Page 1 NC DHHS HIPAA PMO - PowerPoint PPT Presentation

Slides: 96
Provided by: sbro98

Transcript and Presenter's Notes

1
Presented By: NC DHHS HIPAA Program Management Office Staff
Sarah Brooks, MPA, RHIA, CPM
Julie Burton, BS (HIM), CPM
April-May 2002
2
Welcome / Announcements
  • Introduction of Speakers
  • Facilities
  • Lunch Possibilities
  • Handouts
  • Slides on Website
  • http://dirm.state.nc.us/hipaa/
  • Questions
  • Use of Term Client

3
PART ONE
4
Training Objectives
  • Comprehensive understanding of HIPAA Privacy
    Regulations
  • Review NC DHHS Compliance Process
  • Relate HIPAA Privacy Regulations to NC DHHS
    operations
  • NOTE: Presentation geared to state agencies
  • Prerequisite
  • Basic understanding of privacy and
    confidentiality practices in health care

5
HIPAA Core Privacy Training Agenda
TOPIC: PRESENTER
  • Welcome/Announcements: Sarah Brooks
  • HIPAA Overview: Sarah Brooks
  • Privacy Introduction: Julie Burton
  • Consents and Authorizations: Sarah Brooks
  • BREAK (15 Minutes)
  • Consents and Authorizations (continued): Sarah Brooks
  • Client Rights: Julie Burton
  • Use and Disclosure: Sarah Brooks
  • LUNCH (1 Hour, 15 Minutes)
  • Use and Disclosure: Sarah Brooks
  • Minimum Necessary/Accounting of Disclosures: Julie Burton
  • BREAK (15 Minutes)
  • Business Associates: Julie Burton
  • Administrative Requirements: Sarah Brooks
  • Compliance and Enforcement: Julie Burton
  • Guidance, NPRM and Anticipated Modifications: Julie Burton
  • Implementation: Sarah Brooks
  • Please Turn in Evaluation Form
6
(No Transcript)
7
Purpose of HIPAA
  • Improve portability and continuity of health
    insurance coverage in the group and individual
    markets
  • To combat waste, fraud, and abuse in health
    insurance and health care delivery
  • To promote the use of medical savings accounts
  • To improve access to long-term care services and
    coverage; and
  • To simplify the administration of health insurance

8
How the Law is Structured
  • HIPAA is divided into five titles - each
    addresses a unique aspect of health insurance
    reform.
  • Title II is also known as Administrative
    Simplification
  • If Congress did not adopt legislation to enact
    Administrative Simplification, HHS was charged
    with promulgating rules
  • HHS was limited to enacting rules based on
    statutory language

9
Standards for Compliance
  • Electronic Transactions
  • Compliance required 10/16/02
  • With a plan filed, compliance extended to
    10/16/03
  • Claims Attachments
  • Not drafted
  • Unique Health Identifiers
  • Employer, Health Plan, Provider, and Individual
    Identifiers
  • Compliance Deadline 24 months after publication

10
Standards for Compliance (cont'd)
  • Privacy
  • Compliance required 4/14/03
  • Proposed Amendments 3/27/02
  • NOTE: Extension of Transaction compliance DOES
    NOT extend Privacy Compliance
  • Security and Electronic Signatures
  • Proposed regs issued August 12, 1998
  • Security final regs not yet published
  • Enforcement
  • Not yet drafted

11
Impact of Not Complying
  • Possible litigation
  • Potential withholding of federal Medicaid and
    Medicare funds
  • Penalties
  • Civil Monetary for violations of each standard
  • Wrongful disclosure of protected health
    information

12
Terms You Should Know
  • To understand HIPAA, there are some important
    terms you must know
  • They are
  • Covered Entity
  • Hybrid Entity
  • Health Care Component

13
Covered Entity
  • Limited to Covered Entities
  • Health care providers who electronically transmit
    health information in connection with a standard
    transaction
  • Physicians, Hospitals, Labs, Public Health
    Departments
  • Excludes providers who submit transactions on
    paper
  • Health plans (provides or pays the cost of
    medical care)
  • Medicaid, Medicare, Blue Cross
  • Excludes Workers' Comp, Disability, WIC,
    Government-funded programs like Willie M (Income
    replacement, Public safety net programs, ...)
  • Health care clearinghouses (narrowly defined to
    those that translate data from non-standard to
    standard format)

14
Hybrid Entity
  • A Hybrid Entity is
  • A single legal entity that is a covered entity
    and whose covered functions are not its primary
    functions
  • The hybrid entity is the covered entity
  • DHHS is a hybrid entity
  • The hybrid entity is responsible for ensuring
    that its health care components comply with the
    rules

15
Health Care Component
  • DHHS is made up of health care components
    (often called covered health care components)
  • A health care component is a component of a
    covered entity that performs covered functions
    that qualify the component as a Health Care
    Provider, Health Plan, or Health Care
    Clearinghouse

16
Hybrid Entity
[Diagram: DHHS Hybrid Entity, showing Health Care Components, Non-Health Care Components, Covered Functions and a Non-Covered Function]
17
Who Is Covered in DHHS
  • Division of Mental Health, Developmental
    Disabilities and Substance Abuse Services
  • Substance Abuse Section, Adult Services
  • Substance Abuse Section, Adolescent Services
  • 12 state operated institutions (each institution
    and center is covered in its entirety)
  • 4 Psychiatric Hospitals
  • 5 Mental Retardation Centers
  • 2 Alcohol and Drug Abuse Treatment Centers
  • NC Special Care Center

18
Who Is Covered (cont'd)
  • Division of Medical Assistance
  • Entire Division is Covered Health Care Component
  • Division of Public Health
  • State Laboratory
  • 13 state operated DECs (each center is covered in
    its entirety)
  • Office of Education
  • Governor Morehead School, Medical Services Unit

19
Health Care Component
  • Another component of the covered entity is part
    of the entity's health care component to the
    extent that
  • (i) It performs, with respect to a health care
    component, activities that would make such other
    component a business associate of the health care
    component if the two components were separate
    legal entities and
  • (ii) The activities involve the use or disclosure
    of protected health information.

20
Others Who Are Impacted
  • DHHS areas which provide business services that
    require the use or disclosure of health information
    owned by a covered health care component
  • DIRM
  • Office of the Controller
  • Others - not yet identified

21
DHHS Responsibilities
  • To ensure covered health care components within
    the hybrid entity (DHHS) comply with the HIPAA
    regulations
  • Ensure that transactions between DHHS health care
    components and local agencies (e.g., MH/DD/SA
    area programs, local public health departments,
    county DSS) comply with HIPAA regulations

22
QUESTIONS? Next: Introduction to the Privacy Rule
23
(No Transcript)
24
HIPAA Privacy Regulations Milestones
  • HIPAA Act required privacy rules by 6-21-99
  • Congress did not act--HHS drafted privacy rules
  • Draft rules published in Federal Register 11-3-99
  • Over 52,000 comments
  • Final Rule Published 12/28/00
  • 2nd Comment period 2/28/01, plus >11,000
  • Privacy Rules effective 4-14-01
  • Privacy Rules implementation by 4-14-03
  • Guidance in July, 2001
  • Notice of Proposed Rule Making (NPRM) 3-27-02

25
Why Do We Need Privacy Regulations?
  • The Privacy Regulations establish a federal floor
    of safeguards to protect the confidentiality of
    health information.
  • With information broadly held and transmitted
    electronically, the old system of paper records
    in locked filing cabinets is not enough.
  • The general public has had to rely on a patchwork
    of state and federal laws to protect health
    information.

26
What Do The Privacy Regulations Cover?
  • Preempts state law unless state laws are more
    stringent
  • Requires a Notice of Privacy Practices
  • Requires consent to use or disclose information
    for TPO
  • Limits the amount of information to be used or
    disclosed to what is minimally necessary
  • Establishes requirements for use of protected
    health information in a Facility Directory
  • Identifies use and disclosure for which an
    authorization is or is not required

27
What Do The Privacy Regulations Cover?
(cont)
  • Establishes client right to access his health
    information and limits situations wherein access
    can be denied
  • Establishes client right to request amendment to
    his health information
  • Establishes requirement for de-identification of
    health information that can be disclosed with or
    without consent or authorization
  • Provides special protections for psychotherapy
    notes
  • Establishes a protocol for using protected health
    information for marketing and fundraising

28
What Do The Privacy Regulations Cover?
(cont)
  • Establishes client right to an accounting of
    disclosures
  • Specifies who may consent or authorize disclosure
    of information on behalf of the client
  • Requires designation of a privacy officer and a
    contact person for complaints
  • Requires identification of members of the
    workforce who need access to PHI and categories
    of information to which access is needed
  • Requires training of all staff members

29
What Do The Privacy Regulations Cover?
(cont)
  • Requires appropriate administrative, technical
    and physical safeguards to protect health
    information
  • Requires new policies and procedures
  • Establishes content or documentation
    requirements for policies, procedures, notices,
    consents, authorizations, amendments, accounting
    of disclosures, complaints and compliance
  • Addresses fees that may be charged for
    unauthorized disclosures
  • Requires compliance by April 14, 2003

30
Purpose of Privacy Regulations
  • Gives clients more control over their health
    information.
  • Sets boundaries on the use and disclosure of
    health records.
  • Establishes appropriate safeguards health care
    providers and others must achieve to protect
    privacy of client information.
  • Holds health care providers accountable with
    civil and criminal penalties if they violate
    clients' privacy rights.

31
Objectives of Privacy Regulations
  • To ensure each covered health care component
    protects the health information it maintains.
  • To ensure a client's health information is not
    used inappropriately.
  • To ensure the minimum amount of information is
    used or disclosed whenever possible.
  • Does not apply to treatment
  • To ensure clients have more control over when and
    how their personal health information is used.

32
Scope of Privacy Regulations
  • Includes all medical records and other protected
    health information maintained by a health care
    provider or a health plan.
  • Covers information in any format
  • Paper
  • Electronic
  • Oral
  • Affects use and disclosure of all client health
    information

33
What Does HIPAA Privacy Mean to You
Personally?
  • You have a right to privacy mandated through
    federal regulations
  • You have a right to knowledge and education on
    privacy protections
  • You have a right to more control over your health
    information
  • You have a right to access your health
    information
  • You have a right to know who else is looking at
    your health information

34
What Does HIPAA Privacy Mean To You
Professionally?
  • HIPAA impacts the majority of health care
    operations of a health care provider
  • More than just a medical records issue
  • Privacy training required for all staff
  • HIPAA requires modifications in how health
    information is handled and maintained
  • More client involvement in use and disclosure
  • More accountability about use and disclosures
  • HIPAA requires training and education of
    workforce that ensures knowledge of requirements.

35
Name That Rule
  • The privacy regulation is broken down into rules
  • Part 160 General Admin Requirements for Admin
    Simplification
  • Part 164 Privacy
  • 164.501 Definitions
  • 164.502 Use and Disclosure - General Rules
  • 164.504 Use and Disclosure - Organizational
    Requirements
  • 164.506 Consent for Use and Disclosure - TPO
  • 164.508 Use and Disclosure - Authorization Required
  • 164.510 Use and Disclosure - Opportunity to
    Agree/Object
  • 164.512 Use and Disclosure - Agree/Object Not
    Required
  • 164.514 Use and Disclosure - Other Requirements
  • 164.520 Notice of Privacy Practices
  • 164.522 Right to Request Restrictions
  • 164.524 Right of Access to information
  • 164.526 Amendment of information
  • 164.528 Accounting of Disclosures
  • 164.530 Administrative Requirements
  • 164.532 Transition Provisions

36
Sections of the Privacy Regulations
  • Section I Background and Purpose
  • Basic information about need for rule
  • Section II Preamble
  • General information about each rule
  • Section III Comments
  • Comments to questions about rules
  • Section IV Impact Cost Analysis
  • Section V Privacy Standards
  • Only 31 pages is the Regulation!!

37
Administrative Simplification??
  • Attempting to get through all the rules,
    questions, comments, preamble, helpful hints,
    etc. is definitely not simple.
  • Just understanding how the Privacy Regulation is
    put together helps the reader know where to go to
    find answers.

38
Putting It All Together
  • Assemble all pertinent information
  • Part 160 and Part 164
  • Preamble
  • Comments
  • Guidance/NPRM
  • Get familiar with definitions
  • Organize materials by rule (Notebook in PMO)
  • Electronic version on web (section by section)
  • http://www.bricker.com/hipaa/hipaaindex.asp
  • Read one rule at a time
  • Read the Preamble about that rule then
  • Read the comments about that rule

39
It Helps To Know
  • That in the privacy regulation, a Rule and a
    Standard are the same thing.
  • That HHS intends for the privacy regulations to
    be flexible and fit the needs of the health care
    provider, taking into account the provider's size
    and resources.
  • HIPAA calls this SCALABILITY
  • That individually identifiable health information
    (IIHI) in Part 160 is called protected health
    information (PHI) in Part 164

40
Individually Identifiable Health
Information (IIHI)
  • Any information, including demographic
    information collected from an individual, that
  • a) Is created or received by a health care
    provider, health plan, employer, or health care
    clearinghouse and
  • b) Relates to the past, present, or future
    physical or mental health or condition of an
    individual, the provision of health care to an
    individual, or the past, present, or future
    payment for the provision of health care to an
    individual, and
  • (i) Identifies the individual, or
  • (ii) With respect to which there is a reasonable
    basis to believe that the information can be used
    to identify the individual

41
Protected Health Information (PHI)
  • Individually identifiable health information
    (IIHI) that becomes protected health information
    (PHI) in Part 164.
  • Maintained on Paper
  • Oral
  • Electronic

42
It's Good to Know
  • Privacy and Security go hand-in-hand
  • Privacy - What
  • Individually Identifiable Health Information
    (IIHI) defined in Part 160 becomes protected
    health information (PHI) in Part 164
  • Security - How
  • Protect information from accidental or
    intentional disclosure and from alteration,
    destruction or loss

43
What Can I Learn From The Privacy
Regulations?
  • No one regulation stands alone. They intertwine
    with each other.
  • The central theme in each regulation is PRIVACY.
  • How and when Protected Health Information can be
    used and disclosed.
  • How consent and authorization are different.
  • When you have to obtain consent.
  • When you also have an authorization.

44
What Can I Learn From The Privacy
Regulations? (cont)
  • How HIPAA client rights differ from the
    existing mental health laws regarding client
    rights.
  • How to determine who is a Business Associate.
  • What it means to release only minimally necessary
    information.
  • Just to name a few...

45
What Constitutes A Covered Component?
  • Being a health care provider
  • person or entity that furnishes, bills, or is
    paid for health care in the normal course of
    business
  • Being a health care plan
  • individual or group plan that provides or pays
    for medical care
  • Using and maintaining protected health
    information
  • Transmitting certain financial and/or
    administrative transactions electronically

46
Who Must Comply With HIPAA Privacy in DHHS
  • Health Care Providers
  • DMH/DD/SAS (12 Institutions and two workgroups in
    the Central Office)
  • DPH (State Laboratory)
  • Office of Education (One workgroup at the
    Governor Morehead School for the Blind)
  • The 13 state operated DECs are health care
    providers that are covered under the Family
    Educational Rights and Privacy Act (FERPA) which
    HIPAA exempts
  • Health Care Plan
  • DMA

47
What is Covered?
  • HEALTH INFORMATION
  • HEALTH INFORMATION that is individually
    identifiable
  • HEALTH INFORMATION that is created or received by
    a covered health care component
  • HEALTH INFORMATION in a Designated Record Set

48
Designated Record Set
  • The Privacy Regulations address protected health
    information that is maintained in a designated
    record set.

49
Define Record
  • Record
  • any item, collection, or grouping of information
  • includes PHI
  • maintained, collected, used or disseminated by or
    for a covered health care component

50
Define Designated Record Set
  • Designated Record Set
  • Group of records about a client that is
    maintained by or for a covered health care
    component that includes
  • Records maintained by health care providers
  • Records maintained by or for a health plan
  • Records that are used whole or in part to make
    decisions about a client.

51
Examples of Designated Record Set
  • Financial Records
  • Enrollment/Payment/Claims adjudication
  • Patient Accounts folder
  • Medical Records
  • Case Management Records
  • Hearts and HSIS Systems

52
When Is It Covered?
  • Let me count the ways
  • When you use it
  • When you disclose it
  • When you store it
  • When you see it on your computer
  • When it is lying on your desk
  • When you share it with another health care
    provider
  • When you share it with a contracted service
    provider
  • When you are talking about it face to face
  • When you are talking about it over the phone
  • ARE YOU GETTING THE PICTURE?????

53
What is Not Covered?
  • When it is NOT protected health information!
  • De-identified Health Information
  • Information that is de-identified is no longer
    considered to be protected health information,
    and is thus exempt from the other provisions of
    the regulation.
  • Means of De-Identifying
  • Removing
  • Coding
  • Encrypting
  • Otherwise eliminating or concealing

54
De-identifying Health Information
  • Name
  • Geographic subdivisions smaller than a state
    including
  • Street address
  • City
  • County
  • Zip codes and their equivalent geocodes, except for
    the initial three digits of a zip code if
  • The geographic unit formed by all zip codes with
    the same 3 digits contains more than 20,000
    people and,
  • The initial three digits of a zip code for all
    geographic units containing 20,000 or fewer
    people is changed to 000

55
De-identifying Health Information
  • All elements of dates (except year) for all dates
    directly related to an individual, including
  • Birth date
  • Admission date
  • Discharge date
  • All ages over 89 and all elements of dates
    (including year) indicative of such age; can
    aggregate into a single age category of 90 or
    older
  • Telephone numbers
  • Fax Numbers
  • Electronic mail addresses
  • Social Security Numbers
  • Medical Record Numbers
  • Health plan beneficiary number

56
De-identifying Health Information
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers
  • Device identifiers and numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers
  • Full face photographic images and comparable images
  • Any other unique identifier, code, etc.

57
De-identification of PHI
  • Covered health care components will need to
    review reports currently used and disclosed
  • If reports contain identifying information
  • Determine if report can be changed to be
    de-identified
  • If de-identification not possible, determine
    purpose of report and areas that receive report
  • Verify report recipients need all information
    contained on report
  • Best Practice for reports distributed outside of
    component - de-identification
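
Added example (not part of the original presentation): one way to apply the identifier list from the de-identification slides above to a structured report row before it leaves a component. The field names, the pass-through allowlist and the zip-prefix population table are assumptions constructed for illustration.

```python
import re
from datetime import date

# Hypothetical field names for identifiers the slides say must be removed.
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = {"admission_date", "discharge_date"}
# Assumed allowlist of fields reviewed as non-identifying.
PASS_THROUGH = {"state", "sex", "diagnosis_code"}
# Constructed population counts per 3-digit zip prefix (not real census data).
ZIP3_POPULATION = {"276": 950_000, "059": 12_000}

AGE_CAP_LABEL = "90 or older"


def deidentify_zip(zip_code, zip3_population):
    """Keep the first three digits only if that area holds more than 20,000 people."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return "000"  # malformed input: fail closed
    prefix = digits[:3]
    # Unknown prefixes count as population 0, so they also become 000.
    return prefix if zip3_population.get(prefix, 0) > 20_000 else "000"


def age_on(born, as_of):
    """Whole years between a birth date and a reference date."""
    before_birthday = (as_of.month, as_of.day) < (born.month, born.day)
    return as_of.year - born.year - before_birthday


def deidentify(row, as_of, zip3_population=ZIP3_POPULATION):
    """Return (clean_row, removed_identifiers, unreviewed_fields).

    Anything that is not transformed or explicitly allowlisted is withheld.
    """
    clean, removed, unreviewed = {}, [], []
    for field, value in row.items():
        if field == "zip":
            clean["zip3"] = deidentify_zip(value, zip3_population)
        elif field == "birth_date":
            born = date.fromisoformat(value)
            # A birth year that reveals an age over 89 is itself an identifier.
            over_89 = age_on(born, as_of) > 89
            clean["birth_year"] = AGE_CAP_LABEL if over_89 else born.year
        elif field in DATE_FIELDS:
            year_field = field.replace("_date", "_year")
            clean[year_field] = date.fromisoformat(value).year
        elif field == "age":
            clean["age"] = AGE_CAP_LABEL if int(value) > 89 else int(value)
        elif field in PASS_THROUGH:
            clean[field] = value
        elif field in IDENTIFIER_FIELDS:
            removed.append(field)
        else:
            unreviewed.append(field)  # e.g. free text that may hide identifiers
    return clean, sorted(removed), sorted(unreviewed)


# Constructed sample report row; every value is made up.
SAMPLE_ROW = {
    "name": "Constructed Person A",
    "ssn": "000-00-0000",
    "zip": "27603-1234",
    "state": "NC",
    "birth_date": "1950-06-01",
    "admission_date": "2002-03-15",
    "diagnosis_code": "296.20",
    "notes": "free-text comment",
}

if __name__ == "__main__":
    clean, removed, unreviewed = deidentify(SAMPLE_ROW, as_of=date(2002, 5, 1))
    print(clean)
    print("removed:", removed)
    print("withheld pending review:", unreviewed)
```

Fields that are neither transformed nor on the allowlist are withheld rather than passed through, so a new report column has to be reviewed before it is distributed outside the component.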

58
HIPAA Regulations in Electronic Form
  • HIPAA Regulations may be located on the website
    of the US Dept of HHS
  • http://aspe.hhs.gov/adminsimp/Index.htm
  • Two versions
  • Text version - Easier to download/revise/search/find
  • PDF version - Must have Adobe Acrobat
  • Text version does not retain the same page
    numbers as the Federal Regulation. PDF version
    does retain same page numbers.

59
QUESTIONS? Next: Consents and Authorizations
60
(No Transcript)
61
(No Transcript)
62
(No Transcript)
63
Prerequisite Concepts
  • Treatment, Payment, and Health Care Operations
    (TPO)
  • Direct and Indirect Treatment Relationships
  • Use and Disclosure

64
(No Transcript)
65
Treatment
  • Provision, coordination or management of health
    care and related services
  • Coordination and management of health care by a
    health care provider with a third party (e.g.,
    HMOs)
  • Consultations among health care providers
  • Referrals of patients from one health care
    provider to another (e.g., institution to area
    program)

66
(No Transcript)
67
Payment
  • Activities by a health plan to obtain premiums
    (not applicable to Medicaid) or fulfill
    obligations for coverage and the provision of
    benefits (e.g., Medicaid eligibility)
  • Activities by either a provider or a health plan
    to obtain or provide reimbursement (e.g.,
    Medicaid payment of claims; provider filing of
    claims)

68
Examples of Payment
  • Billing and Claims Management (e.g., filing
    claims, remittance advices, adjudication of
    claims)
  • Determinations of eligibility or coverage
    (including Coordination of Benefits (COB) and
    determination of cost sharing amounts)
  • Risk adjusting amounts due (e.g., Monthly
    Medicaid Liability, Ability to Pay)
  • Utilization Review Activities (e.g.,
    pre-certification, prior approval, concurrent and
    retrospective reviews)

69
Examples of Payment
  • Debt Collections
  • Includes release of PHI by a health care provider
    to an insurer that is not a health plan to
    obtain payment (e.g., PHI may be disclosed to
    obtain reimbursement from a disability insurance
    carrier)
  • Obtaining information about the location of the
    client is a routine activity to facilitate the
    collection of amounts owed and the management of
    accounts receivable

70
Release of Payment Information
  • A covered health care component may release only
    the PHI about the client for its payment
    activities (e.g., can't use PHI of a family
    member)
  • One covered health care component may not
    disclose PHI for payment activities of a second
    covered health care component (e.g., Dix can't
    disclose PHI to Wake Medical Center for a client
    they did not refer)

71
Release of Payment Information
  • Covered health care components may release PHI
    for payment purposes to non-covered components
  • For example, Western Carolina Center may disclose
    protected health information to a financial
    institution in order to deposit a check into a
    client's account

72
Release of Payment Information
  • May release the following PHI to consumer credit
    reporting agencies (e.g., Equifax) in order to
    collect premiums or reimbursement
  • Name and address
  • Date of birth
  • Social Security Number
  • Payment history
  • Account number
  • Name and address of health care provider and/or
    health plan

73
(No Transcript)
74
Health Care Operations
  • Quality assessment and improvement activities
  • Outcomes evaluation and development of clinical
    guidelines
  • Case management and care coordination
  • Contacting health care providers and clients with
    information about treatment alternatives
  • Competency and performance reviews
  • Reviewing competence/qualifications of health
    care professionals
  • Evaluating practitioner and provider performance
  • Health plan performance
  • Conducting training programs
  • Students, trainees, or practitioners in areas of
    health care learn under supervision to practice
    or improve their skills as health care providers
  • Training of non-health care professionals

75
Health Care Operations
  • Accreditation, Certification, Licensing
  • Credentialing
  • Underwriting and other insurance related
    activities
  • Medical review
  • Legal services
  • Auditing functions (including fraud and abuse
    detection and compliance programs)
  • Business planning and development

76
Health Care Operations
  • Business management and general administrative
    activities
  • Activities relating to implementation of and
    compliance with the HIPAA regulations
  • Customer service
  • Resolution of internal grievances
  • Due diligence in connection with the sale or
    transfer of assets
  • Creating de-identified health information
  • Some fund-raising and marketing

77
Direct vs. Indirect Treatment Relationship
  • Direct Treatment Relationship
  • Treatment relationship between an individual and
    a health care provider that is not an indirect
    treatment relationship (hands on, face to face)
  • Indirect Treatment Relationship
  • Relationship between an individual and a health
    care provider in which
  • The health care provider delivers health care to
    the individual based on the orders of another
    health care provider and
  • The health care provider typically provides
    services or products, or reports the diagnosis or
    results associated with the health care, directly
    to another health care provider, who provides the
    services or products or reports to the individual

78
Use vs. Disclosure
  • Use
  • The sharing, employment, application,
    utilization, examination, or analysis of
    Protected Health Information (PHI) within the
    covered health care component that maintains the
    PHI.
  • Disclosure
  • The release, transfer, provision of access to, or
    divulging in any other manner of PHI outside the
    covered health care component holding the
    information.

79
Consent vs. Authorization
  • Consent
  • Written consent required before direct treatment
    provider may use PHI for TPO (with some specific
    exceptions covered later)
  • If client refuses to sign consent
  • health care provider can deny treatment
  • health plan may condition enrollment on provision
    of consent (if health plan chooses to obtain
    consent)
  • Expiration date not required
  • General language
  • Authorization
  • Required for all non-TPO uses/disclosures not
    otherwise permitted by law
  • Customized document that gives permission to use
    specified PHI for specified purposes or disclose
    to specified third party
  • If client refuses to sign authorization, health
    care provider can not deny treatment
  • Expiration date required
  • Precise language

80
(No Transcript)
81
Consent Required
  • In most cases, Health Care Providers in a direct
    treatment relationship must obtain consent
  • To access PHI for treatment, payment or health
    care operations
  • To use PHI for treatment, payment or health care
    operations
  • To disclose PHI for treatment, payment or health
    care operations

82
Consent - Not Required
  • Consent for Use and Disclosure of PHI for
    Treatment, Payment and Health Care Operations is
    not required when
  • Health Care Provider has indirect treatment
    relationship with client (e.g., Lab, Xray)
  • Direct care provider consent covers indirect
    treatment providers
  • When health care providers with direct treatment
    relationship consult with another health care
    provider, the provider being consulted does not
    need to obtain consent
  • Client is an inmate as defined under 164.501 (may
    apply to Pre-Trial clients at Dix, House Bill 95
    clients, NGRI - awaiting final determination by
    AG)

83
Consent - Not Required
  • Consent for Use and Disclosure of PHI for
    Treatment, Payment and Health Care Operations is
    not required when (cont'd)
  • In the following situations, health care
    providers must document attempt to obtain consent
    and reason why not obtained
  • Emergency treatment situation
  • Unable to obtain consent due to substantial
    communication barriers and consent to receive
    treatment is inferred by client
  • When required by law to treat and unable to
    obtain consent (e.g., involuntary commitment)

84
Consent - Not Required
  • If a covered health care component not required
    to obtain consent chooses to obtain consent, the
    consent must meet the Privacy regulatory
    requirements for Consent
  • Indirect Treatment Provider (e.g., State Lab)
  • Health Plan (e.g., Medicaid)

85
Consent - Content Requirements
  • May be brief and written in general terms
  • Plain language
  • Inform client that information may be used and
    disclosed for treatment, payment and health care
    operations (TPO)
  • State client's right to review the provider's
    Notice of Privacy Practices, request restrictions
    and to revoke consent
  • Inform client that notice may change and how to
    obtain revised notice

86
Consent - Content Requirements
  • Client may revoke consent in writing
  • except to extent covered health care component
    has taken action in reliance on the consent
  • (Implementation Note)
  • revocation after service provided does not
    prevent billing
  • covered health care component does not have to
    retrieve PHI used or disclosed prior to
    revocation
  • Client may request restrictions on uses or
    disclosures of health information for TPO
  • Covered health care component does not have to
    agree to the requested restriction(s)
  • Covered health care component is bound by any
    restrictions to which they agree

87
Consent - Content Requirements
  • Dated and signed by client (or personal
    representative / legally responsible person)
  • (Implementation Note)
  • Do not need to verify Signature
  • Electronic consent is acceptable
  • Electronic signature on consents is acceptable if
    component adopts electronic signature standards

88
Combining Consents
  • Can combine with other legal consent forms
  • Example: Consent to Treatment / Benefits Assigned
  • Consent for TPO must be
  • visually and organizationally distinct from other
    consents
  • must be separately signed and dated by client
  • Cannot combine with Notice of Privacy Practices
  • Cannot combine with most authorizations
  • Exception in research

89
Consent - Administrative Issues
  • Client must be given covered health care
    component's Notice of Privacy Practices and may
    review the notice prior to signing the consent
  • If consent not obtained due to emergency or
    communication barriers, must obtain consent as
    soon as feasible
  • Consent only needed one time (even for treatment
    of unrelated conditions)
  • Providers may want to obtain consent each
    admission since it may be easier than locating
    prior consents

90
Consent - Administrative Issues
  • Certain integrated covered health care components
    may obtain one joint consent
  • DHHS as a single legal entity does not qualify
  • May need to consider in relation to local public
    health departments and area programs
  • If Health plans (e.g., Medicaid) choose to obtain
    consent, must obtain at time of enrollment
  • Local DSS agencies may be required to obtain the
    consent
  • Consent does not apply to psychotherapy notes
    (must have authorization)

91
(No Transcript)
92
Personal Representatives
  • Parent, guardian or other person acting in loco
    parentis usually has
  • authority to make health care decisions about
    minors
  • right to obtain access to health information
    about minor child
  • Exceptions
  • State or other law does not require consent of
    parent or other person before minor can obtain
    particular health care service
  • Personal Representative agrees to confidentiality
    between minor and provider

93
Personal Representatives
  • Step 1
  • Determine if minor is emancipated
  • Step 2
  • If minor not emancipated, determine if minor has
    authority to act on his/her own behalf with
    respect to PHI
  • Minor consents to his/her own health care (e.g.,
    mental health)
  • Minor can obtain service without consent of
    personal representative (e.g., court ordered)
  • Personal representative agrees to confidentiality
    between minor and provider
  • Provider believes child may be victim of abuse or
    neglect

94
Personal Representatives
  • Step 3
  • If steps 1 and 2 do not apply, confirm that
    parent, guardian, or person standing in loco
    parentis has authority to act on minor's behalf
  • Request copies of guardianship papers
  • If parent name is different from child, determine
    relationship to child
  • HHS Secretary Tommy Thompson
  • parents will have access about the health and
    well-being of their children, including
    information about mental health, substance abuse
    and abortion

95
QUESTIONS? Next: Consents and Authorizations (cont'd)
BREAK - 15 Minutes