Confidentiality of Medical Information Public Health Nursing and Professional Development Unit Eunice B. Inman, RN, BSN Pamela Serrell, RN, BSN Ellen Shope, RN, BSN Lynn Conner, RN, BSN Gay G. Welsh, RN, BSN, MPH
Introduction Objectives for this presentation include: • Identify laws that require NC Local Health Departments to keep patient information confidential. • Identify which information is confidential. • Describe when confidential information may be disclosed. • Describe how best to document disclosures of confidential information.
Introduction This presentation is meant to introduce an overview of confidentiality laws and how those laws address some of the issues that arise in NC local health departments. It is not meant to be comprehensive. Please consult an attorney if you need more information or advice for a specific situation.
Vocabulary Confidential as defined by Webster is private, secret.
Confidentiality The general ethic in the provision of health care is that a patient’s secrets uttered in confidence must be safeguarded by the physician, other health care providers, and the agency’s workforce (employees, volunteers, trainees, and other persons whose conduct, in the performance of their duties, is under the direct control of the agency, whether or not they are paid by the agency).
Laws Affecting LHDs in NC HIPAA Privacy Rule (45 CFR Parts 160 & 164): Federal law that governs when covered entities – a term that includes most health care providers, including LHDs – may and may not use and disclose PHI without a client’s permission. (Other federal and NC laws must also be considered in conjunction with HIPAA requirements.)
HIPAA Privacy Rule…cont. • Requires covered entities to have written policies & procedures designed to comply with the Privacy Rule. • Requires the implementation of administrative, technical, and physical safeguards to protect the privacy of individually identifiable health information. • Requires mitigation, to the extent possible, when breaches occur that violate the Privacy Rule or the covered entities’ policies/procedures when the breach is known by the covered entity.
HIPAA Privacy Rule…cont. • HIPAA Definitions: • PHI = Protected Health Information: • Individually identifiable health information (IIHI) that is transmitted electronically or maintained in any form or medium by a covered entity. • T = Treatment activities of a healthcare provider: • Includes provision, coordination, management of health care & related services, referrals, consultations, etc.
HIPAA Privacy Rule…cont. • P = Payment for treatment • Includes reimbursement for services, benefit coverage, eligibility, billing, collections, etc. • O = Health Care Operations that support the activities of healthcare provider • Includes QI, credentialing, financial and medical review audits, business management, etc. • Please refer to the HIPAA Privacy Rule for more detailed explanations.
ARRA - American Recovery & Reinvestment Act ARRA = Federal Law • Effective 02/18/09 • primarily found at 45 CFR Part 164, Subpart D (45 CFR 164.400 - 164.414) • Contains the HITECH Act that exceeds HIPAA in protecting PHI.
ARRA - American Recovery & Reinvestment Act • Within ARRA is the Health Information Technology for Economic & Clinical Health Act (HITECH Act) • Broadens and supplements HIPAA privacy and security requirements, and various state privacy breach notifications. • Safeguards PHI above and beyond current HIPAA requirements. • Extends requirements to certain non-covered entities, covered entities, and to business associates of covered entities • Includes breach notification requirements for a privacy breach.
ARRA - American Recovery & Reinvestment Act ARRA & HITECH Act (continued) • HITECH Act may be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html • Guidance for managing breaches: http://www.sog.unc.edu/node/1040 under Security Breaches.
NC Identity Theft Protection Act NC Identity Theft Protection Act (GS 75-60, Article 2A) • NC law requiring private businesses and government agencies to protect personally identifying information that could be used for identity theft. • Includes specific actions private businesses and government agencies must take when experiencing a security breach involving personally identifying information that is not encrypted (not necessarily electronic encryption). • Requires notifications of breaches to individuals, media, and NC Attorney General’s Office in specific situations.
NC Identity Theft Protection Act • NC Identity Theft Protection Act found at: • http://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html • Guidance may be found at • http://www.sog.unc.edu/node/1045 • Scroll down to “What does The Identity Theft Act Mean for Local Health Departments.”
Other NC State Laws re Confidentiality Public Health Patient Confidentiality Law (GS 130A-12): (revised, effective 01/01/12) NC law that applies only to LHDs, DHHS & DEHNR • Medical records held by either are confidential and are not subject to NC’s public records law. • Disclosure of information may occur only with appropriate authorization or as required by federal or state law.
Other NC State Laws re Confidentiality Privilege Laws: (GS 8-53 and GS 8-53.13) NC laws meant to prevent information from being introduced into court proceedings against the patient’s will. • GS 8-53 – Communications between patients and their physicians (and others working under the direction of the physician) are privileged. • GS 8-53.13 – Communications between patients and nurses are privileged. Privileged information may be introduced in two circumstances: • The patient gives permission for the disclosure • The judge orders the disclosure after finding that it is necessary for the proper administration of justice.
Laws Protecting Specific Situations Title X Family Planning: (45 CFR 59.11) Federal law that requires providers to keep information about Title X Clients confidential and disclose it only with the client’s documented consent (permission), unless the disclosure is necessary to provide services to the client or is required by law.
Law Protecting Specific Situations Communicable Disease Confidentiality: (GS 130A-143) (revised, effective 01/01/12) State Law that applies to information or records that identify a person who has or may have a reportable communicable disease or condition. Such information may be disclosed only when the disclosure fits into one of eleven circumstances specified in the statute. (Please consult the statute for these.)
Law Protecting Specific Situations Family Educational Rights & Privacy Act (FERPA): • Under FERPA school nurses must protect access to and disclosure of student education records. • FERPA may be found at: Title 34, Part 99--Family Educational Rights and Privacy • Schools may also fall under HIPAA. • Helpful Q&A re HIPAA & FERPA in schools may be found at: http://www.sog.unc.edu/node/832
Law Protecting Specific Situations • Employees working with aspects of mental health or substance abuse clients may be subject to laws affecting those services. • Please consult appropriate sources for legal resources applicable to these services.
Pharmacy Records Law Availability of pharmacy records (G.S. 90-85.36): • Pharmacy orders, whether written or electronic, are not public records and may only be provided to the following persons. • Persons for whom the prescription was written • Parent, Guardian or Persons standing in loco parentis of a minor child or disabled adult • Pharmacy owner & Pharmacist filling the prescription • Healthcare provider writing the prescription or otherwise treating the patient
Pharmacy Records Law (List continued…) • Anyone presenting an authorization for the release or subpoena for pharmacy information • Includes researchers • Any business entity responsible for paying for the medical care of the person for whom the prescription was written • Pharmacy Board members • HIPAA covered entity or non-covered health care provider for TPO purposes
Licensure Laws Components of Nursing Practice for the Registered Nurse (21 NCAC 36 .0224): (g)(4) is the specific section of administrative code that says the nurse must uphold confidentiality. (g) Collaborating involves communicating and working cooperatively with individuals whose services may have a direct or indirect effect upon the client's health care and includes: (4) safeguarding confidentiality.
Licensure Laws Components of Nursing Practice for the Licensed Practical Nurse (21 NCAC 36.0225): (g)(3) is the specific section of administrative code that says the LPN must uphold confidentiality as delegated by the registered nurse. (g) Collaborating involves communicating and working cooperatively with individuals whose services may have a direct or indirect effect upon the client's health care and includes: (3) safeguarding confidentiality.
Ethics and Policies ANA Code of Ethics: Interpretive Statement, Provision 3.2 “…the nurse has the duty to maintain confidentiality of all patient information.” To do less • Jeopardizes the patient’s welfare • Destroys trust in the nurse/patient relationship which jeopardizes the nurse’s ability to provide quality care.
Ethics and Policies AMA Code of Ethics: Opinion 5.05 Confidentiality The information disclosed to a physician by a patient should be held in confidence. The patient should feel free to make a full disclosure of information to the physician in order that the physician may most effectively provide needed services. The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication.
Ethics and Policies Local Health Department Policy & Procedure: Safeguards Policies – covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. • Safeguard policies/procedures include, but are not limited to: • Policy sets forth guidance to safeguard and maintain the integrity of the designated record set (financial and medical records as defined by HIPAA) and how best to protect the rights of clients while affording the providers of care appropriate access.
Which Information is Confidential? • Agency Confidentiality Policy – Affirms the agency’s resolve to abide by the laws presented. • Any IIHI about a client is confidential – assume that it is all confidential. • It is not just the medical status or treatment information that is protected. • Even the fact that they are a client is protected. • Any individually identifiable health information (IIHI) the LHD has on a person who is not a client is most likely confidential. • Example: blood lead information on a person cared for by a local pediatrician when environmental health is doing a home investigation.
Which Information is Confidential? Individually Identifiable Health information (IIHI) includes: • the client’s demographic information (name, address, age, date of birth, etc.). • information that is created or received by a health care provider, health plan, employer, or health care clearinghouse. • information related to the past, present, or future physical or mental health condition of the individual, provision of health care, or the past, present, or future payment for the provision of health care. • any information that identifies the client, or to which there is reasonable basis to believe that the information can be used to identify the client.
Which Information is Confidential? Protected Health Information includes: • IIHI that is transmitted electronically or maintained in any form or medium by the covered entity. • And everything else mentioned if not addressed in laws for specific services.
When may LHDs Disclose Patient Information? With the client’s (or personal representative’s) permission. • Permission must be in the proper format. • In most cases the permission must be in writing. • Must be on an appropriate HIPAA compliant authorization form.
When may LHDs Disclose Patient Information? Under certain circumstances without the client’s (or personal representative’s) permission as specified by law. • Broadly these include: • Treatment, payment and healthcare operations as defined by HIPAA, G.S. 130A-12, & G.S. 130A-143. • Please consult your HIPAA Officer or County Attorney regarding these definitions.
When may LHDs Disclose Patient Information? • When it is required by another law. • The following slides will address these. • Subpoenas & other court orders • Response guidance for LHDs from the NC School of Government may be found at: http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc=7&category=49
Laws requiring disclosure of info. NC law requires the disclosure of confidential information or records for specific purposes for each of the following: (The following is a partial list of those who may demand records or information.) • HIPAA covered entities must verify the identity of the individual demanding the information and their authority to obtain the information. • G.S. 130A-385: Chief medical examiner or county medical examiner when a death is under investigation. • G.S. 130A-209: Diagnoses of cancer to central cancer registry
Laws requiring disclosure of info. List … cont. • GS 7B-301: Any person or institution must report known or suspected child abuse/neglect or child deaths believed to be due to maltreatment to DSS. • GS 7B-302: Records or information relevant to the investigation of known or suspected cases of child abuse or neglect may be released to director of social services • GS 7B-601: or guardian ad litem representing the child • GS 7B-1413: The N.C. Child Fatality Prevention Team, a community child protection team, and N.C. Child Fatality Task Force may review information they deem relevant to their task.
Laws requiring disclosure of info. List … cont. • GS 108A-102: Report suspected abuse of elderly or disabled adults to Social Services Director. • GS 130A-5 and 130A-15: NC Secretary of HHS may see patient records when the patient’s physician and a DHHS physician agree that there is a “clear danger to public health” and other health hazards. • GS 130A-135 et seq.: Outbreaks of reportable communicable diseases. • G.S. 130A-144: Local Health Directors or State Health Director may demand medical records pertaining to the diagnosis, treatment, or prevention of communicable disease.
Laws requiring disclosure of info. List … cont. • G.S. 51-2: Disclose relevant medical information of minors seeking to marry to court appointed guardian ad litem. • G.S. 90-21.20: Report wounds/injuries to law enforcement if there appears to be criminal violence involved. • G.S. 130A-153 and 10A NCAC 41A.0406: Disclosures of immunizations to specific providers, schools, etc.
Laws requiring disclosure of info. List … cont. • G.S. 130A-456: Physicians must report occupational injuries on farms and other reportable occupational diseases and illnesses to DHHS. • G.S. 130A-458: Persons in charge of laboratories that provide diagnostic services must report findings related to reportable occupational diseases and illnesses to DHHS.
Laws requiring disclosure of info. List … cont. • G.S. 130A-476(b): Authorizes State Health Director to issue temporary order requiring health care providers to report specifically requested medical information to local health director or State Health Director to investigate a possible bioterrorist incident. • State and federal auditors of programs such as Medicaid may review patient records under applicable state and federal regulations.
Other exceptions requiring disclosure. Responding to a court order, subpoena, warrant, & other law enforcement and judicial requests: Response guidance for LHDs from NC SOG may be found at: http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc=7&category=49 • LHDs may disclose information without a patient’s permission upon receipt of a proper court order provided only the PHI disclosed is expressly authorized by the court order. • A subpoena must never be ignored; however, depending on the type of subpoena, automatic disclosure of information is not always appropriate. (Consult the above guidance and local attorney.)
Other exceptions requiring disclosure. • Health department should have a carefully crafted policy for handling subpoenas, court orders and law enforcement & judicial requests. • All the above requests should be brought to the attention of the health director immediately. • Consulting the LHD Attorney about the above types of legal requests prior to disclosing information is a good idea.
Obtaining Consent For TPO "Consent" as defined by HIPAA means that the client is giving the covered entity permission to use and disclose their protected health information for treatment, payment, and other health care operations. • Obtaining “consent for TPO” is optional under HIPAA and is no longer required by NC law (G.S.130A-12(3), revised, effective 01/01/12.)
Obtaining Consent For TPO “Consent”…cont. It is no longer recommended that local health departments obtain “consent for TPO.” • Continuing to obtain “consent for TPO” may result in barriers to care in specific circumstances and lost reimbursement if a client refuses to sign the consent for TPO as the mandated services are still required to be provided.
Verification Requirements Prior to disclosing requested PHI to a person or entity the HIPAA Privacy Rule requires covered entities to verify two things: • the requesting person’s identity (personal identity or as an appropriate designee of a requesting entity). • the requesting person’s authority to receive the information. Covered entities must have internal Verification Policies & Procedures and must have trained their staff on the policy/procedure.
Obtaining Permission to Disclose Information (Authorization) HIPAA Authorization Forms: • Must contain specific elements. • Must be used for disclosures outside the realm of TPO. • Please see the following references: • IOG: http://www.sog.unc.edu/node/818 • DPH: http://publichealth.nc.gov/lhd/ • See “Problem Oriented Health Record” topic and select DHHS Form 4056.
Obtaining Permission for Treatment "Consent for Treatment" • Obtaining informed consent to treat a patient is an entirely different legal obligation as opposed to obtaining “consent for TPO,” which is not a legal obligation. • “Consent for Treatment” means that the client is giving permission to the health care provider to provide medical care and treatment to the client. (G.S. 90-21.13) • Obtaining “consent for TPO,” which is no longer recommended, means the client is giving the covered entity permission to use and disclose their PHI for treatment and payment activities as well as health care operations. • Health departments still need informed consent to treat a patient.
Obtaining Permission for Treatment GS 90-21.13: Informed consent to healthcare or procedure. • Valid consent means that a reasonable person under all the surrounding circumstances would be: • mentally and physically competent to give consent. • able to understand the implications, risks and hazards of the treatment or procedure. • consent voluntarily to the treatment or procedure, and without coercion from the requestor.
Documenting Disclosures When information is disclosed with client’s consent (via HIPAA compliant authorization) • Put copy of signed authorization in client’s record. • HIPAA requires that the client be given a copy of the signed authorization. • Make a note in the record when the information is actually released. Disclosures made with the client’s authorization are not required to be included in the Accounting of Disclosures. (The client has the right to ask for an accounting of disclosures. See http://www.sog.unc.edu/node/818 for guidance on accounting of disclosure requirements.)
Documenting Disclosures When information is disclosed without permission when meeting a legal requirement to disclose, documentation in the client’s record should include: • the date and the fact of its disclosure, • to whom it was disclosed • why it was disclosed • the name of staff member that disclosed the information • the signature/initials of the staff member recording the documentation in the record • Disclosures made without client authorization are required to be included in the Accounting of Disclosures.
Questions • Now a few minutes for questions.