1 / 31

Privacy and Security/Consent Management—42 CFR Part 2 FAQs and Compliance

Privacy and Security/Consent Management—42 CFR Part 2 FAQs and Compliance. Kenneth Salyards Special Health Information Technology Expert Substance Abuse and Mental Health Services Administration. SAMHSA’S STRATEGIC INITIATIVES. SAMHSA’s Strategic Initiative - Health IT.

Download Presentation

Privacy and Security/Consent Management—42 CFR Part 2 FAQs and Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Privacy and Security/Consent Management—42 CFR Part 2 FAQs and Compliance Kenneth Salyards Special Health Information Technology Expert Substance Abuse and Mental Health Services Administration

  2. SAMHSA’S STRATEGIC INITIATIVES

  3. SAMHSA’s Strategic Initiative - Health IT • Goal: Widespread Implementation of HIT Systems that Support Quality Integrated Behavioral Health Care for All Americans • Ensure that behavioral health provider networks fully participate in the adoption of Health IT • Support the behavioral health aspects of HIT based on the standards and systems promoted by the Office of the National Coordinator for Health IT • Support linkage with systems relevant to behavioral health that support prevention, treatment, wellness and recovery (Criminal justice, HUD, education, public health, recovery oriented systems of care, and other human services)

  4. Integrated Behavioral Health Care Outcomes Evidence-Based Practice Employment/ Education Systems of Care Business Community Addictions Reduced Criminal Involvement Cost Effectiveness Child Welfare Services & Supports Mental Health Peer Support Alcohol/Drug Tribes/Tribal Organizations Housing/ Transportation Mental Health Primary Care Community Individual Family Child Care Housing Health Care Wellness Recovery Financial Mutual Aid Vocational Employment Educational Education Stability in Housing Community Coalitions Perception Of Care DoD & Veterans Affairs Indian Health Service Spiritual Civic Organizations Legal Case Mgt Criminal Justice Private Health Care Abstinence Retention Bureau of Indian Affairs Organized Recovery Community Human Services Access/Capacity Social Connectedness Health Ongoing Systems Improvement

  5. Health Information Exchange Specialty Care EHR Primary Care Hospitals EHR EHR Clinics EHR Pharmacies EHR NwHIN HIE Labs EHR Health Plans Claims PHR Data Systems Patients Public Health Agency

  6. Privacy Regulations

  7. Privacy Regulations • Not meant to prevent information sharing but to set the standards for how to share • Federal laws are a baseline, states may adopt more strict regulations • Most states have laws that are stricter than HIPPA, few have laws that are stricter than Part 2 • State laws vary widely, presenting challenges for developing unified policy solutions or solutions that work across states, also difficult for technology vendors to develop functionality

  8. Why Confidentiality? • Reduction of stigma • Fostering trust • Preserving privacy • Encouraging help-seeking behavior • It is an important, but not absolute, legal and ethical principle • Balance between a patients legitimate desire to maintain privacy of sensitive information and permitting sharing of information that will improve treatment or public health or safety

  9. Critical Privacy Questions • Federal and state regulations provide the ground rules. Careful analysis determines how the rules are applied to ensure effective treatment of substance use and mental health disorders. • Who needs what information when? • Who determines who needs what Information when? • How should psychotherapy notes and other ultra-sensitive information be treated? • How should HIT systems be designed to control disclosure and re-disclosure of sensitive information

  10. 42 CFR Part 2 • Confidentiality of Alcohol and Drug Abuse Patient Records • The purpose of the statute and regulations prohibiting disclosure of records relating to substance abuse treatment, except with the patient's consent or a court order after good cause is shown, is to encourage patients to seek substance abuse treatment without fear that by doing so their privacy will be compromised. Source: State of Florida Center for Drug-Free Living , Inc.,842 So.2d 177 (2003) at 181.

  11. 42 CFR Part 2 • Applies to: Federally funded individual or entity that “holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or treatment referral” • Unit within a general medical facility that holds itself out as providing diagnosis, treatment or treatment referral

  12. Who must follow 42 C.F.R Part 2? “Holds itself out” as providing alcohol/drug related services: Regulations do not specify, but could be: • State licensing procedures • advertising or posting notices in office • certifications in addiction medicine • listings in registries • internet statements • consultation activities for non- Part 2 “program” practitioners • information given to patients/families • any activity that would lead one to reasonably conclude – provides these services

  13. 42 CFR Part 2 • Patient consent must be obtained before sharing information from a substance abuse treatment facility that is subject to 42 CFR Part 2 • Disclosure: • “A communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the record of a patient…” (42 CFR 2.11) • Even acknowledging that an individual is (or was) a patient at a Part 2 facility is a breach of the regulations Source: 42 CFR Part 2

  14. Restrictions on Redisclosure and Use • Notice of the Prohibition on redisclosure must be included in all disclosures: • “This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR Part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.” Source: 42 CFR Part 2

  15. Who must follow 42 C.F.R Part 2? • “federally assisted” • Gets federal funding – even if not for alcohol/drug abuse services; • Tax exempt by the I.R.S. • Receives Medicaid or Medicare reimbursement • Authorized, licensed, certified, or registered by Federal government • Registered with DEA to dispense controlled substances

  16. Consent Requirements • Patient’s name • The purpose of disclosure • Name/designation of the program that is being authorized to make the disclosure • Name/designation of program(s) authorized to receive the disclosure • Kind and amount of information authorized to be disclosed • Date signed • Statement that the consent is revocable at any time except to the extent that action has already been taken in reliance on it • Expiration date, event, or condition • Required signatures • Consent must be written, can be electronic

  17. Consent Forms: Purpose and Extent • Consent form must state the purpose for which information can be disclosed AND how much and what kind of information is to be disclosed. • Consent form must limit the amount of information to be disclosed to the minimum amount necessary to accomplish the purpose. • the purpose or need for the communication of information should be considered first, and then that can be used to determine how much information will be disclosed.

  18. Consent Forms: Expiration • Consent must specify the: • Date, event or condition upon which the consent will expire if not revoked before. • It is NOT permissible for consent to say effective “until consent is revoked.” • Date, event or condition must insure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given.

  19. Requirements for Minors • A minor’s consent is always required for a Part 2 program to disclose patient identifying records unless otherwise permitted by Part 2. • State law governs whether a parent’s or guardian’s consent is also required.

  20. 42 CFR Part 2 • Limited exceptions for disclosure without consent : • Medical emergencies • Child abuse reporting • Crimes on program premises or against program personnel • Public Health research • Court order • Audits and evaluations • Communications with a qualified service organization of information needed by the organization to provide services to the program Source: 42 CFR Part 2

  21. Qualified Service Organization Agreements • The 42 CFR Part 2 on disclosure in the regulations do not apply to communications between a program and a qualified service organization of information needed by the organization to provide services to the program. Source: 42 CFR § 2.12 (c)(4)

  22. Research & audit-evaluation • Part 2 programs may disclose patient-identifying information without consent to: • Researchers – but they are prohibited from using it for any other purpose or redisclosing it except back to the program (any report issued may not identify patient identities), and • Persons or organizations authorized to do an audit or evaluation. • may only use the information for audit/evaluation and • redisclose only – • back to program, • pursuant to court order to investigate/prosecute the program (not a patient) or • Government agency overseeing Medicare or Medicaid audit/evaluation

  23. 42 CFR Part 2 FAQs • To help providers in the behavioral health field better understand privacy issues related to Health IT, SAMHSA, in collaboration with ONC has created two sets of Frequently Asked Questions (FAQs). • These FAQs can be accessed at: http://www.samhsa.gov/healthprivacy/docs/EHR-FAQs.pdf and • http://www.samhsa.gov/about/laws/SAMHSA_42CFRPART2FAQII_Revised.pdf • Series of webinars by the Legal Action Center on 42 CFR Part 2 http://www.lac.org/index.php/lac/webinar_archive .

  24. Health Insurance Portability and Accountability Act (HIPAA) • Includes both privacy and security requirements for Covered Entities: • Health Care Providers • Health Plans • Health Care Clearinghouses IF they transmit health information electronically in connection with certain covered transactions – generally concerning billing and eligibility

  25. HIPAA • Allows four broad categories of information sharing without a patient’s consent for: • treatment, operations, or payment; • from public health plans to government entities providing public benefits (eligibility and enrollment information only); • by public health authorities to prevent disease; or • among government agencies providing public benefits (for coordination only). • One exception is psychotherapy notes. Consent must be obtained before this information can be shared.

  26. The Security Regulation • Security management • Assigned security responsibility • Workforce security • Information access management • Security awareness and training • Security incident procedures • Contingency plan • Evaluation

  27. State Laws • State laws often provide additional protections for HIV infection, mental health information, genetics, drug and alcohol abuse, minors, domestic violence. • Mental health records are treated as ultra-sensitive in many jurisdictions. • HIT systems have to recognize this variability in state statutes and regulations.

  28. Conclusions • Health IT has the potential to improve behavioral health care through increased efficiency and improved care coordination • HIPAA and 42 CFR Part 2 provide the ability to share protected health information, but it is the responsibility of the organizations to use that information in a way that benefits the health of the individuals • SAMHSA is working to ensure that providers understand the benefits of integrating Health IT into their programs and that they have the training and tools to support their goals

  29. Some Useful Resources • http://www.hipaa.samhsa.gov/download2/SAMHSAHIPAAComparisonClearedPDFVersion.pdf • http://hipaablog.blogspot.com/ • http://www.hhs.gov/ocr/privacy/index.html • http://www.samhsa.gov/healthprivacy/docs/EHR-FAQs.pdf • http://www.samhsa.gov/about/laws/SAMHSA_42CFRPART2FAQII_Revised.pdf

  30. Contact: kenneth.salyards@samhsa.hhs.gov Questions and Comments

More Related