Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal Issues Harrisburg, Pennsylvania December 3, 2013 John Petrila, J.D., LL.M. Professor College of Public Health University of South Florida [email protected]


Clinical Practice and Information Sharing: HIPAA, State Confidentiality Laws and Other Legal Issues

Harrisburg, Pennsylvania

December 3, 2013

John Petrila, J.D., LL.M.

Professor

College of Public Health

University of South Florida

[email protected]


Welcome to Florida…And Do Hurry Back!


There is a Knock on the Door

• And a police officer is standing there, asking if Don Smith is or has been a patient at your treatment center. The officer says Smith is a suspect in a bank robbery.

• Does HIPAA permit you to answer?


NSA Chief Defends Spying On Americans, Claims 50 Foiled Terrorist Plots

Unmanned drones flying in US spying on Americans, says FBI


What Do These Celebrities Have in Common?

• Drew Barrymore

• Arnold Schwarzenegger

• Tom Hanks

• Leonardo DiCaprio


Californian Sentenced To Prison For HIPAA Violation

• Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27, 2010 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California


Dr. Phil Breaches APA's Code of Conduct with Spears Family


UCLA hospitals to pay $865,500 for breaches of celebrities' privacy


The Latest in Privacy Fashion


Today’s Workshop

• Values underlying confidentiality

• Core legal principles and statutes

• Consumer rights

• Penalties

• Electronic security


First, A Definition

• Confidentiality: The MHP’s ethical and legal obligation to the client with regard to privacy of communications

• Privilege: The law’s recognition of confidentiality in legal proceedings in which the protected material otherwise would be subject to disclosure


Values


Redmond v. Jaffee (1996)

TRUST

Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace.

For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment.


Pennsylvania Law Agrees

• “Confidentiality between providers of services and their clients is necessary to develop the trust and confidence important for therapeutic intervention” (PA Admin Code 5100.31(b))


APA Ethical Principles 4.01 Maintaining Confidentiality

Psychologists have a primary obligation and take reasonable precautions to protect confidential information obtained through or stored in any medium, recognizing that the extent and limits of confidentiality may be regulated by law or established by institutional rules or professional or scientific relationship.


Why Share Information?

• Continuity in clinical care

– Within systems

– Across systems

• Policy analysis

• Real-time decisionmaking


Some Difficulties

• Overly restrictive legal advice

• Liability fears

• Dated statutes

• Conflicting laws

• Old technology


Law

LAW


Some Basic Points To Remember

• HIPAA sets a minimum standard for privacy of protected health information

• 42 CFR Part 2 sets the highest possible standard for privacy of alcohol/substance use information

• State confidentiality laws are almost always stricter than HIPAA but rarely stricter than 42 CFR Part 2, except of course in Pennsylvania

• The privacy regulations get too much focus

• The security regulations do not get enough focus


The (Mis)Application of HIPAA

• Birthday parties in nursing homes in New York and Arizona have been canceled for fear that revealing a resident’s date of birth could be a violation.

• Patients were assigned code names in doctor’s waiting rooms — say, “Zebra” for a child in Newton, Mass., or “Elvis” for an adult in Kansas City, Mo. — so they could be summoned without identification.

• Nurses in an emergency room refused to telephone parents of ailing students themselves, insisting a friend do it, for fear of passing out confidential information, the hospital’s patient advocate said.

• State health departments throughout the country have been slowed in their efforts to create immunization registries for children because information from doctors no longer flows freely.

– Jane Gross, Keeping patient details private, even from kin. New York Times, July 3, 2007


Which Elvis Please?


VIPAA?


Who Is Covered?

AKA Is the Law Just Trying to Make Me Hate It?


Who Does HIPAA Cover?

• Myth: HIPAA applies to everybody

• Fact: HIPAA applies only to

– Health plans (group health plan, Medicare, Indian Health Service plan…)

– Health care clearinghouses

– Health care providers who transmit health information in electronic form


HIPAA Does Not Apply If

• You only use paper, phone, or fax for

– Submitting claims

– Checking claims status inquiry/response

– Checking eligibility/receiving response

– Enrolling/disenrolling in health plan

– Receiving health care payments/remittance

– Providing coordination of benefits

• No one does this electronically for you


Who Does 42 CFR Part 2 Cover?

• “PROGRAM”

• An individual or entity that “holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or treatment referral”

• Unit within a general medical facility that holds itself out as providing diagnosis, treatment or treatment referral

• The incidental provision of alcohol or substance abuse treatment is not a “program”


Pennsylvania Law

All patient records …relating to drug or alcohol abuse or drug or alcohol dependence prepared or obtained by a private practitioner, hospital, clinic, drug rehabilitation or drug treatment center shall remain confidential and may be disclosed only with the patient's consent

71.1690.108(b)


What Is Covered?


What Does HIPAA Cover: Protected Health Information

• Any oral or recorded information relating to

– the past, present, or future physical or mental health of an individual;

– the provision of health care to the individual;

– or payment for health care

• Includes the traditional medical record, personal notes, and billing information

• The security regulation applies only to protected health information in electronic form


Individually identifiable

• a subset of “health information,” including demographic information,

• (1) that is created or received by a health care provider, health plan, employer, or health care clearinghouse;

• (2) that relates to the person’s health condition, health care, or payment

• (3) that identifies the individual, or might reasonably be used to identify the individual.


Pennsylvania Law: “Records Includes…

• all written clinical information, observations and reports

• or fiscal documents, relating to a prospective, present, or past, client or patient…required or authorized…by the act or by the MHMR Act of 1966. (PA Admin Code 5100.31)


Substance/Alcohol Abuse

42 CFR Part 2

• Records: Any information whether recorded or not relating to a patient received or acquired by the program

• Any information identifying a patient as alcohol or drug abuser, obtained by the program for diagnosis, referral, or treatment

Pennsylvania Law

• Information in a patient’s records that relates to drug or alcohol abuse or dependency, as defined in 71 P. S. § 1690.102


Psychotherapy Notes: HIPAA (164.501)

• Notes in any medium recorded by a MHP documenting or analyzing the contents of a conversation during a private counseling session

• Requires specific patient authorization to disclose

• Payment cannot be denied for non-disclosure


Psychotherapy notes are NOT

• Medication, prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment, results of clinical tests, and any summary of diagnosis, functional status, treatment plans, symptoms, prognosis, progress or testing

– http://www.apa.org/monitor/feb03/hipaa.html


Intercept 1

• Can a dispatcher mention the person may be mentally ill?

• Can a police officer mention this?

• Can a mental health center provide any information to the officer?


Pennsylvania Law

• Non-consented disclosure permitted in response to emergency medical situation when release necessary to prevent serious risk of bodily harm or death…must be pertinent to relief of the emergency (Pa Admin Code 5100.31 (9))

• Duty to disclose in Tarasoff situations (Emerich v Center for Phila Center for Hum Dev, Pa Supreme Court, 1998)

– Patient makes immediate and specific threat of bodily harm

– Specifically identified or readily identifiable victim

– Can discharge through warning to potential victim


HIPAA: Permitted Disclosure: Threat to Health or Safety

• If use or disclosure is necessary to prevent or lessen a serious threat to the health or safety of individual or public

• To a person able to prevent the threat, including the victim

• Is necessary for law enforcement to apprehend the person

• Most state laws make disclosure discretionary

– To protect an identified potential victim

– No liability as long as good faith and no gross negligence


DISCLOSURES


HIPAA and Pennsylvania Law

• HIPAA

– necessary to carry out treatment, payment, or health care operations

• Pennsylvania Law (50 P.S. § 7111(a))

– Written consent

– Those providing treatment

– County administrator for application for emergency exams

– To court for commitment proceedings

– Under federal law, to federal agency providing treatment


HIPAA Consent Forms

• Plain language

• Inform person that PHI may be used and disclosed for treatment, payment or health care operations

• Notice that privacy practices may be changed

• Tell individual that he or she has right to request restrictions on use, but covered entity is not bound (if restrictions agreed upon, they are binding)

• Consent may be revoked in writing

• Individual must sign and date


Consent Form Mental Health: Pennsylvania

• Time limit on validity with start and end dates

• Agency or person to whom release will occur

• Statement of the specific purposes for which released records are to be used

• Specific relevant and timely information to be released

• Signature and date for client or representative

• Signature of staff person obtaining consent

• Note that consent is revocable on written request

– PA Admin Code 5100.34


Consent Form: Substance Abuse (PA)

• Name of the person or agency to whom disclosure to be made

• Specific information disclosed

• Purpose of disclosure

• Dated signature of client

• Expiration date of consent

– PA Admin Code 709.28


HIPAA Disclosures in General

• Valid authorization by individual required except

– For treatment, payment, or health care operations

– Specified uses where may object

– Other specified uses and disclosures where authorization or opportunity to agree or object not required (45 CFR 164.512)

– State laws may not be as broad

– However, may disclose mental health information to “aftercare treatment provider”


Format for Disclosures Without Authorization (164.512)

• HIPAA Standard permits a use, then

• Defines the permitted disclosure

– 42 CFR has a similar principle (information required to carry out the purpose of disclosure)


Permitted Disclosure: Public Health Activities

• Disclosure of PHI permitted to enable public health activities such as

– Disease prevention and control

– Child abuse or neglect (state law and federal substance use law also permits) (PA Admin Code 5100.38)

– To investigate work-related injury (with notice to employee)

– 42 CFR permits disclosure of cause of death


Permitted Disclosure: Victims of abuse or neglect

• PHI may be disclosed if covered entity reasonably believes person is victim of abuse, neglect, or domestic violence

• Individual either agrees, or

• State law permits, and covered entity believes necessary to prevent serious harm to individual or others, or

• Person lacks capacity and law enforcement represents PHI required for “immediate enforcement activity”


Correctional Facilities

• Can a jail send a treatment facility a list of bookings?

• Can a jail flag mental health clients?

• Can a mental health facility communicate with jail treatment staff without client’s consent?


Permitted Disclosures: Correctional Facilities

• PHI can be disclosed without consent to provide health care to the inmate, or for the health and safety of other inmates or correctional officials (HIPAA)

• If the person is released, e.g. on parole, then HIPAA rules apply

• No similar provision in 42 CFR


Pennsylvania Law

• Non-consented disclosure of mental health information permitted to “professional treatment staff of State Correctional Institutions and county prisons” when person referred for treatment (Pa Admin Code 5100.32(a)(1))


Courts


Permitted Disclosure: Judicial/Administrative Proceedings

• PHI may be disclosed in response to

– Order from court or administrative tribunal

– Subpoena or discovery request without court order if

• Reasonable efforts to provide notice, or

• Reasonable efforts to obtain qualified protective order

• Qualified protective order: Court order or stipulation by parties that information will not be used other than for litigation purposes and PHI will be returned or destroyed at end of litigation

– 42 CFR requires court order

– In general state law will require court order


Judicial Proceedings Pennsylvania

• No subpoenaed records should be released without additional court order (5100.35)

• Note Pennsylvania has very strong privilege law (42 Pa. C.S.A. 5944)

• “The confidential relations and communications between a psychologist or psychiatrist and his client shall be on the same basis as those provided or prescribed between an attorney and client”


HIPAA and Special Issues


Law Enforcement: Fugitives, Suspects, Witnesses, Missing Persons

• On officer’s request, provider may disclose:

– Name and address

– Date/place of birth

– Social security number

– ABO blood type

– Type of injury

– Date and time of treatment

– Date and time of death (if applicable)

– Distinguishing physical characteristics

– DNA, dental bodily fluids not covered



Permitted Disclosure: Law Enforcement

• In compliance with court order/grand jury subpoena/administrative summons

– Information sought is relevant and material

– Request is specific and limited in scope

– De-identified information not reasonable

– 42 CFR is more restrictive


Permitted Disclosure: Law Enforcement (cont)

• Information about victims of a crime

– Individual agrees to disclosure or

– Individual lacks capacity and

• Law enforcement represents info necessary to determine whether law has been violated (but not by victim)

• Info won’t be used against the victim

• Covered entity determines disclosure is in victim’s best interest

• No comparable provision in 42 CFR


Permitted Disclosure: Law Enforcement (cont)

• Decedents, to alert law enforcement that covered entity believes death may have been suspicious (42 CFR is similar)

• To coroner or medical examiner or funeral director (42 CFR requires consent from legal representative or family member)

• Crime on premises (42 CFR is similar)

• Crime in emergencies

– Commission and nature of crime; location of crime or victim; identity, location, description of perpetrator


CONSUMER RIGHTS


Individual Access


Individual Right of Access

• Key provision, designed for accuracy

• Must allow inspection or copy in form requested within 30 days of request (30 day extension permitted; 60 days if not on-site)


May Deny Access

• Psychotherapy notes

• Information compiled in anticipation of legal proceeding

• Inmate request, if harm may occur

• Research-related information until end of research

• If a 3rd party (not a health care provider) gave information on promise of confidentiality


May Deny Access with Opportunity for Review

• If reasonably likely access would cause harm to the individual or others

• Requested information refers to a 3rd party who may be endangered

• Request is by a personal representative and disclosure would be reasonably likely to cause harm


If Request Denied

• Must provide denial in writing within 30 days

• Basis for denial

• Right to review by designated licensed health care professional

• Notice on how to file a complaint with HHS


Pennsylvania Law

• Person has right of access and to make written corrections

• Access may be denied

– On documentation of team leader that disclosure of specific information will constitute a substantial detriment to treatment

– When disclosure will reveal the identity of persons or breach trust of 3rd party informants

• Pa Admin Code 5100.33 (c)-(d)


Note on Minors

• HIPAA defers to state law

• In general, under Pennsylvania law, if minor is 14 or older, person who consented to treatment controls access to and disclosure of records

– Pa Admin Code 35 P.S. 10101.2 (release of medical records)

Some Basic Rights Under HIPAA: Right to notice of privacy practices

• http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html

• 4.01(b) Unless it is not feasible or is contraindicated, the discussion of confidentiality occurs at the outset of the relationship and thereafter as new circumstances may warrant.

Right to Inspect and Copy Record

• http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/medicalrecords.html

• Key provision, designed for accuracy

• Must allow inspection or copy in form requested within 30 days of request (30 day extension permitted; 60 days if not on-site)

May Deny Access with No Right to Review

• Psychotherapy notes

• Information compiled in anticipation of legal proceeding

• Inmate request, if harm may occur

• Research-related information until end of research

• If a 3rd party (not a health care provider) gave information on promise of confidentiality

Can Denial Become a Problem?

• Incident: Cignet denied 41 patients, on separate occasions, access to their medical records when requested. The company also failed to cooperate with the HHS Office for Civil Rights’ investigation.

• Penalties: The fine for the initial violation was $1.3 million. OCR concluded that Cignet committed willful neglect in failing to comply with the Privacy Rule. The fine for these violations was $3 million.

Right To Request Confidential Communication

• Client can ask that you communicate with her only in particular ways

• As one example (from Yale University):

– We normally send information relating to your care to the address and phone numbers you have provided. However, if you would like to have the information sent elsewhere to protect the confidentiality of the information, you may do so by completing our form to request confidential communication.

Other HIPAA Rights

• Request an amendment of the record

– http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/correction.pdf

• Request an accounting of disclosures (http://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_an_accounting_of_disclosures/index.html)

• For a disclosure of medical information about an individual, an accounting is a record of:

– The date of the disclosure

– The name of the person or entity who received the information

– A brief description of the information disclosed

– A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure).

Need Not Account For

• Oral communications for payment, treatment or health operations http://www.hhs.gov/ocr/privacy/hipaa/faq/right_to_an_accounting_of_disclosures/370.html

• But if for other purposes (for example, to public health authority) then must document

PENALTIES

Penalties

HIPAA Enforcement

• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/

• Most common enforcement actions (89,000 complaints since 2003):

1. Impermissible uses and disclosures of protected health information;

2. Lack of safeguards of protected health information;

3. Lack of patient access to their protected health information;

4. Uses or disclosures of more than the minimum necessary protected health information; and

5. Lack of administrative safeguards of electronic protected health information.

“HIPAA Violations: UPMC Employee Criminally Indicted”

• The indictment alleges that Pepala disclosed to other people the names, birth dates and Social Security numbers of patients, in violation of HIPAA laws. This patient data was used to file false tax returns in 2008. Pepala was also charged with violating the Social Security Act by disclosing Social Security numbers.

– http://www.healthleadersmedia.com/content/TEC-256668/HIPAA-Violations-UPMC-Employee-Criminally-Indicted.html

“HHS investigating HIPAA violation at Pa. 911 dispatch center”

• http://healthitsecurity.com/2013/03/27/hhs-investigating-hipaa-violation-at-pa-911-dispatch-center/

Can You Make All of This Work?

Multi-System Tools

• System mapping

• Uniform consent form

• Business Associate Agreements

• Patient Safety Organizations

• Standard Judicial Orders

System Mapping

Uniform Consent Form

• Essential tool

• Individual consents to use within a treatment system

• All providers are on the form

• Other requirements may be met as well

Business Associate Agreements

• Can be used for disclosure in which a party provides a “function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, utilization review, quality assurance, billing, benefit management, and repricing…” (164.501)

• Other functions as well, for example, provision of legal advice

• 42 CFR permits qualified service organization agreements

Patient Safety Organization

• Permits DHHS Secretary to certify these organizations

• Designed to permit privileged exchange of information within the PSO

• Relevant information includes

– Efforts to improve patient safety and quality

– Collection and analysis of patient safety work product

– Development and dissemination of patient safety information, e.g. protocols, best practices, etc

– Use of such information to encourage “a culture of safety and of providing feedback and assistance to effectively minimize patient risk”

• Public Law 109-41, Section 921-925.

Standing Judicial Order

• Courts are not covered entities

• Courts may seek PHI

• Best solution is a standard order

The Water Looked So Inviting… The HIPAA Security Rule

Privacy

Security

Risk

Some Basic Questions: Are You

• Storing the data? or Accessing it as needed?

• Being asked for the data? or Requesting the data?

• Identifiable data? or Non-identifiable data?

• Protected health information (PHI)? or Non-PHI?

• Covered entity? or Business Associate?

A Covered Entity is one of the following:

A Health Care Provider

This includes providers such as:

• Doctors

• Clinics

• Psychologists

• Dentists

• Chiropractors

• Nursing Homes

• Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A Health Plan

This includes:

• Health insurance companies

• HMOs

• Company health plans

• Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/

Business Associate

…creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter

The HIPAA Privacy and Security Rules permit a covered entity to disclose PHI to a business associate…provided the covered entity obtains satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information

What is Minimal Necessity?

When You Want the Data

When You Are Asked for the Data

The Basic Domains of the Security Rule

Administrative Safeguards (operational standards)

• Who is responsible?

• Policies and procedures

• Training

Physical Safeguards

• Physical facilities

• Location of computers

• Disposal of electronic media

Technical Safeguards (controlling access)

• Who may access information

• Under what conditions

• Audits and tracking of use

• Protection from malware,

The HIPAA Security Risk Analysis Standard

§164.308(a)(1): Security Management Process

§164.308(a)(1)(ii)(A) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Risk Analysis

• Scope: Potential risks and vulnerabilities to confidentiality, availability and integrity of all e-PHI that you create, receive, maintain or transmit

• Identify and document potential threats and vulnerabilities

• Assess current security measures

• Determine likelihood and potential impact of threat occurrence as well as level of risk

• Document all of this

Implications for Governance

• You will only be taken as seriously as your security is

• Someone has to be responsible for security

• There are many checklists online

• You will have to have someone who can create agreements for you