Privacy & Security of Occupational, Behavioral & Deceased Patient Records Alisha R. Smith, RHIA


Objectives
- Occupational Health Records
  - Roles & Challenges
  - Content
  - HIPAA or OSHA?
  - Authorizations & Disclosures
  - Retention
  - Scenarios
- Behavioral Health Records
  - Harm
  - Federal laws vs. North Carolina state laws
  - Health Information Exchange
  - Retention laws
  - Scenarios
  - Questions

Objectives Continued
- Deceased Patient Health Records
  - Standards
  - Challenges
  - Questions

Quote: "Information is powerful medicine"

OCCUPATIONAL HEALTH RECORDS

Occupational Health Records
Definition: an occupation-related, chronological, cumulative record, regardless of the form or process by which it is maintained.
Examples: paper document, microfiche, microfilm, automatic data processing media
Alternate Terms:
- Occupational Health Record
- Occupational Medical Record
- Employee Health Record
Acronyms: OHR, OMR, EMR, EHR

Occupational Health Records
Roles:
- Employer
- Employee / Patient
- Healthcare Provider
- Health Plan
Challenges:
- Application of regulations
- Ownership of occupational records
- Sharing of information
- Management of records
- HIEs
- Patient portals
- External reporting

Occupational Health Records
Documentation:
- Identify the patient
- Record patient information during or post visit
- Legibly sign, date and time stamp
- Secure the information
Content:
- Drug testing forms and results
- Immunization records
- Medical certifications / recertifications
- Occupational and medical history
- Medical complaints resulting from workplace exposure or injury
- Provider opinions and recommendations
- Employee health department recommendations
- Results of exams and tests
- Progress notes from rehab
- Refusals to be examined/tested
- Wellness program participation
- Workers' compensation and insurance records
- OSHA information

Occupational Health Records
OHRs do NOT contain:
- Non-work related patient health information
- Environmental hazard records
- Employee assistance program records
- Substance abuse records
- Workers' compensation***

Occupational Health Records
- Health risk assessments
- Weight loss
- Nutrition classes
- Diabetes management classes
- Company gym with personal trainers
- External gym memberships at a discounted or paid rate
- Tobacco cessation
- Preventative services

Occupational Health Records
HIPAA or OSHA?
- Providers who are the employer and treat their own employees are not covered by HIPAA; they are covered by OSHA
- Ask the following questions prior to a patient being treated:
  - Is the healthcare provider providing services as an occupational health service provider to his/her employees?
  OR
  - Is the healthcare provider providing services to an external entity's employees?

Occupational Health Records
Employees' rights:
- Access
- Examination
- Photocopy
- Management of use and disclosure
HIPAA regulation 45 CFR 164.512
- The patient must be a past or present member of the employer
- Purpose of disclosure:
  (1) to conduct an evaluation
    - Aggregated data
    - De-identified
    - Contract
  (2) to evaluate whether the individual has a work-related illness or injury

Occupational Health Records
Questions to ask prior to disclosing information:
- Is individually identifiable PHI present within the disclosure?
- Has the patient signed a valid authorization?
- Is the disclosure permitted or required?
- Does the minimum necessary standard apply?
- Are there any additional federal or state laws applicable to the disclosure?
No Authorization Required:
- Government officials investigating employer compliance (i.e. ADA, FMLA, OSHA, EEOC)
- Worker's Compensation
Authorization Required:
- Requests for external disclosure of patient occupational health information that do not fall into categories identified elsewhere

Occupational Health Records
Minimum Necessary:
- Protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.
- The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.
Safeguards:
- Role-based access to information
- Routine access audits
- Administrative, physical, and technical safeguards
- Random OHR reviews for accurate and complete documentation
- Review of federal and state privacy and security regulations
Retention: 30 years after termination of employment

OHR Scenario 1
A healthcare provider renders occupational health services at a clinic site.
1. Who owns the records? The provider
2. Is the provider subject to HIPAA regulations? Yes
3. Can the provider distribute copies of the personal health information to the employer? Why or why not? No

OHR Scenario 2
A healthcare provider renders occupational health services at the employer's site.
1. Who owns the records? The employer
2. Is the provider subject to HIPAA regulations? OSHA

OHR Scenario 3
A patient presents to a healthcare provider for an employer-required fitness exam. The patient completes a short medical history and review of systems form. On this form, the patient discloses that he has an unrelated chronic illness for which he is receiving treatment. The condition is currently under control and does not affect his ability to perform job-related functions. The provider has been requested by the employer to complete a short exam form indicating whether the employee is cleared for duty. The patient has signed an authorization allowing for this limited information to be disclosed to the employer.
Should the provider disclose the chronic condition to the employer? No

BEHAVIORAL HEALTH RECORDS

Behavioral Health Records
Examples of Harm:
- Social stigma
- Employment discrimination
- Insurance discrimination
- Possible criminal prosecution
- Job termination
- Forfeiture of legal protections
Consumers want providers that are involved in their care to have access to the behavioral records
Patients may fear unauthorized disclosures and deny or neglect treatment
Repercussions for damage done provide no relief

Behavioral Health Records
Federal laws governing disclosure of mental illness & substance use disorders:
- HIPAA
- 42 C.F.R. Part 2
- Family Education Rights and Privacy Act
- Medicaid Law
State laws governing disclosure of mental illness & substance use disorders:
- North Carolina Mental Health Act

Behavioral Health Records
HIPAA
- Health plans, health care clearinghouses, and healthcare providers protected
- Disclose information for treatment, payment and healthcare operations
- Minimum necessary
  - Does not apply to a request for information intended for treatment purposes
- More stringent state and federal laws apply

Behavioral Health Records
HIPAA & Psychotherapy Notes
- Greater protection
- Definition: Notes recorded in any medium by a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session that are separate from the rest of the individual's medical record.
- Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
- Must separate psychotherapy records from all other behavioral health records

Behavioral Health Records
42 C.F.R. Part 2
- The Federal Confidentiality of Alcohol and Drug Abuse Patient Records law
- Greatest impact on sharing PHI related to behavioral health
- Disclosure of PHI for federally assisted alcohol and drug programs is prohibited
Disclosure:
- Communication of patient identifying information
- Verification of a person's communication of patient identifying information
- The communication of any information from the record of a patient who has been identified
Disclosure without Authorization:
- Medical emergencies
- Research activities
- Audits

Behavioral Health Records
FERPA
- The Family Educational Rights and Privacy Act of 1974
- Protects student education records
- Enables: Access to student records
- Prevents third party access
- Prohibits the record release without consent
- Enables amendments
Medicaid Privacy Statute
- Not interpreted

Behavioral Health Records
Four types of state laws governing the privacy of mental health records, dependent upon setting:
- Records in mental hospitals
- Records in mental health programs
- Records for patients involuntarily committed to mental institutions
- Records for patients receiving mental health treatment in any setting

Behavioral Health Records
North Carolina Mental Health Act
- Permits the disclosures of confidential mental health information with the consent of the client or his legally responsible person
- Mental health information permitted for disclosures without client's consent:
  - To the extent necessary for a facility to fulfill its treatment responsibilities to the client
  - To a healthcare provider who is providing emergency care to the client
  - To referring physicians and psychologists upon specific request
  - The fact of a client's admission or discharge to the client's next of kin whenever the responsible professional believes the disclosure is in the best interest of the client
  - To enable the internal client advocate to fulfill her monitoring and advocacy functions
  - In response to a court order compelling disclosure of the confidential mental health information

Behavioral Health Records Continued
- If a court orders a mental examination of a criminal defendant, the results of the examination must be sent to the clerk of court, to the district attorney or prosecuting officer, and to the client's attorney
- If determined by the facility director to be in the client's best interests, the facility may disclose the confidential mental health information necessary to file a petition for involuntary commitment or for an adjudication of incompetency and the appointment of a guardian for the client
- In competency or commitment hearing, the results of mental examinations must be sent to the client's attorney, the attorney representing the State, and to the court
- To an attorney who represents the facility or a facility employee, if such information is relevant to litigation, to the operations of the facility, or to the provision of services by the facility
- To the Department of Correction when an inmate is determined to be in need of treatment for mental illness.

Behavioral Health Records Continued
- If the responsible professional believes there is an imminent danger to the health or safety of the client or another person
- If the responsible professional believes the commission of a felony or violent misdemeanor is likely
- To the Department of Health and Human Services for the purpose of indexing clients
- To contract support services, if the contract service agrees in writing to maintain confidentiality
- To State and federal agencies to determine the client's eligibility for financial benefits
- For research, clinical and administrative audits and quality assurance purposes

Behavioral Health Records
Psychotherapist / Client Privilege
- Does not prevent psychologists and therapists from reporting child or disabled adult abuse or neglect
- Provider must obtain a HIPAA compliant authorization to release notes
- Exceptions:
  - Use of the notes by the originator for treatment purposes
  - Use or disclosure of the notes by the covered entity for its own training programs
  - Use or disclosure of the notes by the covered entity to defend itself in a legal action or other proceeding brought by the individual to whom the notes refer, and
  - As otherwise expressly required by law

Behavioral Health Records
Substance Abuse Records
- Federal and State law restrict disclosure of information about clients receiving drug or alcohol treatment
- Cannot assume use and disclosure of such records is for TPO
- Disclosure without client/responsible person consent:
  - To medical personnel to the extent necessary to meet a bona fide medical emergency
  - To FDA personnel who assert a reason to believe that the health of a client may be threatened by an error in the sale, manufacture, or labeling of a product
  - To qualified individuals conducting scientific research, management or financial audits, or program evaluation, provided the identity of individual clients is not disclosed in any reports resulting from these studies
  - If authorized by court order, granted after application showing good cause for the disclosure
- Redisclosure of confidential substance abuse information is prohibited without consent

Behavioral Health Records Continued
Minor Clients
- Minor must consent to disclosures of confidential information

Behavioral Health Records
Separate may not be equal
- Recent initiatives like interoperable implementation of electronic health records (EHRs) and the development of Health Information Exchanges have made it possible for behavioral and physical health providers to exchange information
- Privacy, security, policy, compliance, and other barriers have made the wide exchange of this type of sensitive information difficult...
- No meaningful use incentives
- 2 bills to advocate for equality for meaningful use incentives: S.539 & H.R. 6043

Behavioral Health Records
Health Information Exchanges
- Programmed to follow HIPAA
- 42 C.F.R. Part 2 is more stringent and requires:
  - Reason for sharing information
  - Who specifically can have access to the patient information
- Pre HIE world: identify name, title, organization
- Tagging metadata
  - Confidential or not confidential?
  - When does the sharing of the data expire?
  - What providers may access information?
- No standards established

Behavioral Health Records
Direct Messaging
- Supported by the ONC
- Allows sharing of information to coordinate care with medical partners and improves quality of care provided to the patients
- http://directproject.org/

BHR Scenario
A woman arrives to the emergency room unconscious from a car accident. The woman must immediately have surgery due to multiple fractures. Her daughter presents to the provider to inform him that she has been prescribed a long-acting opiate antagonist to treat her alcohol dependence. If true, the woman may not respond to the normal course of analgesics and could be undertreated for pain caused by the fractures. The physician needs to know the name of the medication, the time of the last administration, and the lady's medical compliance of the drug. The provider calls the substance abuse treatment program.
1. Will the provider be able to receive the information needed from the substance abuse treatment program? Yes
2. Why?

BHR Question 1
This regulation creates major barriers for the sharing of alcohol and substance abuse information in a health information exchange because it restricts sharing information for treatment, payment, and healthcare operations.
(A) HIPAA
(B) 42 C.F.R. Part 2
(C) Medicaid Law
(D) Family Education Rights and Privacy Act

BHR Question 2
What does the tagging of metadata refer to?
(A) Identifies expiration dates and the specific provider information it can be shared with
(B) Identifies if a HIE meets HIPAA compliance
(C) Informs the provider of information received via HIE
(D) Sharing of information through Direct Messaging

BHR Question 3
There is a higher incidence of readmission for patients whose behavioral health records were not shared in an inpatient setting.
TRUE OR FALSE

DECEASED PATIENT HEALTH RECORDS

Deceased Patient Health Records
Standard 164.502 (f)
- A covered entity must comply with the requirements of the HIPAA Omnibus Rule in regard to the protected health information of a deceased individual for a period of 50 years following death of the individual.
- The most stringent law always trumps
- Regarding the concerns about protected health information about decedents that is sensitive, such as HIV/AIDS, substance abuse, or mental health information, or that involves psychotherapy notes, the 50-year period of protection for decedents' health information under the Privacy Rule does not override or interfere with state or other laws that provide greater protection for such information, or the professional responsibility of mental health or other providers.

Deceased Patient Health Records
Standard 164.510 (b)
- A covered entity may disclose PHI to persons involved in the deceased patient's care or payment unless a previously expressed preference of the individual is known.
- Not a record retention policy
Challenges:
- Determining the date of death of an individual
- One cannot assume based on the age of the patient's health record
- Accounting of disclosures must remain as long as the records are maintained

DPR Question 1
If the patient didn't die at your facility, what type of documentation should be required to validate the patient's death?
ANSWER: death certificate, obituary

DPR Question 2
May a covered entity disclose a deceased patient's PHI to a close personal friend who was involved with the individual's health care or payment related to the individual's health care?
ANSWER: Yes

DPR Question 3
A decedent's sister is asking about medical history of her brother. Can a covered entity release the PHI?
ANSWER: No

QUESTIONS?
