CONFIDENTIALITY 12 VAC

Confidentiality General Rule: n Each individual is entitled to have all information that a provider maintains or knows about him remain confidential.

Confidentiality n Each individual has a right to give his consent before the provider shares information about him or his care unless another law, federal regulation, or the HR regulations specifically require or permit the provider to disclose certain specific information.

n Providers must maintain the confidentiality of any information that identifies an individual receiving services from the provider. –If an individual’s services record pertains in whole or in part to referral, diagnosis or treatment of substance abuse, providers may release information only according to the federal SA confidentiality regulations (this includes a substance abuse label) Provider’s Duties:

Provider’s Duties, con’t: n Providers are obligated to tell each individual, and his LAR, if applicable, about the individual’s confidentiality rights. –This shall include how information can be disclosed and how others might get information about the individual without consent.

n Providers shall prevent unauthorized disclosures of information from services records and shall convey the information in a secure manner. –What is “secure”? –Faxes? Provider’s Duties, con’t:

n If consent to disclosure is required, providers shall get the written consent of the individual or the legally authorized representative, as applicable, before disclosing information. Provider’s Duties, con’t:

Minors: n Consent of the custodial parent or other person authorized to consent to the minor’s treatment under § is required to release confidential info. Exceptions: A minor is permitted to authorize the release of records related to medical or health services for sexually transmitted disease or family planning (see Virginia Code § (E)) A minor may authorize the release of outpatient substance abuse records without parental consent in programs governed by 42 CFR Part 2. Provider’s Duties, con’t:

Redisclosure: n When providers disclose information, they must attach a statement that informs the person receiving the information that it must not be disclosed to anyone else unless the individual consents or unless the law allows or requires further disclosure without consent. Provider’s Duties, con’t:

n Upon request, providers shall tell individuals the sources of information contained in their services records and the names of anyone, other than employees of the provider, who has received information about them from the provider. –Individuals receiving services should be informed that the department may have access to their records. Provider’s Duties, con’t:

n Consent must be obtained and documented in the services record for the provider to contact family members, friends, or others. –Providers may, and probably should, encourage individuals to name family members, friends, and others who may be told of their presence and general condition or well-being. What about family and friends??

What about family and friends??, con’t. BUT... n Nothing in this provision shall prohibit providers from taking steps necessary to secure a legally authorized representative.

n In some limited circumstances (listed in the regulations) providers may disclose information without consent or violation of the individual’s confidentiality…. Exceptions:

Exceptions, con’t: n If information is disclosed without consent to anyone other than employees of DMHMRSAS, CSB, or other providers, the following steps shall be followed before the disclosure (or promptly after in an emergency): 1) Put a written notation of the information disclosed, the name of the person receiving the information, the purpose of the disclosure, and the date of disclosure in the individual’s services record; 2) Give the individual or his LAR written notice of the disclosure, including the name of each person who received the information and the nature of the information.

A) Emergencies: Providers may disclose information to any person who needs that particular information for the purpose of preventing injury, death or substantial property destruction in an emergency. –The provider shall not disclose any information that is not needed for these specific purposes. What are the exceptions?

B) Employees: Providers may disclose to any employee, consultant, agent, or contractor of the provider, or to the department or CSB, information required to give services to the individual or to get payment for services. What are the exceptions?, con’t:

C) Insurance companies and other third party payers: Disclosure may be made to insurance companies and other third party payers according to § et seq. of the Code of Virginia. What are the exceptions?, con’t:

D) Court proceedings: n If the individual, or someone acting for him, introduces any aspect of his mental condition or services as an issue before a court, administrative agency, or medical malpractice review panel, the provider may disclose any information relevant to that issue. n The provider may also disclose any records if they are properly subpoenaed, if a court orders them to be produced, of if involuntary commitment or certification is being proposed or conducted. What are the exceptions?, con’t:

E) Legal Counsel: Providers may disclose information to their own legal counsel, or to anyone working on behalf of their legal counsel, in providing representation to the provider. –State providers may disclose to the OAG for representation purposes What are the exceptions?, con’t:

F) Human Rights Committees: Providers may disclose to the LHRC and the SHRC any information necessary for the conduct of their responsibilities under these regulations.

G) Others authorized or required by the Commissioner, CSB or private program director: Providers may disclose information to other persons if authorized or required by one of the above, for the following activities: 1) Licensing, human rights, certification or accreditation reviews; 2) Hearings, reviews, appeal or investigation under these regulations; What are the exceptions?, con’t:

3) Evaluation of provider performance and individual outcomes (see § of the Code of Virginia); 4) Statistical reporting; 5) Preauthorization, utilization reviews, financial and related administrative services reviews and audits; or 6) Similar oversight and review activities.

H) Preadmission screening, services and discharge planning: Providers may disclose to the department, the CSB or to other providers information necessary to prescreen individuals or to prepare and carry out a comprehensive individualized services or discharge plan (see § of the Code of Virginia). What are the exceptions?, con’t:

I) Protection and Advocacy Agency: Providers may disclose to the P & A any information that may establish probable cause to believe that an individual receiving services has been abused or neglected and any information concerning the death or serious injury of any individual while receiving services, whatever the suspected cause of death. What are the exceptions?, con’t:

J) Historical Research: Providers may disclose information to persons engaging in bona fide historical research if all of the following conditions are met: 1) The Commissioner, or CSB/Program director authorizes the research; 2) The individual(s) who are the subject of the disclosure are deceased; What are the exceptions?, con’t:

3) There are no known living persons authorized by law to consent to the disclosure; and 4) The disclosure would in no way reveal the identity of any person who is not the subject of the historical research. n The regulations also lay out the requirements for a request for human research.

K) Protection of the public safety: If a provider reasonably believes an individual receiving services is a present threat to a specifically identifiable person or the public, the provider may communicate only those facts necessary to alleviate the potential threat. –“Duty to Warn” What are the exceptions?, con’t:

L) Inspector General: Providers may disclose to the Inspector General any individual services records and other information relevant to the provider’s delivery of services. What are the exceptions?, con’t:

N) Virginia Patient Level Data System: Providers may disclose financial and services information to Virginia Health Information as required by law (see § et seq.) What are the exceptions?, con’t:

O) Other statutes or regulations: Providers may disclose information to the extent required or permitted by any other state or federal statute or regulations. What are the exceptions?, con’t:

Other Confidentiality Laws n The Patient Health Records Privacy Act (Va. Code § :03) n Federal Law on the Confidentiality of Substance Abuse Records (42 U.S.C. §290dd-2 and 42 C.F.R., Part 2) n Numerous other scattered laws

Patient Health Records Privacy Act (“PHRPA”) n Same general rule: No provider, or other person working in a health care setting, may disclose the records of a patient. BUT… n The majority of the PHRPA is a listing of exceptions to this general right of privacy

Patient Health Records Privacy Act (“PHRPA”), con’t. n Pursuant to the written consent of the patient or in the case of a minor patient, his custodial parent, guardian or other person statutorily authorized to consent to his treatment (see ) n In an emergency where it is impractical to obtain written consent, pursuant to the patient’s oral consent to discuss with a specified third party

Patient Health Records Privacy Act (“PHRPA”), con’t. n In compliance with a subpoena or a court order upon good cause shown n In situations where disclosure is reasonably necessary to establish or collect a fee n In situations where disclosure is reasonably necessary to defend a provider or the provider’s employees or staff against any accusation of wrongful conduct

Patient Health Records Privacy Act (“PHRPA”), con’t. n As required in the course of an investigation, audit, review or proceedings regarding a provider’s conduct by a duly authorized law- enforcement, licensure, accreditation, or professional review entity n In testimony in accordance with the practitioner-patient privileges

Patient Health Records Privacy Act (“PHRPA”), con’t. n If requested in writing or by subpoena by an attorney or his client in anticipation of, or in the course of, litigation when the patient is a party and the records are, or would be, admissible as evidence (see § ) n As required or authorized by other provisions of law, including contagious disease, public safety, and suspected child or adult abuse reporting requirements

Patient Health Records Privacy Act (“PHRPA”), con’t. n Where “necessary in connection with the care of the patient” n In the “normal course of business in accordance with accepted standards of practice within the health services setting” –Verify and document!!!

Patient Health Records Privacy Act (“PHRPA”), con’t. n When the patient has waived his/her right to privacy of the medical records n When examination and evaluation are undertaken pursuant to judicial or administrative law order, but only to the extent required by such n To the guardian ad litem in the course of a guardianship proceeding of an adult

Patient Health Records Privacy Act (“PHRPA”), con’t. n To the attorney appointed by the court to represent a patient in a civil commitment proceeding n To the attorney and/or guardian ad litem of a minor patient who represents such minor in any judicial or administrative proceeding, provided the court or hearing officer has so ordered

Patient Health Records Privacy Act (“PHRPA”), con’t. n With regard to the Court-Appointed Special Advocate (CASA) program, a minor’s records (see § ) n To an agent appointed under a patient’s power of attorney or an agent or decision maker designated in the patient’s advance directive or under the Health Care Decisions Act

Patient Health Records Privacy Act (“PHRPA”), con’t. n To third-party payors and their agents for purposes of reimbursement n As necessary to support an application for receipt of government health care benefits, or as required by an authorized governmental agency reviewing such application or benefits already provided

Patient Health Records Privacy Act (“PHRPA”), con’t. n Upon the sale of a medical practice or upon a change of ownership or closing of a pharmacy (see § ) n In accord with § B, to communicate a patient’s specific and immediate threat to cause serious bodily injury or death of an identified or readily identifiable person

Patient Health Records Privacy Act (“PHRPA”), con’t. n In the case of substance abuse records, when permitted by and in conformity with federal law n In connection with the work of a legally established entity to evaluate adequacy or quality of professional services or the competency and qualifications for professional staff privileges (see § )

Patient Health Records Privacy Act (“PHRPA”), con’t. n To the provider’s designated organ procurement organization or any certified eye or tissue bank for the purpose of conducting record reviews of inpatient hospital deaths to promote identification of organ donors n To the OIG for MH, MR and SA Services (see § et seq.)

Patient Health Records Privacy Act (“PHRPA”), con’t. n To the personal representative or executor of a deceased patient or the legal guardian or committee of an incompetent or incapacitated patient, or if there is no personal representative, executor, legal guardian or committee appointed, to the following persons in the following order of priority:

Patient Health Records Privacy Act (“PHRPA”), con’t. –Spouse – Adult son or daughter – Either parent – Adult brother or sister – Any other relative of the deceased patient in order of blood relationship.

Federal Substance Abuse Confidentiality Law n Very restrictive n Applies to all programs receiving federal assistance and that relate to substance abuse “education, prevention, training, treatment, rehabilitation, or research” n Release only allowed with the patient’s prior written consent, unless one of the few listed exceptions apply