corporate compliance and regulation final

Public Interest and benefit activities 9. Research

"Research" is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits a covered entity to use and disclose PHI for research purposes, without an individual's authorization, provided the covered entity obtains either: -Documentation that an alteration or waiver of individuals' authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board. -Representations from the researcher that the use or disclosure of the protected PHI is solely to prepare a research protocol or for similar purpose, that the researcher will not remove any PHI from the covered entity, and that PHI is necessary for the research A covered entity also may use or disclose, without an individuals' authorization, a Limited Data Set of protected health information for research purposes.

Freedom of Information Act Exemptions ❑ Information compiled for law enforcement purposes that:

- Could interfere with enforcement proceeding ▪ Would deprive a person of a right to a fair trial or an impartial adjudication ▪ Could reasonably be expected to constitute an unwarranted invasion of personal privacy ▪ Could reasonably be expected to disclose the identity of a confidential source ▪ Would disclose techniques and procedures for law enforcement investigations or prosecutions, ▪ Could reasonably be expected to endanger the life or physical safety of any individual

New York State Confidentiality Law and HIV Informed Consent Consent for HIV related testing is not required under the following circumstances:

- For the purpose of research if the testing is performed in a manner which the identity of the test subject is not known and may not be retrieved by the researcher ▪ On a deceased person, when such test is conducted to determine the cause of death for epidemiological purposes

Covered Entities who maintain or transmit health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards:

- To ensure integrity and confidentiality of the information -To protect against any reasonably anticipated: -threats or hazards to the security or integrity of the information -Unauthorized uses or discloses of the information -To ensure compliance with this part by the officers and employees of such person.

Red Flags Rule Examples of Red Flags

-An individual presents suspicious documents for health care services, such as a photo ID not consistent with existing patient documentation. ▪ An individual uses suspicious personally identifying information or is unable to provide/confirm current or previous identifying information such as address, phone number, date of birth, social security number or insurance. ▪ There is suspicious or unusual use of a patient account. ▪ A patient complains about a bill for products or services not received.

New York State Freedom of Information Law NYS make available for public inspection and copying all records, but State agencies may deny access to records that:

-Are specifically exempted from disclosure by state or federal statute ▪ If disclosed would constitute an unwarranted invasion of personal privacy under the provisions of subdivision two of section eighty-nine of this article ▪ If disclosed would impair present or imminent contract awards or collective bargaining negotiations

The privacy rule excludes from protected health information:

-Employment records that a covered entity maintains in its capacity as an employer. -Education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C.

Health care providers definition

-Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. -The transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions. -Using electronic technology, such as email, does not mean a health care provider is a covered entity. The transmission must me in connection with a standard transaction. -The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf.

Conflict of Interest/ NYS Public Integrity Law/ Public Officers Law The New York State Public Integrity Reform Act of 2011 ("PIRA") established the Joint Commission on Public Ethics ("JCOPE"). The following groups must adhere to PIRA:

-Executive Branch officers and employees, including employees of SUNY & CUNY ▪ Four Statewide Elected Officials and candidates for those offices ▪ Members of the Legislature and candidates for those offices ▪ Legislative employees ▪ Lobbyists, Clients and Public Corporations ▪ Political Party Chairpersons

Disclosure of Substance Disorder Records HIPAA respects individual autonomy by placing certain limitations on sharing health information with family members, friends, and others without the patient's agreement.

-For patients with decision-making capacity: A health care provider must give a patient the opportunity to agree or object to sharing health information with family, friends, and others involved in the individual's care or payment for care. ▪ The provider is not permitted to share health information about patients who currently have the capacity to make their own health care decisions, and object to sharing the information, unless there is a serious and imminent threat of harm to health as described above.

Disclosure Accounting. Individuals have a right to an accounting of the disclosures of their PHI by a covered entity's business associates. The Privacy Rule does not require accounting for disclosures:

-For treatment, payment, or health care operations -To the individual or the individual's personal representative -For notification of or to persons involved in an individual's health care or payment for health care, for disaster relief, or for facility directories; -Pursuant to an authorization -Of a limited data set -For national security or intelligence purposes -To correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody -Incident to otherwise permitted or required uses or disclosures.

Disclosure of Substance Disorder Records HIPAA recognizes patient's personal representatives according to state law

-HIPAA provides a patient's personal representative the right to request and obtain any information about the patient that the patient could obtain, including a complete medical record. ▪ This authority may be established through: o The parental relationship between the parent or guardian of an unemancipated minor o A written directive o Health care power of attorney o Appointment of a guardian o A determination of incompetency

Does HITECH Act and HIPAA reinforce each other?

-HITECH Act and HIPAA are two separate and unrelated laws but they reinforce each other in certain ways . The HITECH stipulates that technologies and technology standards created under HITECH will not compromise HIPAA privacy and security laws. The HITECH Act requires business associates to comply with the HIPAA Security Rule to protect electronic PHI (e-PHI) and to report breaches of PHI.

HIPAA was written as an amended to the Internal Revenue Code of 1986 to:

-Improve the portability and continuity of health insurance coverage. -Combat waste, fraud, and abuse in health insurance and health care delivery. -Promote the use of medical savings accounts. -Improve access to long-term care services and coverage. -Simply the administration of health insurance

Genetic Information means information about:

-Individual's genetic tests ▪ Genetic tests of family members of an individual ▪ Manifestation of a disease or disorder in family members of an individual ▪ Inclusion of genetic services and participation in genetic research, including any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by an individual or a family member of an individual Genetic Information does not include information about the sex or age of any individual.

Freedom of Information Act Exemptions

-Information that is classified to protect national security. -Information related solely to the internal personnel rules and practices of an agency. -Information that is prohibited from disclosure by another federal law. Trade secrets or commercial or financial information that is confidential or privileged. -Privileged communications within or between agencies, including those protected by the: -Deliberative Process Privilege (provided the records were created less than 25 years before the date on which they were requested) -Attorney-work product privilege -Attorney-Client Privilege -Information that, if disclosed, would invade another individual's personal privacy. -Information that concerns that supervision of financial institutions. -Geological information on wells.

New York State Confidentiality Law and HIV Informed Consent

-Informed consent for HIV related testing is valid until the consent is revoked. ▪ Each time an HIV related test is ordered pursuant to an informed consent, the physician or other practitioner must orally notify the subject (or when the subject lacks the capacity to consent, the subject's authorized representative) that an HIV related test will be conducted. ▪ The physician or other practitioner must document the notification in the patient's record. A person authorized to order an HIV related tests must provide the patient, an opportunity to remain anonymous through the use of a coded system with no linking of individual identity to the test request or results. A health care provider who is not authorized by the Department of Health to provide HIV related tests on an anonymous basis must refer the patient to a test site which does provide anonymous testing

Protected Health Information (PHI)

-Is any 'individually identifiable health information" held or transmitted by covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

individually identifiable health information

-Means any information including demographic information collected form an individual, that: -Is created or received by a health care provider, health plan, employer, or health clearinghouse -Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and identifies the individual with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Individually Identifiable Health Information

-Name -address -Social security -number -Phone number -Medical record number -Email Address or URL -Diagnosis -Test results -photographs -Physician notes -Health plan information

Disclosure of Substance Disorder Records In general, Part 2 Programs are prohibited from disclosing any information that would identify a person as having or having had a SUD unless that person provides written consent. Part 2 specifies a set of requirements for consent forms, including but not limited to the:

-Name of the patient ▪ Names of individuals/entities that are permitted to disclose or receive patient identifying information ▪ Amount of the information being disclosed ▪ Kind of information being disclosed ▪ Purpose of the disclosure.

Conflict of Interest/ NYS Public Integrity Law/Public Officers Law What must be Disclosed?

-Offices or any positions of authority held in a business entity or organization, political party or political organization ▪ Ownership in, or professional affiliation with, any business entity ▪ If the business entity renders services related to certain State work, such as procurement contracts, legislative lobbying, grants, or other matters before State agencies, additional disclosures may be required. ▪ Ownership in, and income from, financial interests, investments, securities, real property, and other assets

Public Interest and benefit activities 2. Public health activities Covered entities may disclose protected health information to:

-Public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect. -Entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post marketing surveillance. -Individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law. -Employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OHSA), the Mine Safety and Health Administration (MHSA), or similar state law.

Discrimination Based on Genetic Information Employers are prohibited from:

-Refusing to hire or terminating an employee, or otherwise discriminate against any employee because of genetic information ▪ Limiting, segregating or classifying an employees in any way that would deprive an employee of employment opportunities or otherwise adversely affect the status of the employee, because of genetic information

Disclosure of Substance Disorder Records HIPAA allows health care professionals to disclose some health information without a patient's permission under certain circumstances, including:

-Sharing health information with family and close friends who are involved in care of the patient if the provider determines that doing so is in the best interests of an incapacitated or unconscious patient and the information shared is directly related to the family or friend's involvement in the patient's health care or payment of care. ▪ Informing persons in a position to prevent or lessen a serious and imminent threat to a patient's health or safety.

New York State Confidentiality Law and HIV Informed Consent Consent for HIV related testing is not required under the following circumstances: ▪ In situations involving occupational exposures which create a significant risk of contracting or transmitting HIV provided that:

-The person who is the source of the occupational exposure is deceased, comatose, or is determined by his or her attending health care provider to lack the mental capacity to consent to the HIV related test and is not reasonably expected to recover in time for the exposed person to receive appropriate medical treatment, as determined by the exposed person's health care provider who would order or provide such treatment o There is no person available or reasonably likely to become available who has the legal authority to consent to the HIV related test on behalf of the source person in time for the exposed person to receive appropriate medical treatment o The exposed person will benefit medically by knowing the source person's HIV test results, as determined by the exposed person's health care provider and documented in the exposed person's medical record

Required disclosures. A covered entity must disclose protected health information in only 2 situations:

-To individuals (or their personal representatives specifically when they request access to, or an accounting of disclosures of, their protected health information. -To DHHS when it is undertaking a compliance investigation investigation or review or enforcement action.

Restriction Requests. Individuals have the right to request that a covered entity restrict use or disclosure of PHI for treatment, payment or health care operations:

-To persons involved in the individual's health care or payment for health care, -To notify family members or others about the individual's general condition, location, or death A covered entity is under no obligation to agree to requests for restrictions. A covered entity that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.

Permitted uses and disclosures. A covered entity is permitted, but not required to use and disclose protected health information, without an individual's authorization, for the following purposes or situations:

-To the Individual (unless required for access or accounting of disclosures) -Treatment, payment and health care operations -Opportunity to agree or object -Public interest and benefit activities -Limited data set for the purposes of research, public health or health care operations

HIPAA violations include unauthorized:

-Use of PHI or actions that enable the of PHI by an unauthorized individual -Access to PHI -Disclosure of PHI to an unauthorized person

Acquisition of Genetic Information It is unlawful for an employer to request, require, or purchase genetic information for an employee or a family member of the employee except:

-Where an employer inadvertently requests or requires family medical history of the employee or family member of the employee ▪ Where health or genetic services are offered by the employer, including such services offered as part of a wellness program ▪ The employee provides prior, voluntary, and written authorization -Only the employee (or family member if the family member is receiving genetic services) and the licensed health care professional or board certified genetic counselor involved in providing such services receive individually identifiable information concerning the results of such services ▪ Any individually identifiable genetic information provided is only available for purposes of genetic services and shall not be disclosed to the employer except in aggregate reports that do not identify employees -where an employer requires family medical history from the employee to comply with the Family and Medical Leave Act of 1993 ▪ where an employer purchases documents that are commercially and publicly available (including newspapers, magazines, periodicals, and books, but not including medical databases or court records) that include family medical history ▪ where the employer conducts DNA analysis for law enforcement purposes as a forensic laboratory or for purposes of human remains identification, and requests or requires genetic information of employees, but only to the extent that genetic information is used for analysis of DNA

Acquisition of Genetic Information It is unlawful for an employer to request, require, or purchase genetic information for an employee or a family member of the employee except: ▪ Where the information involved is to be used for genetic monitoring of the biological effects of toxic substances in the workplace, but only if:

-Where the information involved is to be used for genetic monitoring of the biological effects of toxic substances in the workplace, but only if: o The employer provides written notice of the genetic monitoring to the employee o The employee provides prior, voluntary, and written authorization o The genetic monitoring is required by federal or state law o The employee is informed of individual monitoring results o The monitoring is in compliance with federal genetic monitoring regulations, including any such regulations o The employer, excluding any licensed health care professional or board certified genetic counselor that is involved in the genetic monitoring program, receives the results of the monitoring only in aggregate reports that do not disclose the identity of employees

Breach Notification Requirements Individual Notice Individual notification must be provided no later than 60 days following the discovery of a breach and must include, to the extent possible:

-a brief description of the breach -a description of the types of information that were involved in the breach the steps affected individuals should take to protect themselves from potential harm -a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches -as well as contact information for the covered entity

New York State Confidentiality Law and HIV Informed Consent When communicating test results to a patient, the provider who ordered the HIV related test must: ▪ When a test indicates evidence of HIV infection, provide the patient (or an authorized person) with counseling or referrals for counseling:

-for coping with the emotional consequences of learning the result o -regarding the discrimination problems that disclosure of the result could cause o -for behavior change to prevent transmission or contraction of HIV infection - to inform such person of available medical treatments - regarding the need to notify his or her contacts

Creditors that fall under the Red Flags Rule are only those who regularly and in the ordinary course of business:

1. Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction 2. Furnish information to certain consumer reporting agencies in connection with a credit transaction 3. Advance funds to or on behalf of a person, based on the person's obligation to repay the funds or on repayment from specific property pledged by them or on their behalf

There are 3 exceptions to the definition of "breach"

1. The first exception applies to the unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. 2. The second exception applies to the inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. 3. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

To de-identify patient data, it must be stripped of 18 elements:

1. names 2. social security numbers 3. telephone numbers 4. Fax numbers 5. All geographic subdivision smaller than State, including street address, city, country, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if, according to the current publicly available data from the Bureau of the census: a. This geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people. b. This initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. 6. all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older. 7. Electronic mail addresses 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers, including license plate numbers 13. Device identifiers and serial numbers 14. Web universal Resource Locators (URLs) 15. Internet Protocol (IP) address numbers 16. Biometric identifiers, including finger and voice prints 17. Full face photographic images, other comparable images or image which can readily identify the individual 18. Any other unique identifying number, characteristic or code

Who is covered by the Privacy Rule? HIPAA applies to covered entities:

1.) A health plan 2.) A health care care clearinghouse 3.) A health care provider who transmits any health information in electronic form in connection with a transaction.

What is a breach?

A Breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the data. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: 1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification 2. The unauthorized person who used the PHI or to whom the disclosure was made 3. Whether the PHI was actually acquired or viewed 4. The extent to which the risk to the PHI has been mitigated

Business Associate definition

A business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. -Business associate functions or activities on behalf of a covered entity include claims processing, data aggregation, management, administrative, accreditation or financial services.

For notification and other purposes

A covered entity may rely on an individual's informal permission to disclose to the individual's family, relatives, or friends, or to other persons whom the individual identifies, PHI directly relevant to the person's involvement in the individual's care or payment for care.

General Principle for Uses and Disclosures

A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's PHI may be used or disclosed by covered entities. A covered entity may not use or disclose PHI, except: -As the Privacy Rule permits or requires -As the patient or the patient's representative authorizes in writing

FOIA/FOIL

Allows individuals the right to request access to records from any federal agency. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as: ▪ Personal privacy ▪ National security ▪ Law enforcement

Public Interest and Benefit Activities 11. Essential Government Functions

An authorization is not required to use or disclose PHI for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.

New York State Freedom of Information Law NYS make available for public inspection and copying all records, but State agencies may deny access to records that:

Are trade secrets or are submitted to an agency by a commercial enterprise or derived from information obtained from a commercial enterprise and which if disclosed would cause substantial injury to the competitive position of the subject enterprise ▪ Are compiled for law enforcement purposes and which, if disclosed, would interfere with law enforcement investigations or judicial proceedings; deprive a person of a right to a fair trial or impartial adjudication; identify a confidential source or disclose confidential information relating to a criminal investigation; or reveal criminal investigative techniques or procedures, except routine techniques and procedures ▪ If disclosed could endanger the life or safety of any person

Penalties for violating HIPAA

Civil Penalty: per violation - $100 to $50,000 Calendar year cap - $1,500,000 Criminal penalty: Knowing obtaining or disclosing PHI - up to $50,000 1 year in prison. Wrongful conduct involved false pretense - up to - $100,000 5 years in prison Malicious Conduct with Intent to sell, Transfer or Use PHI - up to - $250,000 10 years of prison

Disclosure of Substance Disorder Records Title 42 of the Code of Federal Regulations (CFR) Part 2:

Confidentiality of Substance Use Disorder Patient Records (Part 2) was first promulgated in 1975 to address concerns about the potential use of Substance Use Disorder (SUD) information in non-treatment based settings such as administrative or criminal hearings related to the patient. Part 2 is intended to ensure that a patient receiving treatment for a SUD in a Part 2 Program does not face adverse consequences in relation to issues such as criminal proceedings and domestic proceedings such as those related to child custody, divorce or employment. Part 2 protects the confidentiality of SUD patient records by restricting the circumstances under which Part 2 Programs or other lawful holders can disclose such records.

Public Interest and Benefit Activities 12. Workers' compensation

Covered entities may disclose PHI as authorized by, and to comply with, workers' compensation laws and other similar programs providing benefits for work related injuries or illnesses.

Public Interest and Benefit Activities 10. Serious Threat to Health or safety.

Covered entities may disclose PHI that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal

Public Interest and Benefit Activities 5. Judicial and administrative proceedings

Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.

Public Interest and Benefit Activities 7. Decedents

Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.

Public Interest and Benefit Activities 4. Health oversight activities

Covered entities may disclose protected health information to health oversight agencies (as defined in the Rule) for purposes of legally authorized health oversight activities, such as audits and investigations necessary for oversight of the health care system and government benefit programs.

Public Interest and Benefit Activities 6. Law enforcement purposes

Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: -As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests. -To identify or locate a suspect, fugitive, material witness, or missing person -In response to a law enforcement official's request for information about a victim or suspected victim of a crime -To alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death -When a covered entity believes that protected health information is evidence of a crime that occurred on its premises -By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

Public Interest and Benefit Activities 1. Required by law.

Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).

Public Interest and benefit activities 8. Cadaveric organ, eye, or tissue donation

Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue

Breach Notification Requirements Individual Notice

Covered entities must notify affected individuals following the discovery of a breach of unsecured PHI. The notice must be in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.

Breach Notification Requirements DHHS OCR Notice

Covered entities must notify the Office for Civil Rights of breaches of unsecured PHI. If a breach affects 500 or more individuals, covered entities must notify the OCR no later than 60 days following a breach. If a breach affects fewer than 500 individuals, the covered entity may notify the OCR of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals must be made to the OCR no later than 60 days after the end of the calendar year in which the breaches are discovered.

Breach Notification Requirements Media Notice

Covered entities that have a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction. Covered entities will provide the notification in the form of a press release to appropriate media outlets serving the affected area. The media notification must be made no later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

Disclosure of Substance Disorder Records HIPAA anticipates that a patient's decision-making capacity may change during the course of treatment.

Decision-making incapacity may be temporary and situational, and does not have to rise to the level where another decision maker has been or will be appointed by law. If a patient regains the capacity to make health care decisions, the provider must offer the patient the opportunity to agree or object before any additional sharing of health information. ▪ If a patient's capacity returns and the patient objects to future information sharing, the provider may still share information to prevent or lessen a serious and imminent threat to health or safety

Red Flags Rule Health care organizations are required to have written policy and procedures approved by the Board of Directors that include:

Detecting identity theft red flags ▪ Training staff to detect identity theft red flags ▪ Designating a staff member to investigate potential red flags ▪ Outlining the procedure for investigating possible red flags ▪ Notifying patients when identity theft is suspected ▪ Mitigating risks associated with identity theft

New York State Freedom of Information Law Who is subject to the Freedom of Information Law?

Every New York State or municipal department, board, bureau, division, commission, committee, public authority, public corporation, council, office or other governmental entity performing a governmental or proprietary function is subject to the Law. Each of those governmental entities is an "agency." The courts are outside its coverage but often must disclose records under other provisions of law. The State Legislature is covered by the Freedom of Information Law, but is treated differently from agencies generally. Private corporations or companies are not subject to the Freedom of Information Law.

Breach Notification Requirements

Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the OCR, and, in certain circumstances, to the media. Business associates must notify covered entities if a breach occurs at or by the business associate.

Confidentiality Of Genetic Information Relationship to HIPAA Regulations

GINA does not prohibit a covered entity under HIPAA from use or disclosure of health information that is authorized for the covered entity.

Medical Information That Is Not Genetic Information

GINA is not violated when an employer, employment agency, labor organization, or joint labor-management committee uses, acquires, or discloses medical information that is not genetic information about a disease, disorder, or pathological condition of an employee.

Freedom of Information Act Requesting Information

Generally any person - United States citizen or not - can make a FOIA request. The request must be in writing and describe the records sought. Each federal agency handles its own records in response to requests. There are currently one hundred agencies subject to the FOIA with several hundred offices that process FOIA requests.

HIPAA Privacy Rule for Sharing Information Related to Mental Health Discussing mental health information with patients parents or other family members

HIPAA allows the provider to share or discuss the patient's mental health information with family members or other persons involved in the patient's care or payment for care. In all cases, the health care provider may share or discuss only the information that the person involved needs to know about the patient's care or payment for care.

HIPAA required what?

HIPAA required Department of Health and Human Services (DHHS) to issue privacy regulations governing individually identifiable health information. -The Privacy Rule (45 CFR Part 160 and Part 164) was published December 28, 2000. -The Privacy Rule was amended and published on August 14, 2002.

HITECH Act of 2009

Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 is legislation that was created to promote the use of electronic health records (EHR) by covered entities. The HITECH ACT expanded the requirements for: -Data breach notifications -The protection of electronic PHI Under the HITECH Act, health care providers are offered financial incentives for demonstrating meaningful use of electronic health records.

Amendment. The Rule gives individuals the right to have covered entities amend their PHI in a designated record set when that information is inaccurate or incomplete.

If a covered entity accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the covered entity knows might rely on the information to the individual's detriment. If the request is denied, covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record.

Confidentiality Of Genetic Information Treatment of Information as Part of Confidential Medical Record

If an employer, employment agency, labor organization, or joint labor - management committee possesses genetic information about an employee, such information shall be maintained on separate forms and in separate medical files and be treated as a confidential medical record of the employee or member.

Red flags rule

In November 2007, the Federal Trade Commission established the Red Flags Rule that requires certain companies to develop and implement a written identity theft prevention and detection program to protect consumers. The original publication of the Red Flags Rule did not specifically indicate that health care facilities were required to adhere to the law; therefore on December 18, 2010, the Red Flag Program Clarification Act was established.

Public Interest and Benefit Activities 3. Victims of abuse, neglect or domestic violence

In certain circumstances, covered entities may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence.

Uses and disclosures with opportunity to agree or object

Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgement, the use of disclosure is determined to be in the best interest of the individual.

Facility Directories

It is a common practice in many health care facilities, such as hospitals, to maintain a directory of patient contact information. A covered health care provider may rely on an individual's informal permission to list in its facility directory the individual's name, general condition, religious affiliation and location in the provider's facility. The provider may then disclose the individual's condition and location in the facility to anyone asking for the individual by name, and also may disclose religious affiliation to clergy.

health plan definition

Means an individual or group plan that provides, or pays the cost of medical care, A group health plan that: -Has 50 or more participants -Is administered by an entity other than the employer who established and maintains the plan. -A health insurance issuer -A health maintenance organization -Part A or part B of the medicare program, and Medicare supplemental policy. -The Medicaid program -A long-term care policy, including a nursing home fixed indemnity policy -The health care program for active military personnel -The veterans' health care program -The Civilian Health and Medical Program of the Uniformed Services -The Indian health service program under the Indian Health Care Improvement act -The Federal employees Health Benefit Plan

HIPAA Privacy Rule for Sharing Information Related to Mental Health Does a parent have a right to receive a copy of psychotherapy notes about a child's mental health treatment?

Parents generally are the personal representatives of their minor child and, as such, are able to receive a copy of their child's mental health information contained in the medical record, including information about diagnosis, symptoms, treatment plans, etc. Although the Privacy Rule does not provide a right for a patient or personal representative to access psychotherapy notes regarding the patient, HIPAA generally gives providers discretion to disclose the individual's own PHI (including psychotherapy notes) directly to the individual or the individual's personal representative.

Enforcement and Penalties for Noncompliance Civil Money Penalties.

Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity's failure to comply was due to willful neglect.

Conflict of Interest/ NYS Public Integrity Law/Public Officers Law Financial Disclosure Who is required to file?

Political Party Chairpersons as defined in Public Officers Law §73(k) ▪ The four Statewide elected officials, Legislators, and candidates for those offices ▪ Officers, members, directors and employees of any State agency, public authority, public benefit corporation, commission, or legislative employees who are: o Designated as a Policy Makers o Threshold Filers (those who have an annual salary in excess of the $91,821 threshold as of April 1, 2015)

HIPAA Privacy Rule for sharing information related to mental health Generally, the Privacy Rule applies uniformly to all PHI, without regard to the type of information. One exception to this general rule is for psychotherapy notes, which receive special protections.

Psychotherapy notes do not include any information about: ▪ medication prescription and monitoring, ▪ counseling session start and stop times, ▪ the modalities and frequencies of treatment furnished ▪ results of clinical tests ▪ summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date

The Breach Notification Rule

Requires covered entities and their business associates to notify the OCR and patients impacted of a breach of unsecured PHI.

Access. Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a covered entity's designated record set.

The "designated record set" is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider's medical and billing records about individuals or a health plan's enrollment, payment, claims adjudication, and case or medical management record systems.

Genetic Information Nondiscrimination Act Prohibition Against Retaliation

The Civil Rights Act of 1964 prohibits discrimination against any individual because they object to any unlawful act or practice or because an individual made a charge, testified, assisted, or participated in any manner in an investigation, proceeding, or hearing.

Enforcement and Penalties for Noncompliance Compliance.

The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing the Privacy Rule and may conduct complaint investigations and compliance reviews. Covered entities that fail to comply with the standards may be subject to civil monetary penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.

Genetic Information Nondiscrimination Act Remedies and Enforcement

The Equal Employment Opportunity Commission and the Attorney General has the authority to enforce GINA, including prosecution, cost and fees associated with prosecution, and damages for conviction.

Genetic Information Nondiscrimination Act

The Genetic Information Nondiscrimination Act of 2008 was established to prohibit health insurance and employment discrimination based on genetic information.

When was HIPAA enacted?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996.

HIPAA Privacy Rule for Sharing Information Related to Mental Health Does HIPAA permit a doctor to contact a patient's family or law enforcement if the doctor believes that the patient might hurt themselves or someone else?

The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. This is the duty to warn. When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. A health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm.

Public Interest and Benefit Activities

The Privacy Rule permits use and disclosure of protected health information, without an individual's authorization or permission, for 12 national priority purposes. These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context.

Incidental use and disclosure

The privacy rule does not require that every risk of an incidental use or disclosure of PHI be eliminated. A use or disclosure of PHI that occurs as a result of, or as "incident to," a permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the privacy rule, and the information being shared was limited to the "minimum necessary" as required by the Privacy Rule.

Health Care Clearinghouse

The term 'health care clearinghouse' means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

Health Information definition

The term 'health information' means any information, whether oral or recorded in any form or medium, that: -Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse. -Relates to the past, present, or future: -physical or mental health or condition of an individual -provision of health care to an individual -Payment for the provision of health care to an individual

De-identified Health Information

There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies not provides a reasonable basis to identity an individual. These are 2 ways to de-identify information: 1.) A formal determination by a qualified statistician. 2.) The removal of specified identifiers of the individual and of the individual's relatives, household members, and employers is required and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

New York State Confidentiality Law and HIV

Under New York State Public Health Law, Article 27-F, no person shall order the performance of an HIV related test without first having received informed consent from the person who is the subject of the test. This subject of the test must have the capacity to provide informed consent or when the subject lacks capacity to consent, an authorized person may consent on behalf of the subject.

Business associate contract

When a covered entity uses a contractor or other non-workforce member to perform "business associate" services or activities, the covered entity must include in the contract certain protections for the information in a Business Associate Agree (BAA) The BAA must include written safeguards for individually identifiable health information used or disclosed by the business associate. A covered entity may not authorize its business associate to use or disclosure protected health information that would violate the Privacy Rule.

Acquisition of Genetic Information It is unlawful for an employer to request, require, or purchase genetic information for an employee or a family member of the employee except:

Where the employer conducts DNA analysis for law enforcement purposes as a forensic laboratory or for purposes of human remains identification that require genetic information of an employer's employees, but only to the extent that such genetic information is used for analysis of DNA

Genetic Test means

an analysis of human DNA, RNA, chromosomes, proteins, that detects genotypes, mutations, or chromosomal changes.

HIPAA Privacy Rule for Sharing Information Related to Mental Health. Why are psychotherapy notes treated differently from other mental health information?

because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations, other than by the mental health professional who created the notes.

Breach Notification Requirements Notification by a Business Associate

f a breach of unsecured PHI occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.

New York State Confidentiality Law and HIV Informed Consent Consent for HIV related testing is not required under the following circumstances: ▪ In situations involving occupational exposures which create a significant risk of contracting or transmitting HIV in which case:

o A provider must order an anonymous HIV test of the source person o The results of such anonymous test, but not the identity of the source person, must be disclosed only to the attending health care provider of the exposed person in making appropriate decisions regarding post exposure medical treatment o The results of the test must not be disclosed to the source person or placed in the source person's medical record

Genetic monitoring means

the periodic examination of employees to evaluate acquired modifications to their genetic material, such as chromosomal damage or evidence of increased occurrence of mutations, that may have developed in the course of employment due to exposure to toxic substances in the workplace, in order to identify, evaluate, and respond to the effects of or control adverse environmental exposures in the workplace.