
Privacy: A Guide for VA Health Care Providers Session 184


Presentation Transcript


    1. Privacy: A Guide for VA Health Care Providers
       Session #184, August 11, 2010
       Patricia Christensen, MS, RHIA, CIPP/G
       Peggy Pugh, RN, CPC, CPC-H, CIPP/G
       VHA Privacy Office

    2. What is privacy?

    3. Objectives
       - Obtain practical application knowledge of regulations governing privacy
       - Develop understanding of use and disclosure of protected health information
       - Enhance awareness of privacy responsibilities
       - Identify requests for information and use proper disclosure authorities

    4. Objectives (cont.)
       - Provide clinical support to local facility Privacy Officers
       - Promote a proactive privacy environment within the organization
       - Be the key to help stop privacy violations

    5. OHI Organization

    6. Major VHA Privacy Players
       - VHA Information Access and Privacy Office
       - VHA Privacy Officer: Stephania Griffin
       - VHA Privacy Office: Andrea Wilson
       - VHA Privacy Advisory Council
       - Privacy Compliance Assurance Office: David McDaniel
       - Health Information Access Office: Charlie Stroup
       - VHA Freedom of Information Act (FOIA) Office: Timothy Graham, Kellie Robinson, and Barbara Swailes
       - Veterans Integrated Service Network (VISN) Privacy Officers
       - Facility Privacy Officers
       Privacy Officer's list available at: http://vaww.vhaco.va.gov/privacy/Documents/VHACOPOList.doc

    7. Six Privacy Laws & Statutes Governing VHA
       - The Freedom of Information Act (FOIA) (5 USC 552)
       - The Privacy Act (5 USC 552a)
       - The Health Insurance Portability and Accountability Act (HIPAA) (45 CFR Parts 160 and 164)
       - 38 USC 5701 - VA Claims Confidentiality Statute
       - 38 USC 7332 - Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection with the Human Immunodeficiency Virus, and Sickle Cell Anemia Medical Records
       - 38 USC 5705 - Confidentiality of Healthcare Quality Assurance Review Records
       All available at: http://www.gpoaccess.gov/uscode/index.html
       Speaker notes: Speak about each of these statutes/laws briefly. 5701: must have the name of the individual to request info. 7332: if a patient is treated for drug/alcohol abuse, the records fall under this statute (HIV, sickle cell, etc.). 5705: i.e., designate in advance; the Directive is applicable to this.

    8. Applying All Six
       When conflicts arise between the laws and regulations:
       - The more stringent law or regulation applies for uses and disclosures
       - The one that affords the greatest rights to the individual applies for privacy rights
       VHA takes all of the privacy regulations into consideration and incorporates them into VHA Handbook 1605.1
       Speaker notes: Failure to comply with privacy policies could lead to significant civil penalties for the agency and disciplinary or other adverse action or criminal penalties for the employee.

    9. [no transcript text]

    10. What is a Use?
        - VHA employees must use or access information only as legally permissible for purposes of treatment, payment or health care operations (TPO)
        - “Use” is defined as the sharing, employment, application, utilization, examination, or analysis of information within VHA

    11. What is a Disclosure?
        - “Disclosure” is the release, transfer, provision of access to, or divulging in any other manner of information outside VHA
        - Requires the request to be in writing unless VHA is paying for services
        - Outside providers who request copies of records when we are not paying for services must make the request in writing
        - Requires the signed authorization of the individual or other legal authority (routine use)

    12. Question: Under the Privacy Act, supervisors could access Veteran/employee health information under the “need-to-know” if they were making sure an employee went to his/her VA appointment in order to charge appropriate leave... What changed on April 14, 2003?
        Speaker notes: Date the HIPAA Privacy Rule was enforced. PHI can only be used for Treatment, Payment and Health Care Operations. Supervisors/employees cannot access a Veteran's/employee's PHI for employment purposes.

    13. Answer: Date the HIPAA Privacy Rule was enforced
        - Supervisors or employees cannot access a Veteran's/employee's medical record unless for the purpose of treatment, payment or health care operations (TPO)
        - Inappropriate access (privacy breach):
          - Searching VA records for an address to send a get-well card
          - Planning birthday celebrations
          - Curiosity about a co-worker's health care condition
          - How a provider rendered care to a patient
          - Upon oral request of the employee

    14. Citation: All VHA employees must use or access information only as legally permissible under the applicable confidentiality and privacy laws, regulations and policies. [VHA Handbook 1605.1, Para. 3]
        Employee access should be limited only to those records or computer menus for which the employee has a need to perform his or her work under the minimum necessary standard. [45 CFR 164.502(b), 164.514(d), VHA Handbook 1605.2]
        Just because an employee has access to VHA records, this does not grant the employee permission to:
        - Access, use, and disclose information from a VHA record that is outside their scope of work or job responsibility (TPO)
        - Access their own VHA record without a written request

    15. Question: May an employee access a family member's or significant other's chart while that person is admitted, to check on their status?

    16. Answer: No - the employee must have written authorization from the family member or significant other
        - This authorization does not grant the employee permission to access the individual's CPRS record directly
        - The employee must still:
          - Go to the Release of Information (ROI) Office to obtain a hard copy of the patient's chart, or
          - Speak directly with the provider and staff who are taking care of their family member or significant other
        - Accessing the VHA electronic health record system is for the sole purpose of performing an employee's authorized VHA duties

    17. Coordinating the Disclosure of Protected Health Information (PHI)
        - For treatment and when VA is paying for services
        - To resident care homes, assisted living facilities, and home health services for the purpose of health care referrals
        - Under emergent conditions; requires notification of disclosure to the patient
        - To welfare agencies, housing resources, and utility companies to prevent discontinuation of services that are critical to the health and care of the individual
        - No information pertaining to 38 USC 7332 can be provided without the patient's specific written authorization
        Speaker notes: This refers to disclosures commonly requested of PROVIDERS.

    18. Disclosures to Law Enforcement Entities/Police
        - Contact your Privacy Officer to ascertain legal authority
        - Receipt of a subpoena or court order
        - Responding to calls from an attorney
        - If there is an imminent threat to the safety of the individual or others, PHI may be disclosed, excluding 38 USC 7332 information
        - Patient authorization is required before disclosing PHI to a probation officer
        - To VA police when conducting security and direct medical care functions only
        Speaker notes: Anyone from a law enforcement entity: contact the PO immediately! The PO will work with RC to determine if an appearance is necessary. Determine if the subpoena or court order is appropriate (signed by a judge of competent jurisdiction) and also with a warrant! ALWAYS refer to the PO; don't respond to the attorney yourself! Tell them you must clear it through the PO before speaking with them (attorneys). Under imminent threat, the PO must notify the patient, so the PO must be involved! VA Police: expound on this re: 1605.1 (they can't ask for info without a written request; get the PO involved).

    19. Disclosures to Law Enforcement Entities/Police (cont.)
        - VA police, when conducting an investigation, may receive PHI upon a written request
        - VA Office of Inspector General (OIG) may receive information when conducting a health care oversight investigation, but if it is for law enforcement (criminal investigation), a written request is required
        - Can report a ‘Fugitive Felon’ to VA Police
        Speaker notes: They can't come into the VAMC to be admitted to avoid being picked up by outside police! Plus they can't be treated by VA if their status is FF (Fugitive Felon).

    20. Disclosures to Law Enforcement Entities/Police (cont.)
        - Duty for a physician to report the commission of a felony crime; however...
        - Under HIPAA*, there are privacy restrictions: when a crime is discovered while treating a patient for a specific condition related to a propensity to commit crime, you cannot disclose when the patient:
          - Admits to a rape while being treated for aggressive sexual behavior
          - Admits to use of hard drugs and/or commission of a crime while undergoing drug treatment
        *Health Insurance Portability and Accountability Act
        Speaker notes: Can respond to requests for PHI in situations such as looking for missing persons or a material witness. Can give limited info about the perpetrator of a crime when the report is made by the victim, to identify or apprehend the individual.

    21. Citation: To identify or apprehend an individual who has admitted participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to a victim, provided that the admission was not made in the course of or based on the individual's request for therapy, counseling, or treatment related to the propensity to commit this type of violent act (45 CFR 164.512(j)(1)(ii)(A), (j)(2)-(3)).

    22. Question: Suppose I am treating a patient with epilepsy or dementia and the patient is driving in spite of being advised not to. Am I obliged to disclose this to the Motor Vehicle Department if the patient refuses to stop driving?

    23. Answer: Yes, as long as you have a State law requiring the reporting
        - Information is given to the Privacy Officer or Release of Information (ROI) Unit to disclose on your behalf
        - Ask the Department of Motor Vehicles (DMV) for a re-examination of this person's driving skills in order to determine their ability to operate a motor vehicle safely
        - Note: The provider may not disclose the actual diagnosis, but only the reason that the patient should not be driving, i.e., “impaired memory and thinking”, or a statement that “this patient is not capable of operating a motor vehicle safely”, and the patient's name, date of birth, and mailing address
        - The facility Privacy Officer can also assist in reporting to DMV appropriately

    24. Disclosures to Public Health Authorities
        - Public health authorities are also considered a law enforcement entity when charged with protection of public health, such as adult or child abuse or the reporting of infectious diseases
        - A “Standing Written Request Letter” (SWRL) is required
        - Speak to the Privacy Officer to ensure a SWRL is on file before disclosing information
        - Must exclude any 38 USC 7332 information
        Speaker notes: Regarding an abuse case, you must have a SWRL to disclose info; you can't just pick up the phone and let someone know unless it falls under ‘imminent threat’. Must exclude 7332 info.

    25. Disclosures to the Food and Drug Administration (FDA)
        - For FDA to carry out program oversight duties, such as reporting adverse events, product tracking, and conducting post-marketing surveillance
        - To enable product recalls, repairs or replacements
        - Written authorization is required from the patient to disclose to a product manufacturer or others subject to FDA regulations, or
        - If FDA activity shifts from oversight to an investigation, a court order is required to disclose 38 USC 7332 information

    26. Disclosures to Family or Personal Representatives
        - General information, to the extent necessary and on a need-to-know basis consistent with good medical and/or ethical practices, to those with whom the patient has a meaningful relationship
        - Unless an inpatient who has opted out
        - Inquiries in the presence of the individual:
          - Provide opportunity to object, or
          - Reasonably infer that the patient does not object, and
          - Document in CPRS

    27. Disclosures to Family or Personal Representatives (cont.)
        - Inquiries outside the presence of the individual:
          - Significant relationship to the patient
          - Q&A concerning care
          - Picking up medical supplies and prescriptions
          - Providing forms or other information relevant to the care of the individual
        - Authorization of the patient is required if providing a copy of medical records
        - Serious threat to family and others
        Speaker notes: Providing forms, such as for placement in a nursing home, etc.: activities in the best interest of the patient; NOT for mental competency forms that benefit the family and not the patient (i.e., family wants to do guardianship).

    28. Privacy Complaints
        - “My doctor informed my family that I had multiple sclerosis. He had no right to inform them, as I hadn't planned on telling anyone.”
        - “My ex-spouse called in to the hospital and was told all about my personal health information. She may be listed as my next-of-kin in your computer, but this was prior to our divorce two years ago. Your computer is wrong!”

    29. Privacy Complaints (cont.)
        - The guardian of an unconscious patient opted the patient out of the facility directory
        - A family member who was also a facility nurse, but was not treating the aunt, reported to family members that the aunt had been admitted to the facility
        - The patient's guardian complained

    30. Deceased Records
        - VHA must protect deceased records under HIPAA just as it would if the person were living
        - VHA may disclose to the personal representative the individually-identifiable health information, but only to the extent that the information is relevant to such personal representation
        - To family members under a FOIA request, excluding 38 USC 7332 information, unless 38 USC 7332 information is needed for survivorship benefits (i.e., a life insurance policy, or for Social Security benefits)
        - Any information which would be an unwarranted invasion of the personal privacy of any surviving family member may not be disclosed to another family member

    31. Deceased Records (cont.)
        - To a family member's physician, excluding 38 USC 7332 information with the exception of sickle cell anemia, when it is determined that it is relevant to the treatment of a decedent's family member
        - To funeral directors as necessary to carry out their duties; 38 USC 7332 information when collected for vital statistics
        - To a coroner or medical examiner for the purpose of identifying a deceased person or determining cause of death; 38 USC 7332 information upon written request or standing letter

    32. Email, Outlook, SharePoint...
        - VistA email has been granted a waiver for legacy systems only
        - No individual identifiers in the subject line
        - Outlook email must not contain Protected Health Information (PHI) unless encrypted
        - Communication with a patient can only be in person, by telephone or in writing until... secure messaging via MyHealtheVet
        - Cannot have a patient sign an authorization to allow disclosure via email
        - No individually identifiable information or PHI on Outlook calendars
        - Unresolved issues with SharePoint

    33. Question: If an employee receives unwanted/unsolicited but encrypted Protected Health Information (PHI) in an email, what is the employee's obligation in terms of reporting/deleting/replying to the sender? Think treatment, payment, health care operations (TPO)/need-to-know.

    34. Answer: An appropriately secured email containing Protected Health Information (PHI) that is sent to the wrong folks would be a privacy incident, not a security incident
        - Report the incident to the facility Privacy Officer
        - Provide a printed copy of the email message
        - Lastly, delete the email

    35. Answering Machine/Text Messages
        - Providers are permitted to leave messages for patients but must apply reasonable safeguards
        - Appointment date and time, but no clinic name or Protected Health Information (PHI)
        - Provide a call-back number to obtain test results
        - Exception: Prothrombin Time (PT/INR) lab test result with authorization, as this is considered an emergent need to take action under patient care
        - Do not leave information on patient diagnosis or upcoming procedures to be performed
        - Do not have patients return your call and request that they leave their Social Security Number (in full or in part), date of birth, place of birth or maiden name

    36. Privacy Complaints
        - “Dr. XYZ left test results on voice mail. I am homeless and living in subsidized housing. The individual who took the message informed everyone that I was being treated for diabetes.”
        - “I share a cell phone with my wife. Dr. XYZ left a message stating I had tested positive for cocaine. My wife has now kicked me out of my home.”

    37. Incidental Disclosures
        - HIPAA permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure
        - As long as VHA has applied reasonable safeguards and implemented the minimum necessary standard, an incidental disclosure is one that:
          - Cannot be reasonably prevented
          - Is limited in nature
          - Occurs as a result of another use or disclosure that is permitted by the Rule

    38. Preventing Incidental Disclosures
        - Speak quietly in public areas
        - Avoid using patient names
        - Post signs in elevators to observe patient confidentiality
        - Close exam room doors
        - Take care when discussing a patient's condition:
          - On training rounds
          - At the nursing station
          - Over the Rx counter
          - In a joint treatment area or semi-private rooms
        The key is taking reasonable precautions!

    39. Question: Can Protected Health Information or medical charts be left in a box outside my office with access to a public hallway?

    40. Answer: Yes, but... HIPAA requirements for incidental disclosures:
        - Secondary use: the initial purpose of leaving the chart in the box is to provide the physician with access to the medical information relevant to the examination
        - Limited in nature: as long as it is the current chart and not all five volumes
        - Reasonably preventable: what are your safeguards?
          - Limiting access to the hallway by office staff
          - Ensuring the area is supervised
          - Escorting patients or non-VHA staff within this area, or
          - Placing the chart in the box with the front cover facing the wall

    41. Privacy Complaint
        “I was at the VA hospital and a staff member came into the lobby blabbing out personal information about my medical condition in a very loud voice to everyone in the lobby. When I requested that we go to a private room, this made the provider even madder. She just continued expressing my medical needs in front of everyone!”

    42. Privacy Complaint (cont.)
        - “I was walking down the hallway and overheard two providers discussing John Doe's cancer and that he needed surgery to remove his pancreas. I know John and didn't realize he had cancer. The doctors were not discreet. I would not want my treating providers discussing my medical condition for all to hear.”
        - “My father's unknown and grim prognosis was being discussed in the elevator, which I overheard. My father was devastated.”

    43. Minimum Necessary Guidance
        - Information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function
        - VHA must identify the persons or classes of persons who need access to health information, the categories or types of health information or PHI needed, and the conditions appropriate to such access, per HIPAA
        - Clinical providers fall under these functional categories:
          - Direct care providers: entire medical record
          - Indirect care providers: where necessary to complete the assignment
          - Researchers: activities approved by the Institutional Review Board (IRB) or preparatory to research
        Note: All VA Medical Center employees should be aware of their Functional Category designation. (VHA Handbook 1605.2, Minimum Necessary Standard for Protected Health Information)

    44. Basics of Amendments
        - Individual's right under the Privacy Act and HIPAA
        - Request must be in writing and describe the specific information that is inaccurate, incomplete, irrelevant, or untimely
        - Do not handle an amendment via an addendum to the document
        - Seek Privacy Officer involvement due to:
          - Legal and time-related requirements
          - Appeal rights
          - Actions required if information was requested by or disclosed to other third parties prior to the amendment

    45. Common Amendment Requests
        - Cutting and pasting old or resolved issues into a new progress note
        - Provider listing personal, non-factual opinions, i.e., “patient is obese” when the chart documentation doesn't support the body mass index or other clinical criteria for obesity
        - Irrelevant statements that have no bearing on treatment, i.e., “patient has pager even though he is unemployed”, “patient is faking his service-connection”

    46. COMMON PRIVACY BREACHES

    47. Privacy of Data
        Privacy Breach: the loss, theft, or any other unauthorized access, other than those incidental to the scope of employment, to data
        - Containing sensitive personal information in electronic, printed, or any other format
        - Resulting in the potential compromise of the confidentiality or integrity of the data
        Sensitive Personal Information: any information about the individual maintained by VHA
        - Education, financial transactions, medical history, and criminal or employment history
        - Information that can be used to distinguish or trace the individual's identity, including: name, SSN, DOB, mother's maiden name, biometric records

    48. Actual Privacy Breaches
        - Appointment list found in a waiting room by a housekeeper
        - Patient documents left overnight in an unlocked conference room
        - Patient information found in a trash can or parking lot
        - Provider left CPRS open on the prior patient for the next patient to view
        - Desk or office left unattended or unlocked

    49. Actual Privacy Breaches (cont.)
        - A nurse accessed her son's records and wrote in her son's chart requesting a consult
        - Provider accessed her ex-spouse's records to use information in an upcoming custody hearing
        - Provider gave her access and verify codes to a new employee
        - Provider left printed copies of a patient record in the back seat of an unlocked car

    50. Actual Privacy Breaches (cont.)
        Curiosity:
        - Access to a co-worker's records
        - Access to another provider's treatment records due to suspicion of inappropriate care provided
        - Access to another patient's record where you are not a treating provider (local celebrity)
        - Access requested by a fellow provider, as a friend, to review his father's chart

    51. Actual Privacy Breaches (cont.)
        - Taking Protected Health Information off facility grounds without supervisor approval
        - VHA Handbook 6500 states that VA employees, contractors, subcontractors and volunteers may transport, transmit, access, and use VA sensitive information outside of VA facilities only when their VA supervisor authorizes such action in writing

    52. Costs Incurred by VA
        - After the 2006 theft of a laptop containing Veterans' sensitive information, the Department of Veterans Affairs agreed to pay $20 million to settle a lawsuit filed by Veterans over the risk of potential identity theft
        - In 2009, the cost to the government for the purchase of one year's credit monitoring was $29.95 per person

    53. Costs Incurred by VA (cont.)
        Indirect costs include:
        - Privacy Officer, supervisory and employee time spent away from job duties, i.e., investigative time
        - Preparation of correspondence/mailing
        - Re-education of involved employees
        - Cost of toll-free telephone numbers
        - Notification of news media
        - Harm to agency and facility reputation

    54. Who You Gonna Call? Your Privacy Officer!!
        - Listing of Privacy Officers in VHA: http://vaww.vhaco.va.gov/privacy/Documents/VHACOPOList.doc
        - VHA Privacy Office: http://vaww.vhaco.va.gov/privacy/vhapo.htm

    55. [no transcript text]

    56. Contacts
        - Patricia Christensen, MS, RHIA, CIPP/G, Phone: (602) 298-2424
        - Peggy Pugh, RN, CPC, CPC-H, CIPP/G, Phone: (202) 731-6843
