Privacy & Security
Record Keeping
Violations
Special Circumstance
42 CFR Part 2
100

What Information is Protected by HIPAA

Protected Health Information:

"individually identifiable health information" 

100

How do we notify patients of Privacy Practices of the OTP?

Posting in the Clinic & Consent Forms
100

What are the two types of penalties that can be faced for a violation of the Privacy Act?

The Office for Civil Rights may impose a penalty on a covered entity for a failure to comply with the requirements of the privacy rule.

The Department of Justice can impose a criminal penalty for the failure to comply.

100

What considerations should you factor in when leaving a message/electronic communications?

Before sending/Leaving a Message:

-Are you able to confirm that it belongs to the patient?

-Do we have an ROI to cover disclosure? (best practice)

100

Why was 42 CFR Part 2 Created?

Ensure that a patient receiving treatment for a SUD in a Part 2 Program does not face adverse consequences in relation to issues such as criminal proceedings and domestic proceedings, such as those related to child custody, divorce or employment.

200

Who is covered by the Privacy Rule?

Any health care provider who transmits health information in electronic form:

- Health Plans

- Healthcare Providers 

- Healthcare Clearinghouses

200

Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?

No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. HIPAA laws are to be applied to all current records and their disposal.

200

Which Wellpath policy states: Discussions of protected patient health information occur in private, without being overheard by patients and non-health care staff?

Privacy of Care

200

***DOUBLE POINTS***

How can inmates or representatives request records from Essex County OTP, and once the request has been submitted, how is follow-up conducted (P&P)?

1) Written Request submitted to ECSD Records Department

2) Records to notify OTP Program Director

3) Program Sponsor & Program Director will ensure in compliance with HIPAA & 42 CFR through ECSD Attorney

200

An Essex County OTP patient requests you release their drug screens to the courts for their case - what is an appropriate response?

DSA for the purpose of SUD treatment are protected under 42 CFR Part 2 and not to be used for forensic purposes.

300

What does HIPAA stand for as part of the US Department of Health and Human Services Privacy Rule?

Health Insurance Portability and Accountability Act of 1996. 

The Privacy Rule addresses the use and disclosure of individuals' health information (called "protected health information") by organizations subject to the Privacy Rule (called "covered entities"), as well as standards for individuals' privacy rights to understand and control how their health information is used.

300

***DOUBLE POINTS***

What agencies have permitted access to patient records for the purpose of carrying out their responsibilities in the supervision and regulation of substance abuse treatment programs and/or accreditation needs and requirements?

  • US Department of Health & Human Services, Substance Abuse Mental Health Services Association (SAMHSA)

  • State Substance Abuse Authorities including DPH, Bureau of Substance Abuse Services

  • Drug Enforcement Administration

  • State Health Authorities or Board of Pharmacy

  • NCCHC and other regulatory and accrediting agencies (ACA, etc.)

300

What are the criminal penalties for a person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule?

- criminal penalty of up to $50,000 and up to one-year imprisonment.  

- criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses.

- criminal penalties up to $250,000 and 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.

300

What are the 3 Federally Protected Considerations requiring written consent to disclose?

1) Alcohol, Drug, SUD Records

2) HIV/AIDS Testing, Results

3) Mental Health Records

300

If any elements of the authorization are incomplete or omitted, is the authorization still valid in accordance with 42 CFR Part 2?

No. The authorization is then invalid and SUD information cannot be released. 

400

When can you disclose PHI without an individual's authorization?

(1) To the Individual (unless required for access or accounting of disclosures)

(2) Treatment, Payment, and Health Care Operations

(3) Opportunity to Agree or Object

(4) Incident to an otherwise permitted use and disclosure

(5) Public Interest and Benefit Activities

(6) Limited Data Set for the purposes of research, public health or health care operations

400

How does BSAS Virtual Gateway Comply with Privacy Laws?

De-Identified Information

400

What rights do patients have under Complaints for 42 CFR Part 2?

Right to file a complaint directly with the Secretary for an alleged violation of Part 2.

400

What are the 3 most common exceptions to HIPAA?

- Medical Emergency/Imminent Danger/Mandatory Reporting for abuse or neglect

- Law enforcement/Court Order

- Consent is provided (ROI)

400

***DOUBLE POINTS***

What types of providers are covered programs under 42 CFR Part 2?

An individual or entity must be federally assisted and hold itself out as providing, and provide, alcohol or drug abuse diagnosis, treatment or referral for treatment. 

A program is “federally assisted” if it is: 1) authorized, licensed, certified, or registered by the federal government; 2) receives federal funds in any form, even if the funds do not directly pay for the alcohol or drug abuse services; or 3) is assisted by the Internal Revenue Service through a grant of tax exempt status or allowance of tax deductions for contributions; or 4) is authorized to conduct business

500

***DOUBLE POINTS***

Each participant will complete an ROI to a patient's community MOUD provider - the one who completes it the most HIPAA-compliant wins (Patient John Doe, admitted to the OTP 3/25/23)

500

What does the Essex County OTP Transfer and Storage of Service Records Policy state in terms of storing records?

7 years from the date of client's discharge/termination/transfer of services, unless required by law to do so for a longer period. 

500

Can you redact information to comply with 42 CFR Part 2?

No. Part 2 requires each disclosure made with written patient consent to be accompanied by a written statement that the information disclosed is protected by federal law and that the recipient cannot make any further disclosure of it unless permitted by the regulations.

500

Does HIPAA Apply to incarcerated individuals?

Yes: HIPAA allows correctional facilities to obtain or use protected health information if necessary for providing health care to an inmate; for the health and safety of inmates, officers, or staff; and for administration and maintenance of the safety, security, and good order of the correctional institution. 

500

Is 42 CFR Part 2 Stricter than HIPAA?

When one regulation imposes a stricter standard than the other, the covered entity must follow the stricter standard. Generally, 42 CFR Part 2 imposes more strict standards than HIPAA.