Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law

§2Definitions (3)Authorization – (4)Business associate (10)Designated record set (15)Health care operations (17)Incidental use or disclosure (20)LAR or legally authorized representative

§2Definitions (con.) (27)Professional (28)PHI or protected health information (29)Psychotherapy notes (30)Public health disaster

§4General Provisions (a) Policies and procedures (b) Retention (d) Safeguarding PHI (e) Disclosing PHI – Verify identity except in emergency – Alcohol and drugs – HIV AIDS

§4General Provisions (con.) (e) Disclosing PHI con. – Records from outside sources – Non disclosure of PHI about third party – Authorization in writing

§9When Authorization is not Required to Use or Disclose PHI (a)When necessary for TPO (b)When required or authorized by law. – CPS – Audits – Abuse/neglect – Advocacy Inc. – HHS – Law enforcement to lessen imminent harm

(b)When required or authorized by law (con.) – Research – Correctional institutions – Entities paying fees – Administrator of estate of deceased – LAR of person with DD

(c)When required by judicial and administrative proceedings Civil subpoenas Criminal subpoenas Court orders Law enforcement

§12Valid Authorization to Use or Disclose Protected Health Information the name of the individual; a description of the information to be used or disclosed that is specific and meaningful; a description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when the individual initiates the authorization and does not, or elects not to, provide a statement of the purpose; the name or other specific identification of the person(s), or class of persons, permitted to make the disclosure;

§12Valid Authorization to Use or Disclose Protected Health Information the name or other specific identification of the person(s), or class of persons, to whom the disclosure may be made; an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; a statement that: – the individual may revoke the authorization – the component will comply with the revocation except to the extent that it has acted in reliance on it; – a statement that the component may not withhold treatment, Medicaid benefits, or payment processing if the individual does not to sign the authorization;

§12Valid Authorization to Use or Disclose Protected Health Information a statement that, except for PHI related to alcohol or drug abuse treatment, the potential exists for the PHI described in the authorization to be re-disclosed by the recipient and, therefore, no longer protected by medical privacy laws; the signature of the person who can authorize the use or disclosure (i.e., individual, LAR, or other representative) if the authorization form is signed by the individual's LAR or other representative, a description of the LAR's or other representative's authority to act for the individual; and the date the authorization form was signed.

§16Access to Protected Health Information by Individuals and LARs Denial provide a written denial to the requestor that uses plain language and contains: – the basis for the denial; – the duration of the denial; – if access is denied for a reviewable ground under paragraph (2) of this subsection, a statement of the requestor's right to request a review of the denial of access and the procedures for requesting a review; and – a description of how the requestor may complain to the component pursuant to the component's complaint procedures (as required in §7 (Complaints)), to the Office for Civil Rights, U.S. Department of Health and Human Services, including the contact information;

§16Access to Protected Health Information by Individuals and LARs file a copy of the written denial in the individual's record; to the extent possible, provide access, in accordance with subsection (c) of this section, to any other PHI requested, after excluding the PHI to which the component has reason to deny access; and allow examination and copying of the PHI by another professional if the individual selects the other professional to treat the individual for the same or a related condition as the professional denying access.

Breach Notification Act defines ‘‘breach’’ as the ‘‘unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.’’ Business associates notify the covered entity. Time within 60 days from discovery

Breach Notification (con.) In writing –first class mail to last known address May be multiple mailings May also do electronic Minor to parent If not address, may do phone, public posting or major media Law enforcement may request a delay.

Breach Notification (con.) (1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (2) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (3) any steps individuals should take to protect themselves from potential harm resulting from the breach;

Breach Notification (con.) (4) a brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an address, Web site, or postal address. With respect to indicating in the notification the types of protected health information involved in a breach, we emphasize that this provision requires covered entities to describe only the types of information involved.

Breach Notification (con.) Notification to secretary of HHS Immediately of 500 or more people Less than 500 people, keep a log and submit by year