HIPAA and 42 CFR Part 2: Walking Through the Maze A Presentation to the Law and Community Health Section Joan M. Wilson Assistant Attorney General Joan.Wilson@alaska.gov

Why? Growing body of medical research High prevalence of individuals with co-occurring substance abuse and mental health disorders Difficulty in accessing appropriate treatment in separate mental health and substance abuse systems Challenges to recovery when undiagnosed disorders

Why? To remedy, the Substance Abuse and Mental Health Services Administration (SAMSHA) created the Co-Occurring State Incentive Grant Program Alaska Department of Health and Social Services is a recipient One of seven initial states

Why? Requirements of Grant– Infrastructure Development in following areas Standardized Screening and Assessment Complementary Licensure and Credentialing Requirements Service Coordination and Network Building Financial Planning Information Sharing

Why? Alaska Department of Health and Social Services, Division of Behavioral Health DBH Grantees to Provide Integrated Care for Coexisting Substance Abuse and Mental Health Disorders Present Approach Substance abuse treatment facilities screen for mental illness, Mental health facilities screen for substance abuse No wrong door policy Eventual treatment for both disorders in all locations

Mental Health Facilities Does Screening Alone Subject Entities to the Substance Abuse Treatment Regulations for the first time?

42 CFR PART 2

42 CFR Part 2 Except under certain conditions, there is a prohibition on disclosure of information concerning a “patient” in a “federally assisted” program Federal assistance Program Patient

42 CFR Part 2 Federal assistance Includes federal block grants or other funds channeled through state or local governments Medicaid COSIG Grant Includes certification for Medicare reimbursement

42 C.F.R. Part 2 Program Individual or entity that holds itself out as providing and does provide alcohol or drug abuse diagnosis, treatment, counseling, or referral for treatment Note does not say “referral for diagnosis” Could stand in the place of a program if State law, regulation, or licensing requirement binds the individual or entity to the standards of 42 C.F.R. Part 2

42 CFR Part 2 Program, includes Individual or entity other than a general medical care facility Identified Unit within a general medical facility Medical staff in a general medical facility whose primary function is diagnosis, treatment, or referral

42 CFR Part 2 Patient An individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program

42 CFR Part 2 General Rule: Information that identifies an individual as a patient of a program may not be used or disclosed absent patient authorization, unless an exception for the use or disclosure applies

HIPAA Use and Disclosure Rule General rule: A covered entity and its workforce, may not use or disclose PHI, except — For TPO With individual permission To the individual As otherwise permitted or required by HIPAA

Mental Health Programs Utilize screening tool Raises possible of substance abuse problem Refers to another organization for diagnosis Is it subject to the Substance Abuse Treatment regulations?

Screening vs. Diagnosis From SAMSHA Information gathered by a program for purposes other than a diagnosis, treatment, or referral for treatment is not subject to the 42 C.F.R. Part 2 restrictions covered Screen or pre-screen procedures Identifying an Individual as possibly having a substance abuse problem by use of a screening or prescreening procedure that is not conducted as part of diagnosis or treatment is not subject to the 42 CFR Part 2 restrictions SAMSHA Technical Assistance Publication Series 24, “Welfare Reform and Abuse Treatment Confidentiality: General Guidance for Reconciling Need to Know and Privacy”

Key Benchmark for 42 CFR Part 2 Diagnosis and treatment The act or process of deciding the nature of a diseased condition by examination of the symptoms A careful analysis of the facts meant to explain something A decision based on such an examination or analysis

Not there yet, But

HIPAA and 42 CFR Part 2

Uses and Disclosures Under Both Regulations

HIPAA and 42 CFR Part 2 HIPPA 42 CFR Part 2 Providers who electronically transmit any health information in a HIPAA covered standard transaction 42 CFR Part 2 Individual or entity that holds itself out as providing and does provide alcohol or drug abuse diagnosis, treatment, counseling, or referral for treatment

Standard for Uses And Disclosures Apply the more restrictive standard Standards that provide greater privacy protections Exceptions Disclosures to the individual whose health information is at issue Disclosures to federal Department of Health and Human Services for HIPAA compliance determinations

The Answer: 42 CFR Part 2 General Rule: Information that identifies an individual as a patient of a program may not be used or disclosed absent patient authorization, unless an exception for the use or disclosure applies

With Authorization Make consistent with both regulations Elements Patient Name Meaningful and specific description of information Specific name or general description of Persons authorized to disclose Name of individual or organization to receive Purpose of disclosure Expiration date/ event (no longer than reasonably necessary for purpose Required statements: Right to revoke Whether authorization is a condition of treatment 42 CFR Part 2 re-disclosure statement Obtain appropriate signature or signatures copy to individual

Patient Authorization/Consent Statement to accompany disclosure This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR Part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or is otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.

Patient Authorization/Consent Disclosures to the referring criminal justice patient Patient has signed a written consent Disclosure only to individuals with a need to monitor progress Reasonable duration of consent Expiration of consent may be no later than final disposition Re-disclosure is permissible to carry out duties with regard to conditional release

42 CFR Part 2 Exceptions to Authorization HIPAA Exceptions To Authorization Internal Communications Treatment, Payment, Health Care Operations No Patient identifying information All other HIPAA exceptions Medical emergency Treatment Court order Court Order Crime on premises Law Enforcement Child Abuse and neglect reporting Required by law Research/audit, evaluation Health Care Operations, Health Oversight, and Research QSO Health Care Operations with Business Associate Agreement

HIPAA Permitted Disclosures Government and Other Purposes As required by other laws Public health activities Victims of abuse, etc. Health oversight activities Workers’ compensation Law enforcement purposes Decedents - coroners and medical examiners Organ procurement Research purposes, under limited circumstances Imminent threat to health or safety (to the individual or the public) Specialized government function Judicial and administrative proceedings These permit (but do not compel) disclosure of PHI Public health activities - disclosure to public health authorities, and to persons at risk Health oversight activities - disclosure to health oversight agencies - not defined Judicial and administrative proceedings - in response to a court order, or where the individual is a party to the proceedings and his medical condition is in issue Coroners and medical examiners - for identifying deceased person and cause of death Law enforcement purposes - Pursuant to legal process (warrant, grand jury subpoena, administrative request) Identification of individuals Information about victim of crime or abuse Intelligence and national security activities Health care fraud reporting Governmental health data systems Directory purposes - persons not incapacitated must agree; incapacitated persons need not; can disclose name, location in the facility, and general condition (not specific medical information) Banking and payment processes - disclosure to financial institution for routine activities Research purposes. Requires-- Waiver of authorization by IRB or privacy board Determination that the research meets certain criteria, including that it cannot practically conducted without the waiver, and that its importance outweighs the intrusion into subjects’ privacy, and that the waiver poses no more than a minimal risk to the subjects, and will not adversely affect their rights and welfare. Emergencies - permits disclosure to the individual or the public to prevent serious and imminent threat to health and safety Next of kin - includes close personal friends, where directly relevant to the person’s involvement in the individual’s health care Other laws Applies only to uses or disclosures not covered by the reg

Internal Communications and Use of TPO Communications of patient identifying information among personnel with a need to know within a program or with an entity having direct administrative control over the program Determine what uses or disclosures this will cover Do you need to disclose patient-identifying information? Disclosure must be permissible under this or another section

No Patient Identifying Information Disclosure does not impliedly or expressly indicate individual is or was a substance abuse patient Disclosure does not impliedly or expressly indicate an individual has applied for or received substance abuse diagnosis, treatment, counseling, or referral for treatment

No Patient Identifying Information Guidance from SAMSHA on “No Patient Identifying Information” If a program can disclose a patient’s identifying information without indicating “patient” status, 42 CFR Part 2 is not violated Disclosures possible primarily when a program is part of a larger entity and can use the larger entity’s name when making the disclosure Program physician with separate office Anonymous disclosures (e.g. vulnerable adult abuse reporting, duty to warn) Technical Assistance Publication Series 18, “Checklist for Monitoring Alcohol and Other Drug Confidentiality Compliance”

No Patient Identifying Information Key – Does the Disclosure identify an individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program Can you give information without identifying self as substance abuse treatment provider If so, Permitted Disclosures Under HIPAA can operate Required by Law Disclosures Public Health Activities Duty to Warn If not, consider anonymous disclosures Especially for duty to warn/threat of imminent harm

Medical Emergency Disclosure to medical personnel Treating a condition posing immediate threat to health of individual Immediate intervention required Documentation required

Court Orders HIPAA’s More Permissive Provisions will not Operate Subpoena alone not sufficient Court Order, including search warrant, alone not sufficient Satisfactory Assurances? Inoperable

Court Orders -- Civil Motion for Release of Records filed in court Fictitious name or Sealed proceeding Notice to patient and provider Opportunity to respond

Court Orders – Civil Hearing Criteria for order Other ways of obtaining information not available or effective Public interest and need for disclosure outweigh injury to patient, physician-patient, and treatment

Court Orders – Civil Confidential communications Necessary to protect against an existing threat, including child abuse Necessary to prosecute a serious crime, or Door opened

Court Orders - Civil Content of Order Order alone is not sufficient Limit disclosure to essential Limit recipients Order alone is not sufficient Subpoena is required

Court orders -- Criminal Motion, Notice, and Hearing like civil Criteria Extremely serious crime Reasonable likelihood of substantial value Other ways not effective Public interest weighing Independent representation for record holder Same criteria for confidential communications

Court Orders -- Criminal Content of order Limit disclosure to essential Limit recipients Order alone is not sufficient Subpoena is required

Court Orders – Criminal Additional criteria for investigation of a program or use of undercover agents 42 C.F.R. 2.66 and 2.67

Crime on Premises From program to law enforcement Crime or threat of crime on premises Limited to circumstances, but can disclose Patient name Patient status Address or last known location

Emergencies and Crimes Medical Emergencies HIPAA Treatment Exception Crimes on Premises HIPAA Law Enforcement Exception

Mandated Reporting Child Abuse and Neglect Other Disclosures? Report according to state law Does not cover release of records Other Disclosures? Vulnerable Adult Abuse Gunshot wound or burn Birth of child Public Health Crisis Attended or unattended death

Child Abuse and Other Required Reporting May Identify Patient Status Other Required Reports Remember required reports under state law only permissive under HIPAA May Not Identify Patient Status If Cannot Report without identifying patient Consider anonymous reporting HIPAA Required Reports HIPAA preemption provisions specific to state law But, required report to HHS for HIPAA compliance likely necessity (audit and evaluation) Access – same likely result

Audit and Evaluation Activities Disclosure is permissible if recipients agree in writing on redisclosure restrictions Person who conducts an audit or evaluation on behalf of federal, state, or local agencies providing financial assistance to the program or authorized by law to regulate the program’s activities Third party payer Peer review organization Otherwise qualified to conduct audit/evaluation activities (on premises only) Special rules for Medicaid/Medicare audits (42 C.F.R. 2.53(c))

Audit, Evaluation, and Oversight Key Factors for 42 CFR compliance Get statement in writing on re-disclosure restriction operations Feds and state should provide in request for disclosure Some organizations may rise to level of BA (e.g., accreditation organizations) Third party payer disclosures could fall in here Do you need to identify patient status?

Qualified Service Organization Person that provides services to a program that has entered into a written agreement acknowledging it is bound by 42 CFR Part 2 and will resist judicial disclosure (other than as permitted) Examples (operational services to organization, not program to program for substance abuse treatment) Data processing Bill collecting Dosage preparation Laboratory Analysis Professional services (legal, medical, accounting) Services to prevent, treat child abuse, including training on nutrition and child care or individual and group counseling

QSO’s and Business Associates Identify QSO status Identify Business Associate status e.g., laboratory analysis would fall under treatment Written Agreement Bound by 42 CFR Part 2 disclosure and judicial resistance provisions Other Business Associate provisions

42 CFR Part 2 Minors If a minor has legal capacity to consent under State law, no other consent is required If parental consent is required, need both consents In states requiring parental consent Minor must consent to disclosure to parent or Provider must decide minor lacks capacity to make rational choice

42 CFR Part 2 Criteria for Examining lack of capacity Extreme youth Presence of mental or physical condition Minor’s situation poses substantial threat to life and well-being of minor Communicating can reduce that threat

Minors– HIPAA and 42 CFR Part 2 In Alaska, No state law on consent other than minors living alone Parental Permission required to attend program No access to parent to records on request for service absent Minor consent Lack of rational choice determination Also apply HIPAA personal representative analysis (reason not to treat as pr)

Conclusion Very brief overview Staff of DBH Grantees Learning More Change Agent Training Other areas of concern?