Presentation is loading. Please wait.

Presentation is loading. Please wait.

CONFIDENTIALITY: ISSUES AND CONCERNS FOR INTEGRATED SETTINGS Alameda Health Consortium Behavioral Health Integration Initiative Monday, December 17, 2012.

Similar presentations


Presentation on theme: "CONFIDENTIALITY: ISSUES AND CONCERNS FOR INTEGRATED SETTINGS Alameda Health Consortium Behavioral Health Integration Initiative Monday, December 17, 2012."— Presentation transcript:

1 CONFIDENTIALITY: ISSUES AND CONCERNS FOR INTEGRATED SETTINGS Alameda Health Consortium Behavioral Health Integration Initiative Monday, December 17, 2012 1:00 p.m. – 2:30 p.m. Presenter: Linda J. Garrett, JD Risk Management Services 707-792-4980 1

2 Topics Confidentiality laws Sharing information with each other Sharing information with third parties

3 Confidentiality - Basic Rule Never use or disclose private information about clients, patients, or employees UNLESS……. you MUST or you MAY

4 How do you know if you must or you may? Know what laws pertain to the kind of information you hold (what discipline within medicine created the information?) See what that law says about the use or disclosure

5 The laws Federal HIPAA – all “PHI” 42 CFR Part 2 – substance abuse tx programs State Civil Code 56.10 – general health info W&I Code 5328 – mental health info H&S Code 120980(g) – HIV test results

6 HIPAA “pre-emption analysis” Compare HIPAA to state law; if there is a conflict, follow HIPAA; if no conflict follow: Strictest law protecting privacy Most beneficial law providing patient rights

7 HIPAA “Must” and “May” Disclosures of PHI “Must” disclose: 1. Secretary of DHHS, if asked (e.g., HIPAA breach investigation) 2. Patient, if seeking “access” to own record (unless it will cause death or serious physical harm)

8 HIPAA “Must” and “May” Disclosures of PHI “Must” disclose: 1. Secretary of DHHS, if asked (e.g., HIPAA breach investigation) 2. Patient, if seeking “access” to own record (unless it will cause death or serious physical harm)

9 HIPAA disclosures –cont. “May” disclose 1. For treatment, payment or operations (45 CFR 164.506) 2. With “authorization” (45 CFR 164.508) 3. With opportunity to agree or object (45 CFR 164.510) 4. Without permission (45 CFR 164.512) as specified:

10 HIPAA “May” disclose –cont. Without permission includes uses and disclosures: a) Required by law b) For public health activities c) About victims of abuse, neglect or domestic violence d) Health oversight activities e) Judicial and administrative proceedings f) Law enforcement purposes g) Decedents h) Organ or tissue donation i) Research j) To avert threat to heath or safety k) Specialized government functions l) Workers compensation

11 Examples of “must disclose” (CA law) Reporting child abuse and neglect --------------------------------- Reporting elder abuse/neglect Court orders *Tarasoff “duty to warn”

12 Most common “may” disclosure applies to all disciplines: To third parties with permission from the patient/client Get signed written permission on a HIPAA- compliant authorization form

13 Collaboration with others One of Affordable Care Act’s goals is patient-centered care, collaboration and cooperation amongst providers How do you share information with other providers, e.g. primary care and drug/alcohol without violating privacy rules?

14 HIPAA “collaboration” rule (not the strictest rule!) PHI may be shared with other health care providers for “treatment” purposes (164.506) “Treatment” defined to include provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. (164.501)

15 Permissive Disclosures Between Health Care Providers – California Rule - general health info Civil Code 56.10 (general health info) (a) no disclosure w/o patient authorization except as provided in (b) and (c) below (b) when it MUST be disclosed (1) through (9) (c) when it MAY be disclosed (1) through (20)

16 56.10(c)(1) General health information may be disclosed to providers of health care, health care service plans, contractors, or other health care professionals or facilities for purposes of diagnosis or treatment of the patient. Note: “unauthorized access” by health care staff (snooping) is specifically prohibited under state and federal law and is a privacy breach that must be reported!

17 CA rule - Permission Disclosures – Mental Health information Welfare & Institutions Code 5328 (mental health info): No disclosure of mental health information w/o authorization from the client except as provided below: (a) through (x)

18 W&I 5328(a) disclosure is permitted “to professionals ‘within the facility’ who are providing services or appropriate referrals”, or “in the course of conservatorship proceedings”, or “to ‘qualified professionals’ outside the facility who have medical or psychological responsibility for the care of the (client) patient”.

19 Disclosures of SA info – very strict 42 CFR Part 2 42 CFR Part 2 has only 3 exceptions to rule that you must first get permission from client before disclosing info to third parties (including other health care providers) about the client: Police emergency Child abuse/neglect reporting Medical emergency

20 Disclosing SA info –cont. Patient “consent” (authorization to use and disclose) is required for nearly every disclosure other than communication within a program or between a program and an entity that has direct administrative control over the program Drug and Alcohol Treatment Programs may NOT share information with the client’s providers who are OUTSIDE the treatment program without patient authorization - 42 CFR Part 2

21 SA info is “in the vault” You must get permission BEFORE you share SA information with non-SA providers including those other disciplines within the integrated system of care and on the “team” you have created UNLESS you want EVERYONE to follow 42 CFR Part 2 (you don’t!)

22 Will the law change to reflect ACA goals? Maybe…. To date, no change in 42 CFR Part 2 that would permit disclosures of alcohol/drug treatment program information to other healthcare providers for treatment purposes, in non-emergency situations 22

23 Statutory language 42 USC 290dd-2 Confidentiality of Records. (b) Permitted Disclosure (2) Method for disclosure. Whether or not the patient…gives written consent, the content of such record may be disclosed as follows: (A) To medical personnel to the extent necessary to meet a bona fide medical emergency.

24 42 CFR Part 2 –continued (Regulations Language) Medical Emergency – 42 CFR Subpart D, Disclosures without Patient Consent Section 2.51 – Medical emergencies. (a) General Rule. …patient identifying information may be disclosed to medical personnel who have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.

25 42 CFR Part 2 -continued A Proposal to Promote Coordination of Care an Strengthen Patient Protections under the Federal Alcohol and Drug Abuse Confidentiality Law, Prepared for the Patient Protection Coalition, February 5, 2010 Primary Lead: Renee Popovits, Esq., and Eric Goplerud, Ph.D. – George Washington University

26 42 CFR Part 2 -continued Proposed language: 42 USC 290dd-2 Confidentiality of Records (b) Permitted disclosure (2) Method for disclosure. (D) To and among health care providers and health plans for purposes of providing or coordinating health care and related services, or implementing recovery support services, or quality improvement or disease management programs with respect to the individual who is the subject of the record referred to in subsection (a).

27 42 CFR Part 2 -continued Proposal also includes many more protections for patients to discourage breaches etc. At this time Legal Action Center is leading the fight against any change in the existing law and wrote the June 17, 2010 SAMHSA position paper on “Applying the Substance Abuse Confidentiality Regulations to HIE”

28 Confidentiality: Multi-disciplinary teams Multi-disciplinary teams – two types 1. Health care providers only – often within an “integrated system”: seeking collaboration for treatment purposes, often from various disciplines 2. Mixed teams: Health care providers and non- healthcare providers (e.g., social services, law enforcement, probation, school, Bd. of Supervisors) 28

29 MDTs – healthcare providers only General health information and mental health information may be disclosed for “treatment purposes” (HIPAA, Civil Code 56.10, and W&I 5328) For example (mental health info), in communications with other qualified professionals (any discipline), in the provision of services or appropriate referrals, who have “medical or psychological responsibility” for the patient’s care But SA cannot share their information without “consent” – get this permission before starting treatment if possible! 29

30 MDTs – Mixed Teams there are several possible ways to handle confidentiality issues where no health care providers can share with “outside” third parties: The EASIEST: get written authorization! OR De-identify the information (“we have a 27 year old homeless female who recently received services from the shelter but was then arrested for public intoxication and is now back on the streets and in need of behavioral health services – can you help find some financial resources and housing for her?”) 30

31 Integrated Recordkeeping – Paper Chart With permission, ok to use one paper chart that includes substance abuse tx program records Without permission, drug and alcohol chart must be maintained separately and kept apart from other records (access only by treatment team WITHIN the drug/alcohol program and administrative staff with a need to know) 31

32 Integrated Recordkeeping – Electronic Record Without permission, name connected to drug/alcohol doesn’t register when entered into system With permission, name registers as being within the system and drug/alcohol information may be accessed on a need to know basis 32

33 Subpoena’s – tell your supervisor or call privacy officer! MH and SA - need subpoena PLUS 1. authorization from client, OR 2. court order (if SA: order only AFTER client has opportunity to a full hearing in court on the matter)

34 Policies and procedures Use HIPAA Notice of Privacy Practices outlining how you intend to share information for treatment purposes and to contact patient, remind them of appointments etc. Train all staff on the need to get authorization to share SA information with other disciplines within your program prior to sharing such information with members of the team Train all staff on differences between various laws protecting confidentiality of medical, mental health, and SA information

35 Questions??


Download ppt "CONFIDENTIALITY: ISSUES AND CONCERNS FOR INTEGRATED SETTINGS Alameda Health Consortium Behavioral Health Integration Initiative Monday, December 17, 2012."

Similar presentations


Ads by Google