The Ethics of a Practicing Therapist. PAMFT Membership Conference, April 11, 2014. Renee H. Martin, JD, RN, MSN, Rhoads & Sinon, LLP, 29 Dowlin Forge Road, Exton, PA 19341. Tel.: (610) 423-4200. Fax: (610) 423-4201. E-mail: rmartin@rhoads-sinon.com. 941943.2
Outline • Minors’ Rights • Courts/Subpoenas • Electronic/Social Media • HIPAA
Privacy, Confidentiality, Ethical Duties and Disclosure ACT 147: Adolescent Rights Consent to release of mental health records for all purposes and in all circumstances other than those provided in this section shall be subject to the provisions of the “Mental Health Procedures Act,” and other applicable federal and state statutes and regulations.
Privacy, Confidentiality, Ethical Duties and Disclosure ACT 147: Adolescent Rights Generally the minor shall control the release of the minor’s mental health treatment records and information to the extent allowed by law. .
Privacy, Confidentiality, Ethical Duties and Disclosure ACT 147: Adolescent Rights When a minor has provided consent to outpatient mental health treatment (records related to prior treatment consented to by minor), the minor shall control the records of treatment to the same extent as the minor would control the records of inpatient care or involuntary outpatient care under the “Mental Health Procedures Act” and its regulations. .
Privacy, Confidentiality, Ethical Duties and Disclosure ACT 147: Limited Rights of P/LG • When a parent or legal guardian (“P/LG”) has consented to outpatient treatment of a minor fourteen years of age or older, the following shall apply to the release of the minor’s records and information:
Privacy, Confidentiality, Ethical Duties and Disclosure ACT 147: Limited Rights of P/LG • “The P/LG may consent to release of the minor’s medical records and information, including records of prior mental health treatment for which the P/LG had provided consent, to the minor’s current mental health care treatment provider.”
Privacy, Confidentiality, Ethical Duties and Disclosure ACT 147: Limited Rights of P/LG • If deemed pertinent by the minor’s current mental health treatment provider, the release of information under this subsection may include a minor’s mental health records and information from prior mental health treatment for which the minor had provided consent to treatment. .
Privacy, Confidentiality, Ethical Duties and Disclosure ACT 147: Limited Rights of P/LG • “The P/LG may consent to the release of the minor’s mental health records and information to the primary care provider if, in the judgment of the minor’s current mental health treatment provider, such release would not be detrimental to the minor.” .
Privacy, Confidentiality, Ethical Duties and Disclosure ACT 147: Limited Rights of P/LG • Release of mental health records and information shall be limited to release directly from one provider of mental health treatment to another or from the provider of mental health treatment to the primary care provider. .
Privacy, Confidentiality, Ethical Duties and Disclosure ACT 147: Limited Rights of P/LG • The P/LG who is providing consent to outpatient mental health treatment of a minor (14+) shall have the right to: • information necessary for providing consent; • symptoms; • conditions to be treated; • medications; • other treatments; • risks and benefits; • expected results. .
Privacy, Confidentiality, Ethical Duties and Disclosure Confidentiality of Mental Health Treatment Records §5100.25 Release to Courts • No release of records in response to a Subpoena or other Court discovery proceedings without patient consent or an additional court order • Duty to Inform Court • Inform client/patient’s attorney • Defense counsel for Provider may review records; minimum necessary applies • Employees are to be informed; violations include civil and criminal liability .
Privacy, Confidentiality, Ethical Duties and Disclosure Court Orders • Issued by a Judge • Increased duty to respond • Search warrant (magistrate)
Privacy, Confidentiality, Ethical Duties and Disclosure Ethical Duties and Social Media and e-mail • Provider-Patient Relationship • Explaining the Limits of Confidentiality • Social Media and Private Practice • Use of e-mail .
Privacy, Confidentiality, Ethical Duties and Disclosure Social Media refers broadly to Web-based tools that allow individuals to communicate quickly, easily and broadly. • Email • Facebook • Twitter • LinkedIn • Blogs • YouTube • Health sites
Privacy, Confidentiality, Ethical Duties and Disclosure Confidentiality and Social Media When is the Provider-Patient Relationship created? • Contractual: implied by the actions of the parties in seeking and providing advice and care • Use of email .
Privacy, Confidentiality, Ethical Duties and Disclosure Principle II: Confidentiality 1.13 Electronic Therapy (AAMFT Code of Ethics) 2.4 Protection of Records. Marriage and family therapists store, safeguard, and dispose of client records in ways that maintain confidentiality and in accord with applicable laws and professional standards. 2.7 Protection of Electronic Information. When using electronic methods for communication, billing, recordkeeping, or other elements of client care, marriage and family therapists ensure that their electronic data storage and communications are privacy protected consistent with all applicable law.
Social Media Guidelines & Recommendations • Professional Liability • Policies should remind employees and staff that online communications are not private and may be discoverable in litigation. • Policies should clearly define the parameters of the relationships between healthcare professionals and other social media users. • Professionals should be aware of the pros and cons of making patients their Facebook “friends”. • Distinguish between personal/social relationships versus doctor/patient relationships. • Be aware of risks of “practicing medicine online” • It is generally unwise to establish therapist/patient relationships online.
Social Media Guidelines & Recommendations • Professionals should monitor their social media/networking sites regularly. • Consider adding broad disclaimers such as a statement that your organization does not give medical advice via your website or social media sites and that users seeking specific medical advice should contact a physician or contact 911 in the event of an emergency.
Policies – Can They Help? • Be Proactive Not Reactive • Even if your employees don’t use or access computers at work, they most likely do at home – and may be talking about work. • Nearly every employer in every work environment should consider how social media could impact their workforce or company. • What steps should be taken now to avoid problems down the road?
Issues To Consider in Developing a Social Media Policy • Whose job will it be to monitor violations? • Who will monitor your social media activity? Use automated resources such as Google Alerts or have IT sources assist you to determine other resources available to monitor social media activity that may be impacting your company. • How will you discipline violators – consistently?
Issues To Consider After Developing a Social Media Policy • Be careful about disciplining employees who engage in concerted activity, report illegal activities and exercise freedom of speech. • Consider training employees regarding the social media policy and areas such as privacy, trade secret infringement, etc. • Re-evaluate on a regular basis. Social media is developing and changing quickly. Your attitudes and expectations regarding social media will likely change over time – be sure your policies keep up.
Privacy, Confidentiality, Ethical Duties and Disclosure Confidentiality and Social Media • American Health Information Management Association (“AHIMA”) • American Medical Association Ethical Guidelines (AMA) • American Psychological Association Ethical Principles (APA) • Marriage and Family Therapists (Regulations and AAMFT Code of Ethics)
Privacy, Confidentiality, Ethical Duties and Disclosure Questions to Consider with Social Media/E-mail • Is it necessary to use e-mail? • Is there another equally safe way to send information? • Is the disclosure necessary? • Does the disclosure affect my other obligations? • Should it be encrypted? • How do I dispose of it? • Is it part of the clinical record? .
HIPAA
History of HIPAA • 1996 - HIPAA enacted • 1999-2000 - Initial Privacy & Security Regulations Issued • 2002 - Final Privacy Rules Issued • 2005 - Final Security Rules Issued • 2009 - HITECH ACT – Interim Final Rule-Breach Notification • 2010 - Enforcement Rules Published • 2013 - HIPAA Final Omnibus Rule
Who Is Subject to HIPAA? • Covered Entities (direct) • Health plans: insurance companies; HMO • Health care clearing houses (process nonstandard data elements into standard data elements) • Health care providers who transmit any health information in electronic form in connection with a covered transaction • Business Associates • Receive PHI from covered entity • Perform a function on its behalf .
What is a Business Associate? • A person who, on behalf of a covered entity - - • Performs or assists with a function or activity involving Individually Identifiable Information • Performs certain identified services .
Business Associate [diagram labels] Auditors; Lawyers; Actuaries; Other Covered Entities; Billing Firms; Covered Entity; TPAs; Clearing Houses; Consultants; Vendors; Accreditation Organizations; Management Firms
Third Parties and Business Associate? • Covered entities may disclose PHI to a business associate • As necessary to permit the business associate to perform functions and activities on behalf of the covered entity • Business associate cannot use PHI for its own purposes .
Individually Identifiable Health Information (IIHI) • Health information including demographics that: • Is created or received by a health care provider, health plan, or health care clearing house and • Relates to the past, present or future physical or mental health or condition; the provision of health care; or the past, present or future payment for the provision of health care to an individual that • Identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected Health Information (PHI) • Individually identifiable health information that is: • Transmitted by electronic media • Maintained in any electronic media • Transmitted or maintained in any other form (including oral or written PHI) .
PHI and the Medical Record • The HIPAA Privacy Rule defines a Designated record set as follows: • (1) A group of records maintained by or for a covered entity that is: • The medical records and billing records about individuals maintained by or for a covered health care provider; • Used, in whole or in part, by or for the covered entity to make decisions about individuals. • (2) the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity. .
Privacy Rule Summary • A covered entity may not use or disclose PHI except: • After it gives written Notice about its health information practices to the individual • In accordance with an individual’s written authorization* • When requested by the Department of Health and Human Services Office for Civil Rights Note: MFT Rules of Ethics require authorization from individual in “unit” to permit disclosures.
General Rule: Required Disclosure • To individual upon individual’s request; some exceptions apply • To HHS in connection with its enforcement and compliance review actions .
General Rule: Permitted Disclosures • Notice of Privacy Practices: Treatment, Payment, Health Care Operations • Authorization – always noted legal mandated exception • Statutory/Regulatory Disclosures (Duty to Warn, etc.) .
Scope of the Omnibus Rule • Revised breach notification standard • Patient access to information contained in an electronic health record (right already granted to paper records) • Regulation of business associates (“BAs”) and subcontractors • Prohibition on “sale” of PHI without authorization
Privacy, Confidentiality and Disclosure • HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j)) • A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure (emphasis added): Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat;
Privacy, Confidentiality and Disclosure • HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j)) Is necessary for law enforcement authorities to identify or apprehend an individual: Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody .
Privacy, Confidentiality and Disclosure • HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j)) Use or disclosure not permitted if the information described in this section is learned by the CE In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure…[during], or counseling or therapy; or Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy… .
Privacy, Confidentiality and Disclosure • HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j)) Limit on information that may be disclosed. Presumption of good faith belief. .
Scope of the Omnibus Rule • Patients’ right to restrict data sharing with payers • Requirements to modify and redistribute NPP • Clarifies and strengthens OCR’s role in enforcement, imposition of civil monetary penalties (CMPs) and CMP liability for acts of Business Associates and subcontractors
Duty to Notify in Case of Breach • HITECH Act: Required Notification of Breach of “Unsecured PHI” • What is a “breach”? • “the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security or privacy of the PHI” • If definition is met, notification is required *Applies to both electronic and hard copy information*
Duty to Notify in Case of Breach • What is NOT a “breach”? • Determined by: • Definition of “breach” • Exceptions to definition of a breach
Not a Breach by Definition • Unintentional acquisition, access or use of PHI by a workforce member • or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) • if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted
Not a Breach by Definition • Applies only to “Unsecured PHI”: • If CEs and BAs apply the technologies and methodologies specified in the April 17, 2009 Guidance for PHI, the PHI is “secure” and no notice required. • Per the Guidance, • “Secure PHI” is PHI that is rendered unusable, unreadable or indecipherable to unauthorized individuals (i.e., encrypted or destroyed as detailed in the exhaustive list of technologies and methodologies)
Omnibus Rule Breach Notification Standard • An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is low probability that the PHI has been “compromised” • Determining whether or not there is a low probability data has been “compromised” requires analysis of what happened (or may have happened) to the data • Focus now switched to what happened to PHI?
Breach Notification – Risk Assessment • CE/BA should perform risk assessment post-breach discovery and must consider at least the following: • Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification • Who was the recipient of the PHI • Was the PHI actually acquired or viewed • The extent to which the risk of misuse of the PHI has been mitigated
Breach Notification – Burden of Proof • If no risk assessment performed, the default is notification • Burden of demonstrating low probability that PHI is compromised is on the CE/BA • Decision not to notify must be documented in case of review