Privacy and Consent Primer

Similar documents
HIPAA Privacy Rule and Sharing Information Related to Mental Health

[Enter Organization Logo] CONSENT TO DISCLOSE HEALTH INFORMATION UNDER MINNESOTA LAW. Policy Number: [Enter] Effective Date: [Enter]

[Enter Organization Logo] USE AND DISCLOSURE OF MENTAL HEALTH RECORDS. Policy Number: [Enter] Effective Date: [Enter]

HIPAA-HITECH HELPBOOK NJ Physician Practices

To ensure proper disclosure and release of Protected Health Information (PHI) Division/Department: All HealthPoint Policy/Procedure #:

Session 403 -Video Surveillance and the Senior Housing Provider

WAKE FOREST BAPTIST HEALTH NOTICE OF PRIVACY PRACTICES

Notice of HIPAA Privacy Practices Updates

Clarifying HIPAA Privacy Rules for Mental Health and Addiction Crises. National Council for Behavioral Health March 19, 2018

CHILDREN'S MENTAL HEALTH ACT

NOTICE OF PRIVACY PRACTICES

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

HIPAA & OPIOID RESPONSE

CAPITAL SURGEONS GROUP, PLLC

Release of Medical Records in Ohio OHIMA. Ohio Revised Code (ORC) HIPAA

New York Notice Form Notice of Psychologists Policies and Practices to Protect the Privacy of Your Health Information

NEW BRIGHTON CARE CENTER

WELCOME. Payment will be expected at the time of service. Please remember our 24 hour cancellation notice.

HIV, HBV, and HCV prevention program; purpose and scope.

The Arizona HIO Statute

WISHIN Statement on Privacy, Security, and HIPAA Compliance - for WISHIN Pulse

Notice of privacy practices

Roger A. Olsen, Psy.D., L.P Slater Road, Suite 210 Eagan, MN Phone: FAX:

Curo Health Services Notice of Privacy Practices

A Better You Counseling Services, LLC 1225 Johnson Ferry Road, Ste 170 Marietta GA

Notice of Privacy Practices

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION: HIPAA PRIVACY POLICY

always legally required to follow the privacy practices described in this Notice.

HIPAA & HEALTH INFORMATION EXCHANGE

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

Patient Privacy Requirements Beyond HIPAA

Informed Consent and Non- Patient Specific Standing Orders. Holly M. Dellenbaugh Senior Attorney, NYSDOH August 16, 2012.

NOTICE OF PRIVACY PRACTICES

Required Local Public Health Activities

INFORMED CONSENT FOR TREATMENT

Family Cord Blood and Cord Tissue Banking Enrollment Documents Services Agreement

R. Gregory Cochran, MD, JD

HIPAA. Health Insurance Portability and Accountability Act. Presented by the UMMC Office of Integrity and Compliance

Discharge Planning for Patients Hospitalized for Mental Health Treatment Interpretative Guidelines for Oregon Hospitals

UNIVERSITY OF ILLINOIS HIPAA PRIVACY AND SECURITY DIRECTIVE

POTENTIAL LIABILITY: PATIENT HEALTH INFORMATION PORTALS

REVISED NOTICE OF PRIVACY PRACTICES ORIGINAL DATE: JANUARY 1, 2003 REVISED: JANUARY 16, 2014 REVISED: NOVEMBER 27, 2017 PLEASE REVIEW IT CAREFULLY

NOTICE OF PRIVACY PRACTICES

SUMMARY OF NOTICE OF PRIVACY PRACTICES

Parental Consent For Minors to Receive Services

NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES

Virginia Department of Health Office of Licensure and Certification. Extract from the Code of Virginia

PATIENT RIGHTS TO ACCESS PERSONAL MEDICAL RECORDS California Health & Safety Code Section

PATIENT INFORMATION. In Case of Emergency Notification

Mobile Mammo Registration Instructions

Notice of Privacy Practices

Mental Holds In Idaho

Proposed Regulations NEW YORK STATE DEPARTMENT OF HEALTH Return to Public Health Forum

PROTECTING PATIENT PRIVACY IS NOT ONLY

Health Information Privacy Policies and Procedures

DURABLE POWER OF ATTORNEY FOR HEALTH CARE DECISIONS (Medical Power of Attorney) I,, born, designate

HIPAA THE PRIVACY RULE

If you have any questions about this notice, please contact our privacy officer Dr. Jev Sikes at

Privacy Rio Grande Valley HIE Policy: P1. Last date Revised/Updated 02/18/2016

NOTICE OF PRIVACY PRACTICES

Disclosure Statement & Policies

HIPAA for CNAs. This course has been awarded one (1.0) contact hour. This course expires on May 31, 2020.

Notice of Privacy Practices

REQUEST TO ACCESS EXISTING MEDICAL RECORDS, CHARTS OR DATABASES FOR RESEARCH

NATIONAL ASSOCIATION FOR STATE CONTROLLED SUBSTANCES AUTHORITIES (NASCSA) MODEL PRESCRIPTION MONITORING PROGRAM (PMP) ACT (2016) COMMENT

Privacy Issues and the Children s Hospital EMR

NOTICE OF PRIVACY PRACTICES MOUNT CARMEL HEALTH SYSTEM

Karen LeVasseur, LCSW Calm4Kids Therapy Center, LLC 514 Main Street Bradley Beach, NJ

REPORT OF THE BOARD OF TRUSTEES. Protection of Clinician-Patient Privilege (Resolution 237-A-17)

San Francisco Department of Public Health Policy Title: HIPAA Compliance Privacy and the Conduct of Research Page 1 of 10

Local Public Health Authorities and Mandates

If you have any questions about this notice, please contact the SSHS Privacy Officer at:

PATIENT ADVOCATE DESIGNATION FOR MENTAL HEALTH TREATMENT NOTICE TO PATIENT

VHA Privacy Policy Training FY VHA Privacy Office

Notice of Privacy Practices for Protected Health Information

HIPAA Policies and Procedures Manual

States that Allow Prescribers and/or Dispensers to Appoint a Delegate to Access the PMP

Written Financial Policy

OAK HAMMOCK AT THE UNIVERSITY OF FLORIDA, INC. NOTICE OF PRIVACY PRACTICES. Privacy Office: (352) Effective Date: September 23, 2013

THE COUNSELING PLACE ADULT INTAKE FORM Yearly Family Income:

Cadenza Center for Psychotherapy & the Arts, Inc. ADULT INTAKE

FAFSA Completion Initiative Participation Agreement

NOTICE OF PRIVACY PRACTICES

Getting Ready for Ontario s Privacy Legislation GUIDE. Privacy Requirements and Policies for Health Practitioners

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

Healing Path Counseling Center

Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders

OREGON HIPAA NOTICE FORM

Minnesota Hospice Bill of Rights PER MINNESOTA STATUTES, SECTION 144A.751

Privacy and Security Orientation for Visiting Observers. DUHS Compliance Office

1303A West Campus Drive

HIPAA Privacy Test Overview

NOTICE OF PRIVACY PRACTICE UNIVERSITY OF CALIFORNIA SAN FRANCISCO DENTAL CENTER

Psychological Services Agreement

ERIE COUNTY MEDICAL CENTER CORPORATION NOTICE OF PRIVACY PRACTICES. Effective Date : April 14, 2003 Revised: August 22, 2016

Regulatory Issues Facing Student Health Centers Presented by: Richard T. Yarmel and Edward H. Townsend

SAMPLE CARE COORDINATION AGREEMENT

NOTICE OF PRIVACY PRACTICES This Notice is effective September 23, 2013

Transcription:

Privacy and Consent Primer Bob Johnson e-health Project Manager, Minnesota Department of Health Stacie Christensen Director, Information Policy Analysis Division, Minnesota Department of Administration Arden Fritz Legal Affairs Coordinator, Minnesota Department of Health April 26, 2017

Agenda Understanding e-health Relevant Statutes and Regulations Government Data Practices Act Minnesota Health Records Act HIPAA 42 CFR Part 2 Focus on Public Health and Minor Health Services Health Records Public Health Reporting Minor Consent Use Cases Resources 0 2

Learning Objectives Recognize e-health s connection to privacy and consent Develop additional understanding of relevant statutes and regulations around privacy and consent, public health, and minor health services Identify resources to support privacy and consent activities 3

Coming in October: Privacy and Consent Primer: Part II

Understanding e-health Bob Johnson e-health Project Manager, Minnesota Department of Health

E-Health E-health is the adoption and effective use of electronic health record (EHR) systems and other health information technology (HIT) to improve health care quality, increase patient safety, reduce health care costs, and enable individuals and communities to make the best possible health decisions 6

Minnesota Electronic Health Record Adoption 100% community health boards 100% hospitals 98% clinics 95% nursing homes

Minnesota e-health Initiative A legislatively chartered public-private collaborative Coordinates and recommends statewide policy on e-health to Commissioner of Health Develops and acts on statewide e-health priorities Reflects the health community s strong commitment to act in a coordinated, systematic and focused way 8

Relevant Statues and Regulations Stacie Christensen Director, Information Policy Analysis Division, Minnesota Department of Administration

Government Data Practices Act Minnesota Statutes, Chapter 13 Applies to government entities in Minnesota Presumes government data are public Classifies data that are not public Provides rights for the public and data subjects Requires that data on individuals are accurate, complete, current, and secure Informed consent required when sharing private data without authority Minnesota Rules, Chapter 1205 10

Minnesota Health Records Act (MHRA): Definitions (1 of 2) Minnesota Statutes, section 144.291-144.298 Applies to providers Health record Oral or recorded information in any form Past, present, or future physical or mental health or condition Past, present, or future payment for health care 11

Minnesota Health Records Act (MHRA): Definitions (2 of 2) Minnesota Statutes, section 144.291-144.298 Patient Natural person who has received health care services, or The surviving spouse and parents of a deceased patient, or a person the patient appoints in writing as a representative, including a health care agent, or Patient includes a parent or guardian of a minor except for minors receiving services under the consent of minors for health services statutes. 12

Minnesota Health Records Act (MHRA): Consent Releasing records to an outside provider or other persons requires: Signed and dated consent, or Representation from the provider that holds a patient s consent, or Specific authorization in law A state law that is more stringent trumps HIPAA Provides greater privacy protections or greater rights for an individual to access their information (45 C.F.R. 160.202) 13

Minnesota Health Records Act (MHRA): No Consent Consent is not required: Medical emergency and unable to obtain consent Other providers within related health care entities when necessary for the current treatment of the patient. To a health care facility when a patient: Is returning to the facility and unable to provide consent, or Patient resides in the facility, has services provided by an outside source and is unable to provide consent Record locator service Information about the location of patient s records and the patient has not opted out 14

Minnesota Health Records Act (MHRA): Social Services Agencies The welfare system may provide private data, including mental health records, to a health care provider to the extent necessary to coordinate services without consent Government entities subject to Minn. Stat. 13.46 such as local social services, county welfare agencies, etc. 13.46, subd. 2 and 7 15

Minnesota Health Records Act (MHRA): Violations May be grounds for discipline by appropriate licensing board; Liability for compensatory damages, plus costs and attorney s fees; A private right of action MDH does not enforce the Minnesota Health Records Act on behalf of individual patients. 16

HIPAA Privacy, Security and Breach Notification Rules (1 of 2) Regulations under the Health Insurance Portability and Accountability Act of 1996 Applies to health plans, health-care clearing houses, and health care providers Defines protected health information (PHI) as individually identifiable health information that Identifies an individual and is created or received by a covered entity, and Relates to the past, present, or future physical or mental health or condition, or Health care, or Past, present, or future payment 17

HIPAA Privacy, Security and Breach Notification Rules (2 of 2) Privacy Consent not required for treatment, payment and health care operations Authorization required for some uses and disclosures Notice of Privacy Practices Security standards and administrative, physical and technical safeguards Breach notification required for breach of unsecured PHI 18

Alcohol and Drug Abuse Patient Records 42 CFR Part 2: Restricts disclosures of patient identifying information by federally assisted alcohol and drug abuse programs Key requirements: Confidentiality Security for records Notice Consent for disclosures Court orders/law enforcement inquiries Proposed Rule: 81 FR 6987 (February 9, 2016) allows for general consent rather than individualized, written consent 19

Health records, PHI & Government data (1 of 2) Private government data = PHI = health record PHI: Protected Health Information under HIPAA Definitions of PHI and health record are essentially the same Relevant private government data Public health data (Minn. Stat. 13.3805) Data on individuals maintained by the Department of Health, political subdivisions relating to the identification, description, prevention, and control of disease or as part of an epidemiologic investigation the commissioner designates as necessary to analyze, describe, or protect the public health 20

Health records, PHI & Government data (2 of 2) Welfare data (Minn. Stat. 13.46) Data on individuals maintained by the welfare system are private data on individuals Welfare system includes local social services agencies, county welfare agencies, child support enforcement, human services boards, community mental health center boards 21

Notice of Privacy Practices What is it? A notice that describes how medical information about a patient may be used/disclosed and how patients can access their information MDH model NPP: http://www.health.state.mn.us/e-health/privacy/docs/ps102114npp.pdf Some MN specific requirements Treatment, payment, operation releases/uses require consent Health research only with consent 22

Privacy & Security: Minimum Necessary (1 of 2) Minnesota requirement Collection and storage of private/confidential data is limited to that necessary for administration and management of a program HIPAA requirement A covered entity or business associate must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, except: Disclosures to or requests by a health care provider for treatment Uses or disclosures made to the individual Uses or disclosures made pursuant to an authorization Certain other uses or disclosures required by law 23

Privacy & Security: Minimum Necessary (2 of 2) Minimum necessary tips Access files you maintain about a client only within professional work obligations Limit discussion with colleagues Never discuss private data outside of work 24

Focus on Public Health and Minor Health Services Arden Fritz Legal Affairs Coordinator, Minnesota Department of Health

HIPAA, PRIVACY, AND PUBLIC HEALTH Under Health Records Act, patient consent not required to release medical records to MDH under disease reporting and investigation rules, and statutory authority to conduct studies and investigations. Health Data ( 13.3805) are private data on individuals, but may be disclosed by MDH Commissioner under circumstances set forth in Subd. 1(b)(2) and (3). Under HIPAA, patient consent not required for disclosure to public health authorities (MDH and LPH). Covered entity may reply upon the minimum necessary determination made by public health authorities. 26

Minor Consent Minn. Stat. 144.341-347 Minnesota law guarantees minors the right to confidential health care services, without parental consent, in certain situations: A minor who is or has been married, or borne a child ( 144.342); Reproductive care, contraceptives, sexually transmitted diseases, alcohol and drug abuse ( 144.343); Mental health care if over 16 ( 253B.04); Emergencies ( 144.344); Hepatitis B vaccinations ( 144.3441); and Abortions, in limited situations ( 144.343). 27

Minor Consent - Minn. Stat. 144.341 Notwithstanding any other law, a minor: living separate and apart from parents, with or without parental consent, regardless of the duration of the separation, managing their own personal financial affairs regardless of source or extent of income: may give effective consent to personal medical, dental, mental and other health services, and the consent of no other person is required. Note: Minnesota does not have a statute establishing emancipation. 28

Minor Consent Other Statutes If a minor claims to be able to give effective consent for purposes of receiving medical, dental, mental or other health services but who may not in fact do so, their consent shall be deemed effective if the person rendering the service relied in good faith upon the minor s representations ( 144.345). A health care provider may inform parent/legal guardian of treatment given or needed for a minor when, in the judgment of the professional, failure to inform the parent/guardian would seriously jeopardize the health of the minor patient ( 144.346). 29

Minor Consent Other Considerations (1 of 2) A minor consenting for health services assumes financial responsibility ( 144.347); HIPAA, in general, defers to state law to determine what rights a minor has and what discretion a health care provider can exercise regarding disclosure of the minor s HIPAA Protected Health information to a parent or guardian. 30

Minor Consent Other Considerations (2 of 2) Where a minor has statutory authority to consent to their own medical treatment, they are considered the patient under the Minnesota Health Records Act, and their health records including any information regarding their health conditions, health care provided, or payments for health care may not be disclosed to anyone, including parents, absent the minor s valid consent or a specific authorization under the law. The penalties under the Health Records Act may apply to any health record of a minor disclosed to a parent without the minor s authorization. 31

Sample of Use Cases: Application of relevant laws to hypothetical scenarios Stacie Christensen Director, Information Policy Analysis Division, Minnesota Department of Administration

Use Case #1 Patient in a health care home receiving county social services Issues Release of information by a provider Release of information by a non-provider (social services agency) Providers must comply with MHRA even if HIPAA allows for use and disclosure of PHI for treatment, payment and health care operations Required: NPP and consent when sharing Government providers must also comply with the Data Practices Act Required: Tennessen warning and consent when sharing Social services agency must comply with Minn. Stat. 13.46 33

Use Case #2 Coordinating care among various providers and entities Adolescent with diabetes and mental health concerns in rural setting Seen by: Primary care provider and diabetes nurse educator in small town clinic Public health nurse (follow-up care) School nurse (follow-up care) Psychotherapist at county mental health center (unstable moods) Emergency department in a different town (uncontrolled blood sugars) Psychiatrist (clinical depression) School social worker (suicidal thoughts) County crisis team (additional mental health treatment) Providers did not communicate directly with one another so education effort not coordinated Consent to share is generally required, but there could also have been some legal sharing without consent 34

Resources Bob Johnson e-health Project Manager, Minnesota Department of Health

Resources MDH s e-health Privacy and Security Webpage Minnesota Standard Consent Form to Release Health Information (PDF) A standard patient consent form for a person to release their health information. Q & A: Standard Consent Form to Release Health Information (PDF) For general questions regarding the Minnesota Standard Consent Form to Release Health Information. Minnesota Model Notice of Privacy Practices (NPP) (PDF) (Adapted for Minnesota from U.S. Department of Health and Human Services Model NPP) Summary of Proactive Monitoring Procedures for Secure Individual Identifiable Health Information (PDF) Security Risk Analysis Tip Sheet (PDF) HIPAA, Minnesota s Health Records Act, and Psychotherapy Notes (PDF) Foundations in Privacy Toolkit 36

Resources e-health: www.health.state.mn.us/e-health/ Visit MDH s e-health webpage to learn about: Privacy and Security Workgroup Participate in the workgroup Minnesota e-health Weekly Update Stay up-to-date on e-health activities Minnesota e-health Summit Network and learn about e-health in Minnesota Resources 37

Coming in October: Privacy and Consent Primer: Part II Tentative focus on stories and lessons learned from county attorneys Volunteer to share your e-health story or lessons learned Suggest additional e-health topics Email MN.eHealth@state.mn.us 38

Thank you! Comments or Questions: MN.eHealth@state.mn.us 39

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback