HIPAA Training Workshop

1
HIPAA Training Workshop 2

• Trainer Kaye L. Rankin
• Rankin Healthcare Consultants, Inc.

2
Todays Topics

• Required Disclosures
• Uses and Disclosures Requiring an Opportunity to
  Agree or Object
• Uses and Disclosure Requiring a Signed
  Authorization
• Uses and Disclosures Permitted Without
  Authorization or an Opportunity to Agree or Object

3
Required Disclosures

• To the Individual
• To inspect and copy
• In response to a request for an Accounting of
  Disclosures
• To the Secretary
• To investigate or determine the covered entitys
  compliance.

4
Uses and Disclosures Requiring an Opportunity to
Agree or Object

• Facility Directories
• Involvement in the Individuals Care and
  Notification Purposes
• Family Members, Friends, and Others
• Disaster Relief Activities

5
Uses and Disclosures Requiring an Opportunity to
Agree or Object

• Family Members, Friends and others involved in
  the patients care
• When the Individual is present and has the
  capacity to make decisions obtain agreement
• When the individual is not present a decision
  may be made based on professional judgment
• Document the basis (an accounting of the
  disclosure is not required) Note Regulations
  initializing 330 grants do not provide for this
  disclosure without the individuals consent.

6
Involvement in the Individuals Care and
Notification Purposes

• TITLE 42--PUBLIC HEALTH
• CHAPTER I--PUBLIC HEALTH SERVICE,
• DEPARTMENT OF HEALTH AND HUMAN SERVICES
•  PART 51c--GRANTS FOR COMMUNITY HEALTH SERVICES
• Sec. 51c.110 Confidentiality.
• All information as to personal facts and
  circumstances obtained by the project staff
  about recipients of services shall be held
  confidential, and shall not be divulged without
  the individual's consent except as may be
  required by law or as may be necessary to provide
  service to the individual or to provide for
  medical audits by the Secretary or his designee
  with appropriate safeguards for confidentiality
  of patient records. Otherwise, information may be
  disclosed only in summary, statistical, or
  other form which does not identify particular
  individuals.

7
Involvement in the Individuals Care and
Notification Purposes

• Disaster Relief Purposes
• Federal, state or local government agencies
  engaged in disaster relief or
• Assistance organizations (like the Red Cross)
  authorized by law to assist in disaster relief
  efforts.
• Must limit to basic information only name, city
  of residence, age, sex and general condition
• Record an accounting of disclosure

8
Uses and Disclosures Requiring a Signed
Authorization

• Psychotherapy Notes
• Notes recorded by a mental health professional
  during private, joint, group or family counseling
  sessions
• Exceptions for treatment, payment and health care
  operations
• Use by the originator for treatment
• Training, for CEs own purposes, under
  supervision to practice or improve skills
• CE defense of legal action
• Exceptions to comply with law and health oversight

9
Uses and Disclosures Requiring a Signed
Authorization

• Marketing
• To make a communication about a product or
  service that encourages recipients of the
  communication to purchase or use the product or
  service, unless its to describe your own products
  or services, for treatment, case management or to
  recommend alternative treatments.
• CE discloses PHI to other entities for direct or
  indirect remuneration.

10
Uses and Disclosures Permitted Without Consent,
Authorization or an Opportunity to Agree or Object

• Required by Law
• Mandate contained in law that compels a CE to
  make a use or disclosure of PHI and that is
  enforceable in a court of law
• Court orders, warrants, subpoena
• Medicare conditions of participation
• Other statutes and regulations
• Disclosures must comply with law and be limited
  to the relevant requirements of law
• An accounting of disclosure is required

11
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Public Health Activities
• Controlling disease, injury or disability.
  Report communicable disease or someone at risk of
  contracting or spreading the disease
• To an official of a foreign govt. if
  collaborating with a public health authority
• To report child abuse or neglect
• To a person subject to the jurisdiction of FDA
• To report communicable disease or someone at risk
  of spreading a disease or condition
• To an employer (medical surveillance, work
  related injury or illness

12
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Procedures
• Get the request in writing
• Verify identity and authority of the requestor
  and document that verification.
• Limit the disclosure to minimum necessary (note
  CE may rely on request as being minimum
  necessary)
• Record an accounting of the disclosure
• Retain documentation for 6 years

13
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Victims of Abuse, Neglect or Domestic Violence
• If CE reasonably believes that an individual has
  been a victim of abuse, neglect or domestic
  violence and report is made to an agency
  authorized by law to receive report
• As required by law, and limited to information
  relevant to law
• If the individual agrees, or
• In professional judgment CE believes the
  disclosure is necessary
• If the individual is incapacitated, a law
  enforcement or other public official represents
  that the disclosure is not intended to be used
  against the individual
• Inform the individual

14
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Victims of Abuse, Neglect or Domestic Violence
• Procedures
• Verify the identity and authority of the
  requestor
• Limit the disclosure to information relevant to
  law
• Inform the victim of the report (unless there is
  risk of harm)
• Record an accounting of the disclosure
• Retain documentation for 6 years

15
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Health care oversight
• For oversight activities authorized by law
• Audits
• Civil, administrative, or criminal
  investigations, inspections, licensure or
  disciplinary actions or other activities related
  to oversight
• Of the health care system
• Government benefit programs
• Entities subject to government regulatory
  programs
• Entities subject to civil rights laws pertaining
  to compliance

16
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Procedures Health care oversight
• Verify the identity and authority of the auditor
• Limit the disclosure to the minimum necessary
  (Note you may rely on auditors representation
  that the request is the minimum necessary)
• Record an accounting of the disclosure
• Retain documentation for a period of 6 years

17
Time for a BREAK!
18
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Standard for Judicial and Administrative
  Proceedings
• Judicial and Administrative Proceedings
• Order of a court or administrative tribunal
• Subpoena, discovery request or other lawful
  process not accompanied by an order of a court or
  administrative tribunal if
• Attempt has been made to notify the individual
• Reasonable efforts have been made by the
  requestor to secure a qualified protective order.

19
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Procedures Judicial and administrative
  proceedings
• California process will remain enforce but CEs
  will have to merge requirements when appropriate
• Verify the identity and authority of requestor
• Limit the disclosure to information expressly
  authorized by the order.
• Record an accounting of the disclosure
• Retain documentation related to the disclosure
  for 6 years.

20
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Law Enforcement
• Pursuant to process, required by law
• Identification and location
• Victim of a Crime
• Decedents to report a death from criminal conduct
• Crime on Premises
• Reporting Crime in Emergencies

21
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Procedures Law Enforcement
• Verify the identity and authority of the law
  enforcement official (document any
  representations)
• Limit the disclosure to information relevant to
  the stated purpose (basic information only for
  identification and location)
• Record an accounting of disclosure
• Retain all documentation related to the
  disclosure for 6 years

22
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Uses and Disclosures about Decedents
• To coroners and medical examiners
• To funeral directors
• To health care providers for the treatment of
  others (family member, etc.)
• To personal representative with legal authority

23
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Procedures Uses and Disclosures about Decedents
• Verify the identity and authority of requestor
• Limit the disclosure to information relevant to
  the stated purpose (basic information only for
  identification and location)
• Record and accounting of disclosure
• Retain all documentation related to the
  disclosure for 6 years

24
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Uses and Disclosures for Cadaveric Organ, Eye or
  Tissue Donation Purposes
• To organ procurement organizations or other
  entities engaged in
• Procurement
• Banking
• Transplantation

25
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Procedures Uses and Disclosures for Cadaveric
  Organ, Eye or Tissue Donation Purposes
• Verify the identity and authority of requestor
• Limit the disclosure to information the minimum
  amount of information only
• Record and accounting of disclosure
• Retain all documentation related to the
  disclosure for 6 years

26
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Uses and Disclosures for Research Purposes
• Disclosures preparatory to research (with
  representations from the researcher)
• If the information is de-identified
• If the information is a limited data set
• If the project is covered by an Institutional
  Review Board or a Privacy Board waiver
• Note An individual must authorize research that
  includes treatment.

27
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Uses and Disclosures Preparatory to Research
• May be disclosed by a CE without Authorization
  if
• PHI is sought solely to review PHI to prepare for
  research
• PHI is not removed from the site
• PHI is necessary for the research
• Representations should be documented

28
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Procedures Research
• Procedures for de-identifying data
• Procedures for creating a limited data set and
  requiring a data use agreement from the
  researcher
• Review of IRB Waiver or Privacy Board Waiver to
  ensure that all elements are completed.
• Retention of Documentation
• Record an accounting on the Disclosure History

29
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• To Avert a Serious Threat to Health or Safety
• Providers who believe in good faith that the use
  or disclosure is necessary to prevent or lessen a
  serious and imminent threat to the health and
  safety of a person or the public
• Law enforcement
• Any person or persons reasonably believed to
  prevent or lessen the threat
• Or, Is necessary for law enforcement to to
  identify or apprehend an individual
• Because of a statement of participation in a
  violent crime or
• The individual has escaped from a correctional
  institution or from lawful custody.

30
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• To Avert a Serious Threat to Health or Safety
• Exceptions
• If information Is learned in the course of
  treatment to affect the propensity to commit the
  criminal conduct, or counseling or therapy
• If information is learned through a request by
  the individual to initiate a referral for
  treatment, counseling or therapy.
• California law Duty to Warn

31
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Specialized Government Functions
• Military and Veterans Activities
• National Security and Intelligence Activities
• Protective Services for the President and others
• Medial Suitability determinations
• Correctional Institutions and other Law
  Enforcement Custodial Situations
• Covered Entities that are Government Programs
  Providing Public Benefits

32
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Military and Veterans Activities
• PHI to Armed Forces if
• Notice is published in the Federal Register
• PHI of individuals who are foreign military
  personnel to appropriate military authority if
• Notice is published in the Federal Register
• Notice must identify military authority and
  purpose for disclosure.

33
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• National Security and Intelligence Activities
• To authorized federal officials for
• Conduct of lawful intelligence
• Counter-intelligence
• Other national security activities authorized by
  the National Security Act

34
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Protective Services for the President and Others
• To authorized federal officials
• Provision of protective services to the President
  
• Provision of protective services to Heads of
  State
• For conduct of authorizations

35
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Medical Suitability Determinations
• Use of information by the Department of State

36
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Correctional Institutions and other Law
  Enforcement Custodial Situations
• If the law enforcement official represents that
  the information is necessary for
• Provision of health care to the individual
• The health and safety of the individual or other
  inmates
• The health and safety of the officers or
  employees of the institution or individuals
  transporting the individual
• The administrations and maintenance of the
  safety, security, and good order of the
  institution.

37
Uses and Disclosures Permitted Without
Authorization or an Opportunity to Agree or Object

• Covered Entities that are Government Programs
  Providing Public Benefits
• A health plan that is a government program
  providing public benefits may disclose PHI
  related to eligibility or enrollment
• CEs that are government agencies administering a
  government program may disclose PHI to other
  government agencies administering a government
  program

38
The Clock is Ticking!