THE ROLE OF ETHICS IN PROTECTING THE PRIVACY OF PERSONAL HEALTH INFORMATION

Transcript and Presenter's Notes

1
THE ROLE OF ETHICS IN PROTECTING THE
PRIVACY OF PERSONAL HEALTH INFORMATION
Brian Balicki, PhD, MHS
Director, Health Care Compliance Group, MACRO International, Inc
Project Director, SAMHSA's Privacy, Confidentiality, Data Security & Ethics Training Project
Rockville, Maryland
240-747-4736 (O)
866-447-2284, x1 (toll-free)
bbalicki_at_shs.net
2
AOD BASICS ...
3
HIPAA BASICS ...
4
QUESTION
What if Fred (and/or his colleague) is a card-carrying member of the American Mental Health Counselor Association (AMHCA)? How do compliance requirements change?
5
Intersection of AMHCA & AOD Confidentiality Protections
DISCLAIMER: The information herein is for reference use only and does not constitute the rendering of legal advice by CSAT/SAMHSA/HHS.
42 CFR Part 2
7
Why / how do privacy requirements change for individual AMHCA members (or any other professional)?
  • Stringency of AMHCA's ethics versus HIPAA and AOD privacy (i.e. mix of professionals in workforce)
  • Geographic location of employer (i.e. Alabama)
  • Federal statutes & regulations (involvement in electronic transactions, Federal funding streams, and service mix)
  • State laws & regulations

8
How does this affect compliance by health care organizations?
Any health care organization committed to privacy compliance and risk mitigation must have systems in place to integrate:
  • Privacy / ethics principles
  • Professional standards for privacy
  • Statutory requirements
  • Electronic and manual systems

9
Objectives of Presentation
  • PROFILE OF PRIVACY & ETHICS COMPLIANCE ENFORCEMENT
  • Why are better compliance systems needed? Recent evidence from Federal/State privacy enforcement.
  • COMPLIANCE SYSTEM REQUIREMENTS
  • THE ABCs OF PRIVACY / ETHICS COMPLIANCE
  • Stringency: what does it mean?
  • Professional judgment: when is it needed?
  • Suggested methodology for ethics-based decision-making
  • How do I define a single, organization-wide ethics standard when professional judgment is necessary and competing standards exist within an organization?

10
PROFILE OF PRIVACY & ETHICS COMPLIANCE AND ENFORCEMENT
11
Why are better compliance system(s) necessary?
  • Privacy enforcement is being ratcheted up!!!

The privacy police can have many faces ... Office of Civil Rights, State Ethics Boards
12
HIPAA Privacy Rule Enforcement, April 14, 2003 to December 31, 2006
13
HIPAA enforcement data
BOOTS ARE ON THE GROUND!!
14
State Privacy / Ethics Violations, 2004-2006
  • 30 of 50 states report privacy / ethics violations
  • 140 cases resulting in disciplinary actions (license suspensions or terminations)
  • 5.45 national rate of disciplinary actions per 1000 privacy complaints
  • Five states with the highest reported rates of privacy & ethics violations:
    • Maryland 7.0
    • Alaska 5.3
    • Florida 5.0
    • Kansas 4.8
    • New Hampshire 3.7

Includes terminated and suspended licenses to practice
15
While enforcement is accelerating, major compliance gaps remain among providers!!!
  • 70% of providers have trained their total staff on privacy & ethics
  • % of programs delivering privacy & ethics training to:
    • 74% of clinical staff
    • 62% of senior administrative staff
    • 43% of IT staff
  • 33% of programs have integrated privacy & ethics into organizational policies and procedures

16
NCVHS REPORT ON PRIVACY AND CONFIDENTIALITY
RECOMMENDATIONS FOR THE NHIN (June 22, 2006)
  • We believe that appropriate civil and criminal
    sanctions should be imposed on individuals and
    entities responsible for the violation of
    confidentiality and security provisions of EHRs
    and the NHIN.
  • A commitment to aggressive enforcement (of
    privacy and confidentiality laws) on the part of
    federal regulators is necessary to ensure the
    adoption and success of the NHIN.

17
CONSEQUENCES OF UNETHICAL OR UNFOUNDED PROFESSIONAL JUDGMENT DECISIONS UNDER HIPAA AND 42 CFR PART 2 ...
LOSS OF CERTIFICATION, PROGRAM FUNDING, OR MONETARY PENALTIES, ETC.
SUSPENSION OR LOSS OF LICENSE TO PRACTICE PROFESSIONALLY, MONETARY PENALTIES, ETC.
18
Key Elements of a Privacy Compliance System
  • Inventory of relevant Federal & State privacy statutes that bind organization
  • Inventory of professional codes of ethics represented in the organization's professional workforce
  • Policies and procedures that integrate the above
  • Electronic privacy management system
  • An adaptable, flexible electronic system that
    integrates all of the above

19
ABCs OF COMPLIANCE with PRIVACY & ETHICS REQUIREMENTS
20
Stringency?
When evaluating laws versus each other, or standards versus laws, to be more stringent means:
"(a law or standard) provides requirements that narrow the scope or duration, increase the privacy protections afforded (i.e. greater control over, or greater access to one's PHI), or reduce the coercive effects of the circumstances surrounding the express legal permission ..." (45 CFR 160.202(4))
21
HIPAA BASICS ...
23
What is in the AMHCA's Code of Ethics that Creates Greater Stringency?
  • Mental health counselors have a primary
    obligation to safeguard information about
    individuals obtained in the course of practice,
    teaching, or research. Personal information is
    communicated to others only with the person's
    written consent or in those circumstances where
    there is clear and imminent danger to the client,
    to others or to society.
  • All materials in the official record shall be
    shared with the client, who shall have the right
    to decide what information may be shared with
    anyone beyond the immediate provider of service.
  • The release of information without the consent
    of the client may only take place under the most
    extreme circumstances.
  • The mental health counselor (or staff member)
    does not release information by request unless
    accompanied by a specific release of information
    or a valid court order.
  • Information received in confidence by one agency
    or person shall not be forwarded to another
    person or agency without the client's written
    permission.

25
What is in the ASAM's Code of Ethics that Creates Greater Stringency?
  • In most circumstances, personally-identified
    information should be released only with the
    written informed consent of the patient.
  • Disclosures of information from the medical
    record should contain only the information needed
    for the intended purpose. Patients should be
    informed about the protections of their personal
    medical information and in what circumstances
    information may be released without their consent
    (e.g. medical emergency, child abuse reporting as
    required by law, threats of harm to self or
    others).
  • Law enforcement and other government agencies
    seeking information from the medical records of
    individual patients without patient consent
    should be denied such access unless a specific
    court order has been granted. Such court orders
    should be reserved for cases involving serious
    crime, and in which the information sought is not
    available from other sources.
  • Personally-identified health information
    released with the patients consent in order to
    obtain insurance benefits, whether public or
    private, should not be shared with other
    government or commercial entities without further
    consent. This includes non-healthcare divisions
    or parent organizations of commercial entities
    involved in healthcare service delivery,
    insurance, case management, and utilization
    management.

26
Which code of ethics has more stringent standards on patient consent?
  • What standard provides greater control to the client?
  • Of the two --- AMHCA vs ASAM --- ASAM indicates the client should have a greater, direct role in consent in 13 of HIPAA's 18 permissible areas of disclosure. AMHCA requires consent in just 10 of HIPAA's 18 permissible areas.
  • BOTH PROHIBIT REDISCLOSURE WITHOUT CONSENT!!

27
Relative Stringency of Codes of Professional Ethics --- HIPAA Stringency Index (Scale 1-19)
[Chart: codes of ethics ranked from least stringent to most stringent]
28
DEFINITION OF PRIVACY RULES FOR BEHAVIORAL HEALTH ORGANIZATIONS REQUIRES ... COMPARING STRINGENCY
29
Can ethics standards be more stringent than the law? Absolutely ... yes
30
HIPAA EXPLICITLY RECOGNIZES THAT ETHICS STANDARDS CAN BE MORE STRINGENT THAN THE STATUTE ITSELF AND SHOULD BE FOLLOWED
(AUGUST 14, 2002, VOL 67, NO. 157, PAGE 53212, FINAL MODIFICATIONS TO HIPAA PRIVACY RULE)
COMMENT: "Some commenters asserted that eliminating the consent requirement would be a departure from medical ethical standards that protect patient confidentiality and common law and state law remedies for breach of confidentiality that generally require or support patient consent prior to disclosing patient information for any reason ... Another commenter also was concerned removal of the consent requirement will supplant professional ethical duties to obtain consent for use of protected health information."
31
"The Privacy Rule provides a floor of privacy protections ... In order to not interfere with such ethical standards, the rule permits covered entities to obtain consent. Thus, professional standards that are more protective of privacy retain their vitality." (AUGUST 14, 2002, VOL 67, NO. 157, PAGE 53212, FINAL MODIFICATIONS TO HIPAA PRIVACY RULE)
BOTTOM-LINE: WHEN ETHICS STANDARDS AFFORD MORE PRIVACY THAN THE HIPAA STATUTE, THEY CANNOT BE IGNORED.
32
THE MOST COMPELLING REASON FOR RECOGNIZING THE IMPORTANCE THAT ETHICS PLAYS IN COMPLIANCE WITH HIPAA OR 42 CFR PART 2?
  • Lack of knowledge OR misunderstanding of
    ethical responsibility is NOT a defense against a
    charge of unethical conduct
  • Actual quotation from the codes of ethics for
    the American Counseling Association and American
    Psychology Association.

33
TWO SCENARIOS WHEN PROFESSIONAL JUDGMENT (ETHICS) IS NECESSARY ...
34
WHEN IS PROFESSIONAL JUDGMENT NEEDED?
ETHICS BEGINS WHERE THE LAW ENDS
35
Why are Ethics Important in Compliance with Privacy Statutes and Standards?
  • This regulation describes a set of basic
    consumer protections and a series of regulatory
    permissions for use and disclosure of health
    information. The protections are a mandatory
    floor, which other governments and any covered
    entity may exceed. The permissions are just that,
    permissive -- the only disclosures of health
    information required under this rule are to the
    individual who is the subject of the information
    or to the Secretary for enforcement of this rule.
    We expect covered entities to rely on their
    professional ethics and use their own best
    judgments in deciding which of these permissions
    they will use.

Preamble to HIPAA Privacy Statute
36
AOD BASICS ...
37
HIPAA BASICS ...
38
Why Are Ethics Important ? Reason 1
  • AOD and HIPAA statutes permit uses and
    disclosures, but do not require them.
  • After making a permitted disclosure, your professional judgment, or standards of professional judgment in your Institution's Policies and Procedures, may be challenged by public complaints.

39
Why Are Ethics Important? Reason 2
  • Statutes often mandate use of professional judgment about handling personal health information (PHI).

40
Why Are Ethics Important? Reason 3
  • Sometimes, statutes may be SILENT on issues such as ...
  • IF you should use/disclose?
  • WHAT you should use/disclose?
  • HOW you should use/disclose?

41
HOW MUCH VARIATION EXISTS AMONG PROFESSIONAL CODES OF ETHICS IN NECESSITY FOR CONSENT? 42 CFR AND HIPAA
42
42 CFR PART 2
  • ACA - American Counseling Association
  • ANA - American Nursing Association
  • AAP - Association of Addiction Professionals

43
Intersection of ACA & AOD Confidentiality Protections
General Rule Prohibiting Disclosure of PII
Exceptions Permitting Limited Disclosures
  • Written Consent (Consenting to Disclosures Not Otherwise Permitted): 2 Anonymous Disclosures; 3 Qualified Service Organization Agreements (QSOAs); 5 Research; 6 Audit & Evaluation
  • Without Written Consent: 1 Internal Communications; 4 Medical Emergency; 7 Authorizing Court Order; 8 Patient Threat/Crime on Program Premises or Against Program Personnel; 9 Reporting Suspected Child Abuse and Neglect
DISCLAIMER: The information herein is for reference use only and does not constitute the rendering of legal advice by CSAT/SAMHSA/HHS.
42 CFR Part 2
44
Intersection of ANA & AOD Confidentiality Protections
General Rule Prohibiting Disclosure of PII
Exceptions Permitting Limited Disclosures
  • Without Written Consent: 1 Internal Communications; 4 Medical Emergency; 7 Authorizing Court Order; 8 Patient Threat/Crime on Program Premises or Against Program Personnel; 9 Reporting Suspected Child Abuse and Neglect
  • Written Consent (Consenting to Disclosures Not Otherwise Permitted): 2 Anonymous Disclosures; 3 Qualified Service Organization Agreements (QSOAs); 5 Research; 6 Audit & Evaluation
DISCLAIMER: The information herein is for reference use only and does not constitute the rendering of legal advice by CSAT/SAMHSA/HHS.
42 CFR Part 2
45
Intersection of AAP & AOD Confidentiality Protections
General Rule Prohibiting Disclosure of PII
Exceptions Permitting Limited Disclosures
  • Written Consent (Consenting to Disclosures Not Otherwise Permitted): 1 Internal Communications; 2 Anonymous Disclosures; 3 Qualified Service Organization Agreements (QSOAs); 5 Research; 6 Audit & Evaluation
  • Without Written Consent: 4 Medical Emergency; 7 Authorizing Court Order; 8 Patient Threat/Crime on Program Premises or Against Program Personnel; 9 Reporting Suspected Child Abuse and Neglect
DISCLAIMER: The information herein is for reference use only and does not constitute the rendering of legal advice by CSAT/SAMHSA/HHS.
42 CFR Part 2
46
HIPAA 45 CFR
  • ACA
  • ANA
  • AAP
  • ASAM - American Society of Addiction Medicine

49
Intersection of AAP & HIPAA Privacy Protections
General Rule Prohibiting Use and Disclosure of PHI
Permitted Exceptions
  • Written Authorization: 2 TPO; 3 Incidental use/disc.; 4 Facility Directory; 5 Next of Kin/Caregiver; 6 Business Associate; 8 Health Oversight; 11 Public Health Activities; 13 Research; 15 About Decedents; 16 Workers Comp; 17 For Cadaveric Donation; 18 For Specialized Govt Functions
  • Without Authorization: 1 To the Individual; 7 Averting a Serious Health/Safety Threat; 9 Judicial & Admin Proc.; 10 Law Enforcement; 12 Required by Law; Victims of Abuse

51
HOW DO WE HANDLE VARIATION IN CODES OF ETHICS, GENERALLY?
52
THE MIX OF PROFESSIONALS IN EACH ORGANIZATION PARTLY DEFINES WHAT PRIVACY STANDARDS SHOULD EXIST IN IT!
MORE PERMISSIVE ORGANIZATION
MORE RESTRICTIVE ORGANIZATION
53
TWO SCENARIOS WHEN PROFESSIONAL JUDGMENT (ETHICS) IS NECESSARY ...
54
WHAT ETHICAL COMPASS CAN PROFESSIONALS FOLLOW TO GUIDE THEM THROUGH OTHER PRIVACY DECISIONS? HERE'S ONE APPROACH!!
55
A Hierarchy of Principles Exists and Is Grounded in:
1. Statutory ethics
2. Institutional / Program / Professional ethics
3. Personal ethics/values.
56
STATUTORY ETHICS
57
Statutory Ethics Are Consistent!
Use or Disclosure of PHI Cannot Impede Access to Care under EITHER statute, but ...
58
42 CFR FOCUSES ON ACCESS PRIMARILY ...
  • "They (the regulations) are intended to insure an alcohol or drug abuse patient in a federally-assisted alcohol or drug abuse program is not made more vulnerable by reason of the availability of his or her patient records than an individual who also has an alcohol or drug problem BUT does not seek treatment." 42 CFR Part 2, Section 2.3(b)(2).

ACCESS TO, AND CONTINUITY IN, TREATMENT ARE CORE PRINCIPLES OF 42 CFR PART 2 ... !!!
59
HIPAA RAISES THIS STANDARD!!
  • "privacy is necessary to secure effective, high quality care ..." (page 19, Preamble, Final Rule, HIPAA, December 28, 2002)
  • "modifications adopted in this rule are intended to address the possible adverse effects of the final privacy standards on an individual's access to, or the quality of, health care" (August 14, 2002, Final HIPAA Rule, Vol. 16. No 157, IV.B.)

60
IF I USE OR DISCLOSE PHI ...
61
IF YES ..., PROBABLY SHOULD NOT DISCLOSE ...
62
IF NO ..., PROGRAM OR INSTITUTIONAL ETHICS STANDARDS MUST BE CONSIDERED.
INSTITUTIONAL / PROGRAM AND/OR ... PROFESSIONAL ... ETHICS STANDARDS SHOULD BE WEIGHED
63
INSTITUTIONAL / PROGRAM ETHICS STANDARDS
64
WHERE'S THE PROBLEM ...?
INSTITUTIONAL OR PROGRAM POLICIES AND
PROCEDURES
PROFESSIONAL ETHICS STANDARDS
65
WHERE YOU STAND ETHICALLY MAY DEPEND ON WHERE YOU SIT ORGANIZATIONALLY ...
WITHIN A LARGER INSTITUTION? (COVERED ENTITY)
PRIVATE PRACTICE?
CONSULTING PROFESSIONAL?
66
AS A PROFESSIONAL, HOW DOES ONE'S ORGANIZATION DEFINE ETHICS?
WITHIN A LARGER INSTITUTION? (COVERED ENTITY)
PRIVATE PRACTICE?
CONSULTING PROFESSIONAL?
  • PROFESSIONAL CODE OF ETHICS
  • POLICIES AND PROCEDURES OF THE LARGER ORGANIZATION (COVERED ENTITY)?
  • STATE LAWS FOR PROFESSIONS? FOR INSTITUTIONS?
  • PROFESSIONAL CODE OF ETHICS
  • POLICIES AND PROCEDURES OF THE PRACTICE? (IF COVERED ENTITY)
  • POLICIES AND PROCEDURES OF THE LARGER ORGANIZATION (COVERED ENTITY)?
  • STATE LAWS FOR PROFESSIONS?
  • PROFESSIONAL CODE OF ETHICS
  • POLICIES AND PROCEDURES OF THE PRACTICE? (IF COVERED ENTITY)
  • STATE LAWS

67
  • REMEMBER!!!
  • Lack of knowledge ... OR misunderstanding of ethical responsibility is NOT a defense against a charge of unethical conduct.
  • Quotation from the codes of ethics for the American Counseling Association and the American Psychology Association.

68
BACK TO THE HIERARCHY
X ??
1. Statutory ethics
2. Institutional / Program / Professional ethics
3. Personal ethics/values.
69
IF I USE OR DISCLOSE PHI ...
70
IF YES ..., PROBABLY SHOULD NOT DISCLOSE ...
71
PERSONAL ETHICS
72
IF NO ..., ONE LAST GUT CHECK ...
IF I USE OR DISCLOSE PHI ... DOES THIS HARM MY CLIENT?
LAST PRINCIPLE: DO NO HARM ...
73
Personal Ethics/Values
Do no harm!!! Basic human values: trust, respect, responsibility, dignity. They often mirror those already expressed in professional codes of ethics.
74
FOR ANY INDIVIDUAL PRIVACY (AND/OR SECURITY) ISSUE, HOW DOES AN ORGANIZATION DEFINE A SINGLE STANDARD?
75
DEFINING ETHICS STANDARDS FOR YOUR ORGANIZATION: IDENTIFY PROFESSIONAL CODES OF ETHICS REPRESENTED IN YOUR PROGRAM THAT ARE MORE STRINGENT THAN HIPAA AND 42 CFR PART 2 ON CONSENT PROVISION
76
DEFINING AN ETHICAL STANDARD FOR YOUR ORGANIZATION: WHERE DO YOU SET THE BAR?
[Chart: stringency of ethical standards, from least rigorous to most rigorous, with Profession A, Profession B and Profession C plotted along the scale]
77
For HIPAA Covered Entities, These Decisions Should Be in Policies and Procedures
LEADS TO SINGLE PROGRAM STANDARD
SYNTHESIS OF STANDARDS
78
ELECTRONIC HEALTH RECORDS (EHR) SYSTEMS: THE NEWEST CHALLENGE TO PRIVACY
NHIN
RHIOs
MEDICAL SYSTEM
MEDICAL HOME
KEY PRIVACY ISSUES: WHO GETS IT? HAND-OFFS? CONSENT MANAGEMENT?
79
Protected Health Information
  • Name
  • Address information
  • E-mail address
  • Dates (Birth and/or Service Dates)
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account numbers
  • Certificate numbers
  • License numbers
  • Vehicle identifiers
  • Facial photographs
  • Telephone numbers
  • Device identifiers
  • URLs
  • Internet Provider Addresses
  • Biometric identifiers
  • Zip code clusters

80
Why / how do privacy requirements change for any professional or health care organization?
  • Stringency of professional ethics standards represented in the organization's workforce
  • Geographic location of employer (i.e. Alabama)
  • Federal statutes & regulations (involvement in electronic transactions, Federal funding streams, and service mix)
  • State laws & regulations

81
PRIVACY / ETHICS REQUIREMENTS VARY BY STATE AND PROVIDER
EHR-BASED DATA MOVES QUICKLY!!
82
What defines a compliant, ethics-based privacy management strategy?
  • Inventory of relevant Federal & State privacy statutes that bind organization
  • Inventory of professional codes of ethics represented in the organization's professional workforce
  • Policies and procedures that integrate the above
  • Electronic privacy management system
  • An adaptable, flexible electronic system that
    integrates all of the above

84
TECHNICAL ASSISTANCE IS AVAILABLE!
  • Toll-Free Call Center: 1-866-447-2284 X1
  • E-mail: Brian Balicki, PhD, Project Director, bbalicki_at_shs.net
CONFIDENTIALITY AND ETHICS TRAINING PROJECT
SAMHSA CONTRACT 270-03-7112