Managing Information Privacy & Security in Healthcare. When an Authorization is Required

Transcription

1 D21 Managing Information Privacy & Security in Healthcare When an Authorization is Required By Barbara Demster, MS, RHIA, CHCQM and Sandra Sinay, JD, LLM Authorizations for Uses and Disclosures: The regulations provide a general rule that an authorization is required to disclose PHI with certain defined exceptions contained in the regulations. Those exceptions are discussed in the Toolkit chapter When an Authorization is Not Required. A covered entity may not use or disclose protected health information without an authorization. That authorization must be valid and is only valid if it complies with the requirements as defined within the regulations. The regulations state that the covered entity s response to a valid authorization must be consistent with the content of that authorization. Refer to Toolkit chapter Marketing and Fundraising for authorization requirements for Marketing and Fundraising. See the AHIMA Practice Brief: Required Content for Authorizations to Disclose < > Psychotherapy notes Subsection (a)(2) of under the HIPAA standard states that a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except in the following circumstances. To carry out the following treatment, payment, or health care operations: 1. Use by the originator of the psychotherapy notes for treatment; note that the treatment exception applies only to the originator or author of the psychotherapy notes. 2. Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or 3. Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and A use or disclosure that is: 1. Requested by the individual, 2. Required by law, 3. Used for the purpose of oversight of the author of the psychotherapy notes

2 When Must the Individual be Given the Opportunity to Agree or to Object? A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure. The covered entity may orally inform the individual of and obtain the individual s oral agreement or objection to a use or disclosure permitted as discussed below. Use and Disclosure for Facility Directories: See subsection (a) of Permitted Uses and Disclosure. Except when an objection is expressed, a covered health care provider may: - Use the following protected health information to maintain a directory of individuals in its facility: o The individual s name; o The individual s location in the covered health care provider s facility; o The individual s condition described in general terms that does not communicate specific medical information about the individual; and o The individual s religious affiliation; and - Disclose for directory purposes such information: o To members of the clergy; or o Except for religious affiliation, to other persons who ask for the individual by name. Refer to the Special Issues section of the Toolkit for more discussion of the issues on disclosures to clergy and pastoral care. Opportunity to Object: A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures. Emergency Circumstances. If the opportunity to object to uses or disclosures cannot practicably be provided because of the individual s incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information for the facility s directory, if such disclosure is: - Consistent with a prior expressed preference of the individual, if known; and - In the individual s best interest as determined by the covered health care provider, in the exercise of professional judgment. The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes when it becomes practicable to do so

3 Uses and Disclosures for Involvement in the Individual s Care and Notification Purposes: See subsection (b) of Permitted Uses and Disclosures - A covered entity may disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person s involvement with the individual s care or payment related to the individual s health care. - A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual s location, general condition, or death. Uses and Disclosures with the Individual Present. If the individual is present for, or otherwise available prior to, a permitted use or disclosure and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it: - Obtains the individual s agreement; - Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or - Reasonably infers from the circumstances, based the exercise of professional judgment, that the individual does not object to the disclosure. Limited Uses and Disclosures When the Individual is not Present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person s involvement with the individual s health care. Use and Disclosures for Disaster Relief Purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities and as permitted by the above

4 HITECH Privacy and Security Modification Final Rule 1 Section Uses and Disclosures for Which an Authorization is Required Sale of Protected Health Information [78FR5604] Sale of protected health information by a covered entity or a business associate is prohibited except as pursuant in this section. To clarify the final rule added the definition for the sale of protected health information. Sale of protected health information means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. This provision also clarifies that the way remuneration is used in this statute is different than how is it used in the marketing section and therefore, remuneration here means both financial and nonfinancial benefits (also known as in-kind benefits). The sale of protected information does not included disclosures of protected information: for public health for research purposes where remuneration was a reasonable cost-based fee to cover the costs to prepare and transmit the information for treatment and payment purposes for a sale, transfer, merger or consolidation related to due diligence to a business associate (or the subcontractor) that undertakes activities on behalf of the covered entity, where the remuneration is only for the performance of those activities to an individual who has requested the protected health information as required by law for any other purpose permitted where remuneration is a reasonable cost-based fee to cover the costs to prepare and transmit the information or where the fee is otherwise expressly permitted by law For those sections that are allowed a reasonable cost-based fee to prepare and transmit the data, costs include both direct and indirect costs for generating, storing, retrieving and transmitting protected health information: labor materials supplies Any fees generated that incur a profit margin are not allowed. This provision also clarifies that de-identified protected health information is not subject to the remuneration prohibition as it is no longer considered protected health information. However, limited data sets are not completely exempted from this provision. Limited data sets that are 1 Also see AHIMA analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules

5 permitted under the rule are exempt from the authorization requirements to the extent that the only remuneration received is in exchange for the data is a reasonable cost-based fee. b. Section (b) Disclosures about a Decedent to Family Members and Others Involved in Care [78FR5614] This provision amends (b) and now permits entities to disclose a decedent s PHI to family members and others who were involved in the care or payment for care of a decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the CE. For example, a healthcare provider can describe the circumstances that led to an individual s death or provide billing information to a decedent s sibling. This does not include past unrelated medical problems. The final rule includes a definition of family member under These disclosures are permitted and not required. If the CE is uncomfortable or believes the disclosure to be inappropriate or doubts identity of the requestor, the final decision lies with the covered entity