PRIVACY REGULATIONS FOR BEHAVIORAL HEALTH PROVIDERS WHAT YOU NEED TO KNOW

Transcription

1 PRIVACY REGULATIONS FOR BEHAVIORAL HEALTH PROVIDERS WHAT YOU NEED TO KNOW September 10, 2013

2 AGENDA The Changing Privacy Climate Overlapping Laws & Regulations Health Insurance Portability & Accountability Act (HIPAA) Substance Abuse & Mental Health Services Administration (SAMHSA) Regulations 42 CFR Part 2 Florida State Law Putting It All Together Scenarios Q/A

3 THE CHANGING PRIVACY CLIMATE z

4 OVERLAPPING LAWS & REGULATIONS HIPAA Applies to health care providers, health plans, health care clearinghouses (and their business associates) 42 CFR Part 2 Applies to substance abuse programs State Law Various statutes apply to health care providers, behavior health records and substance abuse programs HIPAA State law 42 CFR Part 2 Providers must comply with each and every regime. Just because a disclosure is allowed under one does not mean it is OK!

5 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Statutory Purposes Provide health insurance portability and continuity for individuals. Encourage adoption of health information technology (HIT) systems. Standardize certain electronic healthcare transactions. Increase privacy and security protections for patient information. U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) Promulgates regulations Enforcement authority HIPAA often refers to both federal statutes and the various regulations and rules that implement them. Individual states can (and do) impose additional requirements.

6 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS History 1996: HIPAA Enacted 2000: Privacy Rule Issued (Amended in 2002) 2003: Security Rule, Enforcement Rule (Interim) Issued 2006: Enforcement Rule Issued 2009: Health Information Technology for Economic and Clinical Health (HITECH) Act Enacted Increases Patient Rights & Provider Obligations Heightens Enforcement through Increased Penalties & Proactive Audits 2009: HITECH Enforcement (Interim) and Breach Notification (Interim) Rules Issued 2010: HITECH Changes to HIPAA Regulations Proposed 2013: Final Omnibus HIPAA Regulations Issued

7 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Key Roles Covered Entities (CEs) Health Plans Examples include group health plans, HMOs, Medicare, Medicaid, issuers of health/long-term care insurance Health Care Clearinghouses Data translation services Health Care Providers who engage in certain electronic transactions MOST providers! Business Associates (BAs) Service providers to Covered Entities who create, receive, maintain or transmit Protected Health Information Under the HITECH Act The regulations apply directly to BAs BA subcontractors are also treated as BAs under the regulations to create an unbroken chain of data protection Business Associate Agreements (BAAs) must be in place that define duties and obligations and limit how BAs are allowed to use & disclose PHI.

8 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Protected Health Information or PHI BROADLY DEFINED Individually Identifiable Health Information transmitted by or maintained in electronic or other media. Individually Identifiable Health Information relates PHI is not To the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Education records (See the Family Educational Rights and Privacy Act) Employment records held by a Covered Entity in its role as employer Data regarding a person deceased more than 50 years De-identified data (according to specific requirements)

9 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Regulations are Organized into Four Key Rules 1. The Security Rule establishes requirements for safeguarding PHI. 2. The Breach Notification Rule sets requirements for notifying affected patients, the HHS Secretary, and the media in the event of certain data breaches. 3. The Privacy Rule defines regulations regarding permitted uses & disclosures of PHI and patient rights. 4. The Enforcement Rule defines administrative processes for investigations and sanctions.

10 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS The Security Rule establishes requirements for safeguarding PHI. Covered Entities & Business Associates must Designate an Information Security Official Perform a Risk Assessment Meet Organizational Requirements» Business Associate Agreements Implement and Maintain Appropriate Safeguards» Administrative» Physical» Technical

11 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS The Breach Notification Rule sets requirements for notifying affected patients, the HHS Secretary, and the media in the event of certain data breaches. Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA regulations which compromises the security or privacy of the PHI. Organizations should put processes and plans in place for workforce members to report breaches and to manage response BEFORE such events occur. Two Key Parts Good faith efforts can help to minimize damage to patients and providers. 1. Unauthorized (improper) acquisition/access/use/disclosure AND 2. Compromise of security or privacy

12 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Exceptions Situations that are generally not considered breaches under HIPAA Unintentional, good faith access to PHI by a workforce member Example: Billing clerk accidentally looks up the wrong record. Inadvertent disclosure within a Covered Entity or Business Associate organization Example: Nurse accidentally gives a file to the wrong doctor. Disclosures where the Covered Entity or Business Associate has a good faith belief that the recipient would not have been able to retain the PHI Beware data is easier to retain than you might think, but imagine examples such as a screen momentarily viewable by an individual.

13 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Breach Notification Rule (continued) Breaches that affect 500 or more individuals are published on a publicly available website ( the wall of shame ). Only breaches of unsecured (not encrypted) data call for notification, encouraging the use of data encryption. Unless an exception applies, the regulations presume that an unauthorized use or disclosure of PHI is a breach unless the Covered Entity or Business Associate demonstrates that there is a low probability of compromise based on a specific set of risk assessment factors. Guilty until proven innocent. In other words, beware, a breach is (usually) a breach!

14 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS The Privacy Rule defines regulations regarding permitted uses & disclosures of PHI and patient rights. Covered Entities must Designate a Privacy Official Meet Organizational Requirements» Business Associate Agreements Provide patients with a Notice of Privacy Practices Establish and maintain processes to support Patient Rights» Access to PHI» Accounting of disclosures» Requests for amendments» Requests for restrictions Under HITECH, requests for certain restrictions regarding services paid for out-ofpocket must be granted.

15 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Privacy Rule (continued) PHI may only be used and disclosed as permitted by the Rule unless a Patient Authorization is provided. Many exceptions are permitted by the Rule.» Treatment, payment, health care operations» Required by law, public health, judicial and administrative proceedings» Victims of abuse, neglect or domestic violence» Law enforcement (including emergencies, with limits & restrictions)» To avert a serious threat to health or safety (within limits)» Research, health oversight, special government functions, worker s compensation Some exceptions call for informing patients and providing them an opportunity to object.» Facility directories, individuals involved in care (e.g., friends & family)

16 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Privacy Rule (continued) Psychotherapy notes are given extra protection. Limited Data Sets may be released for research, public health and health care operations purposes with a Data Use Agreement (DUA). Direct identifiers must be removed. Popular with researchers as some geographic information and dates of service are included. De-identified data is no longer considered PHI. Direct and indirect identifiers (18 of them!) must be removed to meet the Rule s safe harbor. A Covered Entity may also depend on a documented expert analysis (based on generally accepted statistical & scientific principles) that the risk of identifying an individual is very small.

17 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Privacy Rule (continued) Under the HITECH Act, additional restrictions apply to sales of PHI and uses of PHI for marketing purposes. SALES of PHI The sale of PHI is generally prohibited without patient authorization. Sale is broadly defined (direct or indirect remuneration) Exceptions (i.e., these disclosures are likely not considered sales, but some call for only cost-based remuneration)» Public health & research purposes» Treatment & payment purposes» Sale, transfer, merger or consolidation of a Covered Entity» Related to business associate activities» For an individual s access to records» As required by law

18 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Privacy Rule (continued) The marketing rules can be tricky seek advice! Use of PHI for Marketing Purposes Is also generally prohibited without patient authorization.» Face-to-face communications and promotional gifts of nominal value are likely to be OK.» If financial remuneration from a third party to the Covered Entity is involved, the authorization must state so. What is Marketing under the HIPAA Rules?» To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. NOT communications made:» To provide refill reminders or communicate about a current prescription, if the Covered Entity only receives remuneration reasonably related to the cost of making the communication» For certain treatment and health care operations purposes where the Covered Entity does not receive financial remuneration for making the communication.

19 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS The Enforcement Rule defines administrative processes for investigations and sanctions. Imposes civil monetary & criminal penalties for violations. Penalties may apply to organizations and/or individuals. Penalties are based on the extent and egregiousness of the violation and range from $100 to $50,000 per violation, up to $1.5M for identical violations in a calendar year. Criminal sanctions may apply to those who knowingly engage in violations, and penalties escalate where false pretenses or intent for commercial advantage, personal gain or malicious uses are involved (e.g., fraud, identify theft).

20 SUBSTANCE ABUSE & MENTAL HEALTH REGULATIONS BASICS Statutory Purposes (42 U.S.C. 290dd-3; 290ee-3) Address the stigma and fear of prosecution associated with seeking treatment by ensuring patient confidentiality Confidentiality of Alcohol and Drug Abuse Patient Records Regulations originally promulgated in 1975, updated in Known as 42 CFR Part 2 Regulations Disclosure only allowed with Patient Consent with very limited exceptions. Medical emergencies Research, audit and evaluation Court orders HIPAA often refers to both federal statutes and the various regulations and rules that implement them. Individual states can (and do) impose additional requirements. Regulatory authority is held by the Substance Abuse and Mental Health Services Administration (SAMHSA) within HHS.

21 SUBSTANCE ABUSE & MENTAL HEALTH REGULATIONS BASICS Key Roles Covered Programs Federally assisted drug abuse or alcohol abuse programs The concept of federal assistance is broadly defined and includes those granted federal tax exemptions. Includes identified units within a more general medical facility. Qualified Service Organizations (QSOs) Service providers to Covered Programs Must enter into an agreement with Covered Program(s) that acknowledges that it is bound by the regulations. Qualified Service Organization Agreements (QSOAs) must be in place that acknowledge application of the regulations to service providers.

22 SUBSTANCE ABUSE & MENTAL HEALTH REGULATIONS BASICS Patient Consents must include nine specific elements. 1. Who is allowed to make the disclosure; 2. Who will receive the information; 3. Patient name; 4. The purpose of the disclosure; 5. How much and what kind of information is to be disclosed; 6. Patient (or authorized representative) signature; 7. Date on which the consent is signed; 8. A statement regarding revocation rights; and 9. When or how the consent will expire (within reasonably necessary limits).

23 FEDERAL & STATE LAW Relationship between federal and state laws and regulations. HIPAA is a floor states can (and do) enact more stringent requirements. Required by law exception may allow for use or disclosures mandated by state law. Florida recognizes exceptions such as those for patient care and treatment but is more narrow than HIPAA (Fla. Stat ). States cannot override 42 CFR Part 2 Regulations.

24 FLORIDA STATE LAW Florida state law includes consent requirements (with exceptions) for behavioral health records (Fla. Stat ). The Florida Electronic Health Records Exchange Act (Ch , effective July 28, 2010) includes requirements for state regulators to create universal patient authorization forms. Assist in standardizing consent (i.e., authorization) forms and health information exchange among providers. Providers must accept universal forms. Providers gain certain liability protections if disclosures are made on the basis of the forms. See ( Patient Authorization ).

25 PUTTING IT ALL TOGETHER Comprehensive, Process-Driven Compliance Programs Compliance programs are most effective when a single, integrated approach addresses all the pertinent regulations, to the extent feasible, so workforce members can understand a single set of rules of the road. Electronic Health Records (EHRs) & Intermingled Data Separating out behavioral health or substance abuse data in health information technology ( HIT or Health IT ) systems may be difficult, but such systems can be managed by addressing the most stringent regulations (increasingly through granular consent ). Health Information Exchange (HIEs) & Patient Consent Providers can share information using HIEs and centralized systems, if patient consent requirements and other regulatory obligations are met.

26 SCENARIOS Let s talk through a few common (and challenging!) situations and how to manage them Can I do that?! But what about

27 SCENARIOS Discussing patient-specific information What s the right time, place and manner to discuss patient-specific information? But I did not use the patient s name, isn t that enough? What if a colleague has a need to know details? What if a family member or other person who assists in the patient s care asks me for details? What if someone from another organization contacts me and asks for information?

28 SCENARIOS Protecting stored patient information Where and how should data be kept? Can I keep patient information on a laptop? What if it is protected? What is data encryption and why does it matter? What about my iphone? My Blackberry? My Android device? We are going to sell (or reuse) some computers that might have patient information on them, what should I do? What if I need to patient information, is that ok? How do I properly dispose of paper files? Other records?

29 SCENARIOS Managing patient rights What kinds of processes should be in place? When should I get help? Are patients entitled to a copy of all their records? Are there exceptions if the provider thinks it is better not to share the records? Can a patient ask us not to disclose or release their information, even to another provider? What if a patient asks me for an electronic copy of their records? What if a patient asks to correct their records? What is an accounting of disclosures?

30 SCENARIOS Using health IT (HIT) systems What if someone asks me to use my login/password? Can systems be used that permit different providers (or others) to access and share patient information? How does patient consent or authorization work with HIT systems? What is a health information exchange (HIE) and how is that different from an electronic health record(ehr)? How can information be extracted or used for data analytics? Can data from our systems be used for research? What if the researcher does not need patient-identifying information? What is cloud computing and how is that different from our old systems?

31 QUESTIONS?