Case Study. Developing a Universal Consent Form: Lessons Learned from Florida Medicaid



Similar documents
NC General Statutes - Chapter 90 Article 29A 1

ELECTRONIC HEALTH RECORDS. Nonfederal Efforts to Help Achieve Health Information Interoperability

Strategies for Electronic Exchange of Substance Abuse Treatment Records

Appendix B: Existing Guidance to Support HIE Implementation Opportunities

This Agreement is based on the following general principles:

Use of Electronic Health Record Data in Clinical Investigations

How To Write A Community Based Care Coordination Program Agreement

COMPARISON OF KEY PROVISIONS House and Senate Comprehensive Mental Health Reform Legislation

ILHIE Authority Data Security and Privacy Committee. Briefing Summary: Policies # 1, 3 (Panel #1) -- Patient Choice, Opt-in/Opt-out

Physician Champions David C. Kibbe, MD, & Daniel Mongiardo, MD FAQ Responses

Business Associate and Data Use Agreement

Privacy and Security Solutions for Interoperable Health Information Exchange

Health Information Technology (IT) Simplified

ehealth Pod Pilot Program Challenges I. Identifying Challenges for Providers Not Participating in the Pilot

GEORGIA MEDICAID TELEMEDICINE HANDBOOK

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by:

HIPAA Enforcement Training for State Attorneys General

Florida Children and Youth Cabinet Headline Indicator Update Access to Health Care. Florida s Uninsured Children

Health Insurance Portability and Accountability Policy 1.8.4

Business Associates under HITECH: A Chain of Trust

RULES OF THE ALABAMA BOARD OF MEDICAL EXAMINERS CHAPTER 540-X-15 TELEHEALTH. Table of Contents

BUSINESS ASSOCIATE AGREEMENT. Recitals

ELECTRONIC HEALTH RECORDS

BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association

Privacy and Security Solutions for

Request for Proposal Implementation Agents of Health Information Technology: Behavioral Health, Primary Care, and other Specialty Healthcare Providers

Guidance for Industry. IRB Review of Stand-Alone HIPAA Authorizations Under FDA Regulations

A FEDERAL STATE DISCOURSE ON PRIMARY CARE AND BEHAVIORAL HEALTH INTEGRATION. Background Material

Parsonage Vandenack Williams LLC Attorneys at Law

SaaS. Business Associate Agreement

Releasing Information

HIPAA Privacy Rule Primer for the College or University Administrator

Florida Senate (PROPOSED BILL) SPB 7044

WISHIN Pulse Statement on Privacy, Security and HIPAA Compliance

BUSINESS ASSOCIATE AGREEMENT

State Medicaid Program - Changes in 2012

BUSINESS ASSOCIATE AGREEMENT

HIPAA Compliance in Litigation and Discovery 10 Key Concepts Click to edit Master title style

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE

PATIENT INTAKE FORM PATIENT INFORMATION. Name Soc. Sec. # Last Name First Name Initial Address. City State Zip. Home Phone Work/Mobile Phone

HIPAA Compliance and the Protection of Patient Health Information

Iowa Medicaid Integrated Health Home Provider Agreement General Terms

Revision to the Executive Director for Health Care Policy and Financing Rule Concerning the All-Payers Claims Database, Section 1.

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for Committee Substitute for House Bill No.

RUTGERS POLICY. Responsible Office: RBHS Office of Ethics, Compliance & Corporate Integrity

RULES OFTHE ALABAMA BOARD OF MEDICAL EXAMINERS CHAPTER 540-X-15 TELEHEALTH. Table of Contents

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No A-94B, AFL-CIO. Notice of Privacy Practices

Graphic Communications National Health and Welfare Fund. Notice of Privacy Practices

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

BUSINESS ASSOCIATE AGREEMENT

State Medicaid HIT Plan (SMHP) Overview

Center for Medicaid, CHIP, and Survey & Certification SMDL # June 21, Re: Third Party Liability. Dear State Medicaid Director:

HL7 & Meaningful Use. Charles Jaffe, MD, PhD CEO Health Level Seven International. HIMSS 11 Orlando February 23, 2011

COMPLIANCE WITH LAWS AND REGULATIONS (CLR)

BUSINESS ASSOCIATE CONTRACTUAL ADDENDUM

Transcription:

Case Study Developing a Universal Consent Form: Lessons Learned from Florida Medicaid Prepared for: Agency for Healthcare Research and Quality U.S. Department of Health and Human Services 540 Gaither Road Rockville, MD 20850 http://www.ahrq.gov Report Contract No. HHSA2902007-10079T Prepared by: RTI International 3040 Cornwallis Road Research Triangle Park, NC 27709 AHRQ Publication No. 10-0104-EF September 2010

Case Study Developing a Universal Consent Form: Lessons Learned from Florida Medicaid Agency Overview Florida s Medicaid program provides coverage for 2.5 million beneficiaries, representing 14 percent of the total population. The State s Children s Health Insurance Program (CHIP), Florida KidCare, enrolls an additional 225,000 children. KidCare is a combination program, with some portions of the program included as an expansion to Medicaid and other portions within a separate stand-alone program. Approximately two-thirds of beneficiaries are enrolled in a managed care program. The Agency for Health Care Administration (AHCA) administers Florida s Medicaid program and develops and carries out policies related to the Florida Medicaid program. KidCare is administered by four partner agencies, including AHCA, the Department of Children and Families, the Department of Health, and the Florida Healthy Kids Corporation. AHCA also is the State Designated Entity for the statewide health information exchange (HIE) network funded through the State Health Information Exchange Cooperative Agreement with the Office of the National Coordinator for Health IT (ONC). Project Background Health information technology (health IT) activities have been active in Florida since then- President Bush issued an executive order in 2004 calling for all Americans to have electronic health records (EHRs) by 2014. In response to this executive order, then-governor Jeb Bush created the Governor s Health Information Infrastructure Advisory Board to advance EHR adoption in the State of Florida. Florida s initiative to create a single authorization form for the disclosure of health information emerged from work conducted under the Health Information Security and Privacy Collaboration (HISPC), an initiative funded by ONC and the Agency for Healthcare Research and Quality (AHRQ). Under that project, Florida participated in two collaborative work groups, one examining needs and opportunities for harmonizing State privacy law and a second aimed at educating providers about the benefits of health IT and HIE. During this work, Florida s legal work group (tasked with examining the legal issues surrounding health IT and HIE) noted that one of the major barriers to interoperable HIE was the battle of the forms, in which providers each had their own form for patients to sign to authorize the disclosure of patient records. The

multitude of forms created confusion for providers who were unable to determine whether another provider s form met all of the requirements and increased burden on patients who faced delays in the transmission and receipt of their medical records. In response to this barrier, the Florida legislature passed a law in 2009, authorizing AHCA to create universal authorization form(s) for the disclosure of patient records. 1 Project Details Under the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), authorization is not required to release health records for treatment, payment, or health care operations. 2 However, Florida law provides additional protections for certain categories of information, such as mental health information, even when the information is being shared for treatment purposes. Although AHCA had originally intended to create a single form, they decided to create two forms: one that provides a single authorization to release all information in the medical record to the named provider(s), and a second that allows patients to limit the information that is disclosed and place other restrictions on use of the data. The first form is a full authorization and allows for the disclosure of the entire record (Full Disclosure form) to a provider for treatment of the patient. 3 This Full Disclosure form is intended to meet the required standards for patient authorization required for disclosure of any health information on the patient to a treating provider required by Florida State law and the various Federal laws, including 42 C.F.R. Pt. 2 (federally funded substance abuse treatment programs); Veterans Administration (which require specific consent to share sickle cell anemia information); the Family Educational Rights and Privacy Act (FERPA) (records from educational institutions that may contain health information on the student); HIPAA; and HITECH. 4 The second form that AHCA developed is an alternative authorization form containing many options for specifying what individuals/organizations can see what portions of the medical record and for what purpose(s) (Limited Disclosure form). Pursuant to the legislation passed in 2009, the use of the form(s) is voluntary, but if a provider is presented with the properly completed and signed form, he/she must accept the form and disclose the data specified in the form. 5 In addition, use of the form provides some additional liability protection for the provider related to improper disclosure. 6 (It does not offer any additional liability protection for medical malpractice.) Currently, Medicaid providers can already access claims information through an online portal, the Medicaid Health Information Network. AHCA requires that providers have a signed authorization on file before accessing patient records via the portal. Medicaid providers will be 1 The legislation creates Section 408.051, of the Florida Statutes. 2 These terms are defined in the Privacy Rule at 45 CFR 164.501. 3 The full version of the form is available online at http://www.fhin.net/psresourcectr/flpsproject/flconsentfinalfull060410.pdf 4 Psychotherapy notes, as defined in HIPAA, are not included in the Full Disclosure form, because of their special requirements for disclosure in HIPAA and their limited usefulness to other providers in treatment of the patient. 5 Florida Statute 408.051(4)(c). 6 Florida Statute 408.051(4)(e) and (f).

encouraged to use the Full Disclosure form, although it is not currently mandatory for them to do so. In the planned statewide HIE network, AHCA will not be filtering data, because there is no reliable way to parse data to ensure patient confidentiality of portions of records as would be based on the patient s disclosure limitation selection(s). For example, indications of a patient s mental health condition may be present in textual notes, rather than a diagnosis code field. With the new Full Disclosure form, patients can determine which providers have access to their information, but cannot filter that information based on type. Patients do have the option of restricting records if the provider agrees under HIPAA and/or using the Limited Disclosure form for certain providers. AHCA encountered several challenges during the legislative and development process, including unfamiliarity or real-world experiences with electronic HIE and how that might transform the need for new forms and processes. In addition, some thought that a single entity would be responsible for collecting the authorizations (rather than the providers at the point of care); however, the simplicity of the Full Disclosure form was viewed as beneficial for electronic HIE where a treating provider was looking up a patient s history. There is a fair amount of misunderstanding among providers related to the need for an authorization form due to the treatment exemption under HIPAA, and a lack of recognition of the State law requirements that are layered on top of the HIPAA requirements (in cases where State law preempts HIPAA). As part of the rollout process, AHCA expects to offer provider education to ensure that providers are fully aware of both Federal and State restrictions on the disclosure of health information. Large providers (e.g., hospitals and integrated delivery networks) have indicated their support and intent to use the Full Disclosure form due to the liability protections included in the statute and the simplicity of the form. Next Steps Currently, AHCA is drafting a frequently asked questions document and plans to inform and engage providers through their professional associations in fall/winter 2010 to announce the availability of the forms. AHCA expects the rollout and deployment of the forms to be gradual as provider awareness and participation in HIE both increase. During the rule development process, AHCA received substantive feedback from providers, and they expect to gain additional feedback as the form is rolled out in 2010 and 2011. AHCA has already identified one area of the form that will need to be updated to reflect new guidance issued by the Substance Abuse and Mental Health Services Agency (SAMHSA), which requires an end date for any authorization related to records covered under 42 C.F.R. Pt. 2. The legal work group will continue to monitor the need for additional revisions. AHCA is also working on an agreement for participation in the planned statewide HIE network, similar to the Data Use and Reciprocal Support Agreement (DURSA), which would allow the exchange of clinical information across providers and hospitals. If Medicaid provides

information to the exchange, use of the Full Disclosure form or equivalent authorization form would be required, except in medical emergencies. 7 Lessons for Other Agencies AHCA noted several key lessons learned that may be helpful to other agencies considering a similar undertaking. First, they note the need for an extensive review of State law. HIPAA compliance is a necessary but not sufficient condition without consideration of applicable State law for meeting provider obligations for the appropriate use and disclosure of health records. In addition, educating providers about the legal requirements (under both HIPAA and State law) takes a significant amount of time. AHCA has created a Web site to serve as a resource to providers. It includes a search tool for reviewing Florida law on the use and disclosure of protected health information, the Florida Statutes Crosswalk Tool, to help providers identify applicable laws and raise awareness of the requirements for patient authorization even as applicable to records exchanged in the treatment of patients. The educational offerings also need to address provider concerns about work load and administrative burden. Providers will need to recognize that using the form can reduce work load and administrative burden because the form is not subject to modification. Therefore, if they use or receive the form, they can be confident that they or the requesting party are meeting all legal requirements. Additional Information For additional information about this case study, please contact Medicaid-SCHIP- HIT@ahrq.hhs.gov or call 1-866-253-1627. 7 Florida Statute 408.051(3) and 42 CFR Part 2 Section 2.51.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information