HIPAA and 42 CFR Part 2: Walking Through the Maze
Download
Report
Transcript HIPAA and 42 CFR Part 2: Walking Through the Maze
HIPAA and 42 CFR Part 2:
Walking Through the Maze
A Presentation to the Law and Community
Health Section
Joan M. Wilson
Assistant Attorney General
[email protected]
Why?
• Growing body of medical research
– High prevalence of individuals with cooccurring substance abuse and mental health
disorders
– Difficulty in accessing appropriate treatment in
separate mental health and substance abuse
systems
– Challenges to recovery when undiagnosed
disorders
Why?
• To remedy, the Substance Abuse and
Mental Health Services Administration
(SAMSHA) created the Co-Occurring
State Incentive Grant Program
– Alaska Department of Health and Social
Services is a recipient
• One of seven initial states
Why?
• Requirements of Grant– Infrastructure
Development in following areas
– Standardized Screening and Assessment
– Complementary Licensure and Credentialing
Requirements
– Service Coordination and Network Building
– Financial Planning
– Information Sharing
Why?
• Alaska Department of Health and Social
Services, Division of Behavioral Health
– DBH Grantees to Provide Integrated Care for
Coexisting Substance Abuse and Mental
Health Disorders
• Present Approach
– Substance abuse treatment facilities screen for mental
illness,
– Mental health facilities screen for substance abuse
– No wrong door policy
– Eventual treatment for both disorders in all locations
Mental Health Facilities
• Does Screening Alone Subject Entities to
the Substance Abuse Treatment
Regulations for the first time?
42 CFR PART 2
42 CFR Part 2
• Except under certain conditions, there is a
prohibition on disclosure of information
concerning a “patient” in a “federally
assisted” program
– Federal assistance
– Program
– Patient
42 CFR Part 2
• Federal assistance
– Includes federal block grants or other funds channeled
through state or local governments
• Medicaid
• COSIG Grant
– Includes certification for Medicare reimbursement
42 C.F.R. Part 2
• Program
– Individual or entity that holds itself out as
providing and does provide alcohol or drug
abuse diagnosis, treatment, counseling, or
referral for treatment
• Note does not say “referral for diagnosis”
– Could stand in the place of a program if State
law, regulation, or licensing requirement binds
the individual or entity to the standards of 42
C.F.R. Part 2
42 CFR Part 2
• Program, includes
– Individual or entity other than a general
medical care facility
– Identified Unit within a general medical facility
– Medical staff in a general medical facility
whose primary function is diagnosis,
treatment, or referral
42 CFR Part 2
• Patient
– An individual who has applied for or been
given diagnosis or treatment for alcohol or
drug abuse at a federally assisted program
42 CFR Part 2
• General Rule: Information that identifies
an individual as a patient of a program
may not be used or disclosed absent
patient authorization, unless an exception
for the use or disclosure applies
HIPAA Use and Disclosure Rule
• General rule: A covered entity and its
workforce, may not use or disclose PHI,
except —
– For TPO
– With individual permission
– To the individual
– As otherwise permitted or required
by HIPAA
Mental Health Programs
• Utilize screening tool
– Raises possible of substance abuse problem
– Refers to another organization for diagnosis
– Is it subject to the Substance Abuse
Treatment regulations?
Screening vs. Diagnosis
• From SAMSHA
– Information gathered by a program for purposes other
than a diagnosis, treatment, or referral for treatment is
not subject to the 42 C.F.R. Part 2 restrictions covered
– Screen or pre-screen procedures
• Identifying an Individual as possibly having a substance
abuse problem by use of a screening or prescreening
procedure that is not conducted as part of diagnosis or
treatment is not subject to the 42 CFR Part 2 restrictions
• SAMSHA Technical Assistance Publication Series 24,
“Welfare Reform and Abuse Treatment Confidentiality:
General Guidance for Reconciling Need to Know and
Privacy”
Key Benchmark for 42 CFR Part 2
• Diagnosis and treatment
– The act or process of deciding the nature of a
diseased condition by examination of the
symptoms
– A careful analysis of the facts meant to
explain something
– A decision based on such an examination or
analysis
Not there yet, But
HIPAA and 42 CFR Part 2
Uses and Disclosures Under
Both Regulations
HIPAA and 42 CFR Part 2
• HIPPA
– Providers who electronically transmit any
health information in a HIPAA covered
standard transaction
• 42 CFR Part 2
– Individual or entity that holds itself out as
providing and does provide alcohol or drug
abuse diagnosis, treatment, counseling, or
referral for treatment
Standard for Uses And Disclosures
• Apply the more restrictive standard
– Standards that provide greater privacy
protections
• Exceptions
– Disclosures to the individual whose health information is
at issue
– Disclosures to federal Department of Health and Human
Services for HIPAA compliance determinations
The Answer: 42 CFR Part 2
• General Rule: Information that identifies
an individual as a patient of a program
may not be used or disclosed absent
patient authorization, unless an exception
for the use or disclosure applies
With Authorization
Make consistent with both
regulations
•
Elements
Patient Name
Meaningful and specific description of information
Specific name or general description of Persons authorized to disclose
Name of individual or organization to receive
Purpose of disclosure
Expiration date/ event (no longer than reasonably necessary for purpose
•
Required statements:
– Right to revoke
– Whether authorization is a condition of treatment
– 42 CFR Part 2 re-disclosure statement
•
Obtain appropriate signature or signatures
copy to individual
Patient Authorization/Consent
• Statement to accompany disclosure
– This information has been disclosed to you from records
protected by Federal confidentiality rules (42 CFR Part 2). The
Federal rules prohibit you from making any further disclosure of
this information unless further disclosure is expressly permitted
by the written consent of the person to whom it pertains or is
otherwise permitted by 42 CFR part 2. A general authorization
for the release of medical or other information is NOT sufficient
for this purpose. The Federal rules restrict any use of the
information to criminally investigate or prosecute any alcohol or
drug abuse patient.
Patient Authorization/Consent
• Disclosures to the referring criminal justice
patient
– Patient has signed a written consent
– Disclosure only to individuals with a need to
monitor progress
– Reasonable duration of consent
– Expiration of consent may be no later than
final disposition
– Re-disclosure is permissible to carry out
duties with regard to conditional release
42 CFR Part 2
Exceptions to
Authorization
HIPAA Exceptions
To Authorization
Internal Communications
Treatment, Payment, Health
Care Operations
No Patient identifying
information
All other HIPAA exceptions
Medical emergency
Treatment
Court order
Court Order
Crime on premises
Law Enforcement
Child Abuse and neglect
reporting
Required by law
Research/audit, evaluation
Health Care Operations, Health
Oversight, and Research
QSO
Health Care Operations with
Business Associate Agreement
HIPAA Permitted Disclosures
Government and Other
Purposes
• As required by other laws
• Organ procurement
• Public health activities
• Research purposes, under
limited circumstances
• Victims of abuse, etc.
• Health oversight activities
• Workers’ compensation
• Law enforcement purposes
• Decedents - coroners
and medical examiners
• Imminent threat to health or
safety (to the individual or the
public)
• Specialized government
function
• Judicial and administrative
proceedings
Internal Communications and
Use of TPO
• Communications of patient identifying
information among personnel with a need to
know within a program or with an entity having
direct administrative control over the program
– Determine what uses or disclosures this will cover
– Do you need to disclose patient-identifying
information?
– Disclosure must be permissible under this or another
section
No Patient Identifying
Information
• Disclosure does not impliedly or expressly
indicate individual is or was a substance
abuse patient
• Disclosure does not impliedly or expressly
indicate an individual has applied for or
received substance abuse diagnosis,
treatment, counseling, or referral for
treatment
No Patient Identifying
Information
• Guidance from SAMSHA on “No Patient
Identifying Information”
– If a program can disclose a patient’s identifying
information without indicating “patient” status, 42 CFR
Part 2 is not violated
• Disclosures possible primarily when a program is part of a
larger entity and can use the larger entity’s name when
making the disclosure
• Program physician with separate office
• Anonymous disclosures (e.g. vulnerable adult abuse
reporting, duty to warn)
Technical Assistance Publication Series 18, “Checklist
for Monitoring Alcohol and Other Drug Confidentiality
Compliance”
No Patient Identifying
Information
• Key – Does the Disclosure identify an individual who has
applied for or been given diagnosis or treatment for
alcohol or drug abuse at a federally assisted program
– Can you give information without identifying self as substance
abuse treatment provider
• If so, Permitted Disclosures Under HIPAA can operate
– Required by Law Disclosures
– Public Health Activities
– Duty to Warn
• If not, consider anonymous disclosures
– Especially for duty to warn/threat of imminent harm
Medical Emergency
• Disclosure to medical personnel
– Treating a condition posing immediate threat
to health of individual
– Immediate intervention required
– Documentation required
Court Orders
• HIPAA’s More Permissive Provisions will
not Operate
– Subpoena alone not sufficient
– Court Order, including search warrant, alone
not sufficient
– Satisfactory Assurances?
• Inoperable
Court Orders -- Civil
• Motion for Release of Records filed in
court
– Fictitious name or
– Sealed proceeding
• Notice to patient and provider
– Opportunity to respond
Court Orders – Civil
• Hearing
• Criteria for order
– Other ways of obtaining information not
available or effective
– Public interest and need for disclosure
outweigh injury to patient, physician-patient,
and treatment
Court Orders – Civil
• Confidential communications
– Necessary to protect against an existing
threat, including child abuse
– Necessary to prosecute a serious crime, or
– Door opened
Court Orders - Civil
• Content of Order
– Limit disclosure to essential
– Limit recipients
• Order alone is not sufficient
– Subpoena is required
Court orders -- Criminal
• Motion, Notice, and Hearing like civil
• Criteria
– Extremely serious crime
– Reasonable likelihood of substantial value
– Other ways not effective
– Public interest weighing
– Independent representation for record holder
– Same criteria for confidential communications
Court Orders -- Criminal
• Content of order
– Limit disclosure to essential
– Limit recipients
• Order alone is not sufficient
– Subpoena is required
Court Orders – Criminal
• Additional criteria for investigation of a
program or use of undercover agents
– 42 C.F.R. 2.66 and 2.67
Crime on Premises
• From program to law enforcement
• Crime or threat of crime on premises
• Limited to circumstances, but can disclose
– Patient name
– Patient status
– Address or last known location
Emergencies and Crimes
• Medical Emergencies
– HIPAA Treatment Exception
• Crimes on Premises
– HIPAA Law Enforcement Exception
Mandated Reporting
• Child Abuse and Neglect
– Report according to state law
– Does not cover release of records
• Other Disclosures?
– Vulnerable Adult Abuse
– Gunshot wound or burn
– Birth of child
– Public Health Crisis
– Attended or unattended death
Child Abuse and Other Required
Reporting
• Child Abuse
– May Identify Patient Status
• Other Required Reports
• Remember required reports under state law only
permissive under HIPAA
– May Not Identify Patient Status
– If Cannot Report without identifying patient
• Consider anonymous reporting
• HIPAA Required Reports
– HIPAA preemption provisions specific to state law
– But, required report to HHS for HIPAA compliance likely
necessity (audit and evaluation)
– Access – same likely result
Audit and Evaluation Activities
• Disclosure is permissible if recipients agree in
writing on redisclosure restrictions
• Person who conducts an audit or evaluation on behalf of
federal, state, or local agencies providing financial assistance
to the program or authorized by law to regulate the program’s
activities
• Third party payer
• Peer review organization
• Otherwise qualified to conduct audit/evaluation activities (on
premises only)
• Special rules for Medicaid/Medicare audits (42 C.F.R.
2.53(c))
Audit, Evaluation, and Oversight
• Key Factors for 42 CFR compliance
– Get statement in writing on re-disclosure
restriction operations
• Feds and state should provide in request for
disclosure
• Some organizations may rise to level of BA (e.g.,
accreditation organizations)
• Third party payer disclosures could fall in here
– Do you need to identify patient status?
Qualified Service Organization
– Person that provides services to a program that has
entered into a written agreement acknowledging it is
bound by 42 CFR Part 2 and will resist judicial
disclosure (other than as permitted)
– Examples (operational services to organization, not
program to program for substance abuse treatment)
•
•
•
•
•
•
Data processing
Bill collecting
Dosage preparation
Laboratory Analysis
Professional services (legal, medical, accounting)
Services to prevent, treat child abuse, including training on
nutrition and child care or individual and group counseling
QSO’s and Business Associates
• Identify QSO status
• Identify Business Associate status
– e.g., laboratory analysis would fall under
treatment
– Written Agreement
• Bound by 42 CFR Part 2 disclosure and
judicial resistance provisions
• Other Business Associate provisions
42 CFR Part 2
• Minors
– If a minor has legal capacity to consent under
State law, no other consent is required
– If parental consent is required, need both
consents
– In states requiring parental consent
• Minor must consent to disclosure to parent or
• Provider must decide minor lacks capacity to make
rational choice
42 CFR Part 2
• Criteria for Examining lack of capacity
– Extreme youth
– Presence of mental or physical condition
– Minor’s situation poses substantial threat to
life and well-being of minor
– Communicating can reduce that threat
Minors– HIPAA and 42 CFR Part
2
• In Alaska,
– No state law on consent other than minors living
alone
– Parental Permission required to attend program
– No access to parent to records on request for service
absent
• Minor consent
• Lack of rational choice determination
– Also apply HIPAA personal representative analysis
(reason not to treat as pr)
Conclusion
• Very brief overview
• Staff of DBH Grantees Learning More
– Change Agent Training
• Other areas of concern?