SlideShare a Scribd company logo

HIPAA, PHI, & 42 CFR Part 2

Hatch Compliance, Inc.
Hatch Compliance, Inc.

HIPAA, PHI, & 42 CFR Part 2

Healthcare
1 of 64
Introduction to HIPAA, PHI, and 42 CFR Part 2 for Healthcare Professionals Protecting Protected Health Information in your Organization
Introduction ■ This educational module is intended to help students understand the fundamentals of HIPAA prior to beginning work at clinical sites. ■ Many sites or agencies will expect you to complete an orientation to their specific approach to HIPAA policies.
What is HIPAA and Why Should I Care? ■ The Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to improve the efficiency and effectiveness of the health care system. ■ Part of HIPAA directly affects your clinical work and the operations of any facility where you will train. ■ Understanding the fundamentals of HIPAA will prepare you to step into training sites with a clear understanding of how to comply with requirements for respecting the privacy of protected health information (PHI).
Content I. The Importance of Protecting Patient Health Information II. General HIPAA and Privacy Rule Overview III. Permitted Uses and Disclosures IV. Patients’ Rights to Control their Health Information V. Administrative Requirements
The Importance of Protecting Patient Health Information Employees with access to patient data may use or disclose it only on a “need to know” basis: ■ Keep this information confidential. ■ Access or use this information only as required to perform your job. ■ Provide the minimum necessary information when responding to information requests. ■ Do not discuss this information with others unless it is administratively or clinically necessary to do so. ■ Do not use any electronic media to copy or transmit information unless you are specifically authorized to do so.
The Importance of Protecting Patient Health Information Additional examples of actions to protect patient privacy: ❑ At nursing stations, keep computer monitors that display patient information turned away from public view. ❑ Log off from patient records before leaving a data terminal. ❑ If you must leave for a few moments, do not leave records face up on your desk or work area. ❑ Place fax machines used to receive confidential records in locations with appropriately limited access. ❑ Avoid elevator and hallway consultations involving patients.
Consequences of Violations Inappropriate disclosure of confidential information is subject to discipline, up to and including discharge from employment. For licensed professionals, it is also subject to discipline by licensing and credentialing bodies There are civil and criminal penalties for violations of patient privacy: ■ Fines up to $25,000 for multiple violations of the same standard in a calendar year ■ Fines up to $250,000 and/or imprisonment up to 10 years for deliberate misuses of individually identifiable health information.
HIPPA rules are not a barrier to good care: ■ The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. ■ Staff and students are free to communicate as required for quick, effective, and high-quality health care. ■ The Privacy Rule also recognizes that overheard communications may be unavoidable and allows for these incidental disclosures.
HIPAA and Privacy Rule Overview: The Health Insurance Portability and Accountability Act (HIPAA) has many parts. Most relevant to students in the health professions are the “Administrative Simplification” provisions including national standards for electronic health care transactions, codes, identifiers, security, and the privacy of personal health information.
The Privacy Rule applies to protected health information (PHI). Protected health information (PHI) is “identifiable” health information acquired in the course of serving patients. Any of the following data make health information “identifiable”: ■ Name ■ Social security number ■ Street and email addresses ■ Employer ■ Telephone and fax numbers ■ Member or account numbers ❑ (e.g. medical record number, health plan identification number) ■ Relatives’ names ■ Date of service, birth or death ■ Fingerprints, photographs, voice recordings ■ Certificate or license numbers ■ Any other linked number, code, characteristic (e.g. device identifiers, serial numbers)
HIPAA generally defers to state law concerning the relative rights of parents and minors. In this module, the terms “individual” or “patient” mean: ❑ Parents and legal guardians may generally exercise the HIPAA rights of their minor children; ❑ Patients 18 or older, or with emancipated or "mature minor" status, may exercise their own rights under HIPAA. ■ If you are in doubt about a patient’s status or have questions about the legal definition of emancipation or "maturity," check with the agency’s legal counsel. ❑ A minor patient may exercise HIPAA rights regarding matters involving diagnosis or treatment relating to certain conditions (e.g., sexually transmitted diseases, drug or alcohol dependency, and pregnancy). The Privacy Rule: Parents and Minors
Permitted Uses and Disclosures of PHI An agency may use or disclose PHI for the following purposes: ❑ In order to treat a patient. ❑ Justifying payment for treating a patient. ❑ Certain administrative, financial, legal, and quality-improvement activities that are necessary to “run the business” (such activities are called “health care operations”).
Additional Permitted Uses and Disclosures of PHI If the disclosure complies with and is limited to what the law requires, agencies are permitted to disclose PHI: ❑ To public health authorities and health oversight agencies ❑ To coroners, medical examiners, and funeral directors ❑ For organ procurement ❑ To respond to court orders and subpoenas
Permitted Uses and Disclosures of PHI There are certain disclosures that agencies may make if the patient is given the opportunity to agree or object: ❑ A patient’s location and condition (in general terms) if the patient is asked for by name or for disaster relief purposes. ❑ PHI relevant to care, or to family/close friends who are designated by the patient.
Permitted Uses and Disclosures of PHI Written permission or authorization from the patient is required to use or disclose PHI for purposes other than treatment, payment, health care operations, or as required by law or for public health reasons.
PHI and Research Specific procedures may allow PHI to be used or disclosed for research purposes: ❑ Records can be de-identification. ❑ Written authorization may be obtained from the patient for research use or discloser. ❑ The Institutional Review Board (IRB) may grant a waiver of written authorization. ❑ Only data needed to prepare work for research purposes only may be disclosed. ❑ Special provisions may allow for research using a decedent’s PHI.
General Data Disclosures An agency may use or disclose demographic information and the dates of treatment for the purpose of raising funds for its own benefit, without an authorization. ❑Example: “Between January and June we treated 47 patients under 18, 20% of whom had family incomes under $25,000 per year.
General data disclosures An agency must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of uses, disclosures, or requests.
Incidental Disclosures An incidental disclosure that occurs as a by- product of an otherwise permitted use or disclosure is permitted: ❑If it cannot be reasonably prevented. ❑If it is limited in nature. ❑To the extent that reasonable safeguards exist.
Permitted Uses and Disclosures to Carry Out Treatment, Payment, and Health Care Operations An entity may use or disclose PHI for its own “Treatment,” “Payment,” or “Health Care Operations”: ❑ “Treatment” generally means the providing, coordinating, or managing health care and related services among health care providers or by a health care provider with a third party; consultation between health care providers regarding a patient; or the referral of a patient for health care from one health care provider to another. ❑ “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill coverage responsibilities, and to provide benefits under the plan. ❑ “Health Care Operations” are certain administrative, financial, legal, training, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.
Disclosures of PHI for Treatment, Payment, and Health Care Operations of Another Entity This is appropriate for: ❑ Treatment activities of a health care provider. ❑ Payment activities of the entity that receives the PHI. ❑ Several specific uses included in the health care operations of the entity that receives the PHI, if both the sending and the receiving entities either have or had a relationship with the individual who is the subject of the PHI and the PHI is related to this relationship. The permitted disclosure may be for the purpose of ■ Health care fraud and abuse detection or compliance, ■ Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, or contacting of health care providers and patients with information about Treatment alternatives. ■ Reviewing the competence or qualifications of health care professionals, evaluating practitioner or health plan performance; conducting training programs for students or practitioners; or accreditation, licensing, or credentialing activities.
“Public Good” Uses and Disclosures An agency may use or disclose PHI without the written authorization of the individual in the situations listed below: ❑ Uses and disclosures required by law. ❑ Uses and disclosures for public health activities (i.e., public health, child abuse and neglect, FDA, communicable diseases, employment workplace medical surveillance). ❑ Disclosures about victims of abuse, neglect, or domestic violence. ❑ Uses and disclosures for health oversight activities. ❑ Disclosures for judicial and administrative proceedings. ❑ Disclosures for law enforcement purposes. ❑ Uses and disclosures about decedents (i.e., to coroners and funeral directors). ❑ Uses and disclosures for cadaveric organ, eye, or tissue donation purposes ❑ Uses and disclosures for research purposes. ❑ Uses and disclosures to avert a serious threat to health or safety. ❑ Uses and disclosures for specialized government functions (i.e.. military and veterans activities, national security and intelligence activities, protective services for the president and others, medical suitability determinations, or correctional institutions and other law enforcement custodial situations). ❑ Disclosures for workers’ compensation.
“Public Good” Uses and Disclosures State Law and other Federal Laws that are more protective of individual’s privacy should be followed. Agencies are required to track most disclosures and to provide individuals with a listing of them upon their request.
Authorization Requirements HIPAA requires the agency to obtain a written authorization to disclose or release any PHI that is not for treatment, payment, or health care operations, or otherwise permitted by the rules Examples of disclosures requiring written authorization under HIPAA: Schools, camps, airlines, hotels, aid organizations, outside attorneys These authorizations must contain the following elements: ❑ A description of the information to be used or disclosed. ❑ Who is authorized to make the use or disclosure. ❑ To whom the disclosure may be made. ❑ A description of each purpose of the disclosure. ❑ An expiration date or an expiration event. ❑ Signature of the individual and date. ❑ Required statements: ■ The individual’s right to revoke the authorization and directions how to revoke. ■ The ability or inability to condition treatment or payment. ■ The risk that redisclosure by the recipient may occur.
Additional Written Authorizations Agencies must typically obtain written authorization to disclose or release patient information in situations beyond what HIPAA requires. Examples of practices that typically requires permission or consent to release information: ❑ Photographs and videos for treatment and training. ❑ Transports. ❑ Sharing patient information with outside providers at the patient’s request or at the request of another provider. ❑ Second opinions. ❑ Making requests for patient information from other providers.
Clinical research is uniquely affected by the regulations. From a clinical investigator perspective, the new regulations will control access to existing health information (medical/database record reviews) and handling of identifiable information created as part of clinical research. There are specific methods that allow PHI to be used or disclosed for research purposes: ❑ All data are de-identified (according to the specific standards of the Privacy Rule). ❑ A limited data set is collected and released (according to the specific standards of the Privacy Rule). ❑ A patient gives a written authorization that his or her data may be used and/or disclosed. ❑ The Institutional Review Board (IRB) may grant a waiver of written authorization. ❑ Data are collected for preparatory work for research purposes only (according to the specific standards of the Privacy Rule). ❑ Special provisions are in place for research on a decedent’s PHI.
Incidental Disclosures An incidental disclosure that occurs as a by-product of an otherwise permitted use or disclosure is permitted: ■ If it cannot be reasonably prevented. ■ If it is limited in nature. ■ To the extent that reasonable safeguards exist. Examples: ■ Keep patient information on white boards/locator boards to a minimum. ■ Reduce unnecessary incidental disclosures during check-in processes and in waiting rooms. ■ Take care to limit the amount of information disclosed on an answering machine. ■ Do not discuss patients in public areas. ■ Consider location when posting patient schedules and storing patient charts. ■ Keep voices low when discussing patient issues in joint treatment areas. ■ Position workstations so screen does not face public areas; consider using screen filters.
Notice of a Person’s Rights to Control His or Her PHI An agency must distribute to each patient at the first treatment encounter, and obtain written acknowledgment of receipt of, a “Right to receive Notice of Privacy Practices”: ❑ Describing how the agency may use and disclose PHI. ❑ Describing the rights the individual has to control his or her health information.
Notice of a Person’s Rights to Control Their PHI Patients should receive a listing of disclosures required by law, public health, health oversight, child abuse reporting, FDA reporting, communicable disease exposure, wound or injury reporting, response to legal process, law enforcement, coroner or medical examiner, organ procurement, research protocols where the IRB has waived the individual’s authorization requirement, or workers’ compensation.
Notice of a Person’s Rights to Control Their PHI People have a right to request confidential forms of communication. Agencies must accommodate reasonable requests to receive confidential communications. People have a right to request restricted uses and disclosures of PHI: ❑ Permitting such restrictions not required. ❑ Requests for restrictions should be made in writing to the institution’s privacy officer.
Notice of a Person’s Rights to Control Their PHI People have a right to inspect and obtain a copy of their health information. Individuals have the right to inspect and obtain a copy of health information in the medical or billing record. People have a right to request amendment to medical and billing records. People have a right to file a formal complaint about violations of privacy with the agency or the Department of Health and Human Services.
The Notice of Privacy Practices The Notice of Privacy Practices describes how the agency may use and disclose PHI and describes the rights the individual has to control his or her health information. The agency must distribute the notice to each patient at the first treatment encounter and obtain written acknowledgment of receipt.
Tracking Disclosures or the “Accounting of Disclosures Log” An individual has a right to receive a listing of certain disclosures. The listing must include disclosures made to individuals or entities outside of agency for the following purposes: ❑ Required by law ❑ Public health activities ❑ Health oversight activities ❑ Child, elder, or handicapped abuse reporting ❑ FDA reporting ❑ Communicable disease exposure ❑ Wound or injury reporting ❑ Response to legal process ❑ Law enforcement activities ❑ Coroner or medical examiner ❑ Organ procurement ❑ Research protocols where the IRB has waived the individual’s authorization requirement ❑ Workers’ compensation
“Accounting of Disclosures Log” The listing must include a description of: ❑To whom information was disclosed– When it was disclosed ❑What was disclosed ❑Why it was disclosed
Right to Request Amendment Individuals have the right to request amendment to PHI included in their medical and billing records. The patient may approach the author of the entry, point out the error, and ask the author to correct it. Uncontested changes requested to the author of the entry can be corrected by the author. If the author does not agree with the request, then the patient may contact the facility’s privacy officer, who may conduct a review of the relevant record, consult with the treating physician, evaluate the individual’s request, and consult with other hospital professionals, as appropriate.
Administrative Requirements: Business Associates Overview ■ A Business Associate is a person or entity to whom an agency discloses PHI so that the person or entity may carry out, assist with, or perform a function on behalf of the agency (e.g., billing). ■ The agency is required to have “satisfactory assurance” that any business associate will “appropriately safeguard” PHI received or created by the business associate in the course of performing services for the agency. ■ The agency must document the satisfactory assurances through a written contract. ■ The business associate provision does not apply to providers who receive information for treatment purposes.
Practical Examples of Appropriate Behavior Under HIPAA The following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby: ❑ Orally coordinate services at hospital nursing stations. ❑ Discuss a patient's condition over the phone with the patient, a provider, or family member. ❑ Discuss lab results with a patient or other provider in a joint treatment area. ❑ Discuss a patient's condition or treatment regimen in the patient's semi private room. ❑ Discuss a patient's condition during training rounds in an academic or training institution.
Personal HIPAA Compliance Checklist When I reach my worksite I will remember to ask my supervisor: ❑ Whether I need to review the site’s specific HIPAA policies. ❑ When and where patients must be given HIPAA notices. ❑ Other site-specific HIPAA implementation policies. When reviewing records or discussing patients I will be mindful of the privacy rules. If I have any questions about the appropriateness of a request for information, I will check with my on-site supervisor or an institutional staff member.
What is 42 CFR Part 2? In addition to HIPAA, there are special privacy protections afforded to alcohol and drug abuse patient records by 42 Code of Federal Regulations (“CFR”) Part 2. The privacy provisions in 42 CFR Part 2 were motivated by the understanding that stigma and fear of prosecution might dissuade persons with substance use disorders from seeking treatment.
What is 42 CFR Part 2? Why is Part 2 important to people living with substance use disorders? Confidentiality is a cornerstone of any treatment relationship. For people receiving SUD treatment, strict confidentiality protections mean that you can share information about past and current drug use without worrying that it will be used against you by the police or a landlord, employer, judge, or social worker. Until we have eliminated the stigma and criminalization of substance use disorders, patients need the right to access treatment without worrying that their records will not be used to take away their children, housing, employment, insurance, public benefits, or freedom.
42 CFR Part 2 To add an extra layer of protection on these records, the regulations outline under what limited circumstances information about a patient’s treatment may be disclosed with and without the patient’s consent. But WHO & WHAT are covered can be confusing! So let’s learn more about what 42 CFR Part 2 says.
42 CFR Part 2 Let’s look at the difference between Part 2 & HIPAA: Both Part 2 and HIPAA protect patient privacy by regulating the way that patient information can be shared and disclosed. HIPAA applies to many types of patient information, not just SUD information, and generally is less protective of patient privacy than Part 2. Unlike HIPAA, Part 2’s privacy protections follow the records even after they are disclosed – the recipient of the records is now bound by Part 2’s privacy and security requirements for the Part 2 records.
42 CFR Part 2 ■ 42 CFR Part 2 applies to any individual or entity that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment. ■ For-profit programs and private practitioners that do not receive federal assistance are subject to the requirements of 42 CFR Part 2 IF the State licensing or certification agency requires them to comply. ■ In addition - Any clinician who uses a controlled substance for detoxification or maintenance treatment of a substance use disorder requires a federal DEA registration and THEN becomes subject to the regulations through the DEA license.
42 CFR Part 2 The information protected by 42 CFR Part 2 is any information disclosed by a covered program that identifies an individual directly or indirectly as having a current or past drug or alcohol problem, or as a participant in a covered program.
42 CFR Part 2 With limited exceptions, 42 CFR Part 2 requires patient consent for disclosures of protected health information even for the purposes of treatment, payment, or health care operations. Consent for disclosure must be in writing.
Before we get into this further - let’s look at some definitions… Under 42 CFR § 2.11: “Patient” means “any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program.” Remember that this could also be regulated by your state or the DEA. “Records” mean “any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program.”
Under 42 CFR § 2.11: “Disclose or disclosure” means the “communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the records of a patient who has been identified.” “Patient identifying information” means the “name, address, social security number, fingerprints, photographs of similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.”
So to sum up the regulation: The information protected by Part 2 is any information disclosed by a Part 2 program that identifies an individual directly or indirectly as having a current or past drug or alcohol problem, or as a participant in a Part 2 program.
DISCLOSURE OF INFORMATION Does 42 CFR Part 2 permit the disclosure of information without a patient’s consent for the purposes of treatment, payment, or health care operations?
DISCLOSURE OF INFORMATION Unlike HIPAA, which generally permits the disclosure of protected health information without patient consent or authorization for the purposes of treatment, payment, or health care operations, Part 2, with limited exceptions (i.e., medical emergencies and audits and evaluations), requires patient consent for such disclosures. Some types of exchange, however, may take place without patient consent when a qualified service organization agreement (QSOA) exists or when exchange takes place between a Part 2 program and an entity with administrative control over that program.
What is a Qualified service Organization (QSO)? (QSO) means a person or organization that: 1) Provides services to a [Part 2] program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting or other professional services or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy, and 2) Has entered into a written agreement with a program under which that person a) acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the programs, it is fully bound by these regulations; and b) if necessary, will resist in judicial proceedings any efforts to obtain access to patient records, except as permitted by these regulations.
What is a a QSOA? A QSOA is an agreement between the provider and a entity in which PHI is shared. When a Part 2 program has entered into a QSOA with an entity that provides any of the covered services, and where the information exchanged is needed to provide the covered services, patient consent is not required.
What is a a QSOA? In addition, patient consent is not required when information is exchanged within your Organization or between an Organization and an entity that has direct administrative control over the program. When a substance use disorder unit is a component of a larger behavioral health Organization or of a general health program, specific information about a patient arising out of that patient’s diagnosis, treatment or referral to treatment can be exchanged without patient consent among the Organization’s personnel and with administrative personnel who, in connection with their duties, need to know information.
Requirements of Consent A written consent to a disclosure under the Part 2 regulations must be in writing and include all of the following items (42 CFR § 2.31): 1) The specific name or general designation of the program or person permitted to make the disclosure; 2) The name or title of the individual or the name of the organization to which disclosure is to be made; 3) The name of the patient; 4) The purpose of the disclosure; 5) How much and what kind of information to be disclosed;
Requirements of Consent 6. The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign in lieu of the patient; 7. The date on which the consent is signed;
Requirements of Consent 8. A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third party payer; and 9. The date, event or condition upon which the consent will expire if not revoked before. This data, event, or condition must insure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given.
Requirements of Consent Can a single consent form be used to authorize the disclosure of Part 2 information to an HIO, as well as authorize the redisclosure of that information to other identified parties? Yes. Under Part 2, a single consent form can authorize a disclosure of information about a patient to one recipient, and simultaneously authorize that recipient to redisclose that information to an additional entity or entities (such as an EMR or affiliated health care providers identified in the consent form), provided that the purpose for the disclosure is the same.
Requirements of Consent However… The required statement prohibiting redisclosure must accompany the information disclosed through consent, so that each subsequent recipient of that information is notified of the prohibitions on redisclosure.
Requirements of Consent Depending on your State, patients may choose to opt out of having their information shared through your EMR or any other Health Information/SAAS Platform utilized by your Organization. In these states, if the patient opts out, no information can be accessed by a person or other Organization if there is no consent on file. Even in an emergency.
Requirements of Consent Opt-Out states currently include: ■ Arizona ■ California ■ Florida ■ Kansas ■ Maryland ■ Minnesota ■ Nevada ■ New Mexico ■ Ohio
Requirements of Consent For all other states, the general rule is that the program may not say to a person outside the program that a client attends the program, or disclose any information identifying a patient as an alcohol or drug abuser unless: ■ The patient consents in writing ■ The disclosure is allowed by a court order and a subpoena. ■ The disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit or program evaluations
Requirements of Consent There are a few limited exceptions when providers can make disclosures without a patient’s written consent, including: ■ Internal communications ■ Medical emergencies ■ Reports of alleged child abuse or neglect (if required by state law) ■ Reports of a crime on program premises or against program personnel ■ Qualified audits or evaluations of the program ■ Research ■ Qualified service organization agreement
Requirements of Consent When can Law Enforcement demand treatment records? Part 2 generally requires a special court order before your records can be shared with law enforcement or a court. A subpoena, general court order, search warrant, or official request is not enough for law enforcement to access your treatment information.
Requirements of Consent You have reached the end of this training! We ask that you return to the main training page and review SAMHSA’s 42 CFR Part 2 Fact Sheet and the Center of Excellence for PHI’s Tips on Telehealth and Privacy.

Recommended

HIPAA & PHI Training
HIPAA & PHI TrainingHIPAA & PHI Training
HIPAA & PHI TrainingHatch Compliance, Inc.
 
Upholding confidentiality
Upholding confidentialityUpholding confidentiality
Upholding confidentialityTheresa Tapley
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 
Confidentiality
ConfidentialityConfidentiality
Confidentialityblutoothe
 
Tips for Handling Patient Complaints
Tips for Handling Patient ComplaintsTips for Handling Patient Complaints
Tips for Handling Patient ComplaintsTexas Medical Liability Trust
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theftAmber Gupta
 
Confidentiality
ConfidentialityConfidentiality
ConfidentialityLLSS64
 
Presentation hippa
Presentation hippaPresentation hippa
Presentation hippamaggie_Platt
 

Recommended

HIPAA & PHI Training
HIPAA & PHI TrainingHIPAA & PHI Training
HIPAA & PHI TrainingHatch Compliance, Inc.
 
Upholding confidentiality
Upholding confidentialityUpholding confidentiality
Upholding confidentialityTheresa Tapley
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 
Confidentiality
ConfidentialityConfidentiality
Confidentialityblutoothe
 
Tips for Handling Patient Complaints
Tips for Handling Patient ComplaintsTips for Handling Patient Complaints
Tips for Handling Patient ComplaintsTexas Medical Liability Trust
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theftAmber Gupta
 
Confidentiality
ConfidentialityConfidentiality
ConfidentialityLLSS64
 
Presentation hippa
Presentation hippaPresentation hippa
Presentation hippamaggie_Platt
 
Security & Privacy for Health Data
Security & Privacy for Health DataSecurity & Privacy for Health Data
Security & Privacy for Health DataNawanan Theera-Ampornpunt
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowCompliancy Group
 
Confidentiality
Confidentiality Confidentiality
Confidentiality pcsamuels10
 
MODULE 8 - PRIVACY AND CONFIDENTIALITY
MODULE 8 - PRIVACY AND CONFIDENTIALITYMODULE 8 - PRIVACY AND CONFIDENTIALITY
MODULE 8 - PRIVACY AND CONFIDENTIALITYDr Ghaiath Hussein
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slidesNaomi Holmes
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA ComplianceCBIZ, Inc.
 
Confidentiality
ConfidentialityConfidentiality
Confidentialitykajal pradhan
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYmariaradziminski
 
Hippa 2021
Hippa 2021Hippa 2021
Hippa 2021John Reardon
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA ComplainceFarhatParveen10
 
2022 Fraud, Waste, & Abuse Training
2022 Fraud, Waste, & Abuse Training2022 Fraud, Waste, & Abuse Training
2022 Fraud, Waste, & Abuse TrainingWindstoneHealth
 
Patient confidentiality
Patient confidentialityPatient confidentiality
Patient confidentialityptamayo1958
 
Confidentiality New Employee Training (First-Week)
Confidentiality New Employee Training (First-Week)Confidentiality New Employee Training (First-Week)
Confidentiality New Employee Training (First-Week)ChildrensHomeIllinois
 
Patients’ privacy and confidentiality
Patients’ privacy and confidentialityPatients’ privacy and confidentiality
Patients’ privacy and confidentialitybernardsanch
 
Protecting patients confidentiality slide presentation
Protecting patients confidentiality slide presentationProtecting patients confidentiality slide presentation
Protecting patients confidentiality slide presentationplunkk
 
Cyber security for kids
Cyber security for kidsCyber security for kids
Cyber security for kidsChris Burrows
 
Internet Safety for Children Powerpoint
Internet Safety for Children Powerpoint Internet Safety for Children Powerpoint
Internet Safety for Children Powerpoint bgmartinez1971
 
Confidentiality Training
Confidentiality TrainingConfidentiality Training
Confidentiality TrainingAmy Fiesler-Garner
 
Release of Information (ROI) Training
Release of Information (ROI) TrainingRelease of Information (ROI) Training
Release of Information (ROI) TrainingHatch Compliance, Inc.
 
Healthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevHealthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevblk70130
 
Introduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUPIntroduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUPAtlantic Training, LLC.
 
Healthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNHealthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNAtlantic Training, LLC.
 

More Related Content

What's hot

HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowCompliancy Group
 
Confidentiality
Confidentiality Confidentiality
Confidentiality pcsamuels10
 
MODULE 8 - PRIVACY AND CONFIDENTIALITY
MODULE 8 - PRIVACY AND CONFIDENTIALITYMODULE 8 - PRIVACY AND CONFIDENTIALITY
MODULE 8 - PRIVACY AND CONFIDENTIALITYDr Ghaiath Hussein
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slidesNaomi Holmes
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA ComplianceCBIZ, Inc.
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYmariaradziminski
 
2022 Fraud, Waste, & Abuse Training
2022 Fraud, Waste, & Abuse Training2022 Fraud, Waste, & Abuse Training
2022 Fraud, Waste, & Abuse TrainingWindstoneHealth
 
Patient confidentiality
Patient confidentialityPatient confidentiality
Patient confidentialityptamayo1958
 
Confidentiality New Employee Training (First-Week)
Confidentiality New Employee Training (First-Week)Confidentiality New Employee Training (First-Week)
Confidentiality New Employee Training (First-Week)ChildrensHomeIllinois
 
Patients’ privacy and confidentiality
Patients’ privacy and confidentialityPatients’ privacy and confidentiality
Patients’ privacy and confidentialitybernardsanch
 
Protecting patients confidentiality slide presentation
Protecting patients confidentiality slide presentationProtecting patients confidentiality slide presentation
Protecting patients confidentiality slide presentationplunkk
 
Cyber security for kids
Cyber security for kidsCyber security for kids
Cyber security for kidsChris Burrows
 
Internet Safety for Children Powerpoint
Internet Safety for Children Powerpoint Internet Safety for Children Powerpoint
Internet Safety for Children Powerpoint bgmartinez1971
 
Healthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevHealthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevblk70130
 

What's hot (20)

Security & Privacy for Health Data
Security & Privacy for Health DataSecurity & Privacy for Health Data
Security & Privacy for Health Data
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
 
Confidentiality
Confidentiality Confidentiality
Confidentiality
 
MODULE 8 - PRIVACY AND CONFIDENTIALITY
MODULE 8 - PRIVACY AND CONFIDENTIALITYMODULE 8 - PRIVACY AND CONFIDENTIALITY
MODULE 8 - PRIVACY AND CONFIDENTIALITY
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA Compliance
 
Confidentiality
ConfidentialityConfidentiality
Confidentiality
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGY
 
Hippa 2021
Hippa 2021Hippa 2021
Hippa 2021
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
 
2022 Fraud, Waste, & Abuse Training
2022 Fraud, Waste, & Abuse Training2022 Fraud, Waste, & Abuse Training
2022 Fraud, Waste, & Abuse Training
 
Patient confidentiality
Patient confidentialityPatient confidentiality
Patient confidentiality
 
Confidentiality New Employee Training (First-Week)
Confidentiality New Employee Training (First-Week)Confidentiality New Employee Training (First-Week)
Confidentiality New Employee Training (First-Week)
 
Patients’ privacy and confidentiality
Patients’ privacy and confidentialityPatients’ privacy and confidentiality
Patients’ privacy and confidentiality
 
Protecting patients confidentiality slide presentation
Protecting patients confidentiality slide presentationProtecting patients confidentiality slide presentation
Protecting patients confidentiality slide presentation
 
Cyber security for kids
Cyber security for kidsCyber security for kids
Cyber security for kids
 
Internet Safety for Children Powerpoint
Internet Safety for Children Powerpoint Internet Safety for Children Powerpoint
Internet Safety for Children Powerpoint
 
Confidentiality Training
Confidentiality TrainingConfidentiality Training
Confidentiality Training
 
Release of Information (ROI) Training
Release of Information (ROI) TrainingRelease of Information (ROI) Training
Release of Information (ROI) Training
 
Healthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bevHealthcare confidentiality training.2013bev
Healthcare confidentiality training.2013bev
 

Similar to HIPAA, PHI, & 42 CFR Part 2

Introduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUPIntroduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUPAtlantic Training, LLC.
 
Healthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNHealthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNAtlantic Training, LLC.
 
This training program is designed to introduce staff
This training program is designed to introduce staffThis training program is designed to introduce staff
This training program is designed to introduce staffsawanda
 
HIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiHIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiAtlantic Training, LLC.
 
Data Security and Privacy Practices
Data Security and Privacy PracticesData Security and Privacy Practices
Data Security and Privacy PracticesSpringfield Clinic
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHarshit Trivedi
 
Health care confidentiality and privacy
Health care confidentiality and privacyHealth care confidentiality and privacy
Health care confidentiality and privacysawanda
 
HIPAA Privacy for Employers 101
HIPAA Privacy for Employers 101HIPAA Privacy for Employers 101
HIPAA Privacy for Employers 101benefitexpress
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarcEtienne6
 
Introduction to HIPAA and Confidentiality for Employees
Introduction to HIPAA and Confidentiality for EmployeesIntroduction to HIPAA and Confidentiality for Employees
Introduction to HIPAA and Confidentiality for EmployeesHouse of New Hope
 
The importance of confidentiality
The importance of confidentialityThe importance of confidentiality
The importance of confidentialityswilson0050
 
Welcome to the hippa, privacy and security
Welcome to the hippa, privacy and securityWelcome to the hippa, privacy and security
Welcome to the hippa, privacy and securityveve1728
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingvrgill22
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 Meg Oser
 

Similar to HIPAA, PHI, & 42 CFR Part 2 (20)

Introduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUPIntroduction to HIPAA for Healthcare Professionals by OUP
Introduction to HIPAA for Healthcare Professionals by OUP
 
Healthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONNHealthcare Compliance and Privacy/Security Training by UCONN
Healthcare Compliance and Privacy/Security Training by UCONN
 
HIPAA Training by UCSD
HIPAA Training by UCSDHIPAA Training by UCSD
HIPAA Training by UCSD
 
This training program is designed to introduce staff
This training program is designed to introduce staffThis training program is designed to introduce staff
This training program is designed to introduce staff
 
HIPAA Audio Presentation
HIPAA Audio PresentationHIPAA Audio Presentation
HIPAA Audio Presentation
 
HIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiHIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of Hawaii
 
Data Security and Privacy Practices
Data Security and Privacy PracticesData Security and Privacy Practices
Data Security and Privacy Practices
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability Act
 
Health care confidentiality and privacy
Health care confidentiality and privacyHealth care confidentiality and privacy
Health care confidentiality and privacy
 
HIPAA Privacy for Employers 101
HIPAA Privacy for Employers 101HIPAA Privacy for Employers 101
HIPAA Privacy for Employers 101
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentation
 
Hipaa inservice
Hipaa inserviceHipaa inservice
Hipaa inservice
 
Introduction to HIPAA and Confidentiality for Employees
Introduction to HIPAA and Confidentiality for EmployeesIntroduction to HIPAA and Confidentiality for Employees
Introduction to HIPAA and Confidentiality for Employees
 
Hippa
HippaHippa
Hippa
 
The importance of confidentiality
The importance of confidentialityThe importance of confidentiality
The importance of confidentiality
 
Confidentiality powerpoint
Confidentiality powerpointConfidentiality powerpoint
Confidentiality powerpoint
 
Welcome to the hippa, privacy and security
Welcome to the hippa, privacy and securityWelcome to the hippa, privacy and security
Welcome to the hippa, privacy and security
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy training
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017
 
HIPAA
HIPAA HIPAA
HIPAA
 

More from Hatch Compliance, Inc.

High Alert & Look-Alike/Sound-Alike Medications
High Alert & Look-Alike/Sound-Alike MedicationsHigh Alert & Look-Alike/Sound-Alike Medications
High Alert & Look-Alike/Sound-Alike MedicationsHatch Compliance, Inc.
 

More from Hatch Compliance, Inc. (9)

Understanding Substance Use Disorder
Understanding Substance Use DisorderUnderstanding Substance Use Disorder
Understanding Substance Use Disorder
 
The Value of Outstanding Patient Care
The Value of Outstanding Patient CareThe Value of Outstanding Patient Care
The Value of Outstanding Patient Care
 
Safety Culture & Good Catch Program
Safety Culture & Good Catch ProgramSafety Culture & Good Catch Program
Safety Culture & Good Catch Program
 
Infection Control Training
Infection Control TrainingInfection Control Training
Infection Control Training
 
Incident Report Training
Incident Report TrainingIncident Report Training
Incident Report Training
 
High Alert & Look-Alike/Sound-Alike Medications
High Alert & Look-Alike/Sound-Alike MedicationsHigh Alert & Look-Alike/Sound-Alike Medications
High Alert & Look-Alike/Sound-Alike Medications
 
Harassment & Discrimination Training
Harassment & Discrimination TrainingHarassment & Discrimination Training
Harassment & Discrimination Training
 
Hand Off Communication
Hand Off CommunicationHand Off Communication
Hand Off Communication
 
Hand Hygiene Training
Hand Hygiene TrainingHand Hygiene Training
Hand Hygiene Training
 

Recently uploaded

Learn Tips for Managing Chemobrain or Mental Fogginess
Learn Tips for Managing Chemobrain or Mental FogginessLearn Tips for Managing Chemobrain or Mental Fogginess
Learn Tips for Managing Chemobrain or Mental Fogginessbkling
 
The future of change - strategic translation
The future of change - strategic translationThe future of change - strategic translation
The future of change - strategic translationHelenBevan4
 
Medisep insurance policy , new kerala government insurance policy for govrnm...
Medisep insurance policy , new kerala government insurance policy for govrnm...Medisep insurance policy , new kerala government insurance policy for govrnm...
Medisep insurance policy , new kerala government insurance policy for govrnm...LinshaLichu1
 
Understanding Cholera: Epidemiology, Prevention, and Control.pdf
Understanding Cholera: Epidemiology, Prevention, and Control.pdfUnderstanding Cholera: Epidemiology, Prevention, and Control.pdf
Understanding Cholera: Epidemiology, Prevention, and Control.pdfSasikiranMarri
 
Your Radiotherapy Destination Gokuldas Hospital.
Your Radiotherapy Destination Gokuldas Hospital.Your Radiotherapy Destination Gokuldas Hospital.
Your Radiotherapy Destination Gokuldas Hospital.Gokuldas Hospital
 
Family Adoption Programme first year mbbs.pptx
Family Adoption Programme first year mbbs.pptxFamily Adoption Programme first year mbbs.pptx
Family Adoption Programme first year mbbs.pptxKritikaMishra43
 
Disseminated Intravascular Coagulation.ppt
Disseminated Intravascular Coagulation.pptDisseminated Intravascular Coagulation.ppt
Disseminated Intravascular Coagulation.pptSameer Jain
 
Mark-Klimek-Lectures-1-To-12 NCLEX EXAMINATION
Mark-Klimek-Lectures-1-To-12 NCLEX EXAMINATIONMark-Klimek-Lectures-1-To-12 NCLEX EXAMINATION
Mark-Klimek-Lectures-1-To-12 NCLEX EXAMINATIONes5735583
 
Presentation for Alzheimers Disease.pptx
Presentation for Alzheimers Disease.pptxPresentation for Alzheimers Disease.pptx
Presentation for Alzheimers Disease.pptxravisutar1
 
The Rise of Telehealth in Weight Loss - Revolutionizing Health .pdf
The Rise of Telehealth in Weight Loss - Revolutionizing Health .pdfThe Rise of Telehealth in Weight Loss - Revolutionizing Health .pdf
The Rise of Telehealth in Weight Loss - Revolutionizing Health .pdfmodmd8654
 
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptxCASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptxdrsriram2001
 
Speedy patient rehabilitation by Panchmukhi Train Ambulance Services in Patna...
Speedy patient rehabilitation by Panchmukhi Train Ambulance Services in Patna...Speedy patient rehabilitation by Panchmukhi Train Ambulance Services in Patna...
Speedy patient rehabilitation by Panchmukhi Train Ambulance Services in Patna...Panchmukhi Air& Train Ambulance Services
 
Subconjunctival Haemorrhage,causes,treatment..pptx
Subconjunctival Haemorrhage,causes,treatment..pptxSubconjunctival Haemorrhage,causes,treatment..pptx
Subconjunctival Haemorrhage,causes,treatment..pptxvideosfildr
 
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are HeardAdvance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are HeardVITASAuthor
 
arpita 1-1.pptx management of nursing service and education
arpita 1-1.pptx management of nursing service and educationarpita 1-1.pptx management of nursing service and education
arpita 1-1.pptx management of nursing service and educationNursing education
 
Text Neck Syndrome and its probable way out.pptx
Text Neck Syndrome and its probable way out.pptxText Neck Syndrome and its probable way out.pptx
Text Neck Syndrome and its probable way out.pptxProf. Satyen Bhattacharyya
 
2024 Compliatric Webinar Series - OSV Overview and Panel Discussion April 202...
2024 Compliatric Webinar Series - OSV Overview and Panel Discussion April 202...2024 Compliatric Webinar Series - OSV Overview and Panel Discussion April 202...
2024 Compliatric Webinar Series - OSV Overview and Panel Discussion April 202...Compliatric Where Compliance Happens
 
Leading big change: what does it take to deliver at large scale?
Leading big change: what does it take to deliver at large scale?Leading big change: what does it take to deliver at large scale?
Leading big change: what does it take to deliver at large scale?HelenBevan4
 

Recently uploaded (20)

Learn Tips for Managing Chemobrain or Mental Fogginess
Learn Tips for Managing Chemobrain or Mental FogginessLearn Tips for Managing Chemobrain or Mental Fogginess
Learn Tips for Managing Chemobrain or Mental Fogginess
 
The future of change - strategic translation
The future of change - strategic translationThe future of change - strategic translation
The future of change - strategic translation
 
Medisep insurance policy , new kerala government insurance policy for govrnm...
Medisep insurance policy , new kerala government insurance policy for govrnm...Medisep insurance policy , new kerala government insurance policy for govrnm...
Medisep insurance policy , new kerala government insurance policy for govrnm...
 
Understanding Cholera: Epidemiology, Prevention, and Control.pdf
Understanding Cholera: Epidemiology, Prevention, and Control.pdfUnderstanding Cholera: Epidemiology, Prevention, and Control.pdf
Understanding Cholera: Epidemiology, Prevention, and Control.pdf
 
Your Radiotherapy Destination Gokuldas Hospital.
Your Radiotherapy Destination Gokuldas Hospital.Your Radiotherapy Destination Gokuldas Hospital.
Your Radiotherapy Destination Gokuldas Hospital.
 
Family Adoption Programme first year mbbs.pptx
Family Adoption Programme first year mbbs.pptxFamily Adoption Programme first year mbbs.pptx
Family Adoption Programme first year mbbs.pptx
 
Disseminated Intravascular Coagulation.ppt
Disseminated Intravascular Coagulation.pptDisseminated Intravascular Coagulation.ppt
Disseminated Intravascular Coagulation.ppt
 
Mark-Klimek-Lectures-1-To-12 NCLEX EXAMINATION
Mark-Klimek-Lectures-1-To-12 NCLEX EXAMINATIONMark-Klimek-Lectures-1-To-12 NCLEX EXAMINATION
Mark-Klimek-Lectures-1-To-12 NCLEX EXAMINATION
 
Presentation for Alzheimers Disease.pptx
Presentation for Alzheimers Disease.pptxPresentation for Alzheimers Disease.pptx
Presentation for Alzheimers Disease.pptx
 
The Rise of Telehealth in Weight Loss - Revolutionizing Health .pdf
The Rise of Telehealth in Weight Loss - Revolutionizing Health .pdfThe Rise of Telehealth in Weight Loss - Revolutionizing Health .pdf
The Rise of Telehealth in Weight Loss - Revolutionizing Health .pdf
 
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptxCASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
CASE STUDY ON CHRONIC KIDNEY DISEASE.pptx
 
Speedy patient rehabilitation by Panchmukhi Train Ambulance Services in Patna...
Speedy patient rehabilitation by Panchmukhi Train Ambulance Services in Patna...Speedy patient rehabilitation by Panchmukhi Train Ambulance Services in Patna...
Speedy patient rehabilitation by Panchmukhi Train Ambulance Services in Patna...
 
Subconjunctival Haemorrhage,causes,treatment..pptx
Subconjunctival Haemorrhage,causes,treatment..pptxSubconjunctival Haemorrhage,causes,treatment..pptx
Subconjunctival Haemorrhage,causes,treatment..pptx
 
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are HeardAdvance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
Advance Directives and Advance Care Planning: Ensuring Patient Voices Are Heard
 
arpita 1-1.pptx management of nursing service and education
arpita 1-1.pptx management of nursing service and educationarpita 1-1.pptx management of nursing service and education
arpita 1-1.pptx management of nursing service and education
 
Check Your own POSTURE & treat yourself.pptx
Check Your own POSTURE & treat yourself.pptxCheck Your own POSTURE & treat yourself.pptx
Check Your own POSTURE & treat yourself.pptx
 
Text Neck Syndrome and its probable way out.pptx
Text Neck Syndrome and its probable way out.pptxText Neck Syndrome and its probable way out.pptx
Text Neck Syndrome and its probable way out.pptx
 
DELIRIUM psychiatric delirium is a organic mental disorder
DELIRIUM psychiatric delirium is a organic mental disorderDELIRIUM psychiatric delirium is a organic mental disorder
DELIRIUM psychiatric delirium is a organic mental disorder
 
2024 Compliatric Webinar Series - OSV Overview and Panel Discussion April 202...
2024 Compliatric Webinar Series - OSV Overview and Panel Discussion April 202...2024 Compliatric Webinar Series - OSV Overview and Panel Discussion April 202...
2024 Compliatric Webinar Series - OSV Overview and Panel Discussion April 202...
 
Leading big change: what does it take to deliver at large scale?
Leading big change: what does it take to deliver at large scale?Leading big change: what does it take to deliver at large scale?
Leading big change: what does it take to deliver at large scale?
 

HIPAA, PHI, & 42 CFR Part 2

  • 1. Introduction to HIPAA, PHI, and 42 CFR Part 2 for Healthcare Professionals Protecting Protected Health Information in your Organization
  • 2. Introduction ■ This educational module is intended to help students understand the fundamentals of HIPAA prior to beginning work at clinical sites. ■ Many sites or agencies will expect you to complete an orientation to their specific approach to HIPAA policies.
  • 3. What is HIPAA and Why Should I Care? ■ The Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to improve the efficiency and effectiveness of the health care system. ■ Part of HIPAA directly affects your clinical work and the operations of any facility where you will train. ■ Understanding the fundamentals of HIPAA will prepare you to step into training sites with a clear understanding of how to comply with requirements for respecting the privacy of protected health information (PHI).
  • 4. Content I. The Importance of Protecting Patient Health Information II. General HIPAA and Privacy Rule Overview III. Permitted Uses and Disclosures IV. Patients’ Rights to Control their Health Information V. Administrative Requirements
  • 5. The Importance of Protecting Patient Health Information Employees with access to patient data may use or disclose it only on a “need to know” basis: ■ Keep this information confidential. ■ Access or use this information only as required to perform your job. ■ Provide the minimum necessary information when responding to information requests. ■ Do not discuss this information with others unless it is administratively or clinically necessary to do so. ■ Do not use any electronic media to copy or transmit information unless you are specifically authorized to do so.
  • 6. The Importance of Protecting Patient Health Information Additional examples of actions to protect patient privacy: ❑ At nursing stations, keep computer monitors that display patient information turned away from public view. ❑ Log off from patient records before leaving a data terminal. ❑ If you must leave for a few moments, do not leave records face up on your desk or work area. ❑ Place fax machines used to receive confidential records in locations with appropriately limited access. ❑ Avoid elevator and hallway consultations involving patients.
  • 7. Consequences of Violations Inappropriate disclosure of confidential information is subject to discipline, up to and including discharge from employment. For licensed professionals, it is also subject to discipline by licensing and credentialing bodies There are civil and criminal penalties for violations of patient privacy: ■ Fines up to $25,000 for multiple violations of the same standard in a calendar year ■ Fines up to $250,000 and/or imprisonment up to 10 years for deliberate misuses of individually identifiable health information.
  • 8. HIPPA rules are not a barrier to good care: ■ The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. ■ Staff and students are free to communicate as required for quick, effective, and high-quality health care. ■ The Privacy Rule also recognizes that overheard communications may be unavoidable and allows for these incidental disclosures.
  • 9. HIPAA and Privacy Rule Overview: The Health Insurance Portability and Accountability Act (HIPAA) has many parts. Most relevant to students in the health professions are the “Administrative Simplification” provisions including national standards for electronic health care transactions, codes, identifiers, security, and the privacy of personal health information.
  • 10. The Privacy Rule applies to protected health information (PHI). Protected health information (PHI) is “identifiable” health information acquired in the course of serving patients. Any of the following data make health information “identifiable”: ■ Name ■ Social security number ■ Street and email addresses ■ Employer ■ Telephone and fax numbers ■ Member or account numbers ❑ (e.g. medical record number, health plan identification number) ■ Relatives’ names ■ Date of service, birth or death ■ Fingerprints, photographs, voice recordings ■ Certificate or license numbers ■ Any other linked number, code, characteristic (e.g. device identifiers, serial numbers)
  • 11. HIPAA generally defers to state law concerning the relative rights of parents and minors. In this module, the terms “individual” or “patient” mean: ❑ Parents and legal guardians may generally exercise the HIPAA rights of their minor children; ❑ Patients 18 or older, or with emancipated or "mature minor" status, may exercise their own rights under HIPAA. ■ If you are in doubt about a patient’s status or have questions about the legal definition of emancipation or "maturity," check with the agency’s legal counsel. ❑ A minor patient may exercise HIPAA rights regarding matters involving diagnosis or treatment relating to certain conditions (e.g., sexually transmitted diseases, drug or alcohol dependency, and pregnancy). The Privacy Rule: Parents and Minors
  • 12. Permitted Uses and Disclosures of PHI An agency may use or disclose PHI for the following purposes: ❑ In order to treat a patient. ❑ Justifying payment for treating a patient. ❑ Certain administrative, financial, legal, and quality-improvement activities that are necessary to “run the business” (such activities are called “health care operations”).
  • 13. Additional Permitted Uses and Disclosures of PHI If the disclosure complies with and is limited to what the law requires, agencies are permitted to disclose PHI: ❑ To public health authorities and health oversight agencies ❑ To coroners, medical examiners, and funeral directors ❑ For organ procurement ❑ To respond to court orders and subpoenas
  • 14. Permitted Uses and Disclosures of PHI There are certain disclosures that agencies may make if the patient is given the opportunity to agree or object: ❑ A patient’s location and condition (in general terms) if the patient is asked for by name or for disaster relief purposes. ❑ PHI relevant to care, or to family/close friends who are designated by the patient.
  • 15. Permitted Uses and Disclosures of PHI Written permission or authorization from the patient is required to use or disclose PHI for purposes other than treatment, payment, health care operations, or as required by law or for public health reasons.
  • 16. PHI and Research Specific procedures may allow PHI to be used or disclosed for research purposes: ❑ Records can be de-identification. ❑ Written authorization may be obtained from the patient for research use or discloser. ❑ The Institutional Review Board (IRB) may grant a waiver of written authorization. ❑ Only data needed to prepare work for research purposes only may be disclosed. ❑ Special provisions may allow for research using a decedent’s PHI.
  • 17. General Data Disclosures An agency may use or disclose demographic information and the dates of treatment for the purpose of raising funds for its own benefit, without an authorization. ❑Example: “Between January and June we treated 47 patients under 18, 20% of whom had family incomes under $25,000 per year.
  • 18. General data disclosures An agency must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of uses, disclosures, or requests.
  • 19. Incidental Disclosures An incidental disclosure that occurs as a by- product of an otherwise permitted use or disclosure is permitted: ❑If it cannot be reasonably prevented. ❑If it is limited in nature. ❑To the extent that reasonable safeguards exist.
  • 20. Permitted Uses and Disclosures to Carry Out Treatment, Payment, and Health Care Operations An entity may use or disclose PHI for its own “Treatment,” “Payment,” or “Health Care Operations”: ❑ “Treatment” generally means the providing, coordinating, or managing health care and related services among health care providers or by a health care provider with a third party; consultation between health care providers regarding a patient; or the referral of a patient for health care from one health care provider to another. ❑ “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill coverage responsibilities, and to provide benefits under the plan. ❑ “Health Care Operations” are certain administrative, financial, legal, training, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.
  • 21. Disclosures of PHI for Treatment, Payment, and Health Care Operations of Another Entity This is appropriate for: ❑ Treatment activities of a health care provider. ❑ Payment activities of the entity that receives the PHI. ❑ Several specific uses included in the health care operations of the entity that receives the PHI, if both the sending and the receiving entities either have or had a relationship with the individual who is the subject of the PHI and the PHI is related to this relationship. The permitted disclosure may be for the purpose of ■ Health care fraud and abuse detection or compliance, ■ Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, or contacting of health care providers and patients with information about Treatment alternatives. ■ Reviewing the competence or qualifications of health care professionals, evaluating practitioner or health plan performance; conducting training programs for students or practitioners; or accreditation, licensing, or credentialing activities.
  • 22. “Public Good” Uses and Disclosures An agency may use or disclose PHI without the written authorization of the individual in the situations listed below: ❑ Uses and disclosures required by law. ❑ Uses and disclosures for public health activities (i.e., public health, child abuse and neglect, FDA, communicable diseases, employment workplace medical surveillance). ❑ Disclosures about victims of abuse, neglect, or domestic violence. ❑ Uses and disclosures for health oversight activities. ❑ Disclosures for judicial and administrative proceedings. ❑ Disclosures for law enforcement purposes. ❑ Uses and disclosures about decedents (i.e., to coroners and funeral directors). ❑ Uses and disclosures for cadaveric organ, eye, or tissue donation purposes ❑ Uses and disclosures for research purposes. ❑ Uses and disclosures to avert a serious threat to health or safety. ❑ Uses and disclosures for specialized government functions (i.e.. military and veterans activities, national security and intelligence activities, protective services for the president and others, medical suitability determinations, or correctional institutions and other law enforcement custodial situations). ❑ Disclosures for workers’ compensation.
  • 23. “Public Good” Uses and Disclosures State Law and other Federal Laws that are more protective of individual’s privacy should be followed. Agencies are required to track most disclosures and to provide individuals with a listing of them upon their request.
  • 24. Authorization Requirements HIPAA requires the agency to obtain a written authorization to disclose or release any PHI that is not for treatment, payment, or health care operations, or otherwise permitted by the rules Examples of disclosures requiring written authorization under HIPAA: Schools, camps, airlines, hotels, aid organizations, outside attorneys These authorizations must contain the following elements: ❑ A description of the information to be used or disclosed. ❑ Who is authorized to make the use or disclosure. ❑ To whom the disclosure may be made. ❑ A description of each purpose of the disclosure. ❑ An expiration date or an expiration event. ❑ Signature of the individual and date. ❑ Required statements: ■ The individual’s right to revoke the authorization and directions how to revoke. ■ The ability or inability to condition treatment or payment. ■ The risk that redisclosure by the recipient may occur.
  • 25. Additional Written Authorizations Agencies must typically obtain written authorization to disclose or release patient information in situations beyond what HIPAA requires. Examples of practices that typically requires permission or consent to release information: ❑ Photographs and videos for treatment and training. ❑ Transports. ❑ Sharing patient information with outside providers at the patient’s request or at the request of another provider. ❑ Second opinions. ❑ Making requests for patient information from other providers.
  • 26. Clinical research is uniquely affected by the regulations. From a clinical investigator perspective, the new regulations will control access to existing health information (medical/database record reviews) and handling of identifiable information created as part of clinical research. There are specific methods that allow PHI to be used or disclosed for research purposes: ❑ All data are de-identified (according to the specific standards of the Privacy Rule). ❑ A limited data set is collected and released (according to the specific standards of the Privacy Rule). ❑ A patient gives a written authorization that his or her data may be used and/or disclosed. ❑ The Institutional Review Board (IRB) may grant a waiver of written authorization. ❑ Data are collected for preparatory work for research purposes only (according to the specific standards of the Privacy Rule). ❑ Special provisions are in place for research on a decedent’s PHI.
  • 27. Incidental Disclosures An incidental disclosure that occurs as a by-product of an otherwise permitted use or disclosure is permitted: ■ If it cannot be reasonably prevented. ■ If it is limited in nature. ■ To the extent that reasonable safeguards exist. Examples: ■ Keep patient information on white boards/locator boards to a minimum. ■ Reduce unnecessary incidental disclosures during check-in processes and in waiting rooms. ■ Take care to limit the amount of information disclosed on an answering machine. ■ Do not discuss patients in public areas. ■ Consider location when posting patient schedules and storing patient charts. ■ Keep voices low when discussing patient issues in joint treatment areas. ■ Position workstations so screen does not face public areas; consider using screen filters.
  • 28. Notice of a Person’s Rights to Control His or Her PHI An agency must distribute to each patient at the first treatment encounter, and obtain written acknowledgment of receipt of, a “Right to receive Notice of Privacy Practices”: ❑ Describing how the agency may use and disclose PHI. ❑ Describing the rights the individual has to control his or her health information.
  • 29. Notice of a Person’s Rights to Control Their PHI Patients should receive a listing of disclosures required by law, public health, health oversight, child abuse reporting, FDA reporting, communicable disease exposure, wound or injury reporting, response to legal process, law enforcement, coroner or medical examiner, organ procurement, research protocols where the IRB has waived the individual’s authorization requirement, or workers’ compensation.
  • 30. Notice of a Person’s Rights to Control Their PHI People have a right to request confidential forms of communication. Agencies must accommodate reasonable requests to receive confidential communications. People have a right to request restricted uses and disclosures of PHI: ❑ Permitting such restrictions not required. ❑ Requests for restrictions should be made in writing to the institution’s privacy officer.
  • 31. Notice of a Person’s Rights to Control Their PHI People have a right to inspect and obtain a copy of their health information. Individuals have the right to inspect and obtain a copy of health information in the medical or billing record. People have a right to request amendment to medical and billing records. People have a right to file a formal complaint about violations of privacy with the agency or the Department of Health and Human Services.
  • 32. The Notice of Privacy Practices The Notice of Privacy Practices describes how the agency may use and disclose PHI and describes the rights the individual has to control his or her health information. The agency must distribute the notice to each patient at the first treatment encounter and obtain written acknowledgment of receipt.
  • 33. Tracking Disclosures or the “Accounting of Disclosures Log” An individual has a right to receive a listing of certain disclosures. The listing must include disclosures made to individuals or entities outside of agency for the following purposes: ❑ Required by law ❑ Public health activities ❑ Health oversight activities ❑ Child, elder, or handicapped abuse reporting ❑ FDA reporting ❑ Communicable disease exposure ❑ Wound or injury reporting ❑ Response to legal process ❑ Law enforcement activities ❑ Coroner or medical examiner ❑ Organ procurement ❑ Research protocols where the IRB has waived the individual’s authorization requirement ❑ Workers’ compensation
  • 34. “Accounting of Disclosures Log” The listing must include a description of: ❑To whom information was disclosed– When it was disclosed ❑What was disclosed ❑Why it was disclosed
  • 35. Right to Request Amendment Individuals have the right to request amendment to PHI included in their medical and billing records. The patient may approach the author of the entry, point out the error, and ask the author to correct it. Uncontested changes requested to the author of the entry can be corrected by the author. If the author does not agree with the request, then the patient may contact the facility’s privacy officer, who may conduct a review of the relevant record, consult with the treating physician, evaluate the individual’s request, and consult with other hospital professionals, as appropriate.
  • 36. Administrative Requirements: Business Associates Overview ■ A Business Associate is a person or entity to whom an agency discloses PHI so that the person or entity may carry out, assist with, or perform a function on behalf of the agency (e.g., billing). ■ The agency is required to have “satisfactory assurance” that any business associate will “appropriately safeguard” PHI received or created by the business associate in the course of performing services for the agency. ■ The agency must document the satisfactory assurances through a written contract. ■ The business associate provision does not apply to providers who receive information for treatment purposes.
  • 37. Practical Examples of Appropriate Behavior Under HIPAA The following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby: ❑ Orally coordinate services at hospital nursing stations. ❑ Discuss a patient's condition over the phone with the patient, a provider, or family member. ❑ Discuss lab results with a patient or other provider in a joint treatment area. ❑ Discuss a patient's condition or treatment regimen in the patient's semi private room. ❑ Discuss a patient's condition during training rounds in an academic or training institution.
  • 38. Personal HIPAA Compliance Checklist When I reach my worksite I will remember to ask my supervisor: ❑ Whether I need to review the site’s specific HIPAA policies. ❑ When and where patients must be given HIPAA notices. ❑ Other site-specific HIPAA implementation policies. When reviewing records or discussing patients I will be mindful of the privacy rules. If I have any questions about the appropriateness of a request for information, I will check with my on-site supervisor or an institutional staff member.
  • 39. What is 42 CFR Part 2? In addition to HIPAA, there are special privacy protections afforded to alcohol and drug abuse patient records by 42 Code of Federal Regulations (“CFR”) Part 2. The privacy provisions in 42 CFR Part 2 were motivated by the understanding that stigma and fear of prosecution might dissuade persons with substance use disorders from seeking treatment.
  • 40. What is 42 CFR Part 2? Why is Part 2 important to people living with substance use disorders? Confidentiality is a cornerstone of any treatment relationship. For people receiving SUD treatment, strict confidentiality protections mean that you can share information about past and current drug use without worrying that it will be used against you by the police or a landlord, employer, judge, or social worker. Until we have eliminated the stigma and criminalization of substance use disorders, patients need the right to access treatment without worrying that their records will not be used to take away their children, housing, employment, insurance, public benefits, or freedom.
  • 41. 42 CFR Part 2 To add an extra layer of protection on these records, the regulations outline under what limited circumstances information about a patient’s treatment may be disclosed with and without the patient’s consent. But WHO & WHAT are covered can be confusing! So let’s learn more about what 42 CFR Part 2 says.
  • 42. 42 CFR Part 2 Let’s look at the difference between Part 2 & HIPAA: Both Part 2 and HIPAA protect patient privacy by regulating the way that patient information can be shared and disclosed. HIPAA applies to many types of patient information, not just SUD information, and generally is less protective of patient privacy than Part 2. Unlike HIPAA, Part 2’s privacy protections follow the records even after they are disclosed – the recipient of the records is now bound by Part 2’s privacy and security requirements for the Part 2 records.
  • 43. 42 CFR Part 2 ■ 42 CFR Part 2 applies to any individual or entity that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment. ■ For-profit programs and private practitioners that do not receive federal assistance are subject to the requirements of 42 CFR Part 2 IF the State licensing or certification agency requires them to comply. ■ In addition - Any clinician who uses a controlled substance for detoxification or maintenance treatment of a substance use disorder requires a federal DEA registration and THEN becomes subject to the regulations through the DEA license.
  • 44. 42 CFR Part 2 The information protected by 42 CFR Part 2 is any information disclosed by a covered program that identifies an individual directly or indirectly as having a current or past drug or alcohol problem, or as a participant in a covered program.
  • 45. 42 CFR Part 2 With limited exceptions, 42 CFR Part 2 requires patient consent for disclosures of protected health information even for the purposes of treatment, payment, or health care operations. Consent for disclosure must be in writing.
  • 46. Before we get into this further - let’s look at some definitions… Under 42 CFR § 2.11: “Patient” means “any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse at a federally assisted program.” Remember that this could also be regulated by your state or the DEA. “Records” mean “any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program.”
  • 47. Under 42 CFR § 2.11: “Disclose or disclosure” means the “communication of patient identifying information, the affirmative verification of another person’s communication of patient identifying information, or the communication of any information from the records of a patient who has been identified.” “Patient identifying information” means the “name, address, social security number, fingerprints, photographs of similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information.”
  • 48. So to sum up the regulation: The information protected by Part 2 is any information disclosed by a Part 2 program that identifies an individual directly or indirectly as having a current or past drug or alcohol problem, or as a participant in a Part 2 program.
  • 49. DISCLOSURE OF INFORMATION Does 42 CFR Part 2 permit the disclosure of information without a patient’s consent for the purposes of treatment, payment, or health care operations?
  • 50. DISCLOSURE OF INFORMATION Unlike HIPAA, which generally permits the disclosure of protected health information without patient consent or authorization for the purposes of treatment, payment, or health care operations, Part 2, with limited exceptions (i.e., medical emergencies and audits and evaluations), requires patient consent for such disclosures. Some types of exchange, however, may take place without patient consent when a qualified service organization agreement (QSOA) exists or when exchange takes place between a Part 2 program and an entity with administrative control over that program.
  • 51. What is a Qualified service Organization (QSO)? (QSO) means a person or organization that: 1) Provides services to a [Part 2] program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, medical, accounting or other professional services or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy, and 2) Has entered into a written agreement with a program under which that person a) acknowledges that in receiving, storing, processing or otherwise dealing with any patient records from the programs, it is fully bound by these regulations; and b) if necessary, will resist in judicial proceedings any efforts to obtain access to patient records, except as permitted by these regulations.
  • 52. What is a a QSOA? A QSOA is an agreement between the provider and a entity in which PHI is shared. When a Part 2 program has entered into a QSOA with an entity that provides any of the covered services, and where the information exchanged is needed to provide the covered services, patient consent is not required.
  • 53. What is a a QSOA? In addition, patient consent is not required when information is exchanged within your Organization or between an Organization and an entity that has direct administrative control over the program. When a substance use disorder unit is a component of a larger behavioral health Organization or of a general health program, specific information about a patient arising out of that patient’s diagnosis, treatment or referral to treatment can be exchanged without patient consent among the Organization’s personnel and with administrative personnel who, in connection with their duties, need to know information.
  • 54. Requirements of Consent A written consent to a disclosure under the Part 2 regulations must be in writing and include all of the following items (42 CFR § 2.31): 1) The specific name or general designation of the program or person permitted to make the disclosure; 2) The name or title of the individual or the name of the organization to which disclosure is to be made; 3) The name of the patient; 4) The purpose of the disclosure; 5) How much and what kind of information to be disclosed;
  • 55. Requirements of Consent 6. The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign in lieu of the patient; 7. The date on which the consent is signed;
  • 56. Requirements of Consent 8. A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third party payer; and 9. The date, event or condition upon which the consent will expire if not revoked before. This data, event, or condition must insure that the consent will last no longer than reasonably necessary to serve the purpose for which it is given.
  • 57. Requirements of Consent Can a single consent form be used to authorize the disclosure of Part 2 information to an HIO, as well as authorize the redisclosure of that information to other identified parties? Yes. Under Part 2, a single consent form can authorize a disclosure of information about a patient to one recipient, and simultaneously authorize that recipient to redisclose that information to an additional entity or entities (such as an EMR or affiliated health care providers identified in the consent form), provided that the purpose for the disclosure is the same.
  • 58. Requirements of Consent However… The required statement prohibiting redisclosure must accompany the information disclosed through consent, so that each subsequent recipient of that information is notified of the prohibitions on redisclosure.
  • 59. Requirements of Consent Depending on your State, patients may choose to opt out of having their information shared through your EMR or any other Health Information/SAAS Platform utilized by your Organization. In these states, if the patient opts out, no information can be accessed by a person or other Organization if there is no consent on file. Even in an emergency.
  • 60. Requirements of Consent Opt-Out states currently include: ■ Arizona ■ California ■ Florida ■ Kansas ■ Maryland ■ Minnesota ■ Nevada ■ New Mexico ■ Ohio
  • 61. Requirements of Consent For all other states, the general rule is that the program may not say to a person outside the program that a client attends the program, or disclose any information identifying a patient as an alcohol or drug abuser unless: ■ The patient consents in writing ■ The disclosure is allowed by a court order and a subpoena. ■ The disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit or program evaluations
  • 62. Requirements of Consent There are a few limited exceptions when providers can make disclosures without a patient’s written consent, including: ■ Internal communications ■ Medical emergencies ■ Reports of alleged child abuse or neglect (if required by state law) ■ Reports of a crime on program premises or against program personnel ■ Qualified audits or evaluations of the program ■ Research ■ Qualified service organization agreement
  • 63. Requirements of Consent When can Law Enforcement demand treatment records? Part 2 generally requires a special court order before your records can be shared with law enforcement or a court. A subpoena, general court order, search warrant, or official request is not enough for law enforcement to access your treatment information.
  • 64. Requirements of Consent You have reached the end of this training! We ask that you return to the main training page and review SAMHSA’s 42 CFR Part 2 Fact Sheet and the Center of Excellence for PHI’s Tips on Telehealth and Privacy.