• The patient or research subject has agreed to the use of email by completing a Consent for Email Communication form (available at http://HIPAA.ABCHealth.org/resources/docs/email-communication.pdf).


HIPAA Compliant Email

Myths about email for HIPAA

1. Myth: All email service providers have secure servers. Emails sent from free services like Gmail, AOL, and Yahoo are not encrypted. Gmail does have a business product that provides encryption.

2. Myth: It’s necessary to encrypt any and all emails. Encrypting interagency communication is not required by HIPAA as long as the server is secure enough to not be penetrated by an external source.

3. Myth: Even with patient acknowledgement and authorization you have to encrypt or secure the server. If you have a signed authorization from the patient indicating their desire to receive correspondence via email, and you’ve educated them about the inherent risks of unsecure email, you do not need to encrypt.

Some HIPAA Compliant Email Vendors


The above list is for reference only and does not imply CORHIO endorsement


HIPAA Compliant Email: Process w/ Outlook 365


Step 1: CORHIO emails a file containing PHI to Dr. John’s office using Microsoft Outlook 365, placing “CORHIOEncrypt” in the subject.

Step 2: Dr. John’s office receives an email saying that there is an encrypted message for them.


Step 3: Dr. John’s office opens the link and is taken to a webpage where they can sign in or ask for a one-time passcode.

Step 4: After successfully authenticating, they are taken to the email message in the browser and will be required to log in each time they want to view it.
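The Outlook 365 process above encrypts a message only when the sender remembers to put the keyword in the subject. As an added example (not CORHIO's configuration and not code from the slides), this Python model of an outbound mail decision honors the “CORHIOEncrypt” keyword and holds external mail that omits it but appears to carry identifiers from the “What Constitutes PHI?” list. The domain names, the four regular expressions and the deliver/encrypt/hold actions are assumptions, and the sample messages are constructed.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

TRIGGER = "corhioencrypt"            # subject keyword shown on the slide
INTERNAL_DOMAIN = "corhio.example"   # assumption: placeholder for the sender's own domain

# Assumed, simplified patterns for four identifiers from the "What Constitutes PHI?" list.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def has_external_recipient(msg):
    """True if any To/Cc address is outside INTERNAL_DOMAIN."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    domains = [addr.rpartition("@")[2].lower() for _, addr in getaddresses(fields) if addr]
    return any(d != INTERNAL_DOMAIN for d in domains)


def scan(msg):
    """Return sorted labels for identifier patterns found in the subject and text parts.

    Non-text parts are not parsed here; they are reported as 'uninspected_attachment'
    so the caller treats them as unknown rather than clean.
    """
    text = [msg.get("Subject", "")]
    findings = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            text.append(part.get_content())
        else:
            findings.add("uninspected_attachment")
    joined = "\n".join(text)
    findings.update(name for name, rx in PHI_PATTERNS.items() if rx.search(joined))
    return sorted(findings)


def route(msg):
    """Decide what to do with an outbound message: 'deliver', 'encrypt' or 'hold'."""
    findings = scan(msg)
    if not has_external_recipient(msg):
        return "deliver", findings          # stays inside the organization
    if TRIGGER in msg.get("Subject", "").lower():
        return "encrypt", findings          # sender asked for encryption
    if findings:
        return "hold", findings             # likely PHI, keyword forgotten
    return "deliver", findings


def make_message(subject, to, body, attachment=None):
    """Build a constructed sample message for the demonstration."""
    msg = EmailMessage()
    msg["From"] = f"staff@{INTERNAL_DOMAIN}"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="pdf", filename="results.pdf")
    return msg


if __name__ == "__main__":
    external = "frontdesk@drjohn.example"   # constructed address
    body = "Patient MRN: 00482913, DOB 4/12/1961, callback 303-555-0100"  # constructed
    samples = [
        make_message("CORHIOEncrypt - lab results", external, body, b"%PDF-1.4 constructed"),
        make_message("Lab results", external, body),
        make_message("Results", external, "See attached.", b"%PDF-1.4 constructed"),
        make_message("Schedule", external, "Thursday's meeting is moved to 3 pm."),
    ]
    for m in samples:
        print(m["Subject"], "->", route(m))
```

Pattern matching of this kind produces both false positives and misses, so a held message goes to a person for review instead of being silently dropped.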


Direct Email Exchange


Direct – or direct exchange – is a basic type of health information exchange (HIE) that allows a health care provider to securely send patient information directly to another specified health care provider, or even a patient.

• Emails are sent over the Internet in an encrypted, secure way; Direct is commonly compared to sending a “secure email.”

• Your Direct email address is provided by a health information service provider (HISP).

• CORHIO is a HISP and can provide you with a Direct email account and connect you to other providers who are not part of your HISP. Your EHR vendor may also provide HISP services.

• Because the HISP pre-authenticates each provider before issuing a Direct email address, there is no need to “log in” or “authenticate” your identity each time you receive an email with Direct. This makes it easier to use.


Pros and Cons of Direct Email

Advantages

• Permits users of a Direct-enabled EHR to send and receive point-to-point messages and attached files from any other certified EHR regardless of operating system.

• Facilitates secure communication with providers and patients using Internet-based software and devices of almost any kind.

• Works well when you are referring a patient to another known provider and coordinating care in advance of a provider visit.

• For sensitive information, such as protected behavioral health notes, Direct messaging ensures that patient data is sent only to a pre-selected, authorized provider and is not available to access in a query-based HIE application.

Limitations

• Direct does not support a model of “pulling” information, or query-based exchange. Therefore Direct is not a complete interoperability package. Also, it does not populate data into the community health record.

• Similar to faxing medical records, information exchanged via Direct may result in members of a patient’s broader care team being inadvertently excluded from important communications.

• Direct may be less efficient and effective than other forms of HIE when coordinating care for patients with complex medical histories, comorbidities, or who are visiting several different specialists over the course of a year.


How HIE Works

Paper & phone based with some limited electronic connections

One electronic connection to the HIE to access/share patient information across the state


CORHIO’s Current Capabilities

[Figure: Community Health Record. Labels: Hospitals; Public Health Departments; Laboratories; Radiology Centers; Newborn Screening Results; Hospital ADT info; Lab Results; Pathology Reports; Radiology Reports; Consult Reports; Transcription Notes; Lab/Rad; Reportable Conditions; Immunizations]


CORHIO and QHN: Colorado’s two HIEs


CORHIO: By the Numbers

50 Hospitals (data senders and receivers)

• 11 more underway!

• Participating hospitals represent 93% of all hospital beds in the region

184 Long-Term, Post-Acute Care & Behavioral Health Facilities (data receivers)

• One of the highest LTPAC connection rates in the country!

3,900+ Office Based Physicians/Providers (data receivers)

• 8,300+ total users!

• SCL now sending ambulatory data for six ambulatory clinics.

4,000,000+ Patients (unique patients)

• Represents 80% of Colorado’s total population!


QHN: By the Numbers

14 Hospitals

• 85% connected

• QHN continues discussions with other hospitals in the western Colorado medical trade area not connected

5 Long-Term & 1 Behavioral Health

• 43 Long-term care, home health, hospice, Rehab, Transition of Care facilities & Case management services

• Mind Springs Health is piloting sending BH CCDs to QHN for exchange

193+ Practices/Organizations have Interface with QHN

• 93%+ of medical providers on western slope

• 1,042+ users

• 55 practices have bi-directional interface (data senders & receivers)

661,000+ Patients (unique patients)


CORHIO Services Available Today


Patient Care 360 – Provider Portal (Query)

Results Delivery (Push into EHR)

CORHIO Future


[Figure labels: CORHIO Provider Portal (Patient Care 360); Protected, non-HIPAA Sharable Data (Sharable only via Consent); Substance Use Tx Provider; Community Mental Health Center; HIV Clinic; Patient Consent Portal; Ambulatory & LTPAC CCD; ONC Advance Interoperability Grant]

QHN Future: ONC Advance Interoperability Grant


Pull:

Process:

Reports are “pushed” from MSH to HIE “wrapped” and housed in the longitudinal health record in a sequestered repository under a special Consent Date Notice. This notice indicates the provider must have written patient consent prior to “breaking-the-glass”.

Provider practice retains patient consent form.

Provider obtains patient consent, using established community-wide HIE consent form, to view BH results in longitudinal health record.

MSH Acquires Patient Consent

QHN HIE

Pulled by providers from longitudinal record

Provider obtains and retains patient consent


Questions?


If you have questions, please contact me at:

Toria Thompson

Behavioral Health Information Exchange Coordinator, CORHIO

[email protected]

303-746-3161


Table Top Scenarios

Type of Confidential Data:

Medical/Mental Health (HIPAA)

Who has the information? • Covered Entity? (Y/N)

Who wants the information? • Covered Entity? (Y/N)

Patient Release? (Y/N)

Business Associate Agreement? (Y/N)

Exceptions?

Type of Confidential Data:

Substance Abuse (42 CFR Part 2)

Who has the information? • Federally Assisted Program (Y/N)

Who wants the information? • Federally Assisted Program (Y/N)

Patient Release? (Y/N)

Qualified Service Organization? (Y/N)

Exceptions?

Considerations


HIPAA/42 CFR Part 2 Scenario #1

A probation officer requests treatment information from a Community Mental Health Center (which is also a licensed substance use treatment agency). The person in treatment has not consented to the release.

Can the CMHC release the information?

*Petrila, J. & Fader-Towe, H. (2010). “Information Sharing in Criminal Justice–Mental Health Collaborations: Working with HIPAA and Other Privacy Laws.” Council of State Governments Justice Center, New York, NY. (Report funded by Bureau of Justice Assistance Grant No. 2008-MO-BX-K002).

HIPAA/42 CFR Part 2 Scenario #2

A health care provider knows that a patient, diagnosed with a serious mental illness and a substance use disorder, has stopped taking their prescribed medication(s). Can the provider tell:

the patient’s partner/spouse?

the patient’s probation/parole officer?

the patient’s mental health/drug court program?


HIPAA/42 CFR Part 2 Scenario #3*

Can a jail or state prison share a patient’s medical, mental health, and substance use treatment information with an outside health-care agency/provider prior to the person being released, to provide a continuum of service?


HIPAA/42 CFR Part 2 Scenario #4

Sam, a patient in XYZ Drug Treatment Program, is involved in a major heroin distribution ring and has been distributing drugs to other patients.

Can XYZ Drug Treatment Program tell the police and release information to the prosecutor?


HIPAA/42 CFR Part 2 Scenario – Health Care Providers

A police officer comes to a hospital and requests protected health information (PHI) regarding Patient A. Patient A is unconscious.

Can the hospital release Patient A’s PHI to the police officer?


HIPAA/42 CFR Part 2 Scenario – Health Care Providers

A mental health treatment provider treats an individual who participates in a community corrections program.

Can the provider give PHI to a community corrections officer to determine whether the person is complying with conditions of probation?

Can the provider disclose substance use treatment information (e.g., UA results)?


HIPAA/42 CFR Part 2 Scenario – Health Care Providers

A law enforcement officer brings a patient to a hospital or other mental health facility to be placed on a psychiatric hold (72-hour mental health hold), and requests to be notified if or when the patient is released.

Can the facility release that notification to the officer?


HIPAA/42 CFR Part 2 Scenario – Health Care Providers

Betty, a patient at ABC drug treatment program, overdoses and lapses into a coma.

Can ABC drug treatment program disclose Betty’s information to the Emergency Room (ER) of a local hospital so it can treat her overdose?

If so, can the ER doctor inform Betty’s family that she is in treatment at ABC drug treatment program?


HIPAA/42 CFR Part 2 Scenario – Health Care Providers

During a treatment session, a person on probation discloses that she used an illegal drug over the weekend.

Can the treatment agency share this information with the probation officer? Mental health court team? Or do they need to discover it for themselves from a urinalysis test?


HIPAA/42 CFR Part 2 Scenario – Community Agency

A street outreach worker contacts Jim, who is homeless. Jim states that he has a long history of mental and physical health problems and heavy alcohol use, has been off his psychiatric medication for several months, is depressed, and thinks about suicide.

Can the outreach worker report this information to health care providers? Housing or social service providers?


HIPAA/42 CFR Part 2 Scenario* - Problem Solving Court

When a court orders an individual to receive mental health treatment in the community as a condition of community supervision, what information can the probation officer share with the court?


HIPAA/42 CFR Part 2 Scenario* - Problem Solving Court

A healthcare provider, working under the auspices of the court, screens a person for admission to a mental health court program. During screening, the individual reveals details about her prior history of mental health and substance use treatment.

Can this information be shared with the members of the mental health court team if the client has not given permission to share this information?


HIPAA/42 CFR Part 2 Scenario* - Corrections

Can correctional facilities access medication information from a pharmacy without a signed release?


HIPAA/42 CFR Part 2 Scenario* - Corrections

A jail treats an inmate for mental illness.

Can the jail share this information with the prosecution, defense counsel, and the court?


HIPAA/42 CFR Part 2 Scenario* - Corrections

Can information be shared from within a correctional facility to a parole board making release decisions?
