Confidentiality of Medical Information - PowerPoint PPT Presentation

Provided by: PlaceJ

Transcript and Presenter's Notes

1
Confidentiality of Medical Information
  • Public Health Nursing and Professional Development Unit
  • Eunice B. Inman, RN, BSN
  • Pamela Serrell, RN, BSN
  • Ellen Shope, RN, BSN
  • Lynn Conner, RN, BSN
  • Gay G. Welsh, RN, BSN, MPH

2
Introduction
  • Objectives for this presentation include:
  • Identify laws that require NC Local Health
    Departments to keep patient information
    confidential.
  • Identify which information is confidential.
  • Describe when confidential information may be
    disclosed.
  • Describe how best to document disclosures of
    confidential information.

3
Introduction
  • This presentation is meant to provide an
    overview of confidentiality laws and how those
    laws address some of the issues that arise in NC
    local health departments.
  • It is not meant to be comprehensive. Please
    consult an attorney if you need more information
    or advice for a specific situation.

4
Vocabulary
  • Confidential, as defined by Webster, is:
    private, secret.

5
Confidentiality
  • The general ethic in the provision of health care
    is that a patient's secrets uttered in confidence
    must be safeguarded by the physician, other
    health care providers, and the agency's workforce
    (employees, volunteers, trainees, and other
    persons whose conduct, in the performance of
    their duties, is under the direct control of the
    agency, whether or not they are paid by the
    agency).

6
Laws Affecting LHDs in NC
  • HIPAA Privacy Rule (45 CFR Parts 160 and 164):
    Federal law that governs when covered entities
    (a term that includes most health care providers,
    including LHDs) may and may not use and disclose
    PHI without a client's permission. (Other federal
    and NC laws must also be considered in
    conjunction with HIPAA requirements.)

7
HIPAA Privacy Rule (cont.)
  • Requires covered entities to have written
    policies and procedures designed to comply with
    the Privacy Rule.
  • Requires the implementation of administrative,
    technical, and physical safeguards to protect the
    privacy of individually identifiable health
    information.
  • Requires mitigation, to the extent possible, when
    breaches occur that violate the Privacy Rule or
    the covered entity's policies/procedures, when
    the breach is known by the covered entity.

8
HIPAA Privacy Rule (cont.)
  • HIPAA Definitions
  • PHI: Protected Health Information
  • Individually identifiable health information
    (IIHI) that is transmitted electronically or
    maintained in any form or medium by a covered
    entity.
  • T: Treatment activities of a healthcare
    provider
  • Includes provision, coordination, management of
    health care related services, referrals,
    consultations, etc.

9
HIPAA Privacy Rule (cont.)
  • P: Payment for treatment
  • Includes reimbursement for services, benefit
    coverage, eligibility, billing, collections, etc.
  • O: Health Care Operations that support the
    activities of a healthcare provider
  • Includes QI, credentialing, financial and medical
    review audits, business management, etc.
  • Please refer to the HIPAA Privacy Rule for more
    detailed explanations.

10
ARRA - American Recovery and Reinvestment Act
  • ARRA: Federal law
  • Effective 02/18/09
  • Primarily found at 45 CFR Part 164, Subpart D (45
    CFR 164.400 - 164.414)
  • Contains the HITECH Act, which exceeds HIPAA in
    protecting PHI.

11
ARRA - American Recovery and Reinvestment Act
  • Within ARRA is the Health Information Technology
    for Economic and Clinical Health Act (HITECH Act)
  • Broadens and supplements HIPAA privacy and
    security requirements, and various state privacy
    breach notifications.
  • Safeguards PHI above and beyond current HIPAA
    requirements.
  • Extends requirements to certain non-covered
    entities, covered entities, and to business
    associates of covered entities
  • Includes breach notification requirements for a
    privacy breach.

12
ARRA - American Recovery and Reinvestment Act
  • ARRA HITECH Act (continued)
  • HITECH Act may be found at
    http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
  • Guidance for managing breaches:
    http://www.sog.unc.edu/node/1040 under Security
    Breaches.

13
NC Identity Theft Protection Act
  • NC Identity Theft Protection Act (GS 75-60,
    Article 2A)
  • NC law requiring private businesses and
    government agencies to protect personally
    identifying information that could be used for
    identity theft.
  • Includes specific actions private businesses and
    government agencies must take when experiencing a
    security breach involving personally identifying
    information that is not encrypted (not
    necessarily electronic encryption).
  • Requires notifications of breaches to
    individuals, media, and the NC Attorney General's
    Office in specific situations.

14
NC Identity Theft Protection Act
  • NC Identity Theft Protection Act found at
  • http://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html
  • Guidance may be found at
  • http://www.sog.unc.edu/node/1045
  • Scroll down to "What does The Identity Theft Act
    Mean for Local Health Departments."

15
Other NC State Laws re Confidentiality
  • Public Health Patient Confidentiality Law (GS
    130A-12) (revised, effective 01/01/12)
  • NC law that applies only to LHDs, DHHS and DEHNR
  • Medical records held by either are confidential
    and are not subject to NC's public records law.
  • Disclosure of information may occur only with
    appropriate authorization or as required by
    federal or state law.

16
Other NC State Laws re Confidentiality
  • Privilege Laws (GS 8-53 and GS 8-53.13)
  • NC laws meant to prevent information from being
    introduced into court proceedings against the
    patient's will.
  • GS 8-53: Communications between patients and
    their physicians (and others working under the
    direction of the physician) are privileged.
  • GS 8-53.13: Communications between patients and
    nurses are privileged.
  • Privileged information may be introduced in two
    circumstances:
  • The patient gives permission for the disclosure
  • The judge orders the disclosure after finding
    that it is necessary for the proper
    administration of justice.

17
Laws Protecting Specific Situations
  • Title X Family Planning (45 CFR 59.11)
  • Federal law that requires providers to keep
    information about Title X clients confidential
    and disclose it only with the client's documented
    consent (permission), unless the disclosure is
    necessary to provide services to the client or is
    required by law.

18
Law Protecting Specific Situations
  • Communicable Disease Confidentiality
  • (GS 130A-143) (revised, effective 01/01/12)
  • State Law that applies to information or
    records that identify a person who has or may
    have a reportable communicable disease or
    condition. Such information may be disclosed
    only when the disclosure fits into one of eleven
    circumstances specified in the statute. (Please
    consult the statute for these.)

19
Law Protecting Specific Situations
  • Family Educational Rights and Privacy Act
  • Under FERPA, school nurses must protect access to
    and disclosure of student education records.
  • FERPA may be found at
  • Title 34, Part 99--Family Educational
    Rights and Privacy
  • Schools may also fall under HIPAA.
  • Helpful Q&A re HIPAA and FERPA in schools may be
    found at http://www.sog.unc.edu/node/832


20
Law Protecting Specific Situations
  • Employees working with aspects of mental health
    or substance abuse clients may be subject to laws
    affecting those services.
  • Please consult appropriate sources for legal
    resources applicable to these services.

21
Pharmacy Records Law
  • Availability of pharmacy records
  • (G.S. 90-85.36)
  • Pharmacy orders, whether written or electronic,
    are not public records and may only be provided
    to the following persons:
  • Persons for whom the prescription was written
  • Parent, guardian or persons standing in loco
    parentis of a minor child or disabled adult
  • Pharmacy owner and pharmacist filling the
    prescription
  • Healthcare provider writing the prescription or
    otherwise treating the patient

22
Pharmacy Records Law
  • (List continued)
  • Anyone presenting an authorization for the
    release or subpoena for pharmacy information
  • Includes researchers
  • Any business entity responsible for paying for
    the medical care of the person for whom the
    prescription was written
  • Pharmacy Board members
  • HIPAA covered entity or non-covered health care
    provider for TPO purposes

23
Licensure Laws
  • Components of Nursing Practice for the Registered
    Nurse (21 NCAC 36.0224)
  • (g)(4) is the specific section of administrative
    code that says the nurse must uphold
    confidentiality.
  • (g) Collaborating involves communicating and
    working cooperatively with individuals whose
    services may have a direct or indirect effect
    upon the client's health care and includes
  • (4) safeguarding confidentiality.

24
Licensure Laws
  • Components of Nursing Practice for the
  • Licensed Practical Nurse (21 NCAC 36.0225)
  • (g)(3) is the specific section of administrative
    code that says the LPN must uphold
    confidentiality as delegated by the registered
    nurse.
  • (g) Collaborating involves communicating and
    working cooperatively with individuals whose
    services may have a direct or indirect effect
    upon the client's health care and includes
  • (3) safeguarding confidentiality.

25
Ethics and Policies
  • ANA Code of Ethics Interpretive Statement,
  • Provision 3.2
  • The nurse has the duty to maintain
    confidentiality of all patient information.
  • To do less:
  • Jeopardizes the patient's welfare
  • Destroys trust in the nurse/patient relationship,
    which jeopardizes the nurse's ability to provide
    quality care.

26
Ethics and Policies
  • AMA Code of Ethics Opinion 5.05 Confidentiality
  • The information disclosed to a physician by a
    patient should be held in confidence.
  • The patient should feel free to make a full
    disclosure of information to the physician in
    order that the physician may most effectively
    provide needed services.
  • The patient should be able to make this
    disclosure with the knowledge that the physician
    will respect the confidential nature of the
    communication.

27
Ethics and Policies
  • Local Health Department Policy and Procedure
  • Safeguards Policies: covered entities must have
    in place appropriate administrative, technical,
    and physical safeguards to protect the privacy of
    PHI.
  • Safeguard policies/procedures include, but are
    not limited to:
  • Policy sets forth guidance to safeguard and
    maintain the integrity of the designated record
    set (financial and medical records as defined by
    HIPAA) and how best to protect the rights of
    clients while affording the providers of care
    appropriate access.

28
Which Information is Confidential?
  • Agency Confidentiality Policy: Affirms the
    agency's resolve to abide by the laws presented.
  • Any IIHI about a client is confidential; assume
    that it is all confidential.
  • It is not just the medical status or treatment
    information that is protected.
  • Even the fact that they are a client is
    protected.
  • Any individually identifiable health
    information (IIHI) the LHD has on a person who is
    not a client is most likely confidential.
  • Example: blood lead information for a person
    cared for by a local pediatrician while
    environmental health is doing a home
    investigation.

29
Which Information is Confidential?
  • Individually Identifiable Health Information
    (IIHI) includes:
  • the client's demographic information (name,
    address, age, date of birth, etc.).
  • information that is created or received by a
    health care provider, health plan, employer, or
    health care clearinghouse.
  • information related to the past, present, or
    future physical or mental health condition of the
    individual, provision of health care, or the
    past, present, or future payment for the
    provision of health care.
  • any information that identifies the client, or to
    which there is reasonable basis to believe that
    the information can be used to identify the
    client.

30
Which Information is Confidential?
  • Protected Health Information includes
  • IIHI that is transmitted electronically or
    maintained in any form or medium by the covered
    entity.
  • And everything else mentioned if not addressed in
    laws for specific services.

31
When may LHDs Disclose Patient Information?
  • With the client's (or personal representative's)
    permission.
  • Permission must be in the proper format.
  • In most cases the permission must be in writing.
  • Must be on an appropriate HIPAA compliant
    authorization form.

32
When may LHDs Disclose Patient Information?
  • Under certain circumstances without the
    client's (or personal representative's)
    permission, as specified by law.
  • Broadly these include:
  • Treatment, payment and healthcare operations as
    defined by HIPAA, G.S. 130A-12, and
    G.S. 130A-143.
  • Please consult your HIPAA Officer or County
    Attorney regarding these definitions.

33
When may LHDs Disclose Patient Information?
  • When it is required by another law.
  • The following slides will address these.
  • Subpoenas and other court orders
  • Response guidance for LHDs from the NC School of
    Government may be found at
    http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc7category49

34
Laws requiring disclosure of info.
  • NC law requires the disclosure of confidential
    information or records for specific purposes for
    each of the following (The following is a
    partial list of those who may demand records or
    information.)
  • HIPAA covered entities must verify the identity
    of the individual demanding the information and
    their authority to obtain the information.
  • G.S. 130A-385: Chief medical examiner or county
    medical examiner when a death is under
    investigation.
  • G.S. 130A-209: Diagnoses of cancer to central
    cancer registry

35
Laws requiring disclosure of info.
  • List cont.
  • GS 7B-301: Any person or institution must report
    known or suspected child abuse/neglect or child
    deaths believed to be due to maltreatment to DSS.
  • GS 7B-302: Records or information relevant to
    the investigation of known or suspected cases of
    child abuse or neglect may be released to
    director of social services
  • GS 7B-601: or guardian ad litem representing the
    child
  • GS 7B-1413: The N.C. Child Fatality Prevention
    Team, a community child protection team, and N.C.
    Child Fatality Task Force may review information
    they deem relevant to their task.

36
Laws requiring disclosure of info.
  • List cont.
  • GS 108A-102: Report suspected abuse of elderly
    or disabled adults to Social Services Director.
  • GS 130A-5 and 130A-15: NC Secretary of HHS may
    see patient records when the patient's physician
    and a DHHS physician agree that there is a clear
    danger to public health and other health
    hazards.
  • GS 130A-135 et seq.: Outbreaks of reportable
    communicable diseases.
  • G.S. 130A-144: Local Health Directors or State
    Health Director may demand medical records
    pertaining to the diagnosis, treatment, or
    prevention of communicable disease.

37
Laws requiring disclosure of info.
  • List cont.
  • G.S. 51-2: Disclose relevant medical information
    of minors seeking to marry to court appointed
    guardian ad litem.
  • G.S. 90-21.20: Report wounds/injuries to law
    enforcement if there appears to be criminal
    violence involved.
  • G.S. 130A-153 and 10A NCAC 41A.0406: Disclosures
    of immunizations to specific providers, schools,
    etc.


38
Laws requiring disclosure of info.
  • List cont.
  • G.S. 130A-456: Physicians must report
    occupational injuries on farms and other
    reportable occupational diseases and illnesses to
    DHHS.
  • G.S. 130A-458: Persons in charge of laboratories
    that provide diagnostic services must report
    findings related to reportable occupational
    diseases and illnesses to DHHS.


39
Laws requiring disclosure of info.
  • List cont.
  • G.S. 130A-476(b): Authorizes State Health
    Director to issue temporary order requiring
    health care providers to report specifically
    requested medical information to local health
    director or State Health Director to investigate
    a possible bioterrorist incident.
  • State and federal auditors of programs such as
    Medicaid may review patient records under
    applicable state and federal regulations.


40
Other exceptions requiring disclosure.
  • Responding to a court order, subpoena, warrant,
    and other law enforcement and judicial requests
  • Response guidance for LHDs from NC SOG may be
    found at
  • http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc7category49
  • LHDs may disclose information without a patient's
    permission upon receipt of a proper court order,
    provided only the PHI disclosed is expressly
    authorized by the court order.
  • A subpoena must never be ignored; however,
    depending on the type of subpoena, automatic
    disclosure of information is not always
    appropriate. (Consult the above guidance and
    local attorney.)

41
Other exceptions requiring disclosure.
  • The health department should have a carefully
    crafted policy for handling subpoenas, court
    orders and law enforcement and judicial requests.
  • All the above requests should be brought to the
    attention of the health director immediately.
  • Consulting the LHD Attorney about the above types
    of legal requests prior to disclosing
    information is a good idea.

42
Obtaining Consent For TPO
  • "Consent" as defined by HIPAA means that the
    client is giving the covered entity permission to
    use and disclose their protected health
    information for treatment, payment, and other
    health care operations.
  • Obtaining consent for TPO is optional under
    HIPAA and is no longer required by NC law
    (G.S.130A-12(3), revised, effective 01/01/12.)

43
Obtaining Consent For TPO
  • Consent (cont.)
  • It is no longer recommended that local health
    departments obtain consent for TPO.
  • Continuing to obtain consent for TPO may result
    in barriers to care in specific circumstances and
    lost reimbursement if a client refuses to sign
    the consent for TPO as the mandated services are
    still required to be provided.

44
Verification Requirements
  • Prior to disclosing requested PHI to a person
    or entity, the HIPAA Privacy Rule requires
    covered entities to verify two things:
  • the requesting person's identity (personal
    identity or as an appropriate designee of a
    requesting entity).
  • the requesting person's authority to receive the
    information.
  • Covered entities must have internal Verification
    Policies and Procedures and must have trained
    their staff on the policy/procedure.

45
Obtaining Permission to Disclose Information
(Authorization)
  • HIPAA Authorization Forms
  • Must contain specific elements.
  • Must be used for disclosures outside the realm of
    TPO.
  • Please see the following references:
  • IOG: http://www.sog.unc.edu/node/818
  • DPH: http://publichealth.nc.gov/lhd/
  • See Problem Oriented Health Record topic and
    select DHHS Form 4056.

46
Obtaining Permission for Treatment
  • "Consent for Treatment"
  • Obtaining informed consent to treat a patient is
    an entirely different legal obligation as opposed
    to obtaining consent for TPO, which is not a
    legal obligation.
  • Consent for Treatment means that the client is
    giving permission to the health care provider to
    provide medical care and treatment to the client.
    (G.S. 90-21.13)
  • Obtaining consent for TPO, which is no longer
    recommended, means the client is giving the
    covered entity permission to use and disclose
    their PHI for treatment and payment activities as
    well as health care operations.
  • Health departments still need informed consent to
    treat a patient.

47
Obtaining Permission for Treatment
  • GS 90-21.13 Informed consent to healthcare or
    procedure.
  • Valid consent means that a reasonable person
    under all the surrounding circumstances would be
  • mentally and physically competent to give
    consent.
  • able to understand the implications, risks and
    hazards of the treatment or procedure.
  • consent voluntarily to the treatment or
    procedure, and without coercion from the
    requestor.

48
Documenting Disclosures
  • When information is disclosed with the client's
    consent (via HIPAA compliant authorization):
  • Put copy of signed authorization in client's
    record.
  • HIPAA requires that the client be given a copy
    of the signed authorization.
  • Make a note in the record when the information
    is actually released.
  • Disclosures made with the client's authorization
    are not required to be included in the Accounting
    of Disclosures.
  • (The client has the right to ask for an
    accounting of disclosures. See
    http://www.sog.unc.edu/node/818 for guidance on
    accounting of disclosure requirements.)

49
Documenting Disclosures
  • When information is disclosed without permission
    when meeting a legal requirement to disclose,
    documentation in the client's record should
    include:
  • the date and the fact of its disclosure,
  • to whom it was disclosed
  • why it was disclosed
  • the name of staff member that disclosed the
    information
  • the signature/initials of the staff member
    recording the documentation in the record
  • Disclosures made without client authorization
    are required to be included in the Accounting of
    Disclosures.

50
Questions
  • Now a few minutes for questions.