1 COSIG Confidentiality Training for Breaking Barriers/ Building Dreams and OASIS Dept. of Alcohol and Other Drug Abuse Services: George Crosland, Manager of Program Accountability Carl Kraeff, Management Consultant Jenny Bouknight, COSIG Liaison Department of Mental Health Alan Powell, Assistant General Counsel Vocational Rehabilitation Department Jeb Batten, Staff Attorney
115
Embed
1 COSIG Confidentiality Training for Breaking Barriers/ Building Dreams and OASIS Dept. of Alcohol and Other Drug Abuse Services: George Crosland, Manager.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
COSIG Confidentiality Training for
Breaking Barriers/ Building Dreams and OASIS Dept. of Alcohol and Other Drug Abuse Services:
George Crosland, Manager of Program Accountability
Carl Kraeff, Management Consultant Jenny Bouknight, COSIG Liaison
Department of Mental Health Alan Powell, Assistant General Counsel
Vocational Rehabilitation Department Jeb Batten, Staff Attorney
2
General Introduction
The goal of this training is to familiarize No Wrong Door front line personnel with confidentiality laws and regulations.
This briefing is an abbreviated version of the Legal Action Center briefing that was presented to alcohol and drug abuse personnel last year.
Nonetheless, the full Legal Action Center presentation is made available as a handout.
3
This training is designed to provide general information, and is not presented as legal advice
The specific application of this information may vary based on specific facts and circumstances.
Specific application may also vary based upon other law and individual agency practices and procedures, including individual Privacy Practices.
General Introduction (Cont.)
4
Individual practices and procedures may include:
Type of Consent/Authorization Response to subpoenas Reporting of abuse and neglect Duty to Protect/Warn More restrictions to disclosure than applicable law
As needed, consult with your supervisor and/or legal counsel as applicable.
General Introduction (Cont.)
5
Frequently Asked Questions
When must I disclose client information? What is a subpoena and how should I handle it? What is a court order and how should I handle it? How should I deal with an arrest warrant from law
enforcement for a client in my facility? Who has final approval on whether or not I, the
counselor, discloses client information? When does 42CFR apply and HIPAA does not? How do I best protect myself from violating HIPAA
and/or 42CFR? When should consult with my agency supervisor
and/or attorney to clarify client confidentiality questions?
CONFIDENTIALITY AND COMMUNICATION: DRUG AND ALCOHOL
TREATMENT RECORDS
The following PowerPoint Presentation was created by the Legal Action Center for use in trainings conducted by its staff, and may only be used by
others with express written permission. Any other use, including copying or disseminating any
portion of this Presentation for profit or otherwise, is strictly prohibited. This Presentation does not
constitute legal advice. Please consult the
Legal Action Center for further information, or for answers to questions raised by this Presentation.
8
PART I:
INTRODUCTION
9
What is HIPAA?
Health
Insurance
Portability
Accountability
Act of 1996
10
HIPAA GENERALLY . . .
Establishes a federal floor of safeguards to protect the privacy of medical records and other Personal Health Information (PHI) by restricting use & disclosure.
Applies to PHI transmitted in electronic, written or oral form.
Allows individuals access to medical records & to have more control on how it is used.
11
Who must comply with HIPAA’s privacy standards?Health Care Clearinghouses, Health Plans, and Health Care Providers…That process claims, payment and remittance, coordination of benefits, claims status, or enrollment and disenrollment in a health plan…And transmit covered transactions in electronic form…
MUST comply with HIPAA’s privacy standards.
12
What is 42 C.F.R. Part 2?
It’s the set of federal regulations governing “confidentiality of alcohol and drug abuse patient records.” It implements the federal law on this topic.
Drug and alcohol treatment and prevention providers have been covered by these regulations and law for 30 years.
13
BUT Wait….
If I am a drug or alcohol program and have to follow 42.C.F.R. Part 2’s privacy standards, do I have to follow HIPAA? How can I do both, especially when they say different things?
14
YES
Treatment providers and programs must follow both 42 C.F.R. Part 2 and HIPAA.
The challenge comes when the two laws conflict.
15
Which providers must comply with 42 C.F.R. Part 2?
Providers must meet the definition of “program” and be “federally assisted.”
“Program” includes any person or organization that, in whole or in part, provides alcohol or drug abuse diagnosis, treatment or referral for treatment or prevention.
16
Which providers must comply with 42 C.F.R. Part 2 (cont.) A program is “federally assisted” if it:
receives federal funds in any form is assisted by the IRS through a grant of tax exempt
status is authorized to conduct business by the federal
government (e.g. licensed to provide methadone; certified as a Medicare provider)
is conducted directly by the federal government or by a state or local government that receives federal funds.
17
42 C.F.R. Part 2 and HIPAA: The General Privacy Rule
DISCLOSURE OR USE OF RECORDS OR OTHER PATIENT-RELATED INFORMATION IS PROHIBITED
18
The General Privacy Rule (cont.)
Does not matter whether or not the person/entity seeking the information:
already has it, has other ways to get it, has some kind of official status, has obtained a subpoena or warrant, or is authorized by state law.
19
InternalCommunications
No patient identifying information
Permitted Disclosures
Proper Consent
Qualified Service Organization Agreement
Medical Emergency
Research/ Audit
Court Order
Reporting suspected child abuse and neglect
Crime on program premises or against program personnel
42 C.F.R. Part 2 Exceptions to General Rule
20
DAODAS Advice
Clear the release with immediate supervisor
Make sure the request for release is proper, complete, and signed
Make sure the intended recipient gets it
Make sure you have re-disclosure authority
21
HIPAA vs. 42 C.F.R. Part 2We’ll discuss . . .
Which exceptions to the basic 42 C.F.R. Part 2 rule do not change under HIPAA
Which exceptions do change under HIPAA
22
PART II:
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA
23
HIPAA vs. 42 C.F.R. Part 2 Which Exceptions Have Not Changed
a. Law Enforcement/Legal Proceedingsb. Crimes on Program Premises/Against Program
Personnelc. Medical Emergenciesd. Child Abuse Reportinge. Internal Communicationsf. Minorsg. Duty to Warnh. Audit and Evaluation
24
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).
(a) Law enforcement and legal proceedings: subpoenas, court orders,
criminal prosecutions, warrants
25
Subpoenas
You are served with a subpoena that directs you to appear in court with your entire file on a particular patient and testify about the records in the file.
You get a subpoena in the mail that directs you to turn over your entire file on a particular patient to an attorney.
Should you turn the records over and/or testify?
26
Subpoenas (cont.)
Answer:
27
Subpoenas (cont.)
So What Should I Do If I Receive a Subpoena?
28
Subpoenas (cont.)
Answer:
Do not simply ignore a subpoena. Contact your program’s attorney (if you have one) Contact the client to see if she will consent (in writing) to
your responding to the subpoena If subpoena is issued by an attorney, and your client does
not consent to your responding, contact the attorney to say that confidentiality laws do not permit you to respond – attorney has to get a proper court order
Contact Legal Action Center if your program has no attorney and you have questions
29
Subpoenas (cont.)
Scenario:A process server walks in the front door of
Richmond Hill Drug Treatment Program and serves Carlos, the office manager, with a subpoena. The subpoena calls for Sue, one of the counselors, to come to court tomorrow for a hearing to determine whether Richmond Hill’s records about a patient should be turned over to the court in the context of a divorce hearing. Sue knows the patient’s wife is trying to show that the patient isn’t fit to have custody of their two sons. She believes he is a good man and a better parent than the wife. Plus, tomorrow is her day off. What should Sue do?
30
Subpoenas (cont.)
Answer:
31
Subpoenas (cont.)
Again, it’s possible that the subpoena may simply compel attendance at hearing to determine whether a court order should issue to disclose confidential information.
All the more reason to read the document carefully and consult with an attorney.
32
Court Order 42 C.F.R. Part 2: a court may issue an order
authorizing disclosure of confidential records only after it follows certain procedures and makes particular determinations
Again, a subpoena alone is not sufficient to authorize/compel a program to disclose information (but again, it may be enough to compel attendance at a hearing about disclosure)
33
Who can seek a court order?
Your program
An attorney in a case involving the person whose records are sought (the attorney need not represent that person, and often does not)
34
Court Order: Requirements Before Order Can Be Issued In A Civil Case
Notice (to the program and to the person whose records are sought)
Opportunity to be heard (for the program
and the person whose records are sought)
Proceeding must be brought using fictitious name
35
Court Order: Requirements Before Order Can Be Issued In A Civil Case (cont.)
Confidential proceeding (courtroom is closed, or hearing held in the judge’s chambers)
Good cause: order should be issued only if court finds the public interest and need for disclosure outweigh adverse effect disclosure will have on patient and treatment services
36
Limits on Scope of Order Order must limit disclosure to information
essential to fulfill the purpose of the disclosure Must be restricted to those people who need the
information for that purpose Court should take steps to protect confidentiality,
e.g. sealing records from public view
37
Limits on Scope of Order (cont.)
Court may not authorize disclosure of “confidential communications” by a patient to a program unless the disclosure is: Necessary to protect against threat to life or of
serious bodily injury Necessary to investigate or prosecute an extremely
serious crime In connection with proceeding where patient
presented evidence about the confidential communication
38
Criminal Investigations or Prosecutions: Court Orders to Disclose Confidential Information
An agency seeking a court order for purpose of investigating or prosecuting a
patient for a crime must meet 5 stringent criteria
39
Criminal Investigations or Prosecutions (cont.)
First,
The crime involved must be extremely serious, such as an act causing or threatening to cause death or serious injury.
40
Criminal Investigations or Prosecutions (cont.)
Second,
The records sought must be likely to contain information of significance to the investigation or prosecution.
41
Criminal Investigations or Prosecutions (cont.)
Third,
There must be no other practical way to get the information.
42
Criminal Investigations or Prosecutions (cont.)
Fourth,
The public interest in disclosure must outweigh harm to patient and the provision of treatment.
43
Criminal Investigations or Prosecutions (cont.)
Fifth,
When law enforcement seeks an order, the program must have the opportunity to be represented by counsel.
44
Search and Arrest WarrantsVery difficult situation for programsProgram cannot just agree to give
officer what he/she wants without consent or a valid court order
45
Search and Arrest Warrants: What to Do?
Program should take the following steps:
Produce copy of 42 C.F.R. Part 2 and explain that program cannot cooperate without an appropriate court order.
Try to contact a lawyer to help resolve the situation.
46
Search and Arrest Warrants: What to Do (cont.)
Ask to contact the prosecuting attorney or commanding officer. Stress that illegally seized records will not be admissible in court.
If an officer insists on entry, DO NOT forcibly resist.
47
Final Note About Arrest Warrants
If a patient committed or threatened to commit a crime on the program premises, the program may produce the individual, as 42 C.F.R. Part 2 has a special exemption for crimes on program premises or against personnel.
48
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).
(b) Crimes on Premises or Against Personnel
49
Crimes on Premises or Against Personnel (cont.)
Definition
When a patient . . .Commits or threatens to commit a crimeOn program premises orAgainst program personnel
50
Crimes on Premises or Against Personnel (cont.)
A patient punches another patient.
A patient grabs a counselor’s wallet.
Program wants to call the police and report.
May the program do that?
51
Crimes on Premises or Against Personnel (cont.)
Answer:
52
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).
(c) Medical Emergencies
53
Medical Emergency – Definition Immediate threat To any individual’s health Requires immediate medical intervention
54
Medical Emergency (cont.)
Josh, a resident of a Pine Tree Drug Rehab Services, has a heart attack in the day room.
May the program call 911 and tell the dispatcher the location (Pine Tree Drug Rehab Services)?
55
Medical Emergency (cont.)
Answer:
56
Medical Emergency (cont.)
Best Practice:
Have all incoming patients/clients sign a form indicating who should be contacted in case of emergency and authorizing release of information about the emergency and their whereabouts.
57
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).
(d) Child Abuse and Neglect
58
Child Abuse and Neglect
HIPAA and 42 C.F.R. Part 2 permit providers to comply comply with state mandates for: Initial report Written confirmation
59
Child Abuse and Neglect (cont).
What if a program receives a subpoena to produce additional information or records after the initial report is made? Can it turn over the documents?
60
Child Abuse and Neglect (cont.)
Answer:
61
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).
(e) Internal Communications
62
Internal Communications
Information may be disclosed to staff: within a program
- or - To an entity with administrative
control If the recipient needs information to
provide alcohol or drug services
63
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).
(f) Minors
64
Minors
Both HIPAA and 42 C.F.R. Part 2 leave the issue of who is a minor, and whether a minor can obtain health care or alcohol or drug treatment without parental consent entirely to state laws.
65
Minors (cont.)
Scenario:
Mike, who is 16 years old, was just admitted to a residential treatment program because of a marijuana problem. Fred, his boy scout leader, calls and asks how he is doing. Mike’s mother has signed a form permitting you to talk with Fred. Mike does not want you to do that. You know Fred from church and know he is a good man. Can you talk to Fred without Mike’s permission?
66
Minors (cont.)
Answer:
67
Minors (cont.)
Programs must always obtain the minor’s consent for disclosures and cannot rely on the parent’s signature instead.
If parental consent was not required to treat the minor, then parental consent is not required to make disclosures.
If parental consent for treatment is required, the consent of both the minor patient and the parent or guardian is required.
68
Minors (cont.)
Scenario:
Missy, who is 16 years old, was doing well in her alcohol treatment program, but has just relapsed. She is drinking so much that she is passing out.
Can the program tell her mother?
69
Minors (cont.)
Answer:
70
Minors (cont.)
Answer:
71
Minors (cont.)
The program believes Missy’s mom really should know about the situation with her daughter. Can’t it do anything?
72
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).
(g) Duty to Warn
73
Duty to Warn Tarasoff v. Regents of the University of California:
where therapist determines that patient presents serious danger of violence to another, has duty to notify the victim, the police, or take other reasonable steps to protect the victim.
HIPAA permits health care providers to disclose information to prevent or lessen a serious or imminent threat to someone’s health or safety.
42 C.F.R. Part 2 restricts the communications the program or its personnel may make to a law enforcement agency or a court or anyone else.
74
Duty to Warn (cont.)
Is there a duty to warn in South Carolina?
Yes, a common law duty exists.“ When the defendant stands in some special
relationship to the person whose conduct needs to be controlled, a duty of care may be imposed upon the defendant to protect threatened third parties from harm.”
75
How Do I Warn?
Ways to make reports: By obtaining a court order Via anonymous and other non-patient
identifying reporting. Cell phone call is notnot anonymous!
76
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Not Changed with HIPAA (cont).
(h) Audit and Evaluation
77
Audit and Evaluation
Under both HIPAA and 42 C. F.R. Part 2, government agencies that fund or regulate a program, private agencies that provide financial assistance, or third party payments to a program, and peer review organizations that review utilization or quality control
. . . may have access to program records without patient consent in order to conduct an audit or evaluation.
78
Audit and Evaluation (cont.)
Redisclosure of Patient Information:
Program must require that auditor agree in writing that it will only redisclose informationa. back to the program itselfb. pursuant to a court order to investigate or
prosecute the program (not a patient), orc. to a government agency overseeing a Medicaid or Medicare audit or evaluation
79
Audit and Evaluation (cont.)
Scenario:Bay State Medicaid program audits Charles River Alcohol Treatment Center on an annual basis to make sure it is complying with Medicaid laws. Bay State Medicaid suspects that Steve, a resident, may not actually qualify for Medicaid because he is working two jobs. After it completes an audit, Bay State asks Charles River for Steve’s file to check whether there is any information about his income in the file. Can Charles River turn over the file?
80
Audit and Evaluation (cont.)
Answer:
81
PART III:
42 C.F.R. Part 2: Exceptions to General Privacy Rule That HaveHave Changed with HIPAA
82
42 C.F.R. Part 2: Exceptions to General Privacy
Rule That Have Changed with HIPAA
1. Consent
2. Qualified Service Organization Agreements
3. No Patient-Identifying Information
4. Notice
5. Research
6. New Patient Rights
7. New Administrative Requirements
83
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)
1. Consent
84
Consent
While there are situations in which HIPAA allows disclosure without consent, most are prohibited under 42 C.F.R. Part 2unless written consent is obtained.
HIPAA adds certain requirements to content and use of consent form.
85
Consent: What stays the same?
Specific Consent Drafted as narrowly as possible, who will use or
disclose the PHI, for how long & for what purpose
Redisclosure Written notice of prohibition on redisclosure
86
Consent: What stays the same (cont.)
RevocationOral revocation is still valid.
Although HIPAA requires written revocation, HSS has stated that oral revocations must be honored.
87
Consent: What Changes?
Consent Elementsconsent forms MUST contain all
elements required by 42 C.F.R. Part 2 plus an additional element required by HIPAA (see next slide).
88
42 C.F.R. Part 2 requirements:1.Name of Program2.Name of Recipient3.Name of Patient4.Purpose/Need5.Extent/Nature6.Revocation Statement7.Expiration (date or event)8.Signature of Patient9.Date10. Program’s ability to condition
treatment, payment, enrollment or eligibility on the patient’s agreeing to sign the consent
HIPAA HIPAA RequirementRequirement::Written Notice Written Notice
of of Prohibition on Prohibition on RedisclosureRedisclosure
Consent: 10 Elements Required on Form
&
89
Consent/Authorization – general matters
Consent/Authorization must explain the purpose and description of the information for disclosure.
Must be limited to minimum necessary information and time period (or event or condition) required.
90
Consent/Authorization: general matters (cont.)
Scenario:
Celine has signed a consent form authorizing John Jay Drug Treatment Program to turn over all her records to Nassau Community College Health Center. John Jay’s file has records that came from Staten Island Medical Associates. Can/should John Jay turn over the Staten Island records to Nassau Community College?
91
Consent/Authorization: general matters (cont.)
Answer:
92
Consent/Authorization: general matters (cont.)
Consent/Authorization does not FORCE a program to make a disclosure . . .
. . . unless a subpoena or court order requires it
93
Consent/Authorization: general matters (cont.)
Consent/Authorization that is expired, deficient or known to be revoked, false or invalid must be REFUSED.
94
Criminal Justice System Referrals
42 C.F.R. Part 2 has special rules when person’s participation in a treatment program is an official condition of the disposition of the criminal case.
The special rules concerning criminal justice system (CJS) referrals apply only to individuals involved in the criminal justice system.
95
Criminal Justice System Referrals (cont.)
Best Practice:
A program should routinely ask for a court order for every patient mandated into the
program by the criminal justice system.
96
Criminal Justice System Referrals (cont.)
Best Practice:
Have judge or referring agency require that proper CJS consent form be signed before an individual is referred to treatment.
97
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)
2. QSO/BA Agreements
98
QSO/BA Agreements
Business Associate [BA] (HIPAA)
Qualified Service Organization [QSO] (42 C.F.R. Part 2)
=
99
QSO/BA Agreements (cont.)
What is a QSO/BA agreement?
100
QSO/BA Agreements (cont.)
Answer:
A written agreement that allows programs to disclose information without the patient’s consent to an outside organization that provides services to the program or to the program’s patients.
101
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)
(3) No Patient-Identifying Information
102
No Patient-Identifying Information
Both HIPAA and 42 C.F.R. Part 2 permit programs to communicate information that is not “patient-identifying.” Each has a different definition of what that term means, though.
42 C.F.R. Part 2 definition of the term includes:-- name-- address-- Social Security number-- other information from which patient’s identity can be determined either directly or by reference to other public information.
103
No Patient-Identifying Information (cont.)
HIPAA definition is broader. It includes all categories set forth in 42 C.F.R. Part 2 and more, including:
-- birth date
-- admission date
-- discharge date
-- telephone or fax number
-- e-mail address
-- medical record identifier number
-- fingerprints
-- photographs.
104
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)
(4) Privacy Notice
105
Privacy Notice 42 C.F.R. Part 2 and HIPAA require
programs to provide patients with a Privacy Notice. HIPAA also requires that programs: Give patients written summary of the law at first
delivery of service. Get written acknowledgment that patient received
notice and maintain copy. Post notice in clear and prominent location.
106
Privacy Notice (cont.)
Scenario:
Fulton Drug Treatment Services contracts with the Fulton County Jail to provide treatment to inmates. Must the program provide privacy notices to inmates?
107
Privacy Notice (cont.)
Answer:
108
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)
(5) Research
109
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)
(6) New Rights for Patients
110
HIPAA:New Rights For Patients
HIPAA Provides Patients with the Right to:
Access Records Request an Amendment Receive an Accounting Request Restrictions Receive Confidential Communications
111
Patient’s Right to Access Records (cont.)
Scenario:
JoAnne is moving to Chicago and asks for copies of all her records on file with Delta Alcohol Treatment Program. The records include notes taken by a psychologist that include opinions about JoAnne’s mental state, including the opinion that she suffers from an exaggerated sense of her own importance and has a martyr complex. Must Delta turn over these notes to JoAnne along with the rest of the records?
112
Patient’s Right to Access Records (cont.)
Answer:
113
42 C.F.R. Part 2: Exceptions to General Privacy Rule That Have Changed with HIPAA (cont.)
(7) New Administrative Requirements
114
COSIG Confidentiality Training
Questions?
115
SCDMH Records/Info (44-22-100)
Section 44-22-100 of the S.C. Code protects the confidentiality of a SCDMH patient/former patient or “individual whose commitment has been sought” (e.g. emergency admission/judicial commitment papers.)
Usually, HIPAA (psychiatric) and 42 CFR Part 2 (A&D e.g. Morris Village) are more restrictive than 44-22-100.
Non-A&D: while HIPAA allows release by subpoena, 44-22-100 limits such release to law enforcement, another agency or when furthering the patient/family’s welfare.