
Reconciling Medical Record
Privacy and Security
Requirements Across Systems
October 10, 2006
Renee H. Martin
Tsoules, Sweeney & Martin, LLC
29 Dowlin Forge Road
Exton, PA 19341
Tel.: (610) 423-4200
Fax: (610) 423-4201
[email protected]
Overview
• Coordination of Care for Co-occurring
Problems and Illnesses
• IOM Report
• Barriers/Hindrances
– Cultural
– Financial
– Legal
 HIPAA and pre-emption
 PA Mental Health Law
 Federal and State Substance Abuse
Copyright © Tsoules, Sweeney & Martin, LLC
2
Overview (Continued)
• National Health Information Network
• Electronic Health Records
• Organizational approaches
Coordination of Care - Paramount
• Mental illnesses and substance abuse
rarely occur in isolation.
• Physical illnesses (heart disease,
diabetes, cancer, neurological
illnesses) frequently accompany mental
and substance abuse.
• Diverse providers often fail to detect
and treat these co-occurring problems.
Barriers to
Collaboration/Coordination
• Separation of MH/Substance Abuse from
general health care
• Separation of MH/Substance Abuse from
each other
• Reliance on multiple systems and non-health
care sectors to secure MH/Substance Abuse
services (juvenile and criminal justice,
education, child welfare)
• Multiple and separately licensed and
regulated care providers
• Separate and multiple disclosure
confidentiality requirements
Barriers to
Collaboration/Coordination
• Separate financial systems and
coverage
• Separate cultures
Legal Parameters for Sharing
Healthcare Information
HIPAA Privacy Rule:
Generally: Permits (“Covered
Entities”) to release – without
patient authorization –
protected health information
(PHI) (except psychotherapy
notes) to another provider for
treatment, payment and health
care operations.
Scope: Who is Covered?
• Limited to “covered entities”:
– Health care providers who transmit health
information in electronic transactions for
which the Secretary has adopted
standards
– Health plans
– Health care clearinghouses
– Sponsors of prescription drug discount
cards
• Business associate relationships
Organizational Issues
• Hybrid Entities (designate health care
component(s))
• Organized Health Care Arrangements
(OHCAs) – multiple covered entities
can share PHI; e.g., clinically integrated
care settings (medical staff and
hospital).
– OHCAs hold themselves out to public as
joint arrangement
– OHCAs participate in joint activities that
include UR, QA or sharing of financial risk
Organizational Issues
• Affiliated Covered Entities – legally
separate CEs that are under common
ownership. One entity has the power
directly or indirectly to significantly
influence or direct actions of the other
or has ownership or equity interest of
5% or more in another.
– Must document relationship
– Adhere to Security requirements
Business Associates
• Agents, contractors, others hired to do
work on behalf of covered entity that
requires use and disclosure of PHI to
Business Associate
• Covered entity must obtain satisfactory
assurances – usually through a
contract – that a business associate
will safeguard protected health
information, limit use and disclosure
Preemption of State Law
General Rule
• State law will be preempted if a standard,
requirement, or implementation
specification of HIPAA Privacy Rule is
contrary to a provision of state law.
Preemption of State Law
• “…contrary to a provision of State
law…”
– A covered entity would find it impossible
to comply with both the state and federal
requirements or
– The provision of state law is an obstacle
to compliance and enforcement of
HIPAA.
Preemption of State Law (Cont'd.)
HIPAA Privacy Regulations
preempt
Pennsylvania laws and regulations
except:
State law relates to privacy of PHI
and is more stringent than HIPAA.
What is "More Stringent"?
When state law is compared to the HIPAA
Privacy Regulations, the state law:
1. Restricts or prohibits a use/disclosure
permitted by HIPAA.
2. Permits greater rights of privacy in or to
access or amendment of PHI.
3. Provides more information to the Individual.
What is "More Stringent"? (Cont'd.)
4. Narrower in scope or duration; reduces
coercive effect surrounding authorizations.
5. Provides for the retention or reporting of
more information or longer duration.
HIPAA Privacy
Administrative Requirements
• DOCUMENTED policies, procedures and systems
• Designate privacy official and contact person
• Implement administrative, technical and physical
safeguards
• Privacy Training
• Legal Documents – Notice of Privacy Practices;
Business Associate
• Complaint mechanism
• Human Resource enforcement policies
HIPAA Preemption/Privacy Rule
Result:
PA mental health law generally
supersedes HIPAA and PA law applies
relative to use and disclosure of PHI.
PA law silent on many of these
administrative requirements. So must
look to and comply with many of these
administrative requirements.
HIPAA Security Rule
• HIPAA Privacy covers what information
you protect – the use and disclosure of
PHI
• HIPAA Security covers how you protect
that information and when
– Adopt national standards for safeguards to
protect the confidentiality, integrity, and
availability of the data
General Requirements
• Ensure
– Confidentiality: who can see the
information
– Integrity: the information has not been
altered in any way
– Availability: it can be accessed on a timely
basis
General Requirements
• Applies to electronic protected health
information
– Note that privacy extends to oral and
written communications
• Applies to the electronic PHI that a
covered entity:
– Creates
– Maintains
– Transmits
General Requirements
• Covered entities must:
– Protect against reasonably anticipated
threats or hazards to the security or
integrity of information
– Protect against reasonably anticipated
uses and disclosures as outlined in the
privacy rule
– Ensure compliance by workforce
– Develop business associate contracts as
appropriate
Overarching Themes
• Security is technology neutral
– Outlines what needs to be done to protect
the information, but not how it should be
done
• Security is comprehensive
– Covers the technical, administrative, and
behavioral aspects of compliance
Regulatory Approach
• Scalability (size) and flexibility
(implementation)
• Organizational approaches should
account for:
– Size
– Complexity
– Technical Infrastructure
– Cost
– Potential Security Risks
Regulatory Approach
• Developed standards
– Administrative
– Physical
– Technical
• Within each standard are a series of
implementation specifics that can be
either Required or Addressable
Regulatory Approach
• Required – A MUST
• Addressable – a covered entity, after
conducting a documented risk
analysis, may:
– Implement a solution if reasonable and
appropriate
– Implement an equivalent measure, if
reasonable and appropriate
– Not implement
Administrative Standards
• Security Management
– Risk analysis (R)
– Risk management (R)
• Assigned Responsibility: Security
Officer (R)
• Workforce Security
– Termination procedures (A)
– Clearance procedures (A)
Administrative Standards
• Information Access Management
– Isolating clearinghouse (R)
– Access authorization (A)
• Security Awareness and Training (R)
• Security Incident Procedures (R)
• Contingency Plan
– Disaster Recovery Plan (R)
• Evaluation (R)
• Business Associate Contracts
Physical Standards
• Facility Access Controls – All
addressable
– Contingency operations
– Facility Security Plan
– Access control
– Maintenance records
• Workstation Use
• Workstation Security
• Device and Media Controls
Technical Standards
• Access Control
– Unique user ID (R)
– Emergency access (R)
– Automatic logoff (A)
– Encryption and decryption (A)
• Audit Controls
• Integrity Controls
• Person or Entity Authentication
• Transmission Security
HIPAA Security Standards
• Security Standards do not preempt
state law.
• PA mental health laws silent
• Must implement HIPAA Security
Standards
SUBSTANCE ABUSE
RECORD CONFIDENTIALITY
Substance Abuse Confidentiality
• Confidentiality of Alcohol and Drug
Abuse Patient Records (42 C.F.R. Part
2)
– Protects from disclosure: the records of the
identity, diagnosis, prognosis, or treatment of
any patient which are maintained in connection
with the performance of any program or activity
relating to substance abuse education, training,
treatment, rehabilitation, or research, which is
conducted, regulated or directly or indirectly
assisted by any
Substance Abuse Confidentiality
• Confidentiality of Alcohol and Drug
Abuse Patient Records (42 C.F.R. Part
2)
– Definitions
“Records” – include any information received
or acquired by a program whether oral or
written. The prohibitions against disclosure of
records continue to apply to records
irrespective of the patient’s status in the
program.
Substance Abuse Confidentiality
– Definitions
“Patient” – includes any individual who either
has applied for or has been given diagnosis or
treatment for alcohol or drug abuse at a
federally assisted program and includes any
individual who, after arrest on a criminal
charge, is identified as an individual with
alcohol or drug abuse in order to determine
that individual(s) eligibility to participate in a
program.
Substance Abuse Confidentiality
– Definitions
“Programs” – The requirements apply only to a
“federally assisted alcohol or drug abuse
program” – defined as an individual or entity or
an identified unit within a general medical
facility “who holds itself out as providing, and
provides alcohol or drug abuse diagnosis,
treatment or referral for treatment.”
Substance Abuse Confidentiality
• The Federal Confidentiality Requirements do
NOT apply to the following:
– Hospital emergency room and general medical
surgical patients’ records where the health care
facility is not a federally assisted “program” –
does not have an identified unit which provides
substance abuse services, or medical personnel
or other staff whose primary function is the
provision of substance abuse services and who
are identified as being such providers.
Substance Abuse Confidentiality
• The Federal Confidentiality Requirements do
NOT apply to the following:
– Interchange of records within the Armed Forces
and the Veteran’s Administration.
– Crimes on program premises or against program
personnel
– Communications between a program and a
“qualified service organization” of information
needed by the organization to provide services to
the program.
– Internal communications within program
Substance Abuse Confidentiality
• Disclosure: Exceptions
– Internal Communications
 Can occur within a program/office or with an
entity having direct administrative control, if
information is needed
 Staff can share information with each other,
supervisors
 Staff of the hospital’s record-keeping or billing
department
Substance Abuse Confidentiality
• Consent Requirements
– Consent Form Requirements
 Redisclosure of information released is
prohibited without written consent
Substance Abuse Confidentiality
• Exceptions to the Consent Requirement—
Nonconsensual Disclosure Permitted
– To medical personnel in a “bona fide” medical
emergency;
– To medical personnel of the FDA who need the
information to notify patients of errors in drug
labeling or manufacture;
– To qualified personnel when conducting scientific
research, management audits, financial audits or
program evaluation (cannot identify directly or
indirectly any individual patient in any such
report);
Substance Abuse Confidentiality
• Exceptions to the Consent Requirement—
Nonconsensual Disclosure Permitted
– To governmental or third party payers, with
certain restrictions; and
– If authorized by a court order and a subpoena,
issued after a showing of “good cause.” 42
U.S.C. § 290dd-2(b)(2); 42 C.F.R. § § 2.51-2.53.
Substance Abuse Confidentiality
• Disclosure: Exceptions With Patient
Consent
– Patient can authorize specific disclosures
– The Patient’s consent must be in writing
– Consent must contain specific elements:
(very similar to HIPAA authorization)
Substance Abuse Confidentiality
• Disclosure: Exceptions
– Qualified Service Organization Agreement
 Program or office can disclose to QSO without
consent
 QSO: a person or agency that provides
services that the program/office itself does not
provide (e.g., data processing, billing,
professional services, vocational counseling)
 QSO must be qualified to communicate with
the program/office (i.e., written agreement)
Substance Abuse Confidentiality
• Disclosure: Exceptions
– Qualified Service Organization Agreement
 Program or office may freely communicate with
QSO only the information needed by QSO
 Program or office can enter into such an
agreement only if QSO offers service the
program/office does not offer
 Program/office doesn’t have to inform patients
about QSOs
Part 2: “Security”
Requirements
Written records must be “maintained in a
secure room, locked file cabinet, safe, or
similar container.”
42 C.F.R. § 2.16.
PA law: records shall be secured within
a locked storage container. 4 Pa. Code
§ 257 (d)(1)(i).
MENTAL HEALTH
PATIENT RECORDS
Confidentiality of Records
INPATIENT PSYCHIATRIC SERVICES
Confidentiality of Records under MHPA:
All documents concerning persons in
treatment shall be kept confidential and,
without the person’s written consent, may not
be released or their contents disclosed to
anyone except:
(a) those engaged in providing treatment for the person;
(b) the county administrator;
(c) a court in the course of commitment proceedings; and
(d) Under Federal laws governing patient information where
treatment is undertaken in a federal agency.
Confidentiality of Records
Non-Consensual Release of Information
Treatment Records are confidential and shall not
be released nor disclosed without written
consent of client/patient except relevant
portions or summaries may be released or
copied as follows:
– Persons actively engaged in treatment
– Third Party Payors (information released without
consent or court order is limited)
– Reviewers and Inspectors (e.g. JCAHO, CARF)
– Response to court order (§5100.35(b))
– Emergency medical situation
– Minimum Necessary
Confidentiality of Records
Patient Access to Records and Control
Over Release of Records
– 14 years of age or older who understand
nature of documents to be released
– A person chosen by client/patient
– If client/patient is deceased, client/patient’s
executor or personal representative of estate
– Parent or Guardian if person is under 14 or
incompetent
Confidentiality of Records
Patient Access to Records and Control
Over Release of Records
– Records from other Agencies become part
of record; subject to control by
client/patient
Confidentiality of Records
Consensual Release to Third Parties
– Access to records granted to third parties
upon written consent of client/patient
– Client/patient designates payor; consent to
release for reimbursement –
minimum necessary applies
– Client/patient has right to inspect
– Mandated Requirements in consent form
Confidentiality of Records
Release to Courts
– No release of records in response to a subpoena
or other discovery proceedings without patient
consent or an additional court order
– Duty to Inform Court
– Inform client/patient’s attorney
– Defense counsel for Provider may review records;
minimum necessary applies
– Violations include civil and criminal liability
Release of Mental Health
Records
Under Act 147
Rights of Minors
Except for the limited rights of a parent/legal
guardian general rule:
The minor (age 14 or older) shall control the release of
the minor's mental health inpatient and outpatient
treatment records and information to the extent allowed
by law.
Release subject to the provisions of the MHPA and
other applicable federal and state statutes and
regulations.
Nation Moving to Electronic
Health Care Records
• National Health Information
Infrastructure
• President’s New Freedom Commission
on Transforming Mental Health
Treatment Recommendations
– Use HIT to improve access and
coordination
– Develop and implement integrated EHR
and personal health systems
So... where are we going?
• Most MH/Substance Abuse treatment is
paper based
– 3,000 to 10,000 hours of care go
undocumented = $360,000 to $1 million
annually
– 25,000 to 42,000 hours of lost clinical time
due to paper inefficiencies-annual value
$2.2 to $3.7 million
– 13,000-20,000 hours of support staff time
spent on unnecessary medical record
work-annual value $500,000-$700,000.
National Health Information
Infrastructure
• Executive Order 1335, April 2004 –
– Called for widespread adoption of
interoperable EHRs within 10 years
– Created position of National Coordinator
for Health Information Technology
– National Coordinator issued a Framework
for Strategic Action issued July 21, 2004
– Consists of 4 goals, each with 3 strategies
Goals of the NHII
• Informing Clinical Practice
– Promoting use of EHRs by
 Incentivizing EHR adoption
 Reducing the risk of EHR investment
Goals of the NHII
• Interconnecting clinicians by creating
interoperability through
– Regional Health Information Organizations
(RHIOs)
– National health information infrastructure
– Coordinating federal health information
systems
Goals of the NHII
• Personalizing care
– Promotion of personal health records
– Enhancing consumer choice by providing
information about institutions and
clinicians
– Promoting tele-health in rural and
underserved areas
Goals of the NHII
• Improving population health
– Unifying public health surveillance
– Streamlining quality of care monitoring
– Accelerating research and dissemination
of evidence
Regional Health Information Organization
[Diagram: RHIO at the center, connected to Consumers, multiple
Providers, a Health Plan, Public health surveillance, Quality
accountability, Research, and "Others?"]
Overcoming Legal Barriers
1. Unified Programs
2. Take advantage of current law
3. Universal Authorizations
4. Effectuate change (locally and
nationally) – Come to the table!
Ways to Disclose Under HIPAA
and 42 C.F.R. § 2
• Use the OHCA and Affiliated Entity options to
define your “program” more expansively
• Use the Qualified Service Organization/
designation with a mental health treatment
provider to permit disclosure to mental
health provider
NOTE: Mental health treatment provider precluded
from redisclosing under QSO designation.
Ways to Disclose Under PA
Mental Health Law/HIPAA
• Take advantage of current law: Does an
exception apply?
• Can you “embed” providers into one agency
and facility?
• Provider-Provider
• Provider – Payor
• Use a universal/3-way compliant authorization
when necessary/appropriate
Ways to Disclose: Non-PHI
• De-identified data
– May be aggregated/shared
– Is it truly de-identified?
• Limited data sets
– For public health, research
or operations
– Need data use agreement