PART THREE


Page 1 NC DHHS HIPAA PMO - PowerPoint PPT Presentation



PART THREE. Use and Disclosure - Consent or Authorization Not Required (continued). Judicial / Administrative Proceedings. Court Order / Subpoena. Covered health care components may disclose PHI in a judicial or administrative proceeding


PowerPoint Slideshow about 'Page 1 NC DHHS HIPAA PMO' - tammy


Presentation Transcript
PART THREE

Page 1NC DHHS HIPAA PMO

Court Order / Subpoena
  • Covered health care components may disclose PHI in a judicial or administrative proceeding
    • In response to a court order or order by administrative law judge if the request specifically authorizes the disclosure of PHI and the component discloses only the information requested

or

    • In response to subpoena, discovery request or other lawful process (not accompanied by order noted above) if the component receives satisfactory assurance from party seeking PHI (‘requestor’) that the following reasonable efforts have been made

Reasonable Efforts
  • Requestor needs to
    • Ensure client has been given notice via a written statement and accompanying documentation that
      • Requestor has attempted to provide written notice to client (if client location is unknown, sent to last known address); and
      • Notice included sufficient information about the litigation or proceeding to permit client to raise an objection to the court; and
      • Time allowed for client to raise objections has elapsed and no objections were filed or, if filed, have been resolved by the court and disclosures requested are consistent with the resolution
    • Secure a qualified protective order by receiving from requestor a written statement and accompanying documentation that
      • Parties to the dispute have agreed to qualified protective order and have presented it to the court with jurisdiction over the dispute; or
      • Requestor has requested a qualified protective order from the court

Qualified Protective Order
  • Qualified Protective Order
    • Prohibits parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which the PHI was requested; and
    • Requires
      • Return of the PHI to the covered health care component; or
      • Destruction of the PHI (including all copies made) at the end of the litigation or proceeding

Component Initiates
  • Covered health care components may disclose PHI in a judicial or administrative proceeding (cont’d)
    • In response to subpoena, discovery request or other lawful process (not accompanied by order noted above) if the component does not receive satisfactory assurance from party seeking PHI (‘requestor’) if the component
      • Makes reasonable efforts to provide notice to the client; or
      • Seeks a qualified protective order
    • Best Practices
      • Place responsibility on requestor unless requestor does not know how to contact client and component has the information
      • Component could obtain authorization from client
      • PMO needs to work with AOC on court forms
  • Change in Current Practice - submission of client records to clerk of court before trial

Law Enforcement

Reporting to LEOs
  • Pursuant to Process/Otherwise Required by law - Covered health care components may disclose PHI to law enforcement officials as required by law:
    • Excludes reporting of abuse covered earlier
    • Reporting of wounds or physical injuries (e.g., gunshot wounds)
    • To comply with
      • Court-ordered warrant, subpoena, or summons issued by a judicial officer; or
      • Grand jury subpoena; or
      • Administrative subpoena or summons, civil or authorized investigative demand, or similar process authorized by law if
        • PHI sought is relevant and material to a legitimate law enforcement inquiry; and
        • The request is specific and limited in scope based upon purpose for which it is sought; and
        • De-identified information cannot be reasonably used

Identification and Location Purposes
  • Covered health care component may disclose the following limited PHI in response to LEO request for purpose of identifying or locating a suspect, fugitive, material witness, or missing person
    • Name and address
    • Date and place of birth
    • SSN
    • ABO Blood type and rh factor
    • Type of injury
    • Date and time of treatment
    • Date and time of death, if applicable; and
    • Distinguishing physical characteristics (e.g., health, weight, gender, race, hair and eye color, facial hair, scars and tattoos)
    • Does not include DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue unless it relates to above information (e.g., blood type derived from DNA analysis)

Identification and Location Purposes
  • Under Mental Health laws, could disclose this type of information when clients escape from a facility but not to locate a suspect
    • Information disclosed on escapees will have to conform to HIPAA requirements
  • Under 42 CFR, Part 2, most of these types of disclosures are specifically prohibited

Victims of a Crime
  • Covered health care component may disclose PHI in response to LEO request about an individual who is or is suspected to be a victim of a crime
    • Exclusive of abuse reporting
    • Client must agree to the disclosure
    • If client unable to agree due to incapacity or other emergency circumstance and
      • LEO represents the following
        • PHI is needed to determine if violation of law by person other than client has occurred and information will not be used against the victim; and
        • Law enforcement activity would be materially and adversely affected by waiting till client is able to agree to disclosure; and
      • Covered health care component, in exercise of professional judgement, determines disclosure is in best interest of client

Crime on Premises
  • Covered health care component may disclose PHI to LEO when
    • a crime has occurred on the component’s premises
    • component believes in good faith that the PHI will provide evidence of the client’s criminal conduct
    • Example - Assault of staff member by a client including gathering information from other clients who witnessed the assault

Reporting Crime in Emergencies
  • Not on covered health care provider’s premises and not related to abuse reporting
    • Covered health care provider provides emergency healthcare in response to medical emergency
    • May disclose PHI to LEO if such disclosure is necessary to alert law enforcement to
      • Commission and nature of a crime;
      • Location of such crime or the victims of such crime; and
      • Identity, description, and location of perpetrator of crime
    • Example - Clients from John Umstead Hospital who were involved in fatal auto accident

Decedents

Medical Examiners/Funeral Directors
  • Covered health care component can disclose PHI to coroners and medical examiners (or use PHI if component performs coroner or medical examiner duties), for
    • Identification of a deceased person
    • Determining cause of death
    • Other duties as authorized by law
    • In NC, Office of Medical Examiner is not a covered health care component
  • Covered health care component can disclose PHI to funeral directors
    • Consistent with applicable law
    • To carry out their duties with respect to decedent
    • Prior to and in reasonable anticipation of death (e.g., pre-pay burial arrangement)
    • Example - inform funeral director when client is HIV positive

LEO
  • Covered health care component may disclose PHI about deceased client to LEO when there is suspicion that death may have resulted from criminal conduct
    • Examples - Suicide reporting; Client beat to death by another client

WAKE UP!!!!

Organ Transplants

Organ Transplants
  • Covered health care component may disclose PHI
    • To organ procurement organizations engaged in procurement, banking or transplanting of cadaveric organs, eyes or tissue
    • In order to facilitate donation or transplantation

Avert Serious Threat to Health or Safety - Can Disclose PHI
  • Covered health care component may, in good faith, use or disclose PHI
    • Disclose PHI in Good Faith
      • Based upon covered health care component’s actual knowledge, or
      • Based on knowledge of credible person (e.g., EMS)
    • When consistent with
      • Applicable law
        • Example - Mental Health laws in NC allow these disclosures
      • Standards of ethical conduct
    • When necessary to prevent or lessen serious and imminent threat to health or safety of a person (or public)
      • Disclosure is made to person(s) who can reasonably lessen the threat including target of threat
      • Example - During an outpatient therapy session, a client states they intend to kill their spouse

Avert Serious Threat to Health or Safety - Can Disclose PHI
  • Covered health care component may, in good faith, use or disclose PHI (cont’d)
    • Necessary for law enforcement authorities to identify or apprehend an individual
      • Because of a statement by an individual admitting participation in a violent crime and component reasonably believes crime may have caused serious physical harm to victim
        • Component can only release the ‘statement’
        • PHI is limited to information for Identification and Location Purposes previously outlined under disclosures for law enforcement - Limited Information for Identification and Location Purposes; or
      • Appears individual has escaped from correctional institution or lawful custody

Avert Serious Threat to Health or Safety - Can’t Disclose PHI
  • Covered health care component may NOT disclose PHI to avert serious threat to health or safety when information is learned by component
    • In course of treatment to prevent the tendency to commit criminal conduct
      • Example - pyromaniac in treatment, can’t disclose a statement made during treatment that he wants to burn a particular building
    • Client is seeking treatment to prevent the tendency to commit criminal conduct

Military and Veteran Activities
  • Covered health care component may use or disclose PHI of clients in Armed Forces
    • For activities deemed necessary by military command authorities to execute military mission
    • If military authority has published a notice in the Federal Register containing
      • Military command authorities; and
      • Purposes for which PHI may be used or disclosed
      • Recommendation - military needs to specify where information is published in the register
    • For foreign military personnel to the appropriate foreign military authority under same conditions noted above
    • Other requirements related to separation or discharge from military service or veterans do not relate to DHHS

National Security
  • Covered health care component may disclose PHI for conduct of lawful
    • Intelligence
    • Counterintelligence
    • Other national security activities authorized by National Security Act and implementing authority (e.g., Executive Order 12333)
    • Recommendation - consult Attorney General’s Office prior to disclosure

Protective Services
  • Covered health care component may disclose PHI to authorized federal officials for provision of protective services to
    • President or other persons authorized by 19 U.S.C. 3056
    • Foreign heads of state or others authorized by 22 U.S.C. 2709(a)(3)
    • Conduct of investigations authorized by 18 U.S.C. 871 and 879
    • Recommendation - consult Attorney General’s Office prior to disclosure
    • Change in current practice - do not have to show a perceived threat to health or safety

Corrections/Lawful Custody
  • Covered health care component may disclose PHI to
    • Correctional institution (e.g., prison, jail, reformatory, detention center, halfway house, residential community program center) or
    • LEO having lawful custody of inmate or other individual (e.g., sheriff deputy transporting client to Dorothea Dix Hospital for pre-trial or individual found to be NGRI)

Corrections/Lawful Custody
  • Covered health care component may disclose PHI when disclosure is necessary for
    • provision of health care to inmate/other individual (e.g., diabetic client);
    • health and safety of inmate/other individual or other inmates;
    • health and safety of officers or employees/others at correctional institution;
    • health and safety of inmate/individual and officers or other persons responsible for transporting inmates (e.g., HIV positive);
    • law enforcement on correctional institution premises; and
    • administration and maintenance of safety, security and good order of correctional institution

Corrections/Lawful Custody
  • Covered health care component that is a correctional institution may use PHI of inmates for same purposes noted previously
  • Individual is no longer an inmate when released on parole, probation, supervised release, or no longer in lawful custody
  • Need to evaluate against disclosures permitted under 122C between MH/DD/SA facilities and DOC

Government Health Plans
  • Covered HEALTH PLANS that are government programs providing public benefits (e.g., DMA)
    • May disclose PHI relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits (e.g., DSS)
    • If sharing of eligibility or enrollment information or
    • Maintenance of such information in data system accessible to the government agencies
    • Is required or expressly authorized by statute or regulation
    • Limits PHI to eligibility and enrollment purposes
    • Provides balance between need for efficient administration of public programs and public funds and individual privacy
    • Example - Section 1137 of Social Security Act requires programs like Social Security, Medicaid, Food Stamps, etc. to participate in joint income and verification system

Government Programs
  • Covered health care components that are government agencies administering government programs providing public benefits (e.g., Medicaid)
    • May disclose PHI related to the program to another covered health care component that is a government agency administering a government program providing public benefits (e.g., Health Choice)
    • If the programs serve the same or similar populations and
    • Disclosure of PHI is necessary
      • to coordinate covered functions of such programs or
      • to improve administration and management relating to the covered functions of such programs
    • In NC, Medicaid and Health Choice are administered by same covered health care component (DMA)

Workers Compensation

State Car Bites the Dust

Workers Compensation
  • Workers Compensation programs are not covered under HIPAA
    • No requirement to use standard transactions or code sets
    • Disclose PHI in accordance with workers compensation laws

Research

Research Without Client Authorization
  • Covered health care component may use or disclose PHI for research provided:
    • Component obtains documentation that an alteration to or waiver of authorization has been approved by either
      • Institutional Review Board (IRB) established in accordance with federal law

or

      • Privacy Board

Privacy Board
  • Privacy Board
    • has members with varying backgrounds and appropriate professional competency
    • reviews effect of research protocol on client’s privacy rights and related interests
    • includes at least one member
      • not affiliated with component
      • not affiliated with entity conducting/sponsoring research
      • not related to any person affiliated with such entities
    • members do not have conflict of interest

Documentation - Alteration to or Waiver of Authorization
  • Documentation that an alteration to or waiver of authorization includes
    • Statement identifying IRB or Privacy Board
    • Date alteration or waiver of authorization was approved
    • Brief description of PHI for which use or access has been determined to be necessary by IRB or Privacy Board
    • Statement that alteration or waiver of authorization has been reviewed and approved
      • IRB must follow requirement of Common Rule (45 CFR 46)
      • Privacy Board must review proposed research at properly convened meetings
    • Must be signed by IRB or Privacy Board chair or other member, as designated by chair

Documentation - Alteration to or Waiver of Authorization
  • Statement that IRB or Privacy Board has determined the alteration or waiver of authorization satisfies the following
    • Involves no more than minimal risk to clients
    • Will not adversely affect privacy rights and welfare of clients
    • Could not practicably be conducted without alteration/waiver
    • Could not practicably be conducted without access to PHI
    • Privacy risks to clients are reasonable in relation to
      • anticipated benefits to clients
      • importance of knowledge that may be expected to result from research
    • Adequate plan to protect identifiers from improper use/disclosure
    • Adequate plan to destroy identifiers at earliest opportunity
      • unless health or research justification or otherwise required by law
    • Written assurances that PHI will not be reused or disclosed

Research on Decedent’s PHI
  • Covered health care component obtains the following from researcher
    • Use or disclosure is sought solely for research on PHI of decedents
    • Documentation of client’s death
      • if requested by covered health care component
    • PHI is necessary for research purposes

Researcher Representation
  • Representation from researcher either orally or in writing that
    • Use or disclosure is sought solely to review PHI to
      • prepare a research protocol or
      • similar purposes preparatory to research
    • PHI will not be removed from the covered component by the researcher, and
    • PHI is necessary for research purposes
      • e.g., to design a research study or to assess feasibility of conducting a study

"Normally, I'd discuss your condition with these first-year residents, but because of confidentiality restrictions, all I can really tell them is that you're a shoo-in for an invasive procedure."

Cartoon by Dave Harbaugh

Use and Disclosure - Requiring an Opportunity for the Client to Agree or Object

Verbal Agreement Required
  • Under HIPAA, verbal agreement of client is required
    • For directory information (previously covered)
    • For disaster relief purposes
      • To public or private entity authorized to assist in disaster relief (e.g., state response team during Hurricane Floyd; American Red Cross)
      • Determination made that requirements for verbal agreement do not interfere with ability to respond to emergency circumstances
    • For providing client’s PHI related to current condition to those assisting in client’s care/notifying them of client's status
      • Disclosure to family members, friends, others identified by client
      • Provide only the PHI relevant to the person’s involvement with client’s care or payment
        • e.g., family member taking care of post op patient does not need to know entire client history

Verbal Agreement Possible
  • If client is able, health care provider uses or discloses information if:
    • Client agrees
    • Client is given opportunity to object to the disclosure and does not object
    • Reasonably infers client agreement based on professional judgement
      • Client asks friend to remain during a physician visit

Verbal Agreement Not Possible
  • If client not able (e.g., incapacitated or emergency situation) or not present, health care provider uses or discloses PHI directly relevant to person’s involvement if:
    • Client previously expressed preference and provider not aware of reasons not to disclose
      • May have system ‘flag’ indicating previous agreement
    • Based upon professional judgement of component, disclosure is in the best interest of the client
      • In cases of abuse, may not be in client’s best interest
    • When client condition improves, component pursues verbal agreement

Verbal Agreement Documentation
  • Not specified in HIPAA Regulations
  • Best Practice - Document in client record

Verification of Requestor
  • Prior to disclosing PHI, covered health care component must verify
    • identity of person requesting the information
    • authority of requestor to have access to the PHI

Verification of Requestor
  • When identity is not known, component must obtain any documentation, statements, or representations from requestor
    • Can be oral or written
    • May include
      • administrative subpoena or summons
      • civil or authorized investigative demand
      • similar process authorized under law
        • PHI is relevant and material to LEO inquiry
        • Specific and limited in scope
        • De-identified information cannot be reasonably used
      • IRB waiver appropriately dated and signed

Verification of Requestor
  • When disclosure is to public official or person acting on behalf of public official
    • For requests in person, require presentation of
      • Agency ID badge
        • DHHS issue - oversight agencies need to provide staff with ID badges
      • Other official credentials
      • Other proof of government status
    • Written requests are on government letterhead
    • For persons acting on behalf of public officials
      • Written statement on government letterhead that person is acting under government’s authority
      • Other evidence
        • Contract for services
        • MOU
        • Purchase Order

Marketing - What it is

Public Health Rocks

  • Communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service


Public Health Rocks

Marketing - What it isn’t
  • Provider describing its own service
  • Network describes services offered by providers or plans in the network
    • health plan preferred providers or new pharmacy accepting drug coverage
  • Health plan describes its own benefits
  • Covered health care component uses PHI to tailor a health-related communication to the client when such communication is
    • part of treatment
    • managing treatment or recommending alternative treatment
      • Reminders for appointments, prescription refills, etc.


Public Health Rocks

Authorizations for Marketing
  • Authorization required for
    • Sale or transfer of client list
    • Direct marketing
  • Authorization required for marketing except when using or disclosing PHI to make a marketing communication to a client that
    • Occurs in a face-to-face encounter with the client
    • Concerns products or services of nominal value
      • Drug sample provided to patient by physician
      • Items of nominal value, pens, sticky notes, etc.
    • Concerns health-related products and services of component or a third party under certain conditions
      • Doubt applicable in DHHS

Fundraising

$100 million raised to support Medicaid

Fundraising
  • Covered health care component may use, or disclose the following PHI to a business associate or to an institutionally related foundation without authorization for the purpose of raising funds for its own benefit
    • demographic information relating to a client
    • dates of health care provided to a client
  • Must include statement in Notice of Privacy Practices that component will use PHI as permitted for fundraising purposes
  • Include ‘opt out’ option in fundraising materials sent to clients and make reasonable efforts to implement opt out capabilities


QUESTIONS? Next: Minimum Necessary and Accounting of Disclosures

Minimum Necessary

Minimum Necessary
  • The key is to balance the privacy of health information against the need for information

Component’s need for the information (for use, disclosure or release)

Privacy Rights of Client

Minimum Necessary
  • When
    • Using Protected Health Information
    • Disclosing Protected Health Information
    • Requesting Protected Health Information

Make reasonable efforts to limit PHI to “minimum necessary” to accomplish the purpose.

  • Do not disclose more than is necessary
  • Can you de-identify the information and still accomplish the purpose?
  • Never send the entire medical record unless absolutely necessary!

Minimum Necessary - Exceptions
  • Minimum Necessary standard does not apply to:
    • Disclosure to or request by a health care provider for treatment purposes
      • Minimum necessary applies to ‘P’ and ‘O’ (of TPO)
    • Disclosures to the client who is the subject of information
      • Access to client can be limited
    • Uses or disclosures authorized by client
      • Client authorizes disclosure of specific PHI to life insurance company - disclose what is authorized
    • Uses or disclosures required for compliance with standard transactions
      • e.g., if standard transaction requires diagnosis code, must send
    • Disclosures to HHS for compliance/enforcement activities
    • Uses or disclosures required by other law
      • e.g., abuse reporting

Minimum Necessary - Use
  • For uses of PHI, covered health care component must make reasonable efforts to identify
    • Persons or classes of persons (e.g., admission clerks) in workforce who need access to PHI to perform job
    • For such persons,
      • Category(ies) of PHI where access to PHI is needed (e.g., pre-admit, admit, patient inquiry functions) and
      • Any conditions appropriate to such access (e.g., inpatients only; clients on particular ward)
    • These determinations are dictated by the covered health care component and must be documented
      • Policies and procedures
      • Role-based access for system security

Minimum Necessary - Disclosure
  • For disclosures of PHI, covered health care component must determine if the disclosure is
    • Routine
    • Non-routine
  • Routine disclosures: develop policies/procedures
      • That limit PHI disclosed to amount reasonably necessary to achieve purpose of the disclosure
      • Example - Procedures that specify standard protocol for type of information to be disclosed and to whom
  • Non-routine disclosures: establish criteria
      • To that reasonably necessary to accomplish purpose; and
      • Review requests on individual basis based on criteria
      • Example - Criteria for abuse reporting

Minimum Necessary Judgment Disclosures
  • For disclosures of PHI, covered health care component may assume requestor has applied the minimum necessary standard when
    • Making disclosures to public officials where consent or authorization is not required
      • e.g., State Auditor has right of access to data needed to perform specific purpose of audit
    • PHI is requested by another covered entity
      • e.g., Medicaid needs additional information about a client’s surgery (disclose information relevant to surgery only)

Minimum Necessary Judgment Disclosures (cont)
  • For disclosures of PHI, covered health care component may assume requestor has applied the minimum necessary standard when (cont)
    • PHI is requested by professional who is member of workforce or Business Associate of component
      • For purpose of providing professional services to the component (e.g., Controller’s Office is serving on a mock accreditation committee and needs access to PHI not normally used)
    • Person requesting PHI for research purposes
      • Research documentation from IRB or Privacy Board specifies extent of PHI needed

Minimum Necessary - Requests
  • For requests for PHI from other covered entities, the requestor is responsible for determining what is reasonably necessary
    • Routine/recurring requests: develop policies and procedures that limit PHI requested to the amount reasonably necessary to accomplish purpose for which request is made
      • (e.g., EMS needs specific information to satisfy billing requirements - they need policy on what is needed for recurring requests)
    • Non-routine requests: review each request to determine that PHI sought is limited to information reasonably necessary to accomplish purpose for which request is made
      • (e.g., Privacy Officer or designee may need to review all requests to determine if minimum necessary standard is met)

Minimum Necessary Guidance on Reasonableness
  • Selective copying of portions of a medical record when practical to do so
  • Configure health information system to allow selective access to only certain fields (e.g., field level security)
    • In sophisticated computer systems, employees have access to limited fields in client records while other employees have access to complete record

Minimum Necessary Guidance on Reasonableness (cont)
  • Components with primarily paper medical records are not expected to implement same restrictions on access
    • (e.g., on system can limit access to staff, but if information needed for billing is not on system, staff may need to review the medical record or implement procedure for extracting needed data)
  • Policies and procedures must be in place to govern requests and disclosures of entire medical record
    • Presumptive violation of privacy rule if entire medical record is disclosed or requested without justification

Minimum Necessary Policies and Procedures
  • Policies and procedures must:
    • Identify who needs what information and when to carry out their job duties
    • Define for routine or recurring requests minimum necessary for that particular type of request
    • Develop reasonable criteria for determining minimum necessary for non-routine disclosures
    • Define when the entire medical record is required for what purposes and provide a justification
      • e.g., Physicians, Nurses and other Treatment Team members will have access to entire medical record in order to effectively carry out treatment responsibilities

Minimum Necessary Getting Started
  • Study the Minimum Necessary Standard
  • Evaluate where, when, and how PHI is used, requested and disclosed
  • Evaluate needs of staff and determine amount of information needed by categories of staff in order to perform their jobs
  • Develop policies and procedures
  • Educate and train staff
  • Monitor compliance

Accounting of Disclosures
  • Prior to HIPAA, current practice usually tracked release of information through logs maintained in the Medical Record Department
  • Under HIPAA, covered health care components are required to track certain disclosures of protected health information
  • Tracking Information must be maintained for at least six years

Accounting of Disclosures - Client Right
  • A Client has right to receive a written accounting of disclosures of their PHI made by a covered health care component in the six years prior to the date on which the accounting was requested.
  • A Client may request an accounting for a period of time that is less than six years.
  • Disclosures are not limited to hard copy information but include any manner that divulges information, including verbal release.
  • Includes disclosures to and by Business Associates

Accounting of Disclosures - Exceptions
  • Not all disclosures require tracking or need to be accounted for upon request of a client.
  • Accounting of Disclosures does not apply to disclosures:
    • For TPO
    • To Clients
    • For facility directory or persons involved in client’s care
    • For national security or intelligence purposes
    • To correctional institutions or law enforcement officials
    • That occurred prior to compliance date

Accounting of Disclosures - May be Suspended
  • Right can be temporarily suspended for disclosures to health oversight agency or law enforcement officials
    • when they provide written statement
      • that such accounting could impede their activities
      • specify time suspension is required
    • when they provide oral request, covered component must
      • document oral statement including identity of agency or official making request
      • temporarily suspend subject to oral statement
      • limit temporary suspension to no more than 30 days from date of oral statement unless written statement is provided

Content of the Accounting of Disclosures
  • Date of disclosure
  • Name (and address, if known) of entity or person who received the PHI
  • Brief description of the PHI disclosed
  • Brief statement on purpose of the disclosure
    • or copy of written authorization
    • or copy of written request for disclosure
  • Multiple disclosures to same entity/person

Content of the Accounting - Multiple Disclosures to Same Entity
  • Multiple disclosures of PHI to same person or entity for single purpose or pursuant to single authorization require additional documentation:
    • Accounting includes first disclosure during accounting period
    • Frequency, periodicity or number of disclosures made during accounting period
    • Date of last such disclosure during accounting period

Accounting of Disclosures - Responsibilities
  • Must act on client’s request for accounting
    • no later than 60 days after receipt of request
    • if unable to provide in 60 days, entity may extend no more than 30 days
      • must provide client with written statement of reasons for delay
      • must provide date accounting will be provided
  • Must provide first accounting to client in any 12 month period at no charge
    • May impose reasonable fee for subsequent requests during 12 month period provided
      • client informed in advance of the fee
      • client is given opportunity to withdraw or modify the request

Accounting of Disclosures - Documentation
  • Covered health care component must document and retain:
    • Information required to be in an accounting of disclosures
    • Written accounting provided to client
    • Titles of persons or offices responsible for receiving and processing accounting requests

Accounting of Disclosures - Tracking Options
  • A covered health care component may choose the best method to track disclosures.
  • Possible options include:
    • Computerized tracking system
      • This method would provide the ability to sort by individual and date
      • Using a network allows multiple staff to enter disclosures into one location
    • Manual log
      • One log per client would be required
      • All staff would be required to use the same paper trail
    • Authorization form
      • Need to include correct language on form
      • Requires another tracking system for disclosures that do not require authorization

Accounting of Disclosures - Getting Ready
  • Review state laws, regulations and standards to determine other requirements for tracking
  • Determine the best method for collecting the information
  • Determine if a manual or computerized log will be maintained
  • Establish process
  • Develop policies and procedures
  • Train staff


QUESTIONS? Next: Business Associates

BREAK - 15 Minutes
