Confidentiality 42 CFR Part 2 & HIPAA


Confidentiality 42 CFR Part 2 & HIPAA Lynn M. Eldridge, MEd Division of Behavioral Health lynn.eldridge@alaska.gov

Confidentiality 42 CFR Part 2 & HIPAA This is not legal advice. Please consult your agency’s attorney or legal department for legal advice involving any confidentiality questions.

42 CFR Part 2 Code of Federal Regulations Therefore it is a Federal Law Two separate laws developed in 1970 & 1972 Two regulations combined in 1992.

42 CFR Part 2 Purpose Purpose: To encourage substance abusers who might otherwise be deterred, for fear that their substance abuse treatment would become public information, to seek treatment.

To Whom the Regulations Apply 42 CFR Part 2 Regulations Apply to: * AOD programs that are federally conducted, regulated or assisted in any way, directly or indirectly. * Generally, to recipients of AOD patient identifiable information from anyone subject to these regulations.

The General Rule Information Protected Under the Rule: “Patient Identifying Information” -Information, recorded or unrecorded, that could potentially link an individual, by name or otherwise, to a substance abuse treatment program.

The General Rule Information Protected Under the Rule: - Protection to anyone who has applied for or been given substance abuse treatment services, and anyone checking on eligibility to get into a program.

The General Rule Disclosure Prohibited Under the Rule: -Direct communications of PII -Verifications of PII

Example Becki: referred by PO. Never called, never showed to office; Program XYZ hasn’t heard of her. Susan: referred by PO. Called, gave name but never made an appointment. Bea: referred by PO. Called, gave name, made appointment, showed up for appointment. No release. Lynn: referred by PO. Showed for appointment, signed releases.

Exceptions Exceptions permit only LIMITED disclosures, which are disclosures of only so much information as is necessary to carry out the purpose of the disclosure.

Exceptions-Written Consent Required Elements in a Written Consent: 1. Who can disclose PII 2. To whom disclosure can be made 3. Name of the patient 4. Purpose of disclosure 5. What can be disclosed 6. Signature of patient

Exceptions-Written Consent 7. Date consent was signed 8. Right to revoke & exception (but a criminal justice system consent can be irrevocable) 9. Expiration date, event, or condition

Signature Requirements If the patient is a minor, the patient must sign the consent form, and: a) If state law requires parental consent, the parent’s signature will also be required. b) If state law permits the minor to be treated without parental consent, the minor’s signature alone will authorize disclosure.

Signature Requirements If the patient has died, the executor of his/her estate or if there is none, the spouse or surviving next of kin may sign. If the patient is incompetent, a person appointed by a court to oversee his/her affairs may sign.

Exceptions Without Consent Internal Communications: a) Within a program, and b) between a program and an entity that has administrative control over the program.

Exceptions Without Consent Internal Communications: * Allows for communication between and among program personnel, who have a need for the information in connection with their duty to diagnose, treat, or refer for treatment substance abusers.

Exceptions Without Consent Internal Communications: *Redisclosure by program personnel and/or the administrative entity is PROHIBITED, except as permitted within these regulations.

Exceptions Without Consent 2. Anonymous Disclosures: Disclosures which do not communicate PII that in any way links a patient to a substance abuse program. Example: You can provide patient’s name, state of health, and whereabouts so long as, by that communication or verification, you are not in any way associating said patient with an AOD program.

Exceptions Without Consent 3. Qualified Service Organization Agreement (QSOA): Written agreement between an AOD program and an outside Service Organization (SO):

Exceptions Without Consent - Disclosures of PII are permitted between the AOD program and the SO. (SO may NOT be a law enforcement agency or another AOD program that provides the same or similar services.)

Exceptions Without Consent - Permissible disclosures are limited to the extent that the PII being exchanged must be needed by the SO to provide the agreed-upon services to the program. Drug testing facility separate from the AOD program.

Exceptions Without Consent Required Promises in the Written QSOA: -The SO must acknowledge that it is bound by Federal confidentiality regulations; - The SO must promise not to redisclose PII to which it becomes privy; and -The SO promises to resist unauthorized efforts to gain access to any PII Law enforcement, OCS, etc.

Exceptions Without Consent 4. Medical Emergency Three Keys needed to invoke this exception: 1) Disclosure can be made to medical personnel only; 2) Condition must be present which poses immediate threat to the health of the individual; and

Exceptions Without Consent 4. Medical Emergency Cont.: 3) A need for immediate medical intervention must exist. Taking an adolescent to the doctor?

Exceptions Without Consent 4. Medical Emergency Cont: If you invoke the medical emergency exception, you must document the following: -The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;

Exceptions Without Consent - The name of the individual making the disclosure; - The date and time of the disclosure; and - The nature of the emergency

Exceptions Without Consent 5. Research Exception: PII can be disclosed to researchers conducting scientific research, if the program director determines the researcher: - Is qualified to do the research. - Has a protocol securing the privacy and redisclosure of PII; and

Exceptions Without Consent 5. Research Exception: - Has a satisfactory written statement indicating that at least three others have reviewed the protocol and deemed it safe enough to protect the patient’s confidentiality in light of the potential research benefits. Permission from client to participate in a research study? Signatures? How do you keep them confidential?

Exceptions Without Consent 6. Audit and Evaluation Exception: Permits regulatory agencies, funders, third-party payers, and peer review organizations to monitor AOD programs to ensure that they are complying with regulatory mandates and are properly accounting for and disbursing all funds received.

Exceptions Without Consent 6. Audit and Evaluation Exception Cont: - Time-limited disclosure - Written agreement is necessary to protect PII - Programs must have secure facilities and record keeping practices to protect such information when not being used.

Exceptions Without Consent 7. Authorizing Court Order: A Federal, State, or local court may authorize a program to make a disclosure that would otherwise be prohibited, but a unique kind of court order is required in which special procedures are followed and particular criteria are met.

Exceptions Without Consent 7. Authorizing Court Order: * A subpoena, search warrant, or arrest warrant (a compelling legal document), in and of itself, even if signed by a judge, is NOT sufficient to permit or require disclosure of PII.

Exceptions Without Consent 7. Authorizing Court Order: * A court is not entitled to a patient’s AOD treatment information merely because it ordered the patient to treatment. Programs can only disclose PII if the court issues the unique type of order as outlined in the regulations.

Exceptions Without Consent 7. Court order cont Non-Criminal Case Procedures: * Applicant must use fictitious name for patient. * Notification must be given to patient whose information is sought and to the program that has the information, giving each an opportunity to file a written response or appear in person to dispute.

Exceptions Without Consent 7. Court Order Non-Criminal: * Court must find “good cause” for the disclosure: a) there is no other effective way to obtain the PII b) The public interest and need for disclosure outweigh potential injury to the patient, the patient’s relationship to the

Exceptions Without Consent 7. Court Order Non-Criminal and the program’s ongoing treatment services. * If the court grants disclosure, it must LIMIT disclosure to only the essential parts of the record and to only persons who have a need for the PII, and it must PROTECT against redisclosure. Sealing portions of the public record in the case.

Exceptions Without Consent Criminal Case Procedures: Investigation or Prosecution of Patient: * Applicant must use fictitious name for patient. *Notification must be given to program, not patient. *Program must have opportunity to be represented by counsel and address the court on whether criteria for a court order are met.

Exceptions Without Consent Investigation or Prosecution of Patient: *Proceedings must be sheltered from public. *To grant a court order, court must find: a) That crime is extremely dangerous; b) Records are reasonably likely to reveal substantially valuable information to investigation or prosecution;

Exceptions Without Consent Investigation or Prosecution of Patient: *Proceedings must be sheltered from public cont: c) No other available effective ways of obtaining the PII; and d) That public has interest and need for disclosure that outweigh injury to the patient, patient-program relationship, and program’s ability to provide services.

Exceptions Without Consent Investigation or Prosecution of Patient Cont: * If court order is granted, it must be LIMITED disclosure to necessary parts of record and LIMIT disclosure and use to law enforcement personnel with need for it.

Exceptions Without Consent Criminal Procedures: Investigation or Prosecution of Program: - Any agency having jurisdiction over the program or its activities may apply for such a court order. - Application must be filed separately or as a part of a pending civil or criminal action against the program or person holding the records, if records are needed to provide material evidence. - Same procedures are required as for civil cases, except no notice at all is required for program or patients. Agencies include administrative, regulatory, supervisory, investigative, law enforcement or prosecutorial. Or employees/agents of the program or person

Exceptions Without Consent Criminal Procedures: If confidential communications are sought, additional criteria are required: No disclosure can be made unless: - It is necessary to protect against the threat to life or serious bodily injury. - It is necessary to investigate or prosecute an extremely serious crime; or - It is connected with a proceeding in which the patient has already presented evidence concerning the confidential communication.

Exceptions Without Consent 8. Patient threat/crime on Program Premises or Against Program Personnel: - To Law Enforcement - Disclosure is limited to the incident, including the patient’s name, address, last known whereabouts, and status. - The program is not permitted to report on a patient’s other crimes.

Exceptions Without Consent 9. Reporting Suspected Child Abuse and Neglect: -Must be in compliance with state reporting laws/requirements. -Program staff can make reports & confirm in writing: a) Name b) Address c) Nature of suspected abuse/neglect d) How the reporter became aware of it.

Exceptions Without Consent 9. Reporting Suspected Child Abuse and Neglect: But, other exceptions must be invoked in order to disclose further PII in the investigation of such reports

Restrictions on Redisclosure Anyone who receives PII under any of the permissible exceptions to the AOD Confidentiality Rule is subject to the rule. And in order for the recipient of the PII to redisclose that information, the recipient will need to find his/her/its own exception to the rule.

Restrictions on Use Except as permitted by a court order, information subject to these regulations may not be used to initiate, substantiate or investigate criminal charges against a patient.

Administrative Requirements Programs must provide written notice of confidentiality requirements to a patient at time of admission or as soon as patient is capable of rational communication. Records must be maintained in a secure room, locked file cabinet, safe, or other similar container when not in use. Programs must adopt written procedures regulating and controlling access to and use of written records.

Relationship to State Laws More protective State laws remain in effect. No State law can either authorize or compel any disclosure prohibited by the Federal AOD Confidentiality Rule.

Penalties Enforcement: US Attorney for the judicial district in which the violation occurs; $500 for the first violation and up to $5,000 for each subsequent offense; Professionals in violation may risk suspension or loss of their professional license/certification to provide services; Programs in violation can risk loss of their State certification or accreditation and/or Federal funding.

Health Insurance Portability and Accountability Act (HIPAA) Important: This is not legal advice and is a brief and incomplete summary of the HIPAA regulations. Legal consultation should be sought when determining how to be HIPAA compliant. (Excerpts taken from the American Psychological Association Practice Organization, March 2002 Edition. “Getting Ready for HIPAA: What you need to know now.”)

Health Insurance Portability and Accountability Act (HIPAA) What is HIPAA? 1) Federal law signed into effect in August 1996, became effective April 14, 2001, and all agencies were to become compliant by April 14, 2003. 2) The act was designed to protect Americans who were previously ill from losing their health insurance when they changed jobs or residences.

Health Insurance Portability and Accountability Act (HIPAA) 3) To assist in streamlining the health care system through the adoption of consistent standards for transmitting uniform electronic health care claims. 4) Provides a privacy and confidentiality rule regarding health records. 5) HIPAA provides for the “transaction” rule, which requires standard formatting of electronic transactions for specified financial and administrative purposes. * Health care claims, plan eligibility or plan coverage.

Health Insurance Portability and Accountability Act (HIPAA) Penalties for not following HIPAA: 1) Administrative action by the Health and Human Services Office for Civil Rights; 2) Individual person civil penalties of not more than $100 per violation, not to exceed $25,000 during any calendar year; 3) Fines up to $250,000, Imprisonment for up to 10 years or both for knowingly violating “wrongful disclosure of individually identifiable health information.”

Health Insurance Portability and Accountability Act (HIPAA) To Whom does HIPAA apply? 1) Health Care Providers 2) Health Plans 3) Health Care Clearinghouses 4) Also applies to those doing business with HIPAA covered entities. * Including employer-sponsored group plans, Medicaid & Medicare

Health Insurance Portability and Accountability Act (HIPAA) What kind of Information is protected by HIPAA? 1) Health information: oral, recorded, created or used by health care professionals. 2) Anything that identifies or can be used to identify an individual 3) An individual becomes protected when their health information is transmitted or maintained in any form or medium. Relates to past, present or future physical/mental health condition. 4) Psychotherapy Notes, recorded in any medium.

Health Insurance Portability and Accountability Act (HIPAA) Electronic Transmission: 1) Mode of electronic transmission includes: internet, extranets, leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact-disk media.

Health Insurance Portability and Accountability Act (HIPAA) Electronic Transmission Cont: 2) Faxes should be treated as if HIPAA applies: - If original fax is generated on a computer or sent via the computer rather than fax machine, then an electronic copy of the document exists even if the document has been erased. - When a therapist receives a fax, he/she has no way of knowing whether it has been created, stored, or sent electronically.

Health Insurance Portability and Accountability Act (HIPAA) Releasing of Information: CONSENT! CONSENT! CONSENT!

Health Insurance Portability and Accountability Act (HIPAA) Releasing Information w/o Consent: 1) Court Order 2) Order from an administrative tribunal (Social Security Administration) 3) Reporting disease 4) Reporting of Child abuse/neglect 5) To prevent/lessen a serious & imminent threat to the health or safety of a person or the public. Release can only be made to those person(s) who can reasonably prevent or lessen the threat

Health Insurance Portability and Accountability Act (HIPAA) Minimum Necessary Standard: Limits on Uses: A program is required to identify who, within its workforce, needs access to what categories of personal health information to carry out their duties, and any conditions appropriate to such access.

Health Insurance Portability and Accountability Act (HIPAA) Minimum Necessary Standard: Need P&P’s for routine and recurring disclosures and requests that limit PHI to only the amount reasonably necessary to achieve the purpose of the disclosure or request.

Health Insurance Portability and Accountability Act (HIPAA) Minimum Necessary Standard: Need P&P’s for non-routine/non-recurring disclosures and requests that look at each individually and what the criteria are.

Health Insurance Portability and Accountability Act (HIPAA) Part 2 Consent and Privacy Rule Authorization. The Privacy Rule: The Privacy Rule permits uses and disclosures for “treatment, payment and health care operations” as well as certain other disclosures without the individual’s prior written authorization. Disclosures not otherwise specifically permitted or required by the Privacy Rule must have an authorization that meets certain requirements. With certain exceptions, the Privacy Rule generally requires that uses and disclosures of PHI be the minimum necessary for the intended purpose of the use or disclosure. 42 CFR Part 2: Programs may not use or disclose any information about any patient unless the patient has consented in writing (on a form that meets the requirements established by the regulations) or unless another very limited exception specified in the regulations applies. Any disclosure must be limited to the information necessary to carry out the purpose of the disclosure. https://www.nachc.com/.../SAMHSAs%2042%20CFR%20Part2-HIPAAC...

Part 2 & HIPAA Which “wins”? Generally, the more recently enacted, HOWEVER: - Not if earlier law has a more narrow, precise, or specific subject - Not if later law addresses an issue on which an earlier law was silent www.ehcca.com/presentations/HIPAA10/6_04.ppt

Part 2 & HIPAA Many HIPAA provisions PERMIT something but don’t mandate it. 42 CFR Part 2 PROHIBITS all disclosures unless specifically allowed by the regulation. www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict” Disclosure for Payment HIPAA PERMITS disclosure without patient consent for the purpose of payments. 42 CFR Part 2 PROHIBITS these disclosures without patient consent. SUD providers must follow 42 CFR Part 2. www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict” Patient Rights & Administrative Requirements *HIPAA imposes several new administrative requirements and establishes new patient rights. *These are not included in 42 CFR Part 2. SUD providers must follow HIPAA. www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict” Re-disclosure of Information HIPAA is silent on this topic. 42 CFR Part 2 requires that a statement prohibiting re-disclosure accompanies the patient information that is disclosed. SUD providers must follow 42 CFR Part 2. www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict” Disclosure to Public Health HIPAA permits disclosure to a public health authority for disease prevention or control, or to a person who may have been exposed to or at risk of spreading a disease or condition. 42 CFR Part 2 prohibits these disclosures unless there is an authorization, court order, or the disclosure is done without revealing patient information. SUD providers must follow 42 CFR Part 2. www.ehcca.com/presentations/HIPAA10/6_04.ppt

Examples of “rule conflict” Right to Access Records HIPAA REQUIRES a covered program to give an individual access to his/her own health information (with few exceptions). 42 CFR Part 2 gives programs DISCRETION to decide whether to permit patients to view or obtain copies of their records, unless they are governed by a state law that gives right to access. SUD providers must follow HIPAA. www.ehcca.com/presentations/HIPAA10/6_04.ppt

Health Insurance Portability and Accountability Act (HIPAA) Additional Points: 1) An individual can request and receive a list of all disclosures of any personal health information made in the previous 6 years. 2) Need to keep a list of all disclosures made. Tracking began on April 14, 2003.

Health Insurance Portability and Accountability Act (HIPAA) Parent has to give consent for medical treatment (except where 42 CFR Part 2 applies) of a minor except for the following: 1) Pregnancies or appointments relating to the pregnancy; 2) Contraception information; 3) STD Testing and Results The child must give consent to release the above.