part two n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
PART TWO PowerPoint Presentation
Download Presentation
PART TWO

Loading in 2 Seconds...

play fullscreen
1 / 90

PART TWO - PowerPoint PPT Presentation


  • 78 Views
  • Uploaded on

PART TWO. Authorization. Authorizations. May be client initiated or component initiated Client wants PHI disclosed for life insurance application Social Worker wants to help client apply for disability benefits. Authorization - Content Requirements.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'PART TWO' - malorie


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
part two

PART TWO

Page 1NC DHHS HIPAA PMO

slide2

Authorization

Page 2NC DHHS HIPAA PMO

authorizations
Authorizations
  • May be client initiated or component initiated
    • Client wants PHI disclosed for life insurance application
    • Social Worker wants to help client apply for disability benefits

Page 3NC DHHS HIPAA PMO

authorization content requirements
Authorization - Content Requirements
  • A description of information to be used or disclosed that identifies the information in a specific and meaningful fashion
    • Examples
      • discharge summary
      • laboratory reports
      • clinical assessment reports
      • psychotherapy notes

Page 4NC DHHS HIPAA PMO

authorization content requirements1
Authorization - Content Requirements
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
    • Examples
      • Health Information Management Dept Staff at Dorothea Dix Hospital
      • DPH State Lab personnel
      • Dr. William Smith, Psychiatrist

Page 5NC DHHS HIPAA PMO

authorization content requirements2
Authorization - Content Requirements
  • The name or other specific identification of the person(s), or class of persons, to whom the covered health care component may make the requested use or disclosure
    • Examples
      • Attorneys in law firm of Smith and Jones
      • Johnson Pharmaceuticals - Psychotropic Medication Research Project staff

Page 6NC DHHS HIPAA PMO

authorization content requirements3
Authorization - Content Requirements
  • Expiration date or expiration event that relates to the client or the purpose of the use or disclosure
    • Examples
      • 90 days from date authorization is signed
      • 30 days post discharge

Page 7NC DHHS HIPAA PMO

authorization content requirements4
Authorization - Content Requirements
  • Statement of client’s right to revoke the authorization at any time and exceptions to the right to revoke and description of how client can revoke the authorization
    • must be in writing
    • revocation not effective to extent component has taken action in reliance on authorization
    • revocation not effective in certain circumstances where insurer has right by law to contest a claim under a policy

Authorization

Page 8NC DHHS HIPAA PMO

authorization content requirements5
Authorization - Content Requirements
  • Acknowledge information used or disclosed pursuant to the authorization may be subject to re-disclosure by recipient and no longer protected by HIPAA
  • Signature of client or personal representative and date of the authorization
    • Description of personal representative’s authority to sign for client (e.g., guardian of person)

Page 9NC DHHS HIPAA PMO

authorization content requirements6
Authorization - Content Requirements
  • Electronic signature on authorizations will be acceptable if component adopts electronic signature standards
  • Authorization must be written in plain language
  • Can include additional data elements but they cannot be inconsistent with HIPAA requirements

Page 10NC DHHS HIPAA PMO

authorization content requirements7
Authorization - Content Requirements
  • Advise patient that he can refuse to sign
    • Generally, component may not condition treatment, payment and/or enrollment in a health plan, or eligibility for benefits on signing of authorization by client
      • Exceptions
        • Research related treatment
        • Provision of health care solely for purpose of creating PHI for disclosure to third party (e.g., life insurance physical)
        • Prior to enrollment in health plan if authorization is for eligibility or enrollment determinations
        • Disclosure is needed to determine payment of claim

Page 11NC DHHS HIPAA PMO

authorization content requirements8
Authorization - Content Requirements
  • Additional content requirements when authorization is requested by component for its own use or disclosure
    • Component WILL NOT condition treatment (except for clinical trials), payment and/or enrollment in a health plan, or eligibility for benefits on signing of authorization by client
    • A description of purpose for the request
      • Must provide individuals with the facts they need to make an informed decision whether to allow release of the information

Page 12NC DHHS HIPAA PMO

authorization content requirements9
Authorization - Content Requirements
  • Additional content requirements when authorization is requested by component for its own use or disclosure (cont’d)
    • Statement that client may:
      • inspect or copy information to be disclosed
      • refuse to sign the authorization
    • Statement that covered health care component will receive remuneration (when applicable)
    • Must provide client with signed copy of authorization

Page 13NC DHHS HIPAA PMO

authorization content requirements10
Authorization - Content Requirements
  • Additional content requirements when authorization is requested by component for disclosure by another covered entity
    • Description of purpose of requested disclosure
    • Statement that component will not condition treatment, payment or enrollment in health plan or eligibility for benefits on client signing authorization
      • Unless disclosure necessary to determine payment of claim
    • Statement that client may refuse to sign authorization
    • Must provide client with signed copy of authorization

Page 14NC DHHS HIPAA PMO

authorization required
Authorization Required
  • For disclosures of PHI for specified purposes other than TPO that are not otherwise allowed under the regulations
  • For disclosures to third parties specified by the client
  • For medical research
  • For marketing by third party
  • To use or disclose psychotherapy notes

Page 15NC DHHS HIPAA PMO

when is an authorization invalid
When is an Authorization Invalid?
  • Expiration date has passed or expiration event has occurred
  • Not filled out completely with respect to required elements
  • Revoked by client
  • Authorization form lacks a required element
  • Material information in authorization is known by component to be false
  • Impermissable compound authorization

Page 16NC DHHS HIPAA PMO

compound authorizations
Compound Authorizations
  • Cannot combine with
    • Consent documents (e.g., TPO consent; consent for surgery)
    • Any other documents including any other written legal permissions from the client
  • Can combine with
    • Research including treatment
    • Another authorization for psychotherapy notes

Page 17NC DHHS HIPAA PMO

psychotherapy notes as defined in the rules
Psychotherapy Notes as Defined in the Rules
  • Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the client’s medical record.

Page 18NC DHHS HIPAA PMO

psychotherapy notes as defined in the rules1
Psychotherapy Notes as Defined in the Rules
  • Excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items:
    • Diagnosis
    • Functional Status
    • The treatment plan
    • Symptoms
    • Prognosis
    • Progress-to-date

Page 19NC DHHS HIPAA PMO

psychotherapy notes administrative issues
Psychotherapy Notes - Administrative Issues
  • Most uses or disclosures of psychotherapy notes require an authorization
  • Covered health care providers
    • need to be aware of staff maintaining separate psychotherapy notes
    • evaluate how the psychotherapy notes are being maintained and safeguarded
    • ensure that MHPs understand the HIPAA requirements relative to psychotherapy notes

Page 20NC DHHS HIPAA PMO

authorizations not required psychotherapy notes
Authorizations Not Required - Psychotherapy Notes
  • To carry out TPO in following instances
    • Use by originator of notes for treatment
    • Use or disclosure by covered health care component for training purposes for students, trainees or practitioners in mental health
    • Use or disclosure by covered health care component to defend legal action or other proceeding brought by the client

Page 21NC DHHS HIPAA PMO

authorizations not required psychotherapy notes1
Authorizations Not Required - Psychotherapy Notes
  • In the following circumstances (not TPO)
    • HHS Secretary to investigate or determine compliance
    • Use or disclosure required by law
    • Oversight activities required by law
    • Coroners and Medical Examiners
    • Threat to health or safety of person or public

Page 22NC DHHS HIPAA PMO

authorization and consent administrative issues
Authorization and Consent- Administrative Issues
  • Covered health care component must retain signed authorizations and consents for minimum of 6 years from date of creation or date when last in effect, whichever is later
    • Authorization is valid for specified period of time or until a particular event occurs so 6 years after either one of these conditions is met
    • Consent is valid until client signs new consent or discontinues services with component so 6 years after either one of these conditions is met
    • Covered health care component can determine how retained (e.g., paper, electronic)
    • If consent is part of client’s medical record, retain in accordance with Record Retention and Disposition Schedule

Page 23NC DHHS HIPAA PMO

authorization and consent administrative issues1
Authorization and Consent- Administrative Issues
  • If a covered health care component has both a signed consent and authorization that relates to disclosure of PHI for TPO, the more restrictive document applies
  • Transition provisions
    • Allows providers to rely on authorizations and consents received prior to 4/14/03 for uses and disclosures of health information
    • Must obtain new HIPAA authorizations and consents for information created or received after 4/14/03

Page 24NC DHHS HIPAA PMO

state law in relation to consents and authorizations
State Law in Relation to Consents and Authorizations
  • Analysis is underway
  • Example of issues to be addressed
    • § 122C-53. Exceptions; client.
      • (a) A facility may disclose confidential information if the client or his legally responsible person consents in writing to the release of the information to a specified person. This release is valid for a specified length of time and is subject to revocation by the consenting individual.
    • Comparable to authorization but not consent

Page 25NC DHHS HIPAA PMO

questions next client rights

QUESTIONS? Next: Client Rights

Page 26NC DHHS HIPAA PMO

slide27

Client Rights

Page 27NC DHHS HIPAA PMO

client rights identified in notice
Client Rights Identified in Notice
  • HHS has identified specific rights of clients as they relate to their protected health information in the Privacy Regulation.
  • Although “client rights” are introduced in the rule that requires a notice of privacy practices to be made available to clients, the rights of clients affect nearly all of the privacy rules.

Page 28NC DHHS HIPAA PMO

why is a notice needed
Why Is A Notice Needed?
  • Most clients know and do not object :
    • Complete health information that is timely and accurate must be collected and maintained by their health care provider
    • Such information must be made available to the health care provider’s workforce in order to accurately diagnose and treat the client.

Page 29NC DHHS HIPAA PMO

information through notice
Information Through Notice
  • Clients have a right to be informed about all of the other ways their records are used.
  • Clients may not be aware of the fact that their private health information may also be used for other purposes:
    • Legal document describing care given
    • Verification for third-party payment
    • Tool used in quality improvement initiatives
    • Document used for research purposes
    • Information tracking for public health
    • Provides data for planning

Page 30NC DHHS HIPAA PMO

notice of privacy practices
Notice of Privacy Practices
  • Each health care provider and health plan must develop a notice of privacy practices that is posted prominently in the agency and must be generally available at time of service and provided in writing or electronically upon request.
  • For health plans, the Notice must be given no later than the plan’s compliance date and to new enrollees.

Page 31NC DHHS HIPAA PMO

notice of privacy practices cont
Notice of PrivacyPractices (cont)
  • The Notice must be presented as a separate document from all other forms and documents given to each client.
  • The Notice must include specific elements as required by HIPAA.
  • It must name the person to contact for more information or to file a complaint and provide their telephone number.
  • Whenever the Notice is revised, all clients who received the prior Notice must be given the revised Notice.

Page 32NC DHHS HIPAA PMO

required elements in notice
Required Elements in Notice
  • HIPAA requires a specific heading in the Notice. It does not leave the wording up to the provider.
  • Must have the following heading:

“This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”

Page 34NC DHHS HIPAA PMO

required elements in notice cont
Required Elements in Notice (cont)
  • The Notice must contain a description, including at least one example, of the types of use and disclosures that the covered health care provider is permitted to make for treatment, payment and other health care operations.
  • A description of each of the other purposes for which the covered health care provider is permitted or required to use or disclose PHI without the client’s written consent or authorization.
  • Each of purpose must be described in detail.

Page 35NC DHHS HIPAA PMO

required elements in notice cont1
Required Elements in Notice (cont)
  • If a covered health care component engages in any of the following, they must be separately and specifically stated in the Notice:
    • Contacting a client for
      • Appointment reminders
      • Treatment follow-up
      • Other health-related benefits or services
      • Fund-raising

Page 36NC DHHS HIPAA PMO

other required elements in notice cont
Other Required Elements in Notice (cont)
  • Statement that the covered health care component is required
    • By law, to maintain the privacy of individual’s information and provide notice of its legal duties and privacy practices
    • To abide by the notice currently in effect
    • To provide individuals with a revised notice should any revisions be necessary.

Page 37NC DHHS HIPAA PMO

slide38

Client Rights Identified

Page 38NC DHHS HIPAA PMO

client rights golden rule
Client Rights Golden Rule
  • We should treat health information about others as we would want others to treat health information about us.
  • Privacy has always meant that health information must be kept confidential.

Page 39NC DHHS HIPAA PMO

client rights identified
Client Rights Identified
  • Client’s right to obtain a paper copy of the Notice from the covered health care provider or plan upon request, even though the client agreed to receive the notice electronically.
    • The client may be offered the option of receiving the notice electronically but he/she may still want a paper copy and has the right to have that.

Page 40NC DHHS HIPAA PMO

client rights identified cont
Client Rights Identified (cont)
  • Client’s right to access, inspect and copy their protected health information.
    • Exception for research projects if client is also receiving treatment.
    • Request for access, inspection and copying should be evaluated by a professional who has the authority to make the determine if requested should be granted or denied.

Page 41NC DHHS HIPAA PMO

client rights identified cont1
Client Rights Identified (cont)
  • Client’s Right to amend their protected health information.
    • If, for example, a client disagrees with a medical opinion and submits a second opinion to be included in the medical record, the client has the right to request that his record be amended.
  • The covered health carecomponent must act on therequest within 60 days with a one-time 30 day extension.

change

Page 42NC DHHS HIPAA PMO

client rights identified cont2
Client Rights Identified (cont)
  • Client’s Right torequest restrictions on certain uses and disclosures for the purpose of treatment, payment or health care operations.
    • Health care providers are not required to agree with request to restrict, but if they do agree then they are bound by such agreement.

Page 43NC DHHS HIPAA PMO

client rights identified cont3
Client Rights Identified (cont)
  • Client’s Right to obtain an accounting of disclosures of their protected health information maintained by this covered health care component.
  • This accounting of disclosures does not include any disclosures for the purpose of treatment, payment or health care operations.
  • Health care plans are requiredto account for other disclosures they may routinely make to researchers and to health oversight agencies.

Page 44NC DHHS HIPAA PMO

client rights identified cont4
Client Rights Identified (cont)
  • Client’s Right to confidential communications by alternative means or at alternative locations.
    • Should a client be concerned about receiving information about their health treatment or payment at home, they have the right to request that they be contacted only in a specified manner.
    • Calling only at work
    • Sending communications to another address

This request should be honored if there is any indication that the disclosure of this information could endanger the client.

Page 45NC DHHS HIPAA PMO

client rights identified cont5
Client Rights Identified (cont)
  • Client’s Right to a contact person to whom the client may lodge a complaint about a health care provider.
    • The name and telephone number of such contact person must be included in the Notice of Privacy Practices.
    • The client may lodge a complaint directly with HHS.

Page 46NC DHHS HIPAA PMO

client rights exception
Client Rights Exception
  • When a client requests information in the following categories, the request may be denied without affording the client any appeals rights.
    • Psychotherapy Notes
    • Information compiled for civil, criminal, legal actions/proceedings
    • Information subject to Clinical Laboratory Improvements Amendments (CLIA)
    • Information obtained from someone other than a health care provider under the promise of confidentiality where access would likely reveal the source of the information

Page 47NC DHHS HIPAA PMO

notice of privacy practices to do list
Notice of Privacy Practices To Do List
  • Establish a point of contact by assigning an individual who has ownership of Notice
  • Decide whether a copy of Notice will go into client record or be maintained in permanent file elsewhere
  • Develop policies and procedures
  • Educate and train staff
  • Post approved notice and make copies available
  • Implement and monitor

Page 48NC DHHS HIPAA PMO

health care provider duties
Health Care Provider Duties
  • The Covered Health Care Component has the duty to ensure that clients are able to exercise their rights with respect to the protected health information that they maintain.
  • Each covered health care component must establish and implement policies and procedures that ensure these rights are exercised.

RESPONSIBILITY

Page 49NC DHHS HIPAA PMO

slide50

Facility Directory

Page 50NC DHHS HIPAA PMO

facility directory
Facility Directory
  • Facility Directories are typically maintained by residential or in-patient facilities.
  • For those covered health care components that maintain a Facility Directory, you must now inform each client of this directory and allow each client to agree or opt out to certain disclosures being made from the facility directory.

Page 51NC DHHS HIPAA PMO

facility directory1
Facility Directory
  • Content in most facility directories include:
    • Individual’s name
    • Location in facility
    • Condition in general terms
    • Religious affiliation
      • To clergy only

Page 52NC DHHS HIPAA PMO

facility directory2
Facility Directory
  • Disclosures can be made from the Facility Directory if the client has been informed and has not opted out. Such disclosures would probably be made to:
    • Members of the clergy
    • Others who ask for individual by name
        • Exception: Religious Affiliation

Page 53NC DHHS HIPAA PMO

facility directory3
Facility Directory
  • In non-emergency situations, the covered health care component must provide the opportunity for the client to restrict or prohibit disclosure
  • In emergency situations:
    • Consistent with prior expressed preferences (if any)
    • Best interest determined by provider
    • Give opportunity to object as soon as possible

Page 54NC DHHS HIPAA PMO

questions next use disclosure

QUESTIONS?Next: Use & Disclosure

Page 55NC DHHS HIPAA PMO

slide56

Use and Disclosure

Page 56NC DHHS HIPAA PMO

permitted uses and disclosures
Permitted Uses and Disclosures
  • To the Individual
  • Consent for TPO
  • Authorization
  • Special Circumstances where Consent or Authorization is not required

Page 57NC DHHS HIPAA PMO

use and disclosure key points
Use and DisclosureKey Points
  • Covered health care components can provide greater protections (beyond HIPAA)
  • Required disclosures under HIPAA are limited to:
    • Disclosures to the individual who is the subject of information
    • Disclosures to Office of Civil Rights to determine compliance
  • All other uses and disclosures in the Rule are permissive
  • Where many standards in HIPAA are permissive, state law may be required

Page 58NC DHHS HIPAA PMO

consent and authorization not required
Consent and AuthorizationNot Required
  • Covered health care components may use or disclose PHI without a consent or authorization when the use or disclosure comes within one of the listed exceptions:
    • Required by law
    • Activities involving public health
    • Adult abuse, neglect or domestic violence
    • Health oversight activities
    • Judicial and administrative proceedings
    • Law enforcement
    • Decedents
    • Organ transplants
    • Avert serious threat to health or safety
    • Other specialized government functions
    • Workers Compensation
    • Research purposes

Page 60NC DHHS HIPAA PMO

required by law
Required By Law
  • “Required by law” includes
    • NC General Statutes
    • NC Administrative Code
    • Federal Law
    • Code of Federal Regulations
    • Court orders and court- ordered warrants
    • Subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information
    • Civil or authorized investigative demand
    • Medicare conditions of participation with respect to health care providers participating in the program
    • Common Law
    • Constitution

Page 62NC DHHS HIPAA PMO

use disclosure required by law
Use/Disclosure Required by Law
  • Covered health care component may use or disclose PHI required by law
    • To extent specified in the law
    • Limited to the relevant requirements of the law
    • ‘Less’ rather than ‘more’
  • Covered entities are responsible for determining which state laws prevail as part of the compliance process
  • HIPAA does not preempt state laws in non-covered entities/components

Page 63NC DHHS HIPAA PMO

state law analysis
State Law Analysis
  • NCGS 130A-143
    • All information and records, whether publicly or privately maintained, that identify a person who has AIDS virus infection or who has or may have a disease or condition required to be reported pursuant to the provisions of this Article shall be strictly confidential. This information shall not be released or made public except under the following circumstances…..
  • Non-covered entities/components continue to follow state law
  • Covered entities/components must evaluate each provision of the law in relation to HIPAA

Page 64NC DHHS HIPAA PMO

legal review
Legal Review
  • NC DHHS HIPAA PMO Legal Review
    • NCHICA review of NC General Statutes relative to Use and Disclosure
    • Legal Requirements Matrices submitted by DHHS covered health care components and Division Business Associates
    • Analysis of
      • When state law prevails
      • When HIPAA prevails
      • When other federal laws prevail

Like a crossword puzzle

Page 65NC DHHS HIPAA PMO

slide66

Preemption

Page 66NC DHHS HIPAA PMO

preemption contrary
Preemption - Contrary
  • HIPAA creates federal privacy floor and supercedes any contrary state law
    • Constitution, statute, regulation, rule or common law
  • A law is contrary if
    • it is impossible to comply with both (HIPAA & state law), or
    • state law is an obstacle to accomplishing HIPAA objectives

Page 67NC DHHS HIPAA PMO

preemption exemptions
Preemption Exemptions
  • More Stringent
    • Provisions of state law that provide greater privacy protections will not be preempted
    • Follow strictest requirement when in doubt
      • Whichever is more stringent in protecting privacy controls
    • More stringent if:
      • Further limits uses and disclosures
      • Provides to clients
        • Greater amount of information
        • Greater rights of access or amendment
      • Enhances authorization/consent protections
      • Imposes greater record keeping requirements (e.g., accounting of disclosures, retention periods)
      • Otherwise enhances privacy protection

Page 68NC DHHS HIPAA PMO

preemption exemptions1
Preemption Exemptions
  • Public Health Exemptions
    • HIPAA does not preempt state laws that provide for reporting
      • Disease or Injury
      • Child Abuse
      • Births or Deaths
      • Public Health Surveillance, Investigation or Intervention
  • Health Plan Exemptions
    • HIPAA does not preempt state laws that require a health plan to report, or to provide access to, information for the purpose of
      • management audits
      • financial audits
      • program monitoring and evaluation, or
      • licensure or certification of facilities or individuals

Page 69NC DHHS HIPAA PMO

preemption exemptions2
Preemption Exemptions
  • HHS Secretarial determinations
    • State law controls if US HHS Secretary determines (after state requests exception) that state law provision
      • Is necessary to prevent fraud and abuse related to provision of or payment for health care
      • Is necessary to ensure regulation of insurance or health plans
      • Is necessary for state reporting on health care delivery or costs
      • Serves a compelling need related to health, safety & welfare
      • Regulates controlled substances

Page 70NC DHHS HIPAA PMO

activities involving public health
Activities Involving Public Health
  • Covered health care components may disclose PHI (and when the covered health care component is also the public health authority, they mayusePHI) for the following public health purposes/activities

Page 72NC DHHS HIPAA PMO

disclosure for public health activities
Disclosure for Public Health Activities
  • To public health authorities authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, disability
    • Births and Deaths (Local Public Health Dept; Register of Deeds)
    • Public Health surveillance, investigations, interventions (Local Public Health Dept)
    • At the direction of public health authority, can disclose to an official of a foreign government agency acting in collaboration with a public health authority
      • For example, foreign government agency that is collaborating with the Centers for Disease Control and Prevention to limit the spread of infectious disease

Page 73NC DHHS HIPAA PMO

disclosure for public health activities1
Disclosure for Public Health Activities
  • To government authority authorized by law to receive reports of child abuse or neglect
    • County DSS
  • For persons subject to FDA jurisdiction
    • Adverse events from food, dietary supplements, product defects
      • Malfunctioning Pacemaker; Breast Implants
    • Disclose to person directed by FDA to track products
    • Enable product recalls, repairs or replacements (including notifying individuals who have received product recall products)
      • Breast Implant recalls - supply name and address
    • Conduct post marketing surveillance

Page 74NC DHHS HIPAA PMO

disclosure for public health activities2
Disclosure for Public Health Activities
  • To persons exposed or at risk of contracting or spreading a disease or condition (when authorized by law)
    • Hepatitis exposure in a restaurant
    • Sexually transmitted diseases - contacting partners exposed
    • Example - Local Public Health Dept that provides primary care treats a client with STD. The Public Health Dept can USE the information for public health purposes.

Page 75NC DHHS HIPAA PMO

disclosure for public health activities employers
Disclosure for Public Health Activities - Employers
  • To an employer about a member of the workforce if
    • Healthcare provider is member of workforce or is providing healthcare to workforce member at request of employer
      • To conduct medical surveillance of workplace (e.g., annual TB tests)
      • Example - evaluation of emissions levels by Industrial Nurse
      • To evaluate work-related illness or injury
    • PHI disclosed is limited to work-related illness, injury or surveillance

Page 76NC DHHS HIPAA PMO

disclosure for public health activities employers1
Disclosure for Public Health Activities - Employers
  • To an employer about a member of the workforce if (cont’d)
    • Employer needs the PHI to comply with OSHA or Federal Mine Safety and Health Act
      • Example - Toxic threat thresholds
    • Healthcare provider gives written notice to client that PHI related to work-related illness, injury or surveillance is disclosed to employer
      • Notice is separate from Notice of Privacy Practices
      • Provide notice to client when healthcare is provided; or
      • Post notice where healthcare is provided if provided in workplace

Page 77NC DHHS HIPAA PMO

reporting adult abuse neglect domestic violence
Reporting Adult Abuse, Neglect, Domestic Violence
  • Child abuse reporting is covered under previously discussed “Public Health Activities”
  • Covered health care components may disclose the victim’s PHI in order to report abuse, neglect or domestic violence (e.g., spouse abuse; nursing home abuse)
    • When required by law
      • Disclosures are limited to relevant requirements of the law (e.g., law may specify what can be reported)
    • Or, client agrees to the disclosure

Page 79NC DHHS HIPAA PMO

disclosure to governmental authorities
Disclosure to Governmental Authorities
  • Disclosures can be made to any governmental authority authorized by law to receive reports of such abuse, neglect, or domestic violence.
    • These entities may include, for example,
      • Adult protective or social services agencies
      • State survey and certification agencies
      • Ombudsmen for the aging or those in long-term care facilities
      • Law enforcement or oversight

Page 80NC DHHS HIPAA PMO

informing client
Informing Client
  • Covered health care component MUST inform client that report has or will be made, unless
    • Based upon professional judgment of component, believe informing client will place the client at risk or serious harm (e.g., emotional harm); or
    • Component would be informing personal representative (e.g., guardian) and
      • Component suspects representative is responsible for the abuse, neglect or injury; and
      • Component, based upon professional judgment, believes informing representative would not be in best interest of client

Page 81NC DHHS HIPAA PMO

informing client1
Informing Client
  • Process for informing client
    • Oral recommended
    • Written notification could get into hands of abuser

Page 82NC DHHS HIPAA PMO

slide83

Health Oversight Activities

Page 83NC DHHS HIPAA PMO

health oversight activities
Health Oversight Activities
  • PHI can be disclosed to public oversight agencies (and to private entities acting on behalf of public agencies) without client authorization
  • Disclosure must be for health oversight activities authorized by law. For example
    • Adult Care Home Inspections (GS 131D-2; 131D-27)
    • MH/DD/SA Inspections (GS 122C-25; 122C-192)
    • Hospital Licensure (GS 131E-80)
    • Nursing Home Licensure (GS 131E-105; 131E-24b)
    • Home Care Agencies (GS 131E-141)
    • Ambulatory Surgical Centers (GS 131E-150)
    • Nursing Pools (GS 131E-154.8)
    • Cardiac Rehabilitation Certification (GS 131E-170)
    • Hospices (GS 131E-207)
    • Jails (GS 153A-222)

Page 84NC DHHS HIPAA PMO

health oversight activities include
Health Oversight Activities Include
  • Audits (e.g., Medicaid Audits)
  • Civil, Administrative or Criminal Investigations (e.g., Abuse Allegation Investigation)
  • Inspections (e.g., unannounced DFS inspection)
  • Licensure or Disciplinary Actions (e.g., Board of Nursing)
  • Civil, Administrative or Criminal proceedings or actions

Page 85NC DHHS HIPAA PMO

health oversight activities include1
Health Oversight Activities Include
  • Other activities necessary for appropriate oversight of
    • The health care system
    • Government benefit programs where health information is relevant to beneficiary eligibility (e.g., DMA)
    • Components subject to government regulatory programs where health information is necessary for determining compliance with program standards (e.g., DFS)
    • Components subject to civil rights laws where health information is necessary for determining compliance (e.g., DOJ)

Page 86NC DHHS HIPAA PMO

exceptions to health oversight activities
Exceptions to Health Oversight Activities
  • Does not include JCAHO, COA (covered under TPO)
  • Investigation or other activity where the client is the subject of the investigation or activity and does not arise from or not directly related to
    • Receipt of health care
    • Claim for public benefits related to health (e.g., disability)
    • Qualification for, or receipt of, public benefits or services when a client’s health is integral to the claim for public benefits or services
    • Example - sexual harassment claim between client and provider (client authorization would be required)

Page 87NC DHHS HIPAA PMO

exceptions to health oversight activities1
Exceptions to Health Oversight Activities
  • If health oversight activity is conducted in conjunction with oversight activity related to claim for public benefit not related to health, consider same as health oversight activity (e.g., joint investigation for suspected Medicaid and Food Stamp fraud)

Page 88NC DHHS HIPAA PMO

health oversight activities1
Health Oversight Activities
  • If covered health care component is also an oversight agency, the component can use PHI for oversight activities
    • For example, Division of Medical Assistance is a health plan that also performs Medicaid oversight activities
  • Best Practice
    • When in doubt, request copy of statute or regulation that governs the oversight activity
      • Remember, the covered health care component is responsible for ensuring compliance with Privacy Regulations - not the oversight agency

Page 89NC DHHS HIPAA PMO

questions next use and disclosure continued

QUESTIONS? Next: Use and Disclosure (continued)

LUNCH - 1 Hr, 15 min

Page 90NC DHHS HIPAA PMO