Confidentiality of MH

1. Confidentiality of MH/DD/SA Records Family Court Conference March 9, 2006 Mark Botts School of Government, UNC

2. Applicable Confidentiality Laws State law governing MH/DD/SA providers�GS 122C Federal law governing health care providers�45 CFR (HIPAA Privacy Rule) Federal law governing substance abuse programs�42 CFR Part 2 Three categories of permitted uses and disclosures -2 categories of required uses Three categories of permitted uses and disclosures -2 categories of required uses

3. Each confidentiality law: Defines the providers that it governs Defines the information that it governs Permits providers to disclose information in certain situations Requires providers to disclose information in certain situations Under the Privacy Rule�s Consent Requirement A local health department�s prenatal clinic would be required to seek a woman�s consent before providing her with prenatal care or billing her insurer for that care. Consent would also permit the department to use the woman�s health information for quality assurance, credentialing of providers, and other management activities Under the Proposed Modification to the Rule A health department�s prenatal clinic would not be required to obtain the woman�s consent to use or disclose her information for treatment or billing purposes But would be required to give her a copy of the department�s notice of privacy practices and attempt to obtain her signature acknowledging receipt of the notice Under the Privacy Rule�s Consent Requirement A local health department�s prenatal clinic would be required to seek a woman�s consent before providing her with prenatal care or billing her insurer for that care. Consent would also permit the department to use the woman�s health information for quality assurance, credentialing of providers, and other management activities Under the Proposed Modification to the Rule A health department�s prenatal clinic would not be required to obtain the woman�s consent to use or disclose her information for treatment or billing purposes But would be required to give her a copy of the department�s notice of privacy practices and attempt to obtain her signature acknowledging receipt of the notice

4. Tools for Obtaining Confidential Information Provisions permitting disclosure with the authorization of the patient or the patient�s legal representative Provisions permitting or requiring disclosure in response to a court order Provisions permitting or requiring disclosure in other situations that might sometimes apply to family court cases TPO = core functions, your stock in trade These functions should largely remain unimpeded by the privacy rule Still need to try and obtain a signature or some form of patient acknowledgement that the patient has received the agency�s Notice of Privacy Practices -half of the elements in the consent form were references to the Notice of Privacy Practices -consistent with MH requirement to inform the client of client rights TPO = core functions, your stock in trade These functions should largely remain unimpeded by the privacy rule Still need to try and obtain a signature or some form of patient acknowledgement that the patient has received the agency�s Notice of Privacy Practices -half of the elements in the consent form were references to the Notice of Privacy Practices -consistent with MH requirement to inform the client of client rights

5. Patient Authorization A provider must obtain a patient�s written authorization for any disclosure that is not otherwise permitted or required by the applicable privacy law An authorization permits but does not require the covered entity to use or disclose PHI The privacy regulation imposes rules to assure that authorizations are voluntary and informed. �Otherwise permitted or required� means if it is Not a use or disclosure for TPO Not a use or disclosure permitted under Section 512 (the exceptions to the rule that permit disclosures for public health activities, disclosures required by law, for health oversight activities) Not required�when an individual is seek access or US DHHS is investigating the entity�s compliance with the rule Then you must obtain authorization to disclose The privacy regulation imposes rules to assure that authorizations are voluntary and informed. �Otherwise permitted or required� means if it is Not a use or disclosure for TPO Not a use or disclosure permitted under Section 512 (the exceptions to the rule that permit disclosures for public health activities, disclosures required by law, for health oversight activities) Not required�when an individual is seek access or US DHHS is investigating the entity�s compliance with the rule Then you must obtain authorization to disclose

6. Authorization Must Be Voluntary Provider may not condition the provision of treatment or eligibility for benefits on receiving an authorization Except may condition the provision of health care that is solely for the purpose of creating information for disclosure to a third party on an authorization for such disclosure

7. Authorization Must Be Voluntary An individual may revoke an authorization at any time by putting the revocation in writing except to the extent that the provider has taken action in reliance on the authorization The mental health agency is using PHI for its own treatment activity. The mental health agency is using PHI for its own treatment activity.

8. Authorization Form (State MH/DD/SA Law) client's name name of facility releasing the information name of individual(s) to receive information information to be released the purpose for the release length of time consent is valid (1 yr. max.) statement that consent is revocable signature of client/legally responsible person date consent is signed

9. Authorization�HIPAA adds to state law requirements: A description of the provider�s revocation procedure or reference to provider�s �notice of privacy practice� Statement that treatment may not be conditioned on receipt of authorization or statement regarding consequences of refusing to sign where conditioning is permitted Statement about potential for redisclosure 1) Recommendation: First determine the purpose. That will help you determine what information should be released and when the authorization should expire. E.g., If the purpose of the authorization is to disclose information to my probation officer so that my PO can determine whether I am complying with a term of probation, which requires me to get substance abuse treatment, then Then the information to be disclosed can be described as dates of my appointments, my attendance record (my progress, drug tests) And the expiration event can be the termination of my probation. 2) �At the request of the individual� is a sufficient statement of purpose when the individual initiates the authorization. 3) Personal representative 4) Right to revoke statement and a description of how the individual may revoke the authorization (or a reference to the Privacy Notice which must include this information) Recommendation: don�t rely on the Privacy Notice; put the procedure for revocation in the authorization, as you will be required to give the individual a copy of the authorization. 5) Statement that it cannot be conditioned, unless it is the type of authorization that the rule allows to be conditioned, in which case you must state the consequences of not signing (life insurance application) (employee drug testing or fitness for duty physical) 6) Redisclosure statement: you cannot guarantee that the receiving entity will not redisclose, especially if it is not a CE1) Recommendation: First determine the purpose. That will help you determine what information should be released and when the authorization should expire. E.g., If the purpose of the authorization is to disclose information to my probation officer so that my PO can determine whether I am complying with a term of probation, which requires me to get substance abuse treatment, then Then the information to be disclosed can be described as dates of my appointments, my attendance record (my progress, drug tests) And the expiration event can be the termination of my probation. 2) �At the request of the individual� is a sufficient statement of purpose when the individual initiates the authorization. 3) Personal representative 4) Right to revoke statement and a description of how the individual may revoke the authorization (or a reference to the Privacy Notice which must include this information) Recommendation: don�t rely on the Privacy Notice; put the procedure for revocation in the authorization, as you will be required to give the individual a copy of the authorization. 5) Statement that it cannot be conditioned, unless it is the type of authorization that the rule allows to be conditioned, in which case you must state the consequences of not signing (life insurance application) (employee drug testing or fitness for duty physical) 6) Redisclosure statement: you cannot guarantee that the receiving entity will not redisclose, especially if it is not a CE

10. Authorization (Federal SA Law) Consent form must contain the same elements as required by state law 1) Recommendation: First determine the purpose. That will help you determine what information should be released and when the authorization should expire. E.g., If the purpose of the authorization is to disclose information to my probation officer so that my PO can determine whether I am complying with a term of probation, which requires me to get substance abuse treatment, then Then the information to be disclosed can be described as dates of my appointments, my attendance record (my progress, drug tests) And the expiration event can be the termination of my probation. 2) �At the request of the individual� is a sufficient statement of purpose when the individual initiates the authorization. 3) Personal representative 4) Right to revoke statement and a description of how the individual may revoke the authorization (or a reference to the Privacy Notice which must include this information) Recommendation: don�t rely on the Privacy Notice; put the procedure for revocation in the authorization, as you will be required to give the individual a copy of the authorization. 5) Statement that it cannot be conditioned, unless it is the type of authorization that the rule allows to be conditioned, in which case you must state the consequences of not signing (life insurance application) (employee drug testing or fitness for duty physical) 6) Redisclosure statement: you cannot guarantee that the receiving entity will not redisclose, especially if it is not a CE1) Recommendation: First determine the purpose. That will help you determine what information should be released and when the authorization should expire. E.g., If the purpose of the authorization is to disclose information to my probation officer so that my PO can determine whether I am complying with a term of probation, which requires me to get substance abuse treatment, then Then the information to be disclosed can be described as dates of my appointments, my attendance record (my progress, drug tests) And the expiration event can be the termination of my probation. 2) �At the request of the individual� is a sufficient statement of purpose when the individual initiates the authorization. 3) Personal representative 4) Right to revoke statement and a description of how the individual may revoke the authorization (or a reference to the Privacy Notice which must include this information) Recommendation: don�t rely on the Privacy Notice; put the procedure for revocation in the authorization, as you will be required to give the individual a copy of the authorization. 5) Statement that it cannot be conditioned, unless it is the type of authorization that the rule allows to be conditioned, in which case you must state the consequences of not signing (life insurance application) (employee drug testing or fitness for duty physical) 6) Redisclosure statement: you cannot guarantee that the receiving entity will not redisclose, especially if it is not a CE

11. Who May Consent to Release (not/SA records) Adult client who has not been adjudicated incompetent Guardian of the person or general guardian of an adult client adjudicated incompetent Emancipated minor Legally responsible person for a minor when the minor is being treated pursuant to the LRP�s consent Unemancipated minor who is being treated pursuant to his or her own consent Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule. Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule.

12. Who May Consent to Release of SA Records Same rules provided in previous slide except that when an unemancipated minor is being treated pursuant to the consent of the minor�s legally responsible person, both the LRP and the minor must sign the consent for disclosure Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule. Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule.

13. Subpoenas A subpoena, alone, does not permit disclosure of information protected by the state mental health law (GS 122C) or the federal substance abuse records law (42 CFR Part 2) Although the HIPAA privacy rule permits providers to disclose in response to a subpoena, GS 122C and 42 CFR 2 control (where applicable) Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule. Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule.

14. Court Order GS 122C requires, and HIPAA permits, a provider to disclose in response to a court order No particular procedure, criteria, or findings are required by either law NC privilege statutes: a judge may order disclosure when �necessary to the proper administration of justice� Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule. Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule.

15. Court Order�SA Records Patient and provider must be given notice and opportunity to respond Judicial review of records must be in camera Court must find �good cause� for disclosure Court must limit disclosure (to essential parts of record and to persons who need the information) Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule. Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule.

16. Child Protective Services All three confidentiality laws permit disclosure of information while making a report under GS 7B-301 Only GS 122C and HIPAA permit disclosure to DSS that is investigating report or providing protective services Only GS 122C and HIPAA permit disclosure to GAL appointed under GS 7B-601 Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule. Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule.

17. Juvenile Petitions State law requires designated agencies to share with one another, upon request, information in their possession that is relevant to any case in which a petition has been filed alleging that a juvenile is abused, neglected, dependent, undisciplined, or delinquent (GS 7B-3100, 28 NCAC 01A.0300) Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule. Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule.

18. Juvenile Petitions�GS 7B-3100 Disclosures GS 122C-54(h) requires a mental health facility to disclose information as required by other state law Section 164.512(a) of the privacy rule permits providers to disclose protected information as required by law The federal SA law does not permit the disclosure of patient-identifying information pursuant to GS 7B-3100 Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule. Consistency: This means you are bound by the statements in the authorization. Uses and disclosures for purposes inconsistent with the statements made in the authorization constitute a violation of the privacy rule.