Medical Emergency - Alameda Health Consortium
Download
Report
Transcript Medical Emergency - Alameda Health Consortium
CONFIDENTIALITY: ISSUES AND CONCERNS
FOR INTEGRATED SETTINGS
Alameda Health Consortium
Behavioral Health Integration Initiative
Monday, December 17, 2012
1:00 p.m. – 2:30 p.m.
Presenter: Linda J. Garrett, JD
Risk Management Services
707-792-4980
1
Topics
Confidentiality laws
Sharing information with each other
Sharing information with third parties
Confidentiality - Basic Rule
Never use or disclose private information
about clients, patients, or employees
UNLESS…….
you MUST or
you MAY
How do you know if you must or
you may?
Know what laws pertain to the kind of
information you hold (what discipline within
medicine created the information?)
See what that law says about the use or
disclosure
The laws
Federal
HIPAA – all “PHI”
42 CFR Part 2 – substance abuse tx programs
State
Civil Code 56.10 – general health info
W&I Code 5328 – mental health info
H&S Code 120980(g) – HIV test results
HIPAA “pre-emption analysis”
Compare HIPAA to state law; if there is a
conflict, follow HIPAA; if no conflict follow:
Strictest law protecting privacy
Most beneficial law providing patient rights
HIPAA “Must” and “May”
Disclosures of PHI
1.
2.
“Must” disclose:
Secretary of DHHS, if asked (e.g., HIPAA
breach investigation)
Patient, if seeking “access” to own record
(unless it will cause death or serious
physical harm)
HIPAA “Must” and “May”
Disclosures of PHI
1.
2.
“Must” disclose:
Secretary of DHHS, if asked (e.g., HIPAA
breach investigation)
Patient, if seeking “access” to own record
(unless it will cause death or serious
physical harm)
HIPAA disclosures –cont.
“May” disclose
1.
For treatment, payment or operations (45 CFR 164.506)
2.
With “authorization” (45 CFR 164.508)
3.
With opportunity to agree or object (45 CFR 164.510)
4.
Without permission (45 CFR 164.512) as specified:
HIPAA “May” disclose –cont.
a)
b)
c)
d)
e)
f)
g)
h)
i)
j)
k)
l)
Without permission includes uses and disclosures:
Required by law
For public health activities
About victims of abuse, neglect or domestic violence
Health oversight activities
Judicial and administrative proceedings
Law enforcement purposes
Decedents
Organ or tissue donation
Research
To avert threat to heath or safety
Specialized government functions
Workers compensation
Examples of “must disclose” (CA law)
Reporting child abuse and neglect
---------------------------------
Reporting elder abuse/neglect
Court orders
*Tarasoff “duty to warn”
Most common “may” disclosure
applies to all disciplines:
To third parties with permission from the
patient/client
Get signed written permission on a HIPAAcompliant authorization form
Collaboration with others
One of Affordable Care Act’s goals is
patient-centered care, collaboration and
cooperation amongst providers
How do you share information with other
providers, e.g. primary care and
drug/alcohol without violating privacy rules?
HIPAA “collaboration” rule
(not the strictest rule!)
PHI may be shared with other health care providers
for “treatment” purposes (164.506)
“Treatment” defined to include provision, coordination,
or management of health care and related services by
one or more health care providers, including the
coordination or management of health care by a
health care provider with a third party; consultation
between health care providers relating to a patient; or
the referral of a patient for health care from one
health care provider to another. (164.501)
Permissive Disclosures Between Health Care
Providers – California Rule - general health info
Civil Code 56.10 (general health info)
(a) no disclosure w/o patient authorization except
as provided in (b) and (c) below
(b) when it MUST be disclosed
(1) through (9)
(c) when it MAY be disclosed
(1) through (20)
56.10(c)(1) General health information may be
disclosed to providers of health care, health care
service plans, contractors, or other health care
professionals or facilities for purposes of diagnosis
or treatment of the patient.
Note: “unauthorized access” by health care staff
(snooping) is specifically prohibited under state
and federal law and is a privacy breach that must
be reported!
CA rule - Permission Disclosures
– Mental Health information
Welfare & Institutions Code 5328 (mental
health info): No disclosure of mental
health information w/o authorization from
the client except as provided below:
(a) through (x)
W&I 5328(a) disclosure is permitted
•
“to professionals ‘within the facility’ who are
providing services or appropriate referrals”,
or
•
“in the course of conservatorship
proceedings”, or
•
“to ‘qualified professionals’ outside the
facility who have medical or psychological
responsibility for the care of the (client)
patient”.
Disclosures of SA info – very
strict 42 CFR Part 2
42 CFR Part 2 has only 3 exceptions to rule that
you must first get permission from client before
disclosing info to third parties (including other
health care providers) about the client:
Police emergency
Child abuse/neglect reporting
Medical emergency
Disclosing SA info –cont.
Patient “consent” (authorization to use and disclose) is
required for nearly every disclosure other than communication
within a program or between a program and an entity that
has direct administrative control over the program
Drug and Alcohol Treatment Programs may NOT share
information with the client’s providers who are OUTSIDE
the treatment program without patient authorization - 42
CFR Part 2
SA info is “in the vault”
You must get permission BEFORE you share
SA information with non-SA providers
including those other disciplines within the
integrated system of care and on the “team”
you have created
UNLESS you want EVERYONE to follow
42 CFR Part 2 (you don’t!)
Will the law change to reflect
ACA goals? Maybe….
To date, no change in 42 CFR Part 2 that
would permit disclosures of alcohol/drug
treatment program information to other
healthcare providers for treatment purposes,
in non-emergency situations
22
Statutory language
42 USC 290dd-2 Confidentiality of Records.
(b) Permitted Disclosure
(2) Method for disclosure.
Whether or not the patient…gives written
consent, the content of such record may be
disclosed as follows:
(A) To medical personnel to the extent
necessary to meet a bona fide medical
emergency.
42 CFR Part 2 –continued
(Regulations Language)
Medical Emergency – 42 CFR Subpart D,
Disclosures without Patient Consent
Section 2.51 – Medical emergencies.
(a) General Rule. …patient identifying
information may be disclosed to medical
personnel who have a need for information
about a patient for the purpose of treating a
condition which poses an immediate threat
to the health of any individual and which
requires immediate medical intervention.
42 CFR Part 2 -continued
A Proposal to Promote Coordination of Care an
Strengthen Patient Protections under the Federal
Alcohol and Drug Abuse Confidentiality Law, Prepared
for the Patient Protection Coalition, February 5, 2010
Primary Lead: Renee Popovits, Esq., and
Eric Goplerud, Ph.D. – George Washington University
42 CFR Part 2 -continued
Proposed language:
42 USC 290dd-2 Confidentiality of Records
(b) Permitted disclosure
(2) Method for disclosure.
(D) To and among health care providers and
health plans for purposes of providing or
coordinating health care and related services, or
implementing recovery support services, or
quality improvement or disease management
programs with respect to the individual who is
the subject of the record referred to in
subsection (a).
42 CFR Part 2 -continued
Proposal also includes many more protections for
patients to discourage breaches etc.
At this time Legal Action Center is leading the fight
against any change in the existing law and wrote
the June 17, 2010 SAMHSA position paper on
“Applying the Substance Abuse Confidentiality
Regulations to HIE”
Confidentiality:
Multi-disciplinary teams
Multi-disciplinary teams – two types
1.
2.
Health care providers only – often within an
“integrated system”: seeking collaboration for
treatment purposes, often from various
disciplines
Mixed teams: Health care providers and nonhealthcare providers (e.g., social services, law
enforcement, probation, school, Bd. of
Supervisors)
28
MDTs – healthcare providers only
General health information and mental health information
may be disclosed for “treatment purposes” (HIPAA, Civil
Code 56.10, and W&I 5328)
For example (mental health info), in communications with
other qualified professionals (any discipline), in the provision
of services or appropriate referrals, who have “medical or
psychological responsibility” for the patient’s care
But SA cannot share their information without “consent” –
get this permission before starting treatment if possible!
29
MDTs – Mixed Teams
there are several possible ways to handle
confidentiality issues where no health care providers
can share with “outside” third parties:
The EASIEST: get written authorization!
OR
De-identify the information (“we have a 27 year old
homeless female who recently received services from the
shelter but was then arrested for public intoxication and is
now back on the streets and in need of behavioral health
services – can you help find some financial resources and
30
housing for her?”)
Integrated Recordkeeping –
Paper Chart
With permission, ok to use one paper chart
that includes substance abuse tx program
records
Without permission, drug and alcohol chart
must be maintained separately and kept apart
from other records (access only by treatment
team WITHIN the drug/alcohol program and
administrative staff with a need to know) 31
Integrated Recordkeeping –
Electronic Record
Without permission, name connected to
drug/alcohol doesn’t register when
entered into system
With permission, name registers as being
within the system and drug/alcohol
information may be accessed on a need to
know basis
32
Subpoena’s – tell your supervisor or
call privacy officer!
MH and SA - need subpoena PLUS
1.
2.
authorization from client, OR
court order (if SA: order only AFTER client has
opportunity to a full hearing in court on the
matter)
Policies and procedures
Use HIPAA Notice of Privacy Practices outlining how you
intend to share information for treatment purposes and to
contact patient, remind them of appointments etc.
Train all staff on the need to get authorization to share SA
information with other disciplines within your program prior to
sharing such information with members of the team
Train all staff on differences between various laws protecting
confidentiality of medical, mental health, and SA information
Questions??