840 likes | 1k Views
PART THREE. Use and Disclosure - Consent or Authorization Not Required (continued). Judicial / Administrative Proceedings. Court Order / Subpoena. Covered health care components may disclose PHI in a judicial or administrative proceeding
E N D
PART THREE Page 1NC DHHS HIPAA PMO
Use and Disclosure -Consent or Authorization Not Required (continued) Page 2NC DHHS HIPAA PMO
Judicial / Administrative Proceedings Page 3NC DHHS HIPAA PMO
Court Order / Subpoena • Covered health care components may disclose PHI in a judicial or administrative proceeding • In response to a court order or order by administrative law judge if the request specifically authorizes the disclosure of PHI and the component discloses only the information requested or • In response to subpoena, discovery request or other lawful process (not accompanied by order noted above) if the component receives satisfactory assurance from party seeking PHI (‘requestor’) that the following reasonable efforts have been made Page 4NC DHHS HIPAA PMO
Reasonable Efforts • Requestor needs to • Ensure client has been given notice via a written statement and accompanying documentation that • Requestor has attempted to provide written notice to client (if client location is unknown, sent to last known address); and • Notice included sufficient information about the litigation or proceeding to permit client to raise an objection to the court; and • Time allowed for client to raise objections has elapsed and no objections were filed or, if filed, have been resolved by the court and disclosures requested are consistent with the resolution • Secure a qualified protective order by receiving from requestor a written statement and accompanying documentation that • Parties to the dispute have agreed to qualified protective order and have presented it to the court with jurisdiction over the dispute; or • Requestor has requested a qualified protective order from the court Page 5NC DHHS HIPAA PMO
Qualified Protective Order • Qualified Protective Order • Prohibits parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which the PHI was requested; and • Requires • Return of the PHI to the covered health care component; or • Destruction of the PHI (including all copies made) at the end of the litigation or proceeding Page 6NC DHHS HIPAA PMO
Component Initiates • Covered health care components may disclose PHI in a judicial or administrative proceeding (cont’d) • In response to subpoena, discovery request or other lawful process (not accompanied order noted above) if the component does not receive satisfactory assurance from party seeking PHI (‘requestor’) if the component • Makes reasonable efforts to provide notice to the client; or • Seeks a qualified protective order • Best Practices • Place responsibility on requestor unless requestor does not know how to contact client and component has the information • Component could obtain authorization from client • PMO needs to work with AOC on court forms • Change in Current Practice - submission of client records to clerk of court before trial Page 7NC DHHS HIPAA PMO
Law Enforcement Page 8NC DHHS HIPAA PMO
Reporting to LEOs • Pursuant to Process/Otherwise Required by law - Covered health care components may disclose PHI to law enforcement officials as required by law: • Excludes reporting of abuse covered earlier • Reporting of wounds or physical injuries (e.g., gunshot wounds) • To comply with • Court-ordered warrant, subpoena, or summons issued by a judicial officer; or • Grand jury subpoena; or • Administrative subpoena or summons, civil or authorized investigative demand, or similar process authorized by law if • PHI sought is relevant and material to a legitimate law enforcement inquiry; and • The request is specific and limited in scope based upon purpose for which it is sought; and • De-identified information cannot be reasonably used Page 9NC DHHS HIPAA PMO
Identification and LocationPurposes • Covered health care component may disclose the following limited PHI in response to LEO request for purpose of identifying or locating a suspect, fugitive, material witness, or missing person • Name and address • Date and place of birth • SSN • ABO Blood type and rh factor • Type of injury • Date and time of treatment • Date and time of death, if applicable; and • Distinguishing physical characteristics (e.g., health, weight, gender, race, hair and eye color, facial hair, scars and tattoos) • Does not include DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue unless it relates to above information (e.g., blood type derived from DNA analysis) Page 10NC DHHS HIPAA PMO
Identification and LocationPurposes • Under Mental Health laws, could disclose this type of information when clients escape from a facility but not to locate a suspect • Information disclosed on escapees will have to conform to HIPAA requirements • Under 42 CFR, Part 2, most of these types of disclosures are specifically prohibited Page 11NC DHHS HIPAA PMO
Victims of a Crime • Covered health care component may disclose PHI in response to LEO request about an individual who is or is suspected to be a victim of a crime • Exclusive of abuse reporting • Client must agree to the disclosure • If client unable to agree due to incapacity or other emergency circumstance and • LEO represents the following • PHI is needed to determine if violation of law by person other than client has occurred and information will not be used against the victim; and • Law enforcement activity would be materially and adversely affected by waiting till client is able to agree to disclosure; and • Covered health care component, in exercise of professional judgement, determines disclosure is in best interest of client Page 12NC DHHS HIPAA PMO
Crime on Premises • Covered health care component may disclose PHI to LEO when • a crime has occurred on the component’s premises • component believes in good faith that the PHI will provide evidence of the client’s criminal conduct • Example - Assault of staff member by a client including gathering information from other clients who witnessed the assault Page 13NC DHHS HIPAA PMO
Reporting Crime in Emergencies • Not on covered health care provider’s premises and not related to abuse reporting • Covered health care provider provides emergency healthcare in response to medical emergency • May disclose PHI to LEO if such disclosure is necessary to alert law enforcement to • Commission and nature of a crime; • Location of such crime or the victims of such crime; and • Identify, description, and location of perpetrator of crime • Example - Clients from John Umstead Hospital who were involved in fatal auto accident Page 14NC DHHS HIPAA PMO
Decedents Page 15NC DHHS HIPAA PMO
Covered health care component can disclose PHI to coroners and medical examiners (or use PHI if component performs coroner or medical examiner duties), for Identification of a deceased person Determining cause of death Other duties as authorized by law In NC, Office of Medical Examiner is not a covered health care component Covered health care component can disclose PHI to funeral directors Consistent with applicable law To carry out their duties with respect to decedent Prior to and in reasonable anticipation of death (e.g., pre-pay burial arrangement) Example - inform funeral director when client is HIV positive Medical Examiners/Funeral Directors Page 16NC DHHS HIPAA PMO
LEO • Covered health care component may disclose PHI about deceased client to LEO when there is suspicion that death may have resulted from criminal conduct • Examples - Suicide reporting; Client beat to death by another client Page 17NC DHHS HIPAA PMO
WAKE UP!!!! Page 18NC DHHS HIPAA PMO
Organ Transplants Page 19NC DHHS HIPAA PMO
Organ Transplants • Covered health care component may disclose PHI • To organ procurement organizations engaged in procurement, banking or transplanting or cadaveric organs, eyes or tissue • In order to facilitate donation or transplantation Page 20NC DHHS HIPAA PMO
Avert Serious Threat to Health or Safety Page 21NC DHHS HIPAA PMO
Avert Serious Threat to Health or Safety - Can Disclose PHI • Covered health care component may, in good faith, use or disclose PHI • Disclose PHI in Good Faith • Based upon covered health care component’s actual knowledge, or • Based on knowledge of credible person (e.g., EMS) • When consistent with • Applicable law • Example - Mental Health laws in NC allow these disclosures • Standards of ethical conduct • When necessary to prevent or lessen serious and imminent threat to health or safety of a person (or public) • Disclosure is made to person(s) who can reasonably lessen the threat including target of threat • Example - During an outpatient therapy session, a client states they intend to kill their spouse Page 22NC DHHS HIPAA PMO
Avert Serious Threat to Health or Safety - Can Disclose PHI • Covered health care component may, in good faith, use or disclose PHI (cont’d) • Necessary for law enforcement authorities to identify or apprehend an individual • Because of a statement by an individual admitting participation in a violent crime and component reasonably believes crime may have caused serious physical harm to victim • Component can only release the ‘statement’ • PHI is limited to information for Identification and Location Purposes previously outlined under disclosures for law enforcement - Limited Information for Identification and Location Purposes ; or • Appears individual has escaped from correctional institution or lawful custody Page 23NC DHHS HIPAA PMO
Avert Serious Threat to Health or Safety - Can’t Disclose PHI • Covered health care component may NOT disclose PHI to avert serious threat to health or safety when information is learned by component • In course of treatment to prevent the tendency to commit criminal conduct • Example - pyromaniac in treatment, can’t disclose a statement made during treatment that he wants to burn a particular building • Client is seeking treatment to prevent the tendency to commit criminal conduct Page 24NC DHHS HIPAA PMO
Other Specialized Government Functions Page 25NC DHHS HIPAA PMO
Military and Veteran Activities • Covered health care component may use or disclose PHI of clients in Armed Forces • For activities deemed necessary by military command authorities to execute military mission • If military authority has published a notice in the Federal Register containing • Military command authorities; and • Purposes for which PHI may be used or disclosed • Recommendation - military needs to specify where information is published in the register • For foreign military personnel to the appropriate foreign military authority under same conditions noted above • Other requirements related to separation or discharge from military service or veterans do not relate to DHHS Page 26NC DHHS HIPAA PMO
National Security • Covered health care component may disclose PHI for conduct of lawful • Intelligence • Counterintelligence • Other national security activities authorized by National Security Act and implementing authority (e.g., Executive Order 12333) • Recommendation - consult Attorney General’s Office prior to disclosure Page 27NC DHHS HIPAA PMO
Protective Services • Covered health care component may disclose PHI to authorized federal officials for provision of protective services to • President or other persons authorized by 19 U.S.C. 3056 • Foreign heads of state or others authorized by 22 U.S.C. 2709(a)(3) • Conduct of investigations authorized by 18 U.S.C. 871 and 879 • Recommendation - consult Attorney General’s Office prior to disclosure • Change in current practice - do not have to show a perceived threat to health or safety Page 28NC DHHS HIPAA PMO
Corrections/Lawful Custody • Covered health care component may disclose PHI to • Correctional institution (e.g., prison, jail, reformatory, detention center, halfway house, residential community program center) or • LEO having lawful custody of inmate or other individual (e.g., sheriff deputy transporting client to Dorothea Dix Hospital for pre-trial or individual found to be NGRI) Page 29NC DHHS HIPAA PMO
Corrections/Lawful Custody • Covered health care component may disclose PHI when disclosure is necessary for • provision of health care to inmate/other individual (e.g., diabetic client); • health and safety of inmate/other individual or other inmates; • health and safety of officers or employees/others at correctional institution; • health and safety of inmate/individual and officers or other persons responsible for transporting inmates (e.g., HIV positive); • law enforcement on correctional institution premises; and • administration and maintenance of safety, security and good order of correctional institution Page 30NC DHHS HIPAA PMO
Corrections/Lawful Custody • Covered health care component that is a correctional institution may use PHI of inmates for same purposes noted previously • Individual is no longer an inmate when released on parole, probation, supervised release, or no longer in lawful custody • Need to evaluate against disclosures permitted under 122C between MH/DD/SA facilities and DOC Page 31NC DHHS HIPAA PMO
Government Health Plans • Covered HEALTH PLANS that are government programs providing public benefits (e.g., DMA) • May disclose PHI relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits (e.g., DSS) • If sharing of eligibility or enrollment information or • Maintenance of such information in data system accessible to the government agencies • Is required or expressly authorized by statute or regulation • Limits PHI to eligibility and enrollment purposes • Provides balance between need for efficient administration of public programs and public funds and individual privacy • Example - Section 1137 of Social Security Act requires programs like Social Security, Medicaid, Food Stamps, etc. to participate in joint income and verification system Page 32NC DHHS HIPAA PMO
Government Programs • Covered health care components that are government agencies administering government programs providing public benefits (e.g., Medicaid) • May disclose PHI related to the program to another covered health care component that is a government agency administering a government program providing public benefits (e.g., Health Choice) • If the programs serve the same or similar populations and • Disclosure of PHI is necessary • to coordinate covered functions of such programs or • to improve administration and management relating to the covered functions of such programs • In NC, Medicaid and Health Choice are administered by same covered health care component (DMA) Page 33NC DHHS HIPAA PMO
Workers Compensation State Car Bites the Dust Page 34NC DHHS HIPAA PMO
Workers Compensation • Workers Compensation programs are not covered under HIPAA • No requirement to use standard transactions or code sets • Disclose PHI in accordance with workers compensation laws Page 35NC DHHS HIPAA PMO
Research Page 36NC DHHS HIPAA PMO
Research WithoutClient Authorization • Covered health care component may use or disclose PHI for research provided: • Component obtains documentation that an alteration toor waiver of authorization has been approved by either • Institutional Review Board (IRB) established in accordance with federal law or • Privacy Board Page 37NC DHHS HIPAA PMO
Privacy Board • Privacy Board • has members with varying backgrounds and appropriate professional competency • reviews effect of research protocol on client’s privacy rights and related interests • includesat least one member • not affiliated with component • not affiliated with entity conducting/sponsoring research • not related to any person affiliated with such entities • members do not have conflict of interest Page 38NC DHHS HIPAA PMO
Documentation - Alteration toor Waiver of Authorization • Documentation that an alteration toor waiver of authorization includes • Statement identifying IRB or Privacy Board • Date alteration or waiver of authorization was approved • Brief description of PHI for which use or access has been determined to be necessary by IRB or Privacy Board • Statement that alteration or waiver of authorization has been reviewed and approved • IRB must follow requirement of Common Rule (45 CFR 46) • Privacy Board must review proposed research at properly convened meetings • Must be signed by IRB or Privacy Board chair or other member, as designated by chair Page 39NC DHHS HIPAA PMO
Documentation - Alteration toor Waiver of Authorization • Statement that IRB or Privacy Board has determined the alteration or waiver of authorization satisfies the following • Involves no more than minimal risk to clients • Will not adversely affect privacy rights and welfare of clients • Could not practicably be conducted without alteration/waiver • Could not practicably be conducted without access to PHI • Privacy risks to clients are reasonable in relation to • anticipated benefits to clients • importance of knowledge that may be expected to result from research • Adequate plan to protect identifiers from improper use/disclosure • Adequate plan to destroy identifiers at earliest opportunity • unless health or research justification or otherwise required by law • Written assurances that PHI will not be reused or disclosed Page 40NC DHHS HIPAA PMO
Research on Decedent’s PHI • Covered health care component obtains the following from researcher • Use or disclosure is sought solely for research on PHI of decedents • Documentation of client’s death • if requested by covered health care component • PHI is necessary for research purposes Page 41NC DHHS HIPAA PMO
Researcher Representation • Representation from researcher either orally or in writing that • Use or disclosure is sought solely to review PHI to • prepare a research protocol or • similar purposes preparatory to research • PHI will not be removed from the covered component by the researcher, and • PHI is necessary for research purposes • e.g., to design a research study or to assess feasibility of conducting a study Page 42NC DHHS HIPAA PMO
"Normally, I'd discuss your condition with these first-year residents, but because of confidentiality restrictions, all I can really tell them is that you're a shoo-in for an invasive procedure. " Cartoon by Dave Harbaugh Page 43NC DHHS HIPAA PMO
Use and Disclosure -Requiring an Opportunity for the Client to Agree or Object Page 44NC DHHS HIPAA PMO
Verbal Agreement Required • Under HIPAA, verbal agreement of client is required • For directory information (previously covered) • For disaster relief purposes • To public or private entity authorized to assist in disaster relief (e.g., state response team during Hurricane Floyd; American Red Cross) • Determination made that requirements for verbal agreement do not interfere with ability to respond to emergency circumstances • For providing client’s PHI related to current condition to those assisting in client’s care/notifying them of client's status • Disclosure to family members, friends, others identified by client • Provide only the PHI relevant to the person’s involvement with client’s care or payment • e.g., family member taking care of post op patient does not need to know entire client history Page 45NC DHHS HIPAA PMO
Verbal Agreement Possible • If client is able, health care provider uses or discloses information if: • Client agrees • Client is given opportunity to object to the disclosure and does not object • Reasonably infers client agreement based on professional judgement • Client asks friend to remain during a physician visit Page 46NC DHHS HIPAA PMO
Verbal Agreement Not Possible • If client not able (e.g, incapacitated or emergency situation) or not present, health care provider uses or discloses PHI directly relevant to person’s involvement if: • Client previously expressed preference and provider not aware of reasons not to disclose • May have system ‘flag’ indicating previous agreement • Based upon professional judgement of component, disclosure is in the best interest of the client • In cases of abuse, may not be in client’s best interest • When client condition improves, component pursues verbal agreement Page 47NC DHHS HIPAA PMO
Verbal Agreement Documentation • Not specified in HIPAA Regulations • Best Practice - Document in client record Page 48NC DHHS HIPAA PMO
Use and Disclosure -Other Requirements Related to PHI Page 49NC DHHS HIPAA PMO
Verification of Requestor • Prior to disclosing PHI, covered health care component must verify • identity of person requesting the information • authority of requestor to have access to the PHI Page 50NC DHHS HIPAA PMO