Sisters of Charity Providence Hospitals Complying with the HIPAA by Tb406M3


TO DISCLOSE OR NOT TO DISCLOSE:
THE INS AND OUTS OF DISCLOSING HEALTH INFORMATION




SCORH
16TH ANNUAL RURAL HEALTH CONFERENCE

OCTOBER 10, 2012


                             JEANNE M. BORN, RN, JD
                               NEXSEN PRUET, LLC
BACKGROUND


  Health Insurance Portability and Accountability
   Act of 1996 (“HIPAA”)

  Administrative Simplification

  Standards for the Protection of Individually
   Identifiable Health Information (“Privacy
   Standards”)
  Health Information for Economic and Clinical
   Health Act of 2009 (“HITECH”)
IIHI

   What is Individually Identifiable Health
   Information, or IIHI?
   Health information, including demographic
   information, that:
        is created or received by a health care
         provider, health plan, public health authority,
         employer, or health care clearing house
        relates to the past, present, or future physical or
         mental health condition of an individual, the
         provision of health care to an individual, or the
         past, present, or future payment for the
         provision of health care to an individual
AND

 identifies the individual

 with respect to which there is a reasonable
  basis to believe that the information can
  be used to identify the individual
THE PRIVACY STANDARD


    . . . is concerned with Protected Health
    Information (PHI)

    PHI is IIHI that is transmitted by electronic
    media; maintained in any medium described
    in the definition of electronic media in the
    Transaction Standard; or transmitted or
    maintained in any other form or medium
PHI EXCLUSIONS


    Certain education records

    Employment records in the covered
     entity’s (CE) role as employer
IMPORTANT POINTS ABOUT PHI:


    All treatment information about each
     patient is PHI

    All payment information about each
     patient is PHI

    The Designated Record Set contains
     treatment-related information and
     payment information
PRIVACY STANDARDS ARE CONCERNED WITH:
USE & DISCLOSURE OF PHI
Use
  Means the sharing, employment, application, utilization,
  examination, or analysis of individually identifiable health
  information within the CE that maintains such information

Disclosure
  Means the release, transfer, provision of, access to, or
  divulging in any other manner of information outside the CE
  holding the information
 CEs can use or disclose PHI only as
  provided in the Privacy Standards

 CE’s HIPAA Policies and Procedures
  should be developed to assure that
  the CE complies with the Privacy
  Standards’ permitted and required
  uses and disclosures of PHI
THE KEY TO COMPLIANCE:
     ALWAYS ASK 2 QUESTIONS:

   Who is requesting the information?
    The answer to the “who” question will guide you to the
     appropriate policy and procedure to follow.

   What is the purpose of the request?
    The answer to the “what” question will further guide you
     in following the policy and procedure.
WHO DEFINITIONS

  Patient
     Current patient
     Former patient
     Personal representative of the patient

  Third Party
       Another health care provider
       Personal representative
       Law enforcement
       Discovery request in a civil/criminal action
       Public health official
       Other third party
DEFINITION OF KEY TERMS

 HIPAA & HITECH
 Health information
 IIHI
 PHI
 Minimum necessary
 Use
 Disclosure
 Access
 Workforce
 Organized Health Care Arrangement
 Business Associate
 Payment
 Treatment
 Health Care Operations
 Privacy Standards
 Security Standards
 Security Incident
 Personal Health Record
 Personal Health Record identifiable information
 Electronic Health Record
MINIMUM NECESSARY STANDARD

   Use or disclose only the minimum necessary PHI
   to accomplish the purpose
   Exceptions
      Disclosures for treatment purposes
      Disclosures to the Patient
      Disclosures to the Secretary of USDHHS
      Disclosures pursuant to an authorization
      Disclosures required by law
COMPLIANCE


   HIPAA Policies/Procedures should include:

     General Rule:
       A CE may use or disclose PHI only as permitted or
        required under the Privacy Standards.
     Required Disclosures:
       A CE MUST disclose PHI to the Secretary of USDHHS to
        determine compliance with the Privacy Standards
       A CE MUST disclose PHI to the individual (there are
        exceptions) under the Access Standard and the
        Accounting of Disclosures Standard
CONSENT

     The Privacy Standards do not require the
      consent of the patient before the CE uses or
      discloses PHI for treatment, payment or
      healthcare operations (TPO) purposes
     CE does not need to obtain the consent of the
      patient or the personal representative to
      disclose PHI for TPO
     But . . . Physician Patient Records Act requires
      physician offices to obtain the consent of the
      patient prior to releasing medical record
      information unless the release is required by law
PATIENTS’ RIGHTS TO PHI: ACCESS

  Your Access Policy should provide:
     The PHI in the Designated Record Set is the
      property of the facility
     Patient has a limited right to inspect and/or
      copy his or her PHI
     Patient or the patient’s personal
      representative is asked to submit a written
      request for inspection and/or copying the PHI
     Policy should include a “Form Request for
      Patient Access to PHI”
     Access can be granted or denied
ACCESS GRANTED


     Patients and Former Residents of a SNF
       Inspection or copying must be provided within 30 days
       of the request unless the PHI is not on the CE’s
       premises, then within 45 days

     Current Residents of a SNF
       Inspection must be allowed within 24 hours of the
       request, excluding weekends and holidays
       Copies must be provided within 2 working days of the
       request
LOGISTICS OF ACCESS: HITECH UPDATE

The individual has the right to request a copy of his/her PHI
in either paper or electronic format
   Advise that the Request for Access form require that the
    individual elect the form of media he or she prefers,
    either paper or electronic format
   Advise providing the media and the download as “read only”

The individual also has the right to direct the CE to transmit
the PHI to an entity or person designated by the individual
provided that the individual clearly, conspicuously and
specifically identifies that entity or person
   Take great care to assure that the correct address is used!!!
   Send in a “read only” format, such as pdf
LOGISTICS OF ACCESS

     If Paper Copy Requested: Fees for
     copies
          65¢ per page – first 30 pages
          50¢ per page – 31 pages or more
          Search and handling fee – up to $15
          DO NOT CHARGE if the copy is for continuing
           treatment

     If Copy Requested on a form of
     electronic medium (CD; flash drive;
     etc.)
        Charge only what the form of media costs
         plus the $15 search and handling fee
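As an added worked example (not part of the original presentation), the deadline and fee rules from the "Access Granted" and "Logistics of Access" slides written out as functions. The function names, the sample request dates and the holiday set are constructed for illustration; the "up to $15" search and handling fee is charged in full here, which is an assumption.

```python
# Added example (not from the presentation): access-request deadlines and
# copy fees as stated on the "Access Granted" and "Logistics of Access" slides.
# The holiday set and the sample request dates below are constructed.
from datetime import date, datetime, timedelta
from decimal import Decimal

PER_PAGE_FIRST_30 = Decimal("0.65")      # 65 cents per page, pages 1-30
PER_PAGE_AFTER_30 = Decimal("0.50")      # 50 cents per page, page 31 onward
SEARCH_AND_HANDLING = Decimal("15.00")   # slide says "up to $15"; charged in full here (assumption)


def paper_copy_fee(pages: int, for_continuing_treatment: bool = False) -> Decimal:
    """Fee for a paper copy. No charge at all when the copy is for continuing treatment."""
    if pages < 0:
        raise ValueError("page count cannot be negative")
    if for_continuing_treatment:
        return Decimal("0.00")
    first_tier = min(pages, 30)
    second_tier = max(pages - 30, 0)
    return (first_tier * PER_PAGE_FIRST_30
            + second_tier * PER_PAGE_AFTER_30
            + SEARCH_AND_HANDLING)


def electronic_copy_fee(media_cost: Decimal) -> Decimal:
    """Fee for a copy on electronic media (CD, flash drive): media cost plus search and handling."""
    if media_cost < 0:
        raise ValueError("media cost cannot be negative")
    return Decimal(media_cost) + SEARCH_AND_HANDLING


def access_deadline(request_date: date, phi_on_premises: bool) -> date:
    """Patients and former SNF residents: 30 days, or 45 days if the PHI is off the CE's premises."""
    return request_date + timedelta(days=30 if phi_on_premises else 45)


def is_working_day(d: date, holidays: frozenset = frozenset()) -> bool:
    """Monday to Friday and not on the (constructed) holiday set."""
    return d.weekday() < 5 and d not in holidays


def snf_inspection_deadline(requested_at: datetime, holidays: frozenset = frozenset()) -> datetime:
    """Current SNF resident: inspection within 24 hours, with the clock stopped on weekends and holidays."""
    remaining = timedelta(hours=24)
    current = requested_at
    while remaining > timedelta(0):
        next_midnight = datetime.combine(current.date() + timedelta(days=1), datetime.min.time())
        if is_working_day(current.date(), holidays):
            step = min(remaining, next_midnight - current)
            current += step
            remaining -= step
        else:
            current = next_midnight          # skip the whole non-working day
    return current


def snf_copies_deadline(request_date: date, holidays: frozenset = frozenset()) -> date:
    """Current SNF resident: copies within 2 working days of the request."""
    d, counted = request_date, 0
    while counted < 2:
        d += timedelta(days=1)
        if is_working_day(d, holidays):
            counted += 1
    return d


if __name__ == "__main__":
    friday = datetime(2012, 10, 12, 14, 0)   # constructed: a Friday, 2:00 pm
    print(paper_copy_fee(45), electronic_copy_fee(Decimal("2.00")))
    print(access_deadline(friday.date(), phi_on_premises=False))
    print(snf_inspection_deadline(friday), snf_copies_deadline(friday.date()))
```

The 24-hour clock for current SNF residents is modelled as running only on working days, so a request made on Friday afternoon comes due the following Monday afternoon; a holiday on that Monday pushes it to Tuesday.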
LOGISTICS OF ACCESS


  Patient Requests Inspection only

    Always provide the PHI to the patient with the
     attendance of a CE employee
    Do not attempt to explain the record (unless
     qualified to do so)
SUMMARY OF RECORD



   A patient may request a summary of the
   record

   Always report the request for a summary to
   the Privacy Officer for handling
IF ACCESS IS DENIED


  Letter to patient denying access:
    Must state the reason for the denial
    Whether the denial is or is not reviewable

  Denials of access are either reviewable or
  un-reviewable
DENIAL – UNREVIEWABLE GROUNDS


    Patient is an inmate
    Patient is involved in research and has
     consented to not have access
    PHI is obtained from a third party (not a
     health care provider) under a promise of
     confidentiality and disclosure would
     reasonably be likely to reveal the source of
     the information
DENIAL – REVIEWABLE GROUNDS

    Access reasonably likely to endanger the
     patient or another
    PHI refers to another and provider has
     determined that access reasonably likely
     to cause substantial harm to the other
     person
    PHI requested by a personal
     representative: access has been
     determined by provider to reasonably
     likely cause substantial harm to the
     patient or another
IF DENIED AND REVIEWABLE


      Patient has the right to have the denial
       reviewed by a health care provider who
       acts as a reviewing official who did not
       participate in the decision resulting in
       denial
      Give the patient access to any of the
       parts of the record that are not subject
       to the denial
PERSONAL REPRESENTATIVES

    Adults
    Under the Privacy Standards if a person is
    legally authorized to consent for another,
    then that person may have the same
    access to PHI as the patient
       Probate Court Order for guardianship (not
        conservatorship)
       Healthcare power of attorney (when in
        effect)
       Other durable power of attorney documents
       Person in priority under the Adult Health
        Care Consent Act
PERSONAL REPRESENTATIVES

     Minors

      By law, a parent or legal guardian is the
       personal representative of a minor (less than
       18 years of age) and acts for the minor with
       the minor’s PHI
      A parent or legal guardian is not a personal
       representative of a minor 16 years of age or
       older who consents to his or her own
       healthcare (except surgery), BUT
      Notwithstanding the above, a parent or legal
       guardian has access to any minor’s PHI
CE DISCRETION WITH PERSONAL
REPRESENTATIVE ACCESS

  CE may refuse to treat an individual as a personal
  representative if CE reasonably believes:
     The patient may have been subjected to domestic
      violence, abuse or neglect by the personal
      representative; or
     In the exercise of professional judgment, the
      physician decides that it is not in the best interests of
      the patient to accept the individual as the patient’s
      personal representative
DECEDENTS


   Only the personal representative appointed
   by the Probate Court has the authority to act
   on behalf of a deceased individual as to PHI

    Must present the Probate Court Order with the
     raised seal of the Court
    Caveat: A CE may disclose the minimum
     necessary PHI of a decedent for payment
     purposes
VERIFICATION TEST = REASONABLENESS

     Patient
     Picture ID and/or comparison of signature

     Personal Representative
     Evidence as provided in the previous
     slides, for example:
          Copy of the Health Care Power of
           Attorney
          Copy of the Probate Court Order
           appointing a guardian
Public Official/Law Enforcement
Officer
  In person: ID Badge, official credentials or
   other proof of status
  In writing: Appropriate government
   letterhead

Other Third Parties
  Such as person named as recipient in an
   Authorization: Picture ID
TREATMENT PAYMENT & HEALTH CARE
OPERATIONS: “TPO”

   Generally, a CE may use or disclose PHI without
   consent (but recall the Physician Patient Records
   Act) for:
        Treatment
        Payment
        Health Care Operations
        As described in the Notice of Privacy Practices
         (NPP)
NOTICE OF PRIVACY PRACTICES (NPP)


    NPP sets forth how CE may use or
     disclose a patient’s PHI
    Every patient is to receive a copy of
     CE’s Notice of Privacy Practices on
     admission
    Must complete acknowledgement
     form when Notice is provided
PROCESS TO DISCLOSE PHI FOR TPO

 Your HIPAA Policy should require a requesting
 party to provide their request in writing to the
 CE to include the following information:
      Name of the requesting party and verify as
       appropriate
      Name of the patient and date of birth or SSN
      (2 identifiers)
      Specification of records requested
      Purpose of the request (treatment, payment,
       etc.)
BEST PRACTICE



    Obtain a written request for any use or
    disclosure of PHI and add the request to
    the medical record with documentation
    of the PHI disclosed and the date of the
    disclosure
DISCLOSURES MADE WITHOUT CONSENT,
AUTHORIZATION OR OPPORTUNITY TO OBJECT

       Public health activities
       Law enforcement activities
       Health oversight activities
       Workers compensation
       Administrative and judicial proceedings
       Coroner, medical examiner or funeral director
       Organ donation
       Reporting victims of abuse
       Avoid a serious threat to health or safety
       Special government functions
IN GENERAL

  Requests that are NOT for TPO or listed on the
  previous slide require an authorization

  Advise that your HIPAA Policy have a form
  “Authorization to Disclose Protected Health
  Information”

  If you are reviewing an Authorization not on a
  CE form:
     See Authorization Checklist
     All authorizations that do not meet every
      element must be denied
LAW ENFORCEMENT



    IMPORTANT

    Verify the identity of the law
    enforcement official by ID badge or
    other official credentials
LAW ENFORCEMENT DISCLOSURES

May be made
    To identify a suspect, fugitive, material witness or
     missing person
    If the individual is suspected to be a victim of a crime
     AND the individual agrees (limited if the individual is
     incapacitated)
    Concerning a deceased individual if the death may
     have resulted from a crime
    Concerning an individual if there is evidence of crime
     on the premises
    In an emergency
    To prevent or lessen a serious/imminent threat

If you have questions, check with the Privacy
Officer and/or Legal Counsel
COURT-APPROVED DISCLOSURES TO LAW
ENFORCEMENT

   Disclosures of PHI can be made to law
   enforcement pursuant to:
     Court Order or Court-Ordered Warrant
     Subpoena or Summons issued by judicial officer
     Grand Jury Subpoena

   Always check with your Privacy Officer;
   Compliance Officer; Legal Counsel before
   making the disclosure
LAW ENFORCEMENT ADMINISTRATIVE
REQUESTS


  PHI can be disclosed pursuant to a law
  enforcement administrative request, subpoena,
  summons, civil investigative demand, if:
     PHI sought is relevant and material to legitimate
      law enforcement inquiry
     Request is specific and limited in scope to the
      extent reasonably practicable in light of
      purpose for which sought
     De-identified information could not reasonably
      be used
DISCOVERY REQUESTS


     Court Orders

     Verify the validity, then
          Immediately disclose the PHI
           specified
          Direct any questions to the Privacy
           Officer
Always:

 check with your Privacy Officer

 check with your Compliance Officer
  and comply with your compliance
  policies regarding law enforcement
  investigations
SUBPOENAS


    Verify the validity of the subpoena: Your
     HIPAA Policy should have a subpoena
     checklist for criminal or civil subpoenas

    Identify the party requesting the PHI

     If a law enforcement officer for a law
      enforcement purpose see the previous
      slides
SUBPOENAS AND DISCOVERY – PART I

  Identify the party requesting the PHI
  If not a law enforcement officer and the individual
  who is the subject of the PHI is a party to the action,
  PHI may be disclosed if Subpoena contains
  evidence of the following:
        Notice has been provided to the individual’s
         attorney
        Timeframe for objection has passed (14 days
         unless otherwise specified) and no objection
         has been filed
SUBPOENAS AND DISCOVERY – PART II

    Identify the party requesting the PHI
    If not a law enforcement officer and the
    individual is not a party to the action, PHI
    may be disclosed if the Subpoena is
    accompanied by written statement that
    provides:
         Notice has been provided or reasonable
          efforts (good faith attempts) have been
          made to provide the subject of the PHI with
          notice – and
 The notice included sufficient
  information about the litigation or
  proceeding in which the PHI is
  requested to permit the individual to
  raise an objection – and

 The time for the individual to object has
  passed and no objection was raised or
  any objection has been resolved
RESPONDING TO DISCOVERY REQUESTS


      If the attorney does not comply with the
       appropriate requirements, contact the
       Privacy Officer and s/he will respond (send
       a “Dear Attorney” letter)

      If the attorney does comply, carefully
       review the request and disclose only what
       is specified in the request
SUBPOENAS AND DISCOVERY – PART III


    Qualified Protective Order

    Either an order of the court or a consent
    order/stipulation by the parties that
    requires the destruction or return of the
    PHI at the end of the proceeding

    Carefully review the order and provide
    only the PHI responsive to the order
WORKERS COMPENSATION


     When you receive a request under the workers
      compensation laws, so long as the request is in
      writing (may be in a letter form or in a subpoena
      form) you may disclose the requested
      information.

     The only limitation is that the PHI requested must
      be “relevant to” or “pertaining to” the workers
      compensation claim.

     Disclose the PHI unless you receive written
      documentation of an objection.
DISCLOSURES TO BUSINESS ASSOCIATES

    You may disclose PHI to a business associate
    of the CE if you have a written business
    associate agreement (“BAA”) in place

    Disclose only the minimum necessary PHI for
    the BA to perform the function

    Substantial changes were made to the
    business associate relationship and agreement
    requirements in HITECH.
       Upshot: Update your BAAs for HITECH
        compliance
DOCUMENTATION


    All documents are to be filed with the
     patient’s medical record (access,
     authorization, etc.)

    The Privacy Standards require that all
     documents required by the Privacy Standards
     are kept for 6 years

    Generally, SC record retention requirements
     are 10 years for adults and for minors, to age
     of majority plus the applicable statute of
     limitations
EMAILING PHI


  Guidelines
    Due to the HITECH breach provisions, e-mail
     PHI only if the CE’s computer system has
     encryption capability
    Educate your staff and physicians NOT to use
     mobile devices to transmit PHI that are not
     approved devices subject to the CE’s security
     policies and procedures
    The risks are very high
ACCOUNTING OF DISCLOSURES

 Disclosures of PHI must be accounted for and
 recorded
 All disclosures must be accounted for except:
      Disclosures made before 04-14-03
      To carry out TPO (will be required generally in 2014)
      To the patient
      Pursuant to an authorization
      Facility directory or to persons involved in the
       patient’s care
      National security and intelligence purposes
      As part of a limited data set
      To correctional institutions or to law enforcement
       officials concerning custodial situations
      Disclosures made incident to all of the above
WHAT MUST BE IN THE ACCOUNTING

   For each disclosure that must be recorded in the
   accounting:
        Date of the disclosure;
        Name of the person/entity who received the PHI;
        A brief description of the PHI; and
        A statement of the purpose of the disclosure.
   Each request must be in writing
   Advise to have an Accounting of Disclosures
   Request Form
ACCOUNTING

     The accounting is for the previous 6 years
     After TPO accounting, only for previous 3 years
     Must respond to all requests within 60 days
      (can extend for an additional 30 days if
      communicated to the patient)
      The first request for any accounting in a
       12-month period must be provided free of
       charge
     Charges for additional requests must be
      reasonable, cost based
     The patient must be informed of the charge in
      advance
 Must document each request for an accounting
  and maintain for 6 years
 May be temporarily suspended if a health
  oversight agency or law enforcement presents
  the CE with a written statement that providing
  the patient with the accounting will impede the
  agency’s or law enforcement’s activities
 Any suspension cannot exceed 30 days
 May be suspended for research purposes
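As an added worked example (not part of the original presentation), a small accounting-of-disclosures register that applies the rules from the "Accounting of Disclosures", "What Must Be in the Accounting" and "Accounting" slides: which disclosures are exempt, the four fields every accountable entry must carry, the 6-year look-back (3 years for TPO once TPO accounting is required), the 60-day response deadline with its 30-day extension, and the 30-day cap on a suspension. The category names, patient id and sample entries are constructed for this example.

```python
# Added example (not from the presentation): an accounting-of-disclosures
# register applying the rules on the accounting slides. Category names,
# the patient id and the sample entries are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

PRIVACY_RULE_COMPLIANCE_DATE = date(2003, 4, 14)   # disclosures before this date are not accounted

# Categories the slides list as exempt from accounting (names are constructed).
EXEMPT_CATEGORIES = frozenset({
    "to_patient", "authorization", "facility_directory", "involved_in_care",
    "national_security", "limited_data_set", "correctional_or_custodial",
})
TPO = "tpo"   # exempt until TPO accounting is required (slides: "generally in 2014")


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str        # name of the person/entity who received the PHI
    description: str      # brief description of the PHI disclosed
    purpose: str          # statement of the purpose of the disclosure
    category: str = "other"
    incident_to_exempt: bool = False   # disclosures incident to an exempt one are also exempt


def years_before(d: date, years: int) -> date:
    """Same calendar day N years earlier; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureRegister:
    def __init__(self, tpo_accounting_required: bool = False):
        self.tpo_accounting_required = tpo_accounting_required
        self._entries: list[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        """Every entry carries the required fields, even if it later proves exempt."""
        for name in ("recipient", "description", "purpose"):
            if not getattr(d, name).strip():
                raise ValueError(f"disclosure entry is missing required field: {name}")
        self._entries.append(d)

    def is_accountable(self, d: Disclosure) -> bool:
        if d.disclosed_on < PRIVACY_RULE_COMPLIANCE_DATE or d.incident_to_exempt:
            return False
        if d.category in EXEMPT_CATEGORIES:
            return False
        if d.category == TPO:
            return self.tpo_accounting_required
        return True

    def accounting(self, patient_id: str, as_of: date) -> list[Disclosure]:
        """Accountable disclosures for the previous 6 years (3 years for TPO), oldest first."""
        result = []
        for d in self._entries:
            if d.patient_id != patient_id or not self.is_accountable(d):
                continue
            lookback = 3 if d.category == TPO else 6
            if d.disclosed_on >= years_before(as_of, lookback):
                result.append(d)
        return sorted(result, key=lambda d: d.disclosed_on)


def response_due(request_date: date, extension_communicated: bool = False) -> date:
    """60 days to respond; one 30-day extension only if communicated to the patient."""
    return request_date + timedelta(days=90 if extension_communicated else 60)


def suspension_end(start: date, requested_days: int) -> date:
    """A suspension at the written request of law enforcement or an oversight agency is capped at 30 days."""
    return start + timedelta(days=min(max(requested_days, 0), 30))


def build_sample_register(tpo_accounting_required: bool = False) -> DisclosureRegister:
    """Constructed sample entries for one (constructed) patient id."""
    reg = DisclosureRegister(tpo_accounting_required)
    for entry in (
        Disclosure("P-0001", date(2012, 1, 15), "Dr. Example (constructed)", "discharge summary", "treatment", TPO),
        Disclosure("P-0001", date(2010, 6, 1), "State health department (constructed)", "lab result", "public health reporting"),
        Disclosure("P-0001", date(2002, 12, 1), "County clerk (constructed)", "face sheet", "court order"),
        Disclosure("P-0001", date(2005, 1, 1), "Insurer (constructed)", "claim detail", "audit"),
        Disclosure("P-0001", date(2012, 3, 3), "Patient", "full record copy", "patient request", "to_patient"),
        Disclosure("P-0001", date(2012, 3, 4), "Spouse (constructed)", "visit dates", "involved in care",
                   "involved_in_care", incident_to_exempt=True),
    ):
        reg.record(entry)
    return reg


if __name__ == "__main__":
    for d in build_sample_register().accounting("P-0001", date(2012, 10, 10)):
        print(d.disclosed_on, d.recipient, d.description, d.purpose)
```

Of the six constructed entries, only the 2010 public-health disclosure appears in an accounting as of October 2012: the 2002 entry predates the compliance date, the 2005 entry is older than 6 years, the copy to the patient and the disclosure incident to it are exempt, and the treatment disclosure is exempt until the register is built with TPO accounting switched on.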
AMENDMENT


  All requests for Amendment of PHI must be in writing

  Advise to have a Request to Amend Form

  All patients have the right to request amendment of
  PHI unless:
       The PHI was not created by the CE
       The PHI is not part of the designated record set
       The PHI is not subject to access by the patient
       The PHI is accurate and complete
Advise to have a process to address requests
to amend (Privacy Officer and then to the
Director of HIMS)

If request for amendment accepted:
     The CE identifies the records affected and
      appends or provides a link to the
      amendment
     The CE must inform the patient that the
      amendment has been accepted and
      approve notifying other healthcare providers
      or business associates whose records may
      also be affected
If the request is denied, the patient must be
provided with denial letter that includes:
     The basis for the denial
     The right to submit a one page written
      statement disagreeing with the denial and
      how to file such a statement
     A statement that the patient may request
      that the request for amendment and the
      denial be provided with any future disclosures
     A statement of how the patient may lodge a
      complaint
The CE may provide a written rebuttal to the
patient’s statement of disagreement, which must
be provided to the patient

Documentation of the Request for Amendment
(must be retained for 6 years):
     Request for Amendment
     Any denial of the request
     Patient’s statement of disagreement and
     Providence’s rebuttal

Must respond to a request to amend within 60
days (can extend for an additional 30 days if
communicated to the patient along with the
reason for the delay)
QUESTIONS?
NEXSEN PRUET, LLC

             1230 Main Street, Suite 700
              Post Office Drawer 2426
                Columbia, SC 29202
                    803.771.8900

                WITH OFFICES ALSO IN:
                  South Carolina
       Greenville · Charleston · Myrtle Beach
                  Hilton Head Island
                   North Carolina
         Charlotte · Greensboro · Raleigh


               www.nexsenpruet.com
