Our Annual

1

• Our Annual
• HIV Confidentiality Update
• An Overview for
• Agency Names
• In-service on Confidentiality

2
Purpose of this In-Service

• New York State HIV Confidentiality Law Article
  27-F of the Public Health Law protects the
  confidentiality of HIV-related information about
  people who receive services from most health care
  or social services in New York.
• Our agency is one of the many providers of health
  or social services in New York that must comply
  with Article 27-Fs confidentiality requirements.
  

3
Purpose of this In-Service (cont.)

• HIPAA (federal law) requires some health care
  providers including this agency to maintain the
  confidentiality of all protected health
  information.
• More . . .

4
Purpose of this In-Service (cont.)

• Both of these laws (and regulations implementing
  them) require agencies they cover to
• have policies and procedures to ensure compliance
  with the laws privacy protections, and
• conduct annual updates on our HIV policies and
  procedures for all staff.

5
Purpose of this In-Service (cont.)

• This is your annual update.

6
What this presentation covers

• 1. The laws that protect the confidentiality of
  HIV information
• Article 27-F of the NYS Public Health Law HIV
  Confidentiality Law
• HIPAA (if applicable)
• 2. HIPAApatients rights provisions
• 3. How to respond to client/patient complaints
  about breach of confidentiality

7
Have questions?

• Speak to supervisor.
• If you cannot resolve the question internally,
  call on these resources
• NYS Department of Health Confidentiality Hotline
  800-962-5065, or
• Legal Action Center
• ask for attorney on call
• 212-243-1313 or 800-223-4044

8
Part 1

• Confidentiality of
• HIV-related Information
• Article 27-F of the
• NYS Public Health Law
• HIPAA

9
Article 27-FWhat is it?

• New York State law that governs
• HIV testing
• HIV confidentiality
• HIV case reporting partner notification
• (NYS HIV Case Reporting Partner Notification
  law is in Public Health Law Article 21, Title
  III)
• This presentation covers the confidentiality
  provisions, not those concerning testing.

10
Article 27-F Who is covered?

• ANY person or agency who receives
• HIV-related information about a protected
  individual
• while providing a covered health or social
  service
• Examples health care professionals and health
  facilities, foster care agencies, school nurses,
• OR

11
Article 27-F Who is covered (cont.)?

• 2. Anyone who receives HIV information
  pursuant to a proper written release. This means
  
• if you obtain a clients HIV information pursuant
  to his or her signed HIV release form, you must
  follow Article 27-F.
• if you disclose a clients HIV information
  pursuant to an HIV release form, the
  person/agency receiving it must follow Article
  27-F too.
• OR

12
Article 27-F Who is covered (cont.)?

• ANY New York state or local governmental agency
  that
• provides, supervises or monitors health or social
  services
• Examples DOH, OASAS, OTDA, DOCS, HRA, DSS

13
Article 27-F Does NOT apply to

• Protected individuals themselves
• Persons tested for/diagnosed with HIV or AIDS
• Friends, relatives
• Courts
• Insurers
• Federal agencies (military, federal prisons)
• Schools (except school health staff)
• Employers
• BUT . . .

14
But, while Article 27-F may not apply . . .

• OTHER laws protect the confidentiality of
  information about individuals health conditions
  (including HIV-related) in many circumstances.
• Examples
• U.S. Constitutional right to privacy applies to
  government (federal, state, local)
• Americans with Disabilities Act applies to
  employers
• Privacy Act applies to federal government

15
Recap Our agency must follow Article 27-F
because

• State how why Article 27-Fs confidentiality
  requirements apply to this agency, e.g.
• we provide covered health or social services
• we receive disclose HIV-related info about our
  clients pursuant to written release
• applicable DOH/AIDS Institute or other state
  agency regulations require us to comply
• applicable DOH/AIDS Institute or other state
  agency contract requires us to comply.

16
HIPAA What is it?

• Federal law that establishes minimum safeguards
  to protect the privacy of medical records and
  other personal health information (PHI).
• Applies to personal health information no matter
  how it is shared in electronic, written or oral
  form.

17
HIPAA Who is covered?

• Covered Entities Are
• Health Care Providers
• Health Plans
• Health Care Clearinghouses
• IF they transmit personal health information
  electronically in order to process payment or
  make eligibility determinations.

18
HIPAA Are we covered?

• State whether this agency is (or is not)
  covered by HIPAA.
• Even agencies not covered by HIPAA need to
  understand its basic requirements because many
  other agencies they interact with likely are
  covered by HIPAA.

19
HIPAA Article 27-FWho must comply with both?

• Most health care providers in New York State,
  assuming they transmit health information
  electronically for purposes of billing or
  reimbursement.

20
What happens if both HIPAA Article 27-F apply?

• Follow HIPAA unless Article 27-F is more
  stringent than the HIPAA provision.
• More stringent means provides greater privacy
  protection, or gives individuals more privacy
  rights.
• Article 27-F is usually more protective
  (stringent) than HIPAA, so you follow Article
  27-F.

21
Whats the Law? The general rule

• HIPAA Art. 27-F generally both prohibit the
  disclosure of health information about an
  individual.
• HIPAA covers nearly all personal health
  information (which it calls protected health
  information)
• Article 27-F covers only HIV-related
  information.

22
Article 27-FThe general rule (cont.)

• NO DISCLOSURE A provider may not disclose any
• HIV-related information obtained while providing
  health or social service or through a release.

23
Article 27-FThe general rule (cont.)

• HIV-related information includes
• Had an HIV test (whether positive or negative)
• Has HIV infection, HIV related illness or AIDS
• Has been treated/is being treated for HIV
• Takes medication specific to HIV disease
• Is a contact of someone with HIV (spouse,
  sexual or needle-sharing partner)

24
Article 27-F General rule Case studies nos. 1
and 3

• What information is protected?
• Case study 1 (Jane, the case manager, and her
  friend Maggie)
• In the waiting room
• Case study 3 (Don, waiting to be called in for
  HIV test results)
• Cases issues from staff here?

25
Article 27-FThe general rule (cont.)

• HIV confidentiality law protects
• Not only your clients/patients, but also
• Anyone whose HIV-related information you received
  while providing health or social service even
  someone who has had no contact with this agency.

26
Article 27-FThe general rule (cont.)

• You must always maintain the confidentiality of
  this HIV-related information
• even after you leave your job here.

27
Exceptions to the General Rule When Disclosure
is Permitted

• While the general rule is no disclosure of
  protected health information,
• Both HIPAA Article 27-F have exceptions
  that allow entities to share HIV
  information.
• Main Article 27-F exceptions permitting
  disclosure are outlined in Article 27-F flow
  chart (see slide above, and hand-out).

28
(No Transcript)
29
Main Article 27-F exceptions permitting
disclosure

• Exceptions covered by this presentation
• Written Release
• Internal communications
• Disclosures to health care providers
• Partner notification
• Note Follow Article 27-F rules governing these
  exceptions, since it is more stringent
  provides greater protections than HIPAA.

30
Exception 1 Written Release

• Requirements for release
• Voluntary
• In writing. No oral release!
• Revocable at any time.
• Revocation can be oral or written
• Document it!
• Continued. . . .

31
Written release (cont.)

• Use DOH-approved release (complies with Article
  27-F and HIPAA)
• In hand-outs
• Do not have client sign a blank or partially
  completed form.

32
Written release (cont.)

• Who signs the form?
• Person whose HIV-related information is being
  disclosed, if he or she has
• capacity to consent

33
Written release (cont.)

• What is capacity to consent?
• Regardless of age, ability to
• Understand appreciate the nature consequences
  of proposed disclosure
• AND
• Make an informed decision about whether or not to
  permit the disclosure

34
Written release (cont.)

• Minors (under age 18) can have capacity to
  consent. No age cut-off.
• If minor lacks capacity to consent, the person
  authorized by law to consent to health care for
  the minor may authorize disclosure of HIV
  information about the minor. This may be
• Biological or adoptive parent
• Guardian
• Authorized agency (ACS or DSS) if court
  granted the authority

35
Written release (cont.)

• Review of this agencys policies for completing
  the release form.
• How to describe the recipient?
• Law does not require listing name(s) of
  particular employee(s) at recipient agency
• May be general, e.g., my caseworker other
  agency staff involved in my benefits claim at X
  agency
• This agencys policy is.

36
Written release (cont.)

• Completing release form (cont.)
• Multi-party releases are permitted.
• How to specify expiration date or event?
• Release should remain in effect only as long as
  needed to fulfill specific purpose
• More on next slide

37
Written release (cont.)

• Completing release form (cont.)
• AIDS Institute requirement release form should
  expire no later than one year from date signed.
• Can specify expiration condition or one year,
  whichever is first

38
Written release (cont.)

• Questions about how to complete the release form?
• Ask your supervisor, or designate agency staff
  responsible
• Useful resources
• DOH Technical Assistance Bulletins
• Legal Action Center training materials

39
No Redisclosure

• Person receiving HIV-related information pursuant
  to release may not redisclose
• Person providing HIV related information pursuant
  to release must provide notice prohibiting
  redisclosure
• See Notice Prohibiting Redisclosure
• In hand-outs

40
Article 27-FCase studies nos. 2 and 4

• Release
• Case study 2 (Peaches and client Herb)
• Releases
• Case study 4 (Joe and client Mary)
• Cases issues from staff here?

41
Exception 2Internal communications

• The rule agency staff may share HIV related
  information IF the staff members
• Are authorized to access clients HIV related
  information in agencys written need-to-know
  protocol and
• Have a reasonable need to know or share the
  information to carry out their authorized duties.

42
Internal communications (cont.)

• HIPAA has similar minimum necessary standard
• Must make reasonable efforts to limit use and
  disclosure of information to the minimum
  necessary to accomplish the intended purpose

43
Internal communications (cont.)

• Review of this agencys
• need to know list (include job titles and
  functions justifying access)
• categories of information to which they need
  access
• any conditions to or restrictions on their access

44
Internal communications (cont.)

• Review of this agencys policy for charting
  HIV-related information
• Article 27-F must record HIV information in
  medical record IF required to keep medical record
  
• Charting/record-keeping requirements under
  regulations that apply to this agency
• Where else and how else to record?

45
Article 27-FCase study no. 5

• Charting HIV information
• Case study 5 (Paddy and client Finn)
• Cases and issues relating to charting or
  record-keeping from staff here?

46
Exception 3 Health Care Providers

• May disclose HIV related information without
  release to an outside health care provider or
  health facility when necessary for that health
  care provider/facility to know the HIV info in
  order to provide appropriate care or treatment
  to
• 1. The protected individual, or
• 2. His or her child, or
• 3. His or her contact (spouse, sex or
  needle-sharing partner)

47
Disclosures to health care providers (cont.)

• Agency with the info not the outside health
  care provider makes the decision whether it is
  necessary for the outside provider to know the
  HIV info in order to provide the care or
  treatment in question.
• Document the disclosure.

48
Disclosures to health care providers (cont.)

• It is always preferable to seek obtain a
  release even if the disclosure is legally
  permitted without it.
• Our agencys policy is
• obtain a release whenever practicable
• disclosures without a release under health care
  provider rule are permitted if/when_________
• If in doubt, consult with designated staff
  responsible for making decisions.

49
Exception 4 Partner Notification

• What do you do . . .
• if your client/patient confides that he is
  having unprotected sex and has no intention of
  disclosing his HIV status to his partner?

50
Partner notification (cont.)

• The rule
• 1st question are you a physician? ONLY
  physicians and special Department of Health staff
  are permitted to notify identified partners of
  HIV infected individuals of the partners
  exposure risk
• NO ONE ELSE is permitted to do partner
  notification (without the HIV individuals
  specific, written release)

51
Partner notification (cont.)

• Physicians may only notify contact if
• Significant risk of infection
• Counsels patient about need to notify
• Does domestic violence screen
• Informs patient that
• Intends to notify at-risk partner, or ask DOH
  (PNAP) to do so
• Patient can choose to have DOH conduct
  notification
• Source persons name/identity wont be revealed

52
Partner notification (cont.)

• For non-physicians, possible options include
• Counseling HIV client to make disclosure
• If agency has physician(s) on staff, consult with
  him/her about doing notification to the at-risk
  partner or contacting Department of Healths
  Partner Services program OR

53
Partner notification (cont.)

• More options for non-physicians
• If you know your clients physician or health
  care provider outside your agency ask client
  to sign a release so you can disclose to that
  physician, asking him/her to do notification or
  forward the information to DOH. Or, under the
  health care provider rule (above), you may tell
  that physician without a release.

54
Partner notification (cont.)

• Key points about partner notification
• Physicians have permission but not legal duty
  to notify at-risk partners, as outlined above.
• Non-physicians have no legal duty to ensure
  at-risk partners are notified.
• Identity of HIV source patient is never
  revealed to at-risk partner (in absence of
  patients written release or a special court
  order).

55
Partner notification (cont.)

• Review of this agencys policy and procedures for
  dealing with partner notification issues

56
Article 27-FCase study no. 7

• Contact (partner) notification
• Case study 7 (Maria and her HIV client John)
• Partner notification cases and issues from staff
  here?

57
Other exceptions permitting disclosure under
Article 27-F

• Consider reviewing other exceptions that may
  apply to your work, or be relevant to your
  agencys staff, including
• Case reporting
• Physicians minors
• Foster care
• Occupational exposure
• Insurance
• Court orders
• Program evaluation
• Newborns

58
Other exceptions permitting disclosure under
Article 27-F (cont.)

• Additional details and resources explaining
  these exceptions are available through
• NYS Department of Health website and resource
  materials, including
• New York State Confidentiality Law and HIV
  Questions and Answers, at www.health.state.ny.us
• Legal Action Center website (www.lac.org),
  resources and training materials

59
Wrap-up HIV confidentiality and our policies
procedures

• as needed, note any developments, updates or
  changes since previous annual HIV confidentiality
  in-service and update
• Identify agency staff responsible for
• developing updating this agencys HIV
  Confidentiality Policies and Procedures
• ensuring/conducting initial and annual employee
  training.

60
Part 2

• HIPAA
• Patients Rights

61
HIPAA patient rights

• HIPAA provides patients with the right to
• Receive a notice of privacy protections
• Access records
• Request an amendment
• Receive an accounting
• Request restrictions
• Receive confidential communications
• Details on each to follow

62
HIPAA patient rights (cont.)

• New York State law already provided patients with
  most of these rights.
• HIPAA expanded some of these rights, but did not
  provide as much protection in other areas.
  Always follow the more protective (more
  stringent provision).

63
HIPAA privacy notice

• Providers must give patients a privacy notice.
• Must post in prominent location
• Must receive written confirmation of receipt from
  patient.
• Review agencys policies for distributing privacy
  notice.

64
HIPAA right to access records

• Patients are entitled to access to their own
  health records upon request (subject to certain
  limitations)
• Review agencys policies for processing patients
  requests for records

65
HIPAARight to request amendment

• Patients have the right to request amendments of
  their records.
• Review agencys policies for processing requests
  for amendments to patient records.

66
HIPAA Art. 27-FRight to an Accounting

• Both HIPAA Art. 27-F give patients the right to
  a list of HIV-related disclosures about them.
• Review agencys policies and procedures for
  responding to requests for such lists.

67
HIPAAConfidential Communications

• If patients make a reasonable request to
  receive communications of protected health
  information by alternative means or at
  alternative locations, the program must honor the
  request.
• For example Patients may ask that
  communications be emailed, or sent to a
  different location other than their homes.
• May not require an explanation from the patient
  as to the basis for the request, but may require
  the request to be made in writing.

68
HIPAAConfidential Communications (cont.)

• Review agencys policies for
• establishing how clients want to receive
  communications, and
• responding to requests for alternative methods of
  communication

69
HIPAA Request Restrictions

• Patients may request the program not to disclose
  health information that the law permits it to
  disclose.
• Example Client says to counselor dont tell
  any other staff here that I am HIV positive even
  though such disclosures are permitted under the
  internal communications exception.
• Continued

70
HIPAA Request Restrictions (cont.)

• The program is not required to agree to the
  patients request.
• However, if the program does agree, it must then
  abide by the restriction.
• Document all agreed upon restrictions.

71
HIPAA Privacy Official

• HIPAA requires programs to have a Privacy
  Official.
• Remind staff who the privacy official is and what
  procedures there are for forwarding information
  to the privacy official.

72
Part 3

• Responding to Complaints about Breach of
  Confidentiality

73
Responding to Complaints

• What should I do
• If my client says my agency has breached her HIV
  confidentiality?
• If my client complains that somebody else has
  violated his confidentiality rights?

74
Responding to complaints our agency

• Inform client our complaint procedure.
• Contact the designated staff responsible for
  addressing such complaints Privacy Officer, if
  HIPAA applies to agency.
• Follow agencys policies for responding to
  patient complaints about privacy violations
• Review policies procedures
• (more on next slide)

75
Responding to complaints our agency (cont.)

• Acknowledge importance of confidentiality
• Dont belittle clients complaint
• Dont give client the run around
• Conduct thorough investigation
• Talk to witnesses
• Look at documentation
• Get clients feedback

76
Case study no. 8

• Breach of HIV confidentiality by home health aide
  in your agency
• Case study 8 Annas home health aide
• Examples issues from our agency?

77
Responding to complaints involving different
agency

• What should I do
• If my client complains that someone in another
  agency has breached his HIV confidentiality?

78
Case study no. 9

• Breach of HIV confidentiality by outside
  physician
• Case study 9 (Michaels doctors office)
• Examples and issues from our clients experiences
  with other agencies ?

79
Responding to complaints involving different
agency (cont.)

• Options
• Refer client to
• Legal Action Center 212-243-1313 or
  800-223-4044. Ask to speak to a paralegal or
• Another HIV legal service provider
• Help client file complaint with NYS Department of
  Health-AIDS Institute, Special Investigation Unit
• Details in next slide . . .

80
Responding to complaints involving different
agency (cont.)

• Option 2 (cont.)
• DOH complaint process for people alleging
  breaches of HIV confidentiality in violation of
  Article 27-F
• Complaint form is on DOH website
• DOH SIU (800) 962-5065
• May ask Legal Action Center (or other HIV legal
  service provider) to represent client in this
  proceeding, but dont need a lawyer
• Usual result if a violation is found statement
  of deficiencies requiring corrective action

81
Responding to complaints involving different
agency (cont.)

• 3. Help client file complaint with other
  government agenc(ies) for
• violation of HIPAA, or
• violating professional licensing/ ethical rules
  governing the breacher.
• Though client will not receive money in these
  proceedings, client may feel vindicated if agency
  finds a violation.

82
Responding to complaints involving different
agency (cont.)

• Option 3 (cont.)
• Complaints against physicians may be filed with
  NYS Office of Professional Medical Conduct.
• OPMC phone 800-663-6114, or
• opmc_at_health.state.ny.us
• complaint form call or download

83
Responding to complaints involving different
agency (cont.)

• Option 3 (cont.)
• Complaints against other licensed professionals
  (e.g., social workers, nurses, pharmacists) may
  be filed with the NYS Education Dept., Office of
  the Professions
• OP Complaint Hot Line 800-442-8106, or
  conduct_at_mail.nysed.gov
• Complaint form call or download

84
Responding to complaints involving different
agency (cont.)

• Option 3 (cont.)
• Complaints under HIPAA may be filed with the
  U.S. Department of Health and Human Services,
  Office of Civil Rights
• Health Information Privacy Complaint
• www.hhs.gov/ocr/howtofile.html
• OCR (toll-free) 800-368-1019

85
Responding to complaints involving different
agency (cont.)

• Options (cont.)
• Conduct informal advocacy with alleged breacher
• Help client complain to management (supervisors,
  director, legal counsel) of the entity that
  breached his/her confidentiality.
• Demand thorough investigation and same steps your
  own agency would do in that situation (just
  discussed).

86
Confidentiality violations other remedies?

• Can someone be sued for violating Article 27-F or
  HIPAA?
• Yes for violations of Article 27-F by person
  whose rights were violated. Client can seek
• money for harm suffered
• change in policies
• training
• discipline for persons responsible

87
Confidentiality violations other remedies?

• Can someone be sued for violating Article 27-F or
  HIPAA? (cont.)
• No for violating HIPAA. People may not bring
  lawsuits to remedy violations of HIPAA. Only the
  federal government can enforce HIPAA. It can
  seek fines imprisonment.

88
Questions?

• Suggestions for improvements?
• Comments?
• Recommendations?
• Thank you!