
Reconciling Medical Record Privacy and Security Requirements Across Systems

October 10, 2006

Renee H. Martin
Tsoules, Sweeney & Martin, LLC
29 Dowlin Forge Road
Exton, PA 19341
Tel.: (610) 423-4200
Fax: (610) 423-4201
[email protected]

Copyright Tsoules, Sweeney & Martin, LLC 2

Overview

• Coordination of Care for Co-occurring Problems and Illnesses

• IOM Report

• Barriers/Hindrances

– Cultural

– Financial

– Legal: HIPAA and pre-emption; PA Mental Health Law; Federal and State Substance Abuse


Overview (Continued)

• National Health Information Network

• Electronic Health Records

• Organizational approaches


Coordination of Care - Paramount

• Mental illnesses and substance abuse disorders rarely occur in isolation.

• Physical illnesses (heart disease, diabetes, cancer, neurological illnesses) frequently accompany mental illness and substance abuse.

• Diverse providers often fail to detect and treat these co-occurring problems.


Barriers to Collaboration/Coordination

• Separation of MH/Substance Abuse from general health care

• Separation of MH/Substance Abuse from each other

• Reliance on multiple systems and non-health care sectors to secure MH/Substance Abuse services (juvenile and criminal justice, education, child welfare)

• Multiple and separately licensed and regulated care providers

• Separate and multiple disclosure confidentiality requirements


Barriers to Collaboration/Coordination

• Separate financial systems and coverage

• Separate cultures


Legal Parameters for Sharing Healthcare Information

HIPAA Privacy Rule, generally: permits covered entities (“Covered Entities”) to release – without patient authorization – protected health information (PHI) (except psychotherapy notes) to another provider for treatment, payment and health care operations.


Scope: Who is Covered?

• Limited to “covered entities”:

– Health care providers who transmit health information in electronic transactions for which the Secretary has adopted standards

– Health plans

– Health care clearinghouses

– Sponsors of prescription drug discount cards

• Business associate relationships (indirectly)


Organizational Issues

• Hybrid Entities (designate health care component(s))

• Organized Health Care Arrangements (OHCAs) – multiple covered entities can share PHI; e.g., clinically integrated care settings (medical staff and hospital).

– OHCAs hold themselves out to the public as a joint arrangement

– OHCAs participate in joint activities that include UR, QA or sharing of financial risk


Organizational Issues

• Affiliated Covered Entities – legally separate CEs that are under common ownership. One entity has the power, directly or indirectly, to significantly influence or direct the actions of the other, or has an ownership or equity interest of 5% or more in the other.

– Must document the relationship

– Adhere to Security requirements


Business Associates

• Agents, contractors, others hired to do work on behalf of covered entity that requires use and disclosure of PHI to Business Associate

• Covered entity must obtain satisfactory assurances – usually through a contract – that a business associate will safeguard protected health information, limit use and disclosure


Preemption of State Law General Rule

• State law will be preempted if a standard, requirement, or implementation specification of HIPAA Privacy Rule is contrary to a provision of state law.


Preemption of State Law

• “…contrary to a provision of State law…”

– A covered entity would find it impossible to comply with both the state and federal requirements or

– The provision of state law is an obstacle to compliance and enforcement of HIPAA.


Preemption of State Law (Cont'd.)

HIPAA Privacy Regulations preempt Pennsylvania laws and regulations except where the state law relates to the privacy of PHI and is more stringent than HIPAA.


What is "More Stringent"?

When state law is compared to the HIPAA Privacy Regulations, the state law:

1. Restricts or prohibits a use/disclosure permitted by HIPAA.

2. Permits greater rights of privacy in or to access or amendment of PHI.

3. Provides more information to the Individual.


What is "More Stringent"? (Cont'd.)

4. Narrower in scope or duration; reduces coercive effect surrounding authorizations.

5. Provides for the retention or reporting of more information or longer duration.


HIPAA Privacy Administrative Requirements

• DOCUMENTED policies, procedures and systems

• Designate privacy official and contact person

• Implement administrative, technical and physical safeguards

• Privacy Training

• Legal Documents – Notice of Privacy Practices; Business Associate

• Complaint mechanism

• Human Resource enforcement policies


HIPAA Preemption/Privacy Rule Result:

PA mental health law generally supersedes HIPAA and PA law applies relative to use and disclosure of PHI.

PA law is silent on many of these administrative requirements, so providers must look to HIPAA and comply with its administrative requirements.


HIPAA Security Rule

• HIPAA Privacy covers what information you protect – the use and disclosure of PHI

• HIPAA Security covers how you protect that information and when

– Adopts national standards for safeguards to protect the confidentiality, integrity, and availability of the data


General Requirements

• Ensure

– Confidentiality: who can see the information

– Integrity: the information has not been altered in any way

– Availability: it can be accessed on a timely basis


General Requirements

• Applies to electronic protected health information

– Note that privacy extends to oral and written communications

• Applies to the electronic PHI that a covered entity:

– Creates

– Maintains

– Transmits


General Requirements

• Covered entities must:

– Protect against reasonably anticipated threats or hazards to the security or integrity of information

– Protect against reasonably anticipated uses and disclosures as outlined in the privacy rule

– Ensure compliance by workforce

– Develop business associate contracts as appropriate


Overarching Themes

• Security is technology neutral

– Outlines what needs to be done to protect the information, but not how it should be done

• Security is comprehensive

– Covers the technical, administrative, and behavioral aspects of compliance


Regulatory Approach

• Scalability (size) and flexibility (implementation)

• Organizational approaches should account for:

– Size

– Complexity

– Technical Infrastructure

– Cost

– Potential Security Risks


Regulatory Approach

• Developed standards

– Administrative

– Physical

– Technical

• Within each standard is a series of implementation specifications that can be either Required or Addressable


Regulatory Approach

• Required – A MUST

• Addressable – a covered entity, after conducting a documented risk analysis, may:

– Implement the solution if reasonable and appropriate

– Implement an equivalent measure, if reasonable and appropriate

– Not implement


Administrative Standards

• Security Management

– Risk analysis (R)

– Risk management (R)

• Assigned Responsibility: Security Officer (R)

• Workforce Security

– Termination procedures (A)

– Clearance procedures (A)


Administrative Standards

• Information Access Management

– Isolating clearinghouse (R)

– Access authorization (A)

• Security Awareness and Training (R)

• Security Incident Procedures (R)

• Contingency Plan

– Disaster Recovery Plan (R)

• Evaluation (R)

• Business Associate Contracts


Physical Standards

• Facility Access Controls – All addressable

– Contingency operations

– Facility Security Plan

– Access control

– Maintenance records

• Workstation Use

• Workstation Security

• Device and Media Controls


Technical Standards

• Access Control

– Unique user ID (R)

– Emergency access (R)

– Automatic logoff (A)

– Encryption and decryption (A)

• Audit Controls

• Integrity Controls

• Person or Entity Authentication

• Transmission Security


HIPAA Security Standards

• Security Standards do not preempt state law.

• PA mental health laws are silent

• Must implement HIPAA Security Standards


SUBSTANCE ABUSE RECORD CONFIDENTIALITY


Substance Abuse Confidentiality

• Confidentiality of Alcohol and Drug Abuse Patient Records (42 C.F.R. Part 2)

– Protects from disclosure: the records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, training, treatment, rehabilitation, or research, which is conducted, regulated or directly or indirectly assisted by any department or agency of the United States.


Substance Abuse Confidentiality

• Confidentiality of Alcohol and Drug Abuse Patient Records (42 C.F.R. Part 2)

– Definitions

“Records” – include any information received or acquired by a program whether oral or written. The prohibitions against disclosure of records continue to apply to records irrespective of the patient’s status in the program.

(Continued)


Substance Abuse Confidentiality

– Definitions: “Patient” – includes any individual who either has applied for or has been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program, and includes any individual who, after arrest on a criminal charge, is identified as an individual with alcohol or drug abuse in order to determine that individual's eligibility to participate in a program.

(Continued)


Substance Abuse Confidentiality

– Definitions: “Programs” – The requirements apply only to a “federally assisted alcohol or drug abuse program” – defined as an individual or entity or an identified unit within a general medical facility “who holds itself out as providing, and provides alcohol or drug abuse diagnosis, treatment or referral for treatment.”

(Continued)


Substance Abuse Confidentiality

• The Federal Confidentiality Requirements do NOT apply to the following:

– Hospital emergency room and general medical surgical patients’ records where the health care facility is not a federally assisted “program” – i.e., it does not have an identified unit which provides substance abuse services, or medical personnel or other staff whose primary function is the provision of substance abuse services and who are identified as being such providers.

(Continued)


Substance Abuse Confidentiality

• The Federal Confidentiality Requirements do NOT apply to the following:

– Interchange of records within the Armed Forces and the Veteran’s Administration.

– Crimes on program premises or against program personnel

– Communications between a program and a “qualified service organization” of information needed by the organization to provide services to the program.

– Internal communications within a program


Substance Abuse Confidentiality

• Disclosure: Exceptions

– Internal Communications

Can occur within a program/office or with an entity having direct administrative control, if the information is needed

Staff can share information with each other and with supervisors

Staff of the hospital’s record-keeping or billing department


Substance Abuse Confidentiality

• Consent Requirements

– Consent Form Requirements

Redisclosure of information released is prohibited without written consent


Substance Abuse Confidentiality

• Exceptions to the Consent Requirement—Nonconsensual Disclosure Permitted

– To medical personnel in a “bona fide” medical emergency;

– To medical personnel of the FDA who need the information to notify patients of errors in drug labeling or manufacture;

– To qualified personnel when conducting scientific research, management audits, financial audits or program evaluation (cannot identify directly or indirectly any individual patient in any such report);

(Continued)


Substance Abuse Confidentiality

• Exceptions to the Consent Requirement—Nonconsensual Disclosure Permitted

– To governmental or third party payers, with certain restrictions; and

– If authorized by a court order and a subpoena, issued after a showing of “good cause.” 42 U.S.C. § 290dd-2(b)(2); 42 C.F.R. §§ 2.51-2.53.


Substance Abuse Confidentiality

• Disclosure: Exceptions With Patient Consent

– Patient can authorize specific disclosures

– The Patient’s consent must be in writing

– Consent must contain specific elements (very similar to HIPAA authorization)


Substance Abuse Confidentiality

• Disclosure: Exceptions

– Qualified Service Organization Agreement

Program or office can disclose to QSO without consent

QSO: a person or agency that provides services that the program/office itself does not provide (e.g., data processing, billing, professional services, vocational counseling)

QSO must be qualified to communicate with the program/office (i.e., written agreement)


Substance Abuse Confidentiality

• Disclosure: Exceptions

– Qualified Service Organization Agreement

Program or office may freely communicate with QSO only the information needed by QSO

Program or office can enter into such an agreement only if QSO offers service the program/office does not offer

Program/office doesn’t have to inform patients about QSOs


Part 2: “Security” Requirements

Written records must be “maintained in a secure room, locked file cabinet, safe, or similar container.” 42 C.F.R. § 2.16.

PA law – records shall be secured within a locked storage container. 4 Pa. Code § 257(d)(1)(i).


MENTAL HEALTH PATIENT RECORDS


Confidentiality of Records: Inpatient Psychiatric Services

Confidentiality of Records under MHPA: All documents concerning persons in treatment shall be kept confidential and, without the person’s written consent, may not be released or their contents disclosed to anyone except:

(a) those engaged in providing treatment for the person;

(b) the county administrator;

(c) a court in the course of commitment proceedings; and

(d) Under Federal laws governing patient information where treatment is undertaken in a federal agency.


Confidentiality of Records: Non-Consensual Release of Information

Treatment Records are confidential and shall not be released nor disclosed without written consent of the client/patient, except that relevant portions or summaries may be released or copied as follows:

– Persons actively engaged in treatment

– Third Party Payors (information released without consent or court order is limited)

– Reviewers and Inspectors (e.g. JCAHO, CARF)

– Response to court order (§ 5100.35(b))

– Emergency medical situation

– Minimum Necessary


Confidentiality of Records

Patient Access to Records and Control Over Release of Records

– Client/patient 14 years of age or older who understands the nature of the documents to be released

– A person chosen by client/patient

– If client/patient is deceased, client/patient’s executor or personal representative of estate

– Parent or Guardian if person is under 14 or incompetent


Confidentiality of Records

Patient Access to Records and Control Over Release of Records

– Records from other Agencies become part of record; subject to control by client/patient


Confidentiality of Records

Consensual Release to Third Parties

– Access to records granted to third parties upon written consent of client/patient

– Client/patient designates the payor and consents to release for reimbursement – minimum necessary applies

– Client/patient has right to inspect

– Mandated Requirements in consent form


Confidentiality of Records

Release to Courts

– No release of records in response to a subpoena or other discovery proceedings without patient consent or an additional court order

– Duty to Inform Court

– Inform client/patient’s attorney

– Defense counsel for Provider may review records; minimum necessary applies

– Violations include civil and criminal liability


Release of Mental Health Records Under Act 147: Rights of Minors

Except for the limited rights of a parent/legal guardian, the general rule is:

The minor (age 14 or older) shall control the release of the minor's mental health inpatient and outpatient treatment records and information to the extent allowed by law.

Release subject to the provisions of the MHPA and other applicable federal and state statutes and regulations.


Nation Moving to Electronic Health Care Records

• National Health Information Infrastructure

• President’s New Freedom Commission on Transforming Mental Health Treatment Recommendations

– Use HIT to improve access and coordination

– Develop and implement integrated EHR and personal health systems


So . . . Where are we going?

• Most MH/Substance Abuse treatment is paper based

– 3,000 to 10,000 hours of care go undocumented = $360,000 to $1 million annually

– 25,000 to 42,000 hours of lost clinical time due to paper inefficiencies – annual value $2.2 to $3.7 million

– 13,000-20,000 hours of support staff time spent on unnecessary medical record work – annual value $500,000-$700,000.


National Health Information Infrastructure

• Executive Order 1335, April 2004

– Called for widespread adoption of interoperable EHRs within 10 years

– Created the position of National Coordinator for Health Information Technology

– National Coordinator issued a Framework for Strategic Action on July 21, 2004

– Consists of 4 goals, each with 3 strategies


Goals of the NHII

• Informing Clinical Practice

– Promoting use of EHRs by

Incentivizing EHR adoption

Reducing the risk of EHR investment


Goals of the NHII

• Interconnecting clinicians by creating interoperability through

– Regional Health Information Organizations (RHIOs)

– National health information infrastructure

– Coordinating federal health information systems


Goals of the NHII

• Personalizing care

– Promotion of personal health records

– Enhancing consumer choice by providing information about institutions and clinicians

– Promoting tele-health in rural and underserved areas


Goals of the NHII

• Improving population health

– Unifying public health surveillance

– Streamlining quality of care monitoring

– Accelerating research and dissemination of evidence


Regional Health Information Organization

[Diagram: a RHIO connecting Providers, a Health Plan and Consumers, and feeding Public health surveillance, Quality accountability, Research, and Others?]


Overcoming Legal Barriers

1. Unified Programs

2. Take advantage of current law

3. Universal Authorizations

4. Effectuate change (locally and nationally) – Come to the table!


Ways to Disclose Under HIPAA and 42 C.F.R. § 2

• Use the OHCA and Affiliated Entity options to define your “program” more expansively

• Use the Qualified Service Organization designation with a mental health treatment provider to permit disclosure to the mental health provider

NOTE: The mental health treatment provider is precluded from redisclosing under the QSO designation.


Ways to Disclose Under PA Mental Health Law/HIPAA

• Take advantage of current law: Does an exception apply?

• Can you “embed” providers into one agency and facility?

• Provider-Provider

• Provider – Payor

• Use universal/3 way compliant authorization when necessary/appropriate


Ways to Disclose: Non-PHI

• De-identified data

– May be aggregated/shared

– Is it truly de-identified?

• Limited data sets

– For public health, research or operations

– Need a data use agreement
