Louisiana Drug Court Conference New Orleans February 22, 2006 Ethics, Confidentiality, and HIPAA! Legal Issues in Problem-Solving Courts Louisiana Drug Court Conference New Orleans February 22, 2006 The purpose of this training is to provide a basic understanding of Confidentiality laws as they impact drug court programs, and how, as supervision officers, you can perform your role, while also staying within the law. We are going to focus particular attention on new Privacy rules which are part of the Health Insurance Portability and Accountability Act, also known as HIPAA. We’re also going to focus on 42 CFR (Code of Federal Regulations). Both of these laws keep treatment information confidential. And all drug courts must function within the scope of these laws. Unfortunately, these laws were not written with drug courts in mind, so the fit isn’t perfect. There are over 1200 drug courts throughout the country operating today, and if you asked those programs, all of them would probably tell you that they are being compliant with the laws, but there are gray areas. We can’t give you legal advice, we can only raise the issues, refer you to sources, and tell you how other drug courts are handling these things.
Confidentiality/Privacy 42 CFR Part 2 – The alcohol and substance abuse treatment confidentiality rule. HIPAA – New federal rules covering all health related information. Confidentiality, also known as “Privacy” involves the protection of patient information and is protected by three major rules. 42 CFR part 2 – the alcohol and substance abuse treatment confidentiality rule. Most states also have specific laws that cover the release of HIV information. HIPAA – are new federal rules covering all health related information.
42 U.S. Code 290dd 42 CFR Part 2 First issued 1975, revised 1987 Designed to help deal with the stigma of addiction. Requires notification of confidentiality, consent forms, prohibition of redisclosure “I’m sorry I cannot acknowledge whether someone is or isn’t in our treatment program”. 42 CFR part 2 is the set of confidentiality laws that treatment providers have been operating under since 1975, with a major revision of those rules in 1987. They were designed to help patients avoid the stigma associated with addiction by keeping their treatment information confidential. It also allowed for patients to honestly talk about their drug and alcohol use, without fear that someone would obtain their information and then use it against them. This law requires the treatment providers to provide patients with a “notification of confidentiality”,…to sign consent forms to disclose information,…and requires the “prohibition of re-disclosure” form that is sent out with any patient information. The law is so strict that providers cannot even acknowledge whether someone is or isn’t in their treatment program. And the protection is so strong, that it survives death.
What 42 CFR Covers: “Any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation or research which is directly or indirectly assisted by any department or agency of the United States.”
HIPAA Health Insurance Portability and Accountability Act of 1996 45 CFR Parts 160 and 164, Subparts A and E Designed to ensure maintenance of health insurance coverage when you change jobs. Administrative simplification – Healthcare processes becoming very complex – look to standardize information – make it easier. Protect confidentiality and security of patient information HIPAA, the Health Insurance Portability and Accountability Act of 1996, was designed to ensure that people could maintain their health insurance coverage when they switched jobs. It also contains provisions referred to as “Administrative Simplification”. Operating Health Care programs has become very complicated with many different insurance companies, regulatory requirements, and various data systems. Administrative Simplification calls for the standardization of information so that all parties use the same billing codes, diagnostic codes, and service codes. This would hopefully make healthcare operations much simpler. HIPAA also contains important provisions regarding protection of the confidentiality of patient information.
Privacy Standards Places restrictions on the use and/or disclosure of “Protected Health Information” –PHI Effective 4/14/03 Essentially applies “42 CFR p.2-like” requirements to all health care. Privacy Standard place restrictions on the use and disclosure of what is known as “ Protected Health Information” also called “PHI”. We’ll get back to PHI in a moment. The privacy standards are effective on 4/14/03, and effect the whole healthcare industry. Basically, these standards apply requirements similar to 42-CFR part 2 to all of healthcare.
Protected Health Information (PHI) Any health information: Oral , paper, or electronic Including identifying demographic information Relating to: Physical or mental health (treatment) of individual, Provision of health care to an individual (operations) Payment for provision of health care to individual Protected Health Information, PHI, is any health information, whether it’s oral, paper, or electronic that includes information that could identify a patient in any way. The information relates to the treatment of physical and mental Health, providing that healthcare, called operations, and the payment for that healthcare.
Security Standards Security of information against non-approved access Electronic creation, transmission, and storage of information a significant concern – hackers Requirements for logging of access, automatic log offs, encryption of information sent by internet. Regulations take effect in 4/05 Another component of HIPAA are the security standards. Security references protection of PHI from non-approved access. Electronic creation, transmission and storage of information is a significant concern. Recently, a hacker obtained access to over 400,000 military health records. The security standards attempt to put into play safeguards to protect this from happening. The standards will contain requirements for logging on to computers, automatic log offs when the computer is unattended, and encryption of information sent via the internet, like external e-mail. These regulations were recently finalized and are scheduled to tale effect in 2/2005.
Minimum Necessary Standard When using/disclosing PHI, only the minimum necessary information should be shared. The disclosure should cover only the authorized information Individuals, family, visitors, etc. who do not have a need to know PHI should not have access to it. An important aspect of the HIPAA rules is the “Minimum Necessary Standard”. This requirement stipulates that only the minimum necessary information be shared when using and disclosing information. When disclosing information to an outside party, only that information which authorized by the patient may be shared. We are already familiar with this through our consent forms. Individuals, family, visitors, and others who do not have a need to know PHI should not have access to it. At an ATC, certain staff members will have a “need to know” only certain information. For example, a food service worker may need to know of certain health issues, like diabetes, when preparing and serving meals to the patient. The food service worker does not need to know other aspects of the patient’s information. The ATC’s will determine which staff members will have complete access to PHI, and which will have restricted access.
Is your Problem-Solving Court a HIPAA Covered Entity? http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp Some drug courts are actually HIPAA covered entities. Most of these are drug courts that fall under large entities, such as a Department of Corrections, which may have a hospital or other medical facility. There is a website as SAMSHA that will answer the question: Is my drug court a HIPAA covered entity? That website is: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
HIPAA v. 42 CFR Part 2 The laws cover a lot of the same material. Some points of difference – more specific or more recent rule usually applies. For the CD Treatment providers, in most cases the rules of 42 CFR Part 2 are more stringent In several cases HIPAA wins. HIPAA has required your treatment provider and your drug court to make some changes in your confidentiality practices. HIPAA and 42 CFR cover a lot of the same material. When the two standards differ, the rule of law is that the more specific or more recent rule applies. With regards to chemical dependency treatment, 42 CFR is more stringent than HIPAA in many ways. A lot of what drug courts and treatment does has remained the same. In several cases, HIPAA has required some changes.
Do These Laws Apply to Problem-Solving Court Practitioners Do These Laws Apply to Problem-Solving Court Practitioners? How Do We Know They Apply?
Persons who are protected as “Patients” A person is a “patient” if they have sought or received a treatment programs services. If someone fails to appear for an initial appointment, that information is protected because they have “sought” treatment.
Defining the Program A unit a office of the problem-solving court itself provide diagnosis, treatment or makes referrals to CD treatment. Is a “Program” under 42 CFR Part 2. Is a “Covered Entity” if it transmits PHI electronically. Requires a valid multi-party consent to disclose information to the problem-solving court team.
Defining the Program The program is independent of the problem-solving court. Requires valid multiparty consents for re-disclosure of information to the problem-solving court team.
General Rule of Disclosure “Treatment Programs may only release information or records that will directly or indirectly identify a problem-solving court participant as a substance abuser: With a knowing and written consent from the participant, AND limited exceptions
How do You Obtain Written Consent from Your Participants?
Elements of a Consent Name of person or organization that may make the disclosure; Name or title of person (or organization) to whom disclosure may be made; Participant’s name; Purpose of the disclosure; How much and what kind of information may be disclosed; Participant’s signature; Date on which the consent was signed; Date, event, or condition upon which the consent will expire (Consent cannot be revoked unless in a civil or juvenile court setting)
And under HIPAA Must be in plain language Can be signed by a personal representative (then, must contain a description of the representative’s authority to act on patient’s behalf) Patients must be given copy of written form Programs must keep copy of form for six years from expiration date Program must ensure that consent complies with applicable requirements of 45 CFR section 164.508
Consents A proper consent can authorize all parties involved in the problem-solving court to share information necessary to monitor treatment progress and compliance. To be effective the consent form should be signed at the earliest possible time. Judge, coordinator, probation, etc., should get consent and fax it to treatment before 1st appointment. Before the drug court participant is seen by someone at the treatment agency for the first screening or assessment, the consent needs to be signed. The treatment agency cannot share any information without the consent. You have in your materials a copy of a model consent including HIPAA and 42 CFR requirements. In the monographs on confidentiality, on the DCPI website, and in 42 CFR itself, there are examples of consents to use.
Requiring Consents HIPAA prohibits a program from conditioning treatment on a patient signing a consent, but The judge (problem-solving court) can condition participation in the court program on the defendant signing the consent form.
Consent Guidelines Criminal Justice System (CJS) consents Determine whether assessment and treatment participation is an official condition that the person must meet. CJS consents have special rules under 42 CFR part 2 – irrevocable until expiration. HIPAA requires all consent be revocable.
Satisfying 42 CFR and HIPAA HIPAA requires all consents to be revocable, but HIPAA also allows for the use of an administrative order for information disclosure. Therefore, Programs that provide both substance abuse and mental health treatment services can pair their 42 CFR consent with a HIPAA administrative order and/or build HIPAA language into their consent
Option 1- Court Order & Irrevocable Consent Use of Court Order (court or administrative body) – Satisfies HIPAA “Standing order” “Limited HIPAA Order” Irrevocable consent – 42 CFR Part 2
Option 2 – Revocable Consents “Unlikely” the individual will revoke consent if it means they will be in violation of terms of sentence. Saves Court work – no orders If revoked, programs will have to inform court that a 42 CFR Part 2 court order is needed. Consent needs to describe specifically how disclosed info will be used.
Use and Redisclosure Under 42 CFR § 2.35, information from a CJS release may be redisclosed and used only in connection to their official duties with respect to the particular criminal proceeding. The information may not be used in other proceedings, for other purposes or with respect to other individuals. (42 CFR § 2.12(d)(1))
Permitted disclosures -no consent Medical emergency Crimes on the premises Crimes against staff Administration / qualified service programs working with treatment facility (must have business associate agreement under HIPAA—see 67 Federal Register 53264 for sample contract language—published by HHS office for Civil Rights) Outside auditors, central registries and researchers No re-disclosures unless permitted All disclosures must be documented
Mandatory disclosure -no consent State child abuse laws A valid court order State laws relating to cause of death Duty to protect others, to warn of imminent, serious harm This is one example of where 42 CFR is much stricter than HIPAA. HIPAA, information can be released with a subpoena. With 42 CFR, a subpoena isn’t sufficient. Information can only be released on a court order, based on information gathered in a court hearing, where both sides are given notice. The judge must decide whether the need to know the information outweighs the person’s need for confidentiality. (I would also discuss here whether the supervision officers are mandatory reporters of child or elderly abuse.)
Subpoenas v. Court Orders Part 2 allows information to be released by subpoena if patient has signed consent permitting release If no consent, then see 42 CFR Part 2, Subpart E for procedures the court must follow, findings, and limits HIPAA allows information release under subpoena with assurance patient has been given notice (or reasonable efforts made to give notice) with the opportunity to object
Can a Judge share treatment information in open court? The Judge may decide that sharing information about progress/difficulty in treatment is a “legitimate part of the court’s official duties and responsibilities with respect to the criminal proceedings”. Remember the Minimum Necessary Information standard.
What if your court clerk answers the telephone, “Good morning What if your court clerk answers the telephone, “Good morning. Smith County Drug Court.” Is this a violation of the confidentiality laws?
Hypothetical Joe and Mary are in your drug court. They have different primary counselors at different agencies. At a pre-staffing meeting of treatment providers, the counselors share the following information: Mary’s counselor reports that Mary is thrilled because she and Joe are going to try to have a baby. Joe’s counselor reports that Joe is excited that she and Mary are trying to have a baby, but that although they’ve begun having unprotected sex, he’s unwilling to share with Mary that he’s HIV positive.
Hypothetical What ethical issues are presented? What confidentiality issues are presented? What difference, if any, would it make if the whole team had been given this information? What difference, if any, would it make if Mary or Joe were underage?
Resources Legal Action Center (www.LAC.org) www.hipaadvisory.com Confidentiality and Communication (2003) Of Substance – newsletter www.hipaadvisory.com