HIPAA FUNDAMENTALS For Substance abuse Treatment Industry


HIPAA FUNDAMENTALS For Substance abuse Treatment Industry (c)firststepcounselingonline2014 1

At the conclusion of the course/unit/study the student will: ANALYZE THE EFFECTS OF TRANSFERRING INFORMATION; COMPARE THE PROS AND CONS FOR A BUSINESS ASSOCIATE; RECOGNIZE THE CONSEQUENCES OF NOT FOLLOWING THE HIPAA RULES.

Understand the basic fundamentals of HIPAA law as it relates to practicing in the substance abuse treatment industry. Use your respective association's Code of Ethics to create a foundation for resolving ethical dilemmas. PURPOSE OF COURSE: The purpose of this continuing education course is to provide a current understanding of issues relevant to the HIPAA guidelines for patient privacy. Government facts, guidelines and confidentiality reporting information are provided to assist counselors in clarifying paperwork.

If a substance abuse treatment program transmits health information electronically in connection with one or more of the standard transactions listed in 45 CFR Part 162, then it must comply with the Privacy Rule. Part 162 may be amended in the future to cover additional transactions. Part 2 protects any and all information that could reasonably be used to identify an individual and requires that disclosures be limited to the information necessary to carry out the purpose of the disclosure. See 42 CFR 2.11 and 2.13(a). Under the Privacy Rule, a program may not use or disclose protected health information (PHI) except as permitted or required by the Rule. See 45 CFR 164.502(a).

Neither rule applies to information that has been de-identified. See 45 CFR 164.514(a) (de-identification of PHI) and 42 CFR 2.11 (definition of "patient identifying information"). The Privacy Rule permits programs to assign a code or other means of record identification to allow information that has been de-identified to be re-identified, as provided in 45 CFR 164.514(c).
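The de-identification and re-identification code mechanism described above, as an added worked example (this is not code from the course or from any regulator). It assumes a simple dictionary record layout whose field names are my own choice; the set of stripped fields follows the direct identifiers of the Safe Harbor method in 45 CFR 164.514(b)(2), and the code is random rather than derived from the patient, which is what 164.514(c) requires. The code-to-identity table is the thing a program must hold separately and never disclose.

```python
import secrets
from typing import Dict

# Field names are this example's assumption about a program's record layout; the
# set follows the direct identifiers that the Safe Harbor method (45 CFR
# 164.514(b)(2)) requires removing. Dates are dropped wholesale here for
# simplicity, although Safe Harbor lets the year be retained.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "initials", "street_address", "city", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "dob", "admit_date",
    "discharge_date", "device_serial", "ip_address",
})

# Type of the separately held code-to-identity table (164.514(c)): the program
# keeps this apart from the de-identified data and never discloses it.
ReidTable = Dict[str, Dict[str, str]]


def remaining_identifiers(record: Dict[str, str]) -> list:
    """Names of direct-identifier fields still present in a record. An empty
    list is the check that a record carries no Safe Harbor identifiers."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIER_FIELDS)


def new_reid_code(table: ReidTable) -> str:
    """Random 16-hex-digit code, so it is not derived from anything about the
    patient and cannot be reversed without the table (164.514(c)(1))."""
    code = secrets.token_hex(8)
    while code in table:  # vanishingly unlikely collision, but keep codes unique
        code = secrets.token_hex(8)
    return code


def de_identify(record: Dict[str, str], table: ReidTable) -> Dict[str, str]:
    """Return a copy of `record` with direct identifiers removed and a
    re-identification code attached; the removed values go into `table`."""
    code = new_reid_code(table)
    table[code] = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIER_FIELDS}
    stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    stripped["reid_code"] = code
    return stripped


def re_identify(deid_record: Dict[str, str], table: ReidTable) -> Dict[str, str]:
    """Rebuild the full record from a de-identified one, using the table that
    only the program holds. An unknown code is an error, not a silent miss."""
    code = deid_record["reid_code"]
    if code not in table:
        raise KeyError("no such re-identification code")
    full = {k: v for k, v in deid_record.items() if k != "reid_code"}
    full.update(table[code])
    return full


if __name__ == "__main__":
    # Constructed sample record for a fictitious patient.
    sample = {"mrn": "MRN-000123", "initials": "J.D.", "name": "Jane Doe",
              "dob": "1980-05-04", "diagnosis": "F10.20", "visit_count": "3"}
    table: ReidTable = {}
    deid = de_identify(sample, table)
    print("identifiers before:", remaining_identifiers(sample))
    print("identifiers after: ", remaining_identifiers(deid))
    print("round trip ok:", re_identify(deid, table) == sample)
```

Note that the sample mirrors the course's later point that initials plus a medical record number are enough to identify someone: both fields are stripped, and the clinical fields travel without them.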

Second, the Final Rule requires that any person or entity that meets the definition of business associate execute a business associate agreement. If the task involving the protected health information is delegated by the covered entity, the covered entity must be a party to the business associate agreement. If the task involving the protected health information is delegated by a business associate, the covered entity is not required to be a party to the business associate agreement.

In that case, the business associate delegating the task and the business associate receiving the task must execute the business associate agreement. Business associates who further delegate tasks involving the use or disclosure of protected health information must likewise execute business associate agreements. As a result, many entities not previously subject to HIPAA will be required to execute business associate agreements and to meet the HIPAA requirements that apply directly to business associates. In addition, new business associates will incur liability for civil and criminal penalties for violating those requirements.

Third, although the HITECH Act specified the Security Rule provisions that would be applicable to business associates, it left some uncertainty as to the other HIPAA requirements that would apply directly to business associates. In response, the Department specified that business associates are directly liable under the HIPAA Rules for the following:
- Impermissible uses or disclosures of protected health information;
- Failure to provide breach notification to the covered entity;
- Failure to provide access to a copy of electronic protected health information to the covered entity, the individual, or the individual's designee (as specified in the business associate agreement);
- Failure to disclose protected health information where required by the Department to investigate or determine the business associate's compliance with the HIPAA Rules; and
- Failure to provide an accounting of disclosures.

Any recipient of a delegated task that involves the creation, receipt, maintenance or transmission of protected health information is a business associate, regardless of whether a covered entity or another business associate delegated the task. Accordingly, references to business associates hereinafter include persons and entities not previously included in the definition of business associate but who must create, receive, transmit or maintain protected health information to perform a permitted task that has been delegated to them. Defining business associate in this manner significantly expands the Department's authority over a group of people and entities that previously had no direct HIPAA obligations.

The Final Rule further explains that business associates must limit any permissible use or disclosure of protected health information to the minimum necessary amount to achieve a permitted purpose. The Department views the minimum necessary standard "[as] a condition of the permissibility of many uses and disclosures of protected health information."

Consequently, a use or disclosure of protected health information for which the requisite minimum necessary amount has not been identified, or that exceeds the minimum necessary, would be impermissible under HIPAA. Business associates must make this assessment for themselves, although they may reasonably rely on requests from other business associates or covered entities as requesting the minimum necessary for disclosure.

The Final Rule specifies a number of changes to the content of business associate agreements to reflect changes required by the HITECH Act and to reflect the Department's new regulatory authority with respect to business associates. These changes include:
- Eliminating the requirement to notify the Secretary in cases where there is a violation of a business associate agreement and termination is infeasible;
- Requiring all business associates to comply with the minimum necessary standard;
- Requiring all business associates to comply with the obligations to safeguard electronic protected health information, to report breaches of unsecured protected health information, and to require subcontractors that create or receive protected health information to agree to the restrictions and conditions that apply to business associates with respect to protected health information; and
- If the business associate is performing an obligation of the covered entity, complying with all HIPAA requirements that apply to a covered entity performing that obligation.

The Final Rule has materially changed the way covered entities and business associates will operate going forward with respect to HIPAA compliance. Privacy and Security Officers should be working with legal counsel to (1) identify policies and procedures that must be updated to reflect changed requirements and to address new ones; and (2) identify any existing subcontractors that qualify as business associates under the expanded definition and execute business associate agreements with them.

The two regulations have some differences in the definition of what information is protected. For instance, the Privacy Rule treats medical record numbers as PHI, subject to all the same requirements as other PHI. Part 2 would permit a program to disclose a medical record number because the regulation does not apply to a number assigned to a patient by a program, if that number "does not consist of, or contain numbers... which could be used to identify a patient with reasonable accuracy and speed from sources external to the program." See 42 CFR 2.11. Programs subject to both rules must follow the Privacy Rule's protection of a medical record number.

Perhaps the best news in the Final Rule is its effective and compliance dates. The Final Rule is effective on March 26, 2013, but compliance with the new provisions will not be enforced until September 23, 2013.[1] The Final Rule was officially published on January 25, 2013, so entities have approximately 8 months to comply. That is the good news. The bad news is that entities have only 8 months to get their HIPAA houses in order and to implement the changes.

[1] See 78 Fed. Reg. 5566, 5669 (Jan. 25, 2013) (hereinafter the "Final Rule"). The Final Rule also "make[s] clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules." Id.; see also id. at 5689 (to be codified at 45 CFR 160.105).

The Final Rule includes a grandfathering provision for business associate agreements in effect prior to January 25, 2013 (i.e., the publication date of the Final Rule) if the agreements (including any related service agreements) are not renewed or modified prior to the compliance date in the Final Rule (i.e., September 23, 2013). The grandfathering provision gives business associates meeting these specifications an extra year (i.e., until September 22, 2014) to amend the business associate agreements to comply with the new requirements. The agreements will be deemed compliant with the Final Rule until either (i) the agreement is modified after the compliance date, or (ii) September 22, 2014, whichever occurs first. The grandfathering provision applies only to the business associate agreement requirement and not to any other provision of the Final Rule.

Covered Entities: a Covered Entity is a health care provider or a health plan that submits bills electronically. Examples include hospitals, physicians, Blue Cross Blue Shield of Texas, etc. All Covered Entities, along with their Business Associates (that use or access patient information on the Covered Entity's behalf), are subject to HIPAA.

Question: If you have a document or an electronic device such as a thumb/flash drive that contains patient initials and medical record number(s), does your document or device contain PHI? Answer: Yes. Your document or device contains patient identifiers (patient initials and medical record number) that can be used to identify the patient(s). It does not matter that the full patient name is not included.

PHI is anything that is received, sent or stored in any form by a health care provider or health plan:
- That identifies the patient or can be used to identify the patient;
- That generally is about a patient's past, present and/or future treatment and payment for services.
In other words, PHI is any health information that can lead to the identity of the individual, or whose contents can be used to make a reasonable assumption as to the individual's identity.

Treatment, Payment and Operations (TPO). Treatment [T]: various activities related to patient care. Payment [P]: various activities related to paying for or getting paid for health care services. Health Care Operations [O]: generally refers to the day-to-day activities of a covered entity, such as planning, management, training, improving quality, providing services, and education. NOTE: Research is not considered TPO. Written patient authorization is required to access PHI for research unless an authorization waiver is approved by the IRB. See the education program on research for more information.

Business Associate: vendors who have access to or use PHI on our behalf must have a Business Associate Agreement, a signed agreement promising to keep PHI confidential in accordance with HIPAA. Example: a company developing order entry software must see actual PHI, so it would need a written agreement.

Minimum Necessary Rule: generally, the amount of PHI used, shared, accessed or requested must be limited to only what is needed. Workers should access or use only the PHI necessary to carry out their job responsibilities.
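The Minimum Necessary Rule stated here, and the Final Rule's position given earlier that a use or disclosure for which no minimum necessary amount has been identified is impermissible, as an added worked example (not code from the course). The purposes, field names and policy table are my own constructed assumptions standing in for a program's written minimum-necessary determinations; the point is the behaviour at the edges: no determination on file means refuse, and a request beyond the determination means refuse and say which fields were excess.

```python
from typing import Dict, Iterable, Optional, Set


class MinimumNecessaryError(Exception):
    """Raised when a use or disclosure is not covered by a recorded determination."""


# Constructed policy table: for each permitted purpose, the fields the program
# has determined to be the minimum necessary. Purposes and field names are this
# example's assumptions, not a regulatory list.
MINIMUM_NECESSARY: Dict[str, Set[str]] = {
    "treatment": {"mrn", "name", "dob", "diagnosis", "medications", "treatment_plan"},
    "payment": {"mrn", "name", "dob", "health_plan_id", "procedure_codes", "dates_of_service"},
    "operations/quality_review": {"mrn", "diagnosis", "treatment_plan", "dates_of_service"},
}


def limit_to_minimum_necessary(record: Dict[str, str], purpose: str,
                               requested: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """Return only the fields of `record` permitted for `purpose`.

    - No determination on file for the purpose: the disclosure is impermissible,
      so refuse rather than fall back to handing over the whole record.
    - A request naming fields beyond the determination: refuse and say which.
    - A request naming a subset: honour the subset. A requester may be relied on
      to ask for no more than it needs, but never for more than is allowed.
    """
    if purpose not in MINIMUM_NECESSARY:
        raise MinimumNecessaryError(
            f"no minimum necessary determination recorded for purpose {purpose!r}")
    allowed = MINIMUM_NECESSARY[purpose]
    wanted = allowed if requested is None else set(requested)
    excess = wanted - allowed
    if excess:
        raise MinimumNecessaryError(
            f"request for {purpose!r} exceeds minimum necessary: {sorted(excess)}")
    return {k: v for k, v in record.items() if k in wanted}


if __name__ == "__main__":
    # Constructed sample record for a fictitious patient.
    sample = {
        "mrn": "MRN-000123", "name": "Jane Doe", "dob": "1980-05-04",
        "health_plan_id": "HP-77-1234", "diagnosis": "F10.20",
        "medications": "naltrexone", "treatment_plan": "IOP 3x/week",
        "procedure_codes": "H0015", "dates_of_service": "2014-03-02",
    }
    print("payment gets:", sorted(limit_to_minimum_necessary(sample, "payment")))
    try:
        limit_to_minimum_necessary(sample, "research")
    except MinimumNecessaryError as err:
        print("refused:", err)
```

The refusal on an unknown purpose is the deliberate design choice: a default of "return everything" is exactly the failure mode the course warns against, since the worker or vendor would then be making the minimum-necessary decision implicitly and after the fact.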

What is Use of PHI? Use of PHI refers to how PHI is internally accessed, shared and utilized by the covered entity. For some counselors, use refers to accessing, sharing and utilizing PHI within the health system. What is Disclosure of PHI? Disclosure of PHI refers to how PHI is shared with individuals or entities externally. For some counselors, disclosure refers to sharing PHI with others outside of (external to) the health system. Different rules apply to Use vs. Disclosure of PHI.

Notice of Privacy Practices (NPP): providers and health plans must have a Notice of Privacy Practices (NPP). It provides a detailed description of the various uses and disclosures of PHI that are permissible without obtaining a patient's authorization. In general, any time you release patient information for a reason unrelated to treatment, payment (e.g., billing) or healthcare operations (TPO), an authorization is required.

HIPAA transactions that a substance abuse treatment program might engage in include:
- Submission of claims to health plans;
- Coordination of benefits with health plans;
- Inquiries to health plans regarding eligibility, coverage or benefits, or the status of health care claims;
- Transmission of enrollment and other information related to payment to health plans;
- Referral certification and authorization (i.e., requests for review of health care to obtain an authorization for providing health care, or requests to obtain authorization for referring an individual to another health care provider).

What is an Authorization? A written permission signed by the patient or the patient's personal representative (e.g., a parent) to allow a Covered Entity to use or disclose a patient's PHI for reasons generally not related to treatment, payment or healthcare operations (TPO purposes). The Authorization must include: a detailed description of the PHI to be disclosed, who will make the disclosure, to whom the disclosure will be made, the expiration date, and the purpose of the disclosure.

Types of Disclosures, 3 categories:
1. No Authorization Required
2. No Authorization Required, but Must Give Opportunity to Object
3. Authorization Required

No Authorization is required to make the following disclosures:
- To disclose PHI to the patient.
- To use or disclose PHI for treatment, payment or healthcare operations (for example: a physician discusses the patient's condition with another consulting physician; a health provider submits a bill to a health insurance plan; patient records are reviewed for quality improvement purposes).
- Certain disclosures required by law (for example, public health reporting of diseases, child abuse/neglect cases, etc.).

No Authorization is Required, but Must Offer Opportunity to Object:
- The patient must be offered an opportunity to object before PHI is discussed with the patient's family or friends. Before discussing patient information in an exam room, ask the patient if it is okay to discuss information in front of the patient's family member or friend. Alternatively, you can ask the family member or friend to leave, especially if the information is highly confidential.
- Limited PHI (e.g., the patient's hospital room/location number) is included in the hospital directory, but patients are offered an opt-out opportunity; the same applies to certain disclosures to clergy members.

Authorization Is Required: written authorization is required from the patient for the following:
- To access, use or disclose PHI for research (unless an Institutional Review Board, such as the U-M IRBMED, approves a waiver of authorization);
- To conduct certain fundraising activities;
- For marketing activities.

Incidental Disclosures: some disclosures are not completely avoidable. These are permitted under HIPAA and are called incidental disclosures. Examples of incidental disclosures: visitors hear a patient's name as it is called out in a waiting room; a hospital patient in a two-bed room hears a physician speaking to the other patient.

HIPAA requires reasonable steps to be taken to minimize incidental disclosures, such as:
- Speaking in soft tones when discussing PHI in open areas such as the recovery room, emergency department, etc.;
- Not discussing PHI in public hallways, elevators or other public locations such as the cafeteria;
- Using only the minimum necessary PHI.

This applies to highly confidential areas, which include:
- Mental health and substance abuse;
- HIV/AIDS testing or treatment;
- Psychotherapy notes (which are not part of the medical record);
- Certain diagnostic and treatment services rendered to minors.
If you have questions about handling highly confidential information, ask your supervisor or privacy officer.

Most e-mail from one system to any other system is not considered secure (this includes e-mail to a college.edu address, to csc.hctx.net (Adult Probation), or to a Hotmail, Yahoo, Comcast or other personal e-mail address). Check with your supervisor for department-specific procedures for e-mailing PHI outside of your e-mail system. In all cases, use only the minimum necessary PHI. Use your electronic access to information systems only to perform your job-related duties, and access PHI only on a need-to-know basis.

All electronic systems are audited: a log of all accesses is maintained and is designed to protect patient privacy. Inappropriate access to a patient's electronic medical record can lead to disciplinary action, up to and including discharge from employment.

Question: Would it be permissible for you to look up a coworker's address in the electronic medical record so you can send the coworker a get-well card? Answer: No. You cannot access a coworker's electronic medical record. If you need information about a coworker, check with your supervisor. Accessing the electronic medical record system for purposes other than to complete your job responsibilities is not permitted. Inappropriate access to a patient's electronic medical record can lead to disciplinary action, up to and including discharge.
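The access audit described above (every access logged, inappropriate access such as the coworker lookup detected and acted on), as an added worked example of the review side; this is not the course's code or any real system's log format. The one-line audit format, the assignment table (which records each worker is treating, billing or reviewing) and the roster of patients who are also staff are all constructed assumptions; a real record system has its own audit schema, but the check is the same: an access with no job-related assignment behind it is an alert, and one against a coworker's record is the sharper case the Q&A describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed audit-line format for this example (real systems differ):
#   <timestamp> user=<login> action=<view|edit|print> patient=<record id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+patient=(?P<patient>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    patient: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into its fields; a malformed line is an error,
    because a review that silently skips lines is not a review."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised audit line: {line!r}")
    return m.groupdict()


def review_access_log(lines: Iterable[str],
                      assignments: Dict[str, Set[str]],
                      workforce_records: Dict[str, str]) -> List[Alert]:
    """Flag record accesses that have no job-related basis.

    assignments: user -> records that user is treating, billing or reviewing
    workforce_records: record id -> employee login, for patients who are also staff
    An access is fine when the record is in the user's assignments; anything else
    is flagged, with a sharper reason when the record belongs to a coworker.
    """
    alerts: List[Alert] = []
    for line in lines:
        e = parse_line(line)
        if e["patient"] in assignments.get(e["user"], set()):
            continue
        if e["patient"] in workforce_records:
            reason = (f"record of workforce member {workforce_records[e['patient']]} "
                      f"accessed without an assignment")
        else:
            reason = "access without a treatment, payment or operations assignment"
        alerts.append(Alert(e["ts"], e["user"], e["patient"], reason))
    return alerts


# Constructed sample data: four audit lines, two of them legitimate.
SAMPLE_LOG = [
    "2014-03-02T09:14:03 user=jsmith action=view patient=MRN-1042",
    "2014-03-02T09:20:51 user=jsmith action=view patient=MRN-2001",
    "2014-03-02T10:02:17 user=rlee action=edit patient=MRN-1042",
    "2014-03-02T10:45:09 user=rlee action=view patient=MRN-3310",
]
SAMPLE_ASSIGNMENTS = {"jsmith": {"MRN-1042"}, "rlee": {"MRN-1042", "MRN-1077"}}
SAMPLE_WORKFORCE = {"MRN-2001": "bkhan"}  # bkhan is a coworker who is also a patient


def sample_alerts() -> List[Alert]:
    """Run the review over the constructed sample; expected: two alerts."""
    return review_access_log(SAMPLE_LOG, SAMPLE_ASSIGNMENTS, SAMPLE_WORKFORCE)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a.ts} {a.user} -> {a.patient}: {a.reason}")
```

In the sample, jsmith's second access hits a coworker's record with no assignment and rlee's last access hits a record nobody assigned to them; both are flagged, and the two accesses that match an assignment pass silently. Whatever the real schema, the assignment table is the piece that has to exist for the log to be reviewable at all.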

- Use difficult-to-break passwords.
- Never share your password with another person.
- Change your password often.
- Use a password-protected screensaver.
- Log off from all electronic record applications (e.g., the electronic medical record system) before walking away from the computer.
- Secure all electronic records using encryption.
- Call technical support to set up secure electronic systems.
- Do not save any PHI on portable electronic devices such as laptop computers, flash/thumb drives, electronic tablets, etc.; if any of these are stolen, notify your supervisor immediately.

Covered Entities and individuals can be penalized for violating HIPAA:
- Up to $1.5 million (per HIPAA violation per year);
- Criminal fines of $250,000 and up to 10 years imprisonment.
NOTE: Individuals (this means you!) can be subject to criminal prosecution, fines and imprisonment.

Part 2 protects all information about any person who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program. See 42 CFR 2.11 (definition of a "patient"). Information is subject to the Privacy Rule if it is individually identifiable information created, received, or maintained by the covered entity.

Former patients and deceased patients are protected under both Part 2 and the Privacy Rule. See 42 CFR 2.11 and 2.15 and 45 CFR 164.501 and 164.502(f). Programs should generally continue to follow Part 2, but note that PHI received before a patient applies to a program is protected under the Privacy Rule.

Elements of a Part 2 consent form:
- Name or general designation of the program or person permitted to make the disclosure;
- Name or title of the individual or name of the organization to which disclosure is to be made;
- Name of the patient;
- Purpose of the disclosure;
- How much and what kind of information is to be disclosed;
- Signature of the patient (and, in some States, a parent or guardian);
- Date on which the consent is signed;
- Statement that the consent is subject to revocation at any time except to the extent that the program has already acted on it; and
- Date, event, or condition upon which the consent will expire if not previously revoked.

Part 2 permits programs to disclose limited information to law enforcement officers. Such disclosures must be directly related to crimes and threats to commit crimes on program premises or against program personnel. The Privacy Rule permits programs to disclose to law enforcement officials PHI that the program believes in good faith constitutes evidence of a crime that occurred on the program's premises.

Part 2 requires that programs notify patients that Federal law and regulations protect the confidentiality of alcohol and drug abuse patient records and give them a written summary of the regulations' requirements. See 42 CFR 2.22. The Privacy Rule requires that patients be given a notice of the program's privacy practices as well as their rights under the Privacy Rule. See 45 CFR 164.520. Programs subject to both rules can combine their requirements into a single notice.

Promptly return to the patient (if feasible) or dispose of (in accordance with the organization's destruction procedures) any health information that is not used or not solicited. Consider developing policies and procedures that confine the ability to request health information from external sources, and to place such information in the patient's record, to specified staff or personnel.

Collaborate with clinicians to develop procedures for identifying external information that has been used in patient care. Once identified as such, provisions should be made for including this in the patient's record, whether paper or electronic. Within the record, consideration should be given to filing or indexing the external information under a separate tab or section of the electronic or paper record developed for this purpose. Review state statutes that may require inclusion of external information.

Develop written policies and procedures, as well as staff training for clinical users, that address the use of external information. Train HIM staff on procedures related to redisclosure of health information. Identify the records the organization believes individuals have the right to access and amend under state and federal laws and regulations.

Apply HIPAA's pre-emption standards where individuals' rights to access and amend are not the same under other federal or state laws and regulations.

Subpoenas and court-ordered disclosures: Part 2 permits programs to release information in response to a subpoena if the patient signs a consent permitting release of the information requested in the subpoena. When the patient does not consent, Part 2 prohibits programs from releasing information in response to a subpoena, unless a court has issued an order that complies with the rule. See 42 CFR Part 2, Subpart E. Subpart E sets out the procedure the court must follow, the findings it must make, and the limits it must place on any disclosure it authorizes.

The Privacy Rule permits a program to disclose PHI pursuant to a subpoena without a prior written authorization if it receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to ensure that the individual has been given notice of the request for PHI and the opportunity to object, or that reasonable efforts have been made to secure a qualified protective order. See 45 CFR 164.512(e)(1)(ii). The Privacy Rule has different requirements regarding court orders, but programs can comply with both Part 2 and the Privacy Rule by continuing to follow Part 2's court-order requirements. Unless the disclosure requires authorization under the Privacy Rule, the Part 2 consent form can be used.

Part 2 permits programs to comply with State laws that require the reporting of child abuse and neglect. See 42 CFR 2.12(c)(6). The Privacy Rule also permits such reporting. See 45 CFR 164.512(b)(1)(ii). However, Part 2 limits programs to making only an initial report; it does not allow programs to respond to follow-up requests for information or to subpoenas, unless the patient has signed a consent form or a court has issued an order that complies with the rule. Programs should continue to follow the rules established by Part 2.