Ch 15 Access, Use, Disclosure and Release of Health Information

Confidentiality Protections for HIV/AIDS

+ release for epidemiological studies when the patient is not identified is generally allowable + most state laws also require a specific written authorization that must include the purpose or need for information and a very specific descriptiion of the extent or nature of the information to be disclosed regarding HIV/AIDS patients

UHCDA (Uniform Health-Care Descisions Act) decison-making priority order for an individual's Next-of-Kin list:

1. Spouse 2. Adult Child 3. Parent 4. Adult Sibling 5. If no one is available who is so related to the individual, authority may be granted to an adult who has exhibited special care and concern for the iindividual , who is familiar with the patient's personal values, and who is willing and able to makea health care decision for the patient. 6. Absent an unrelated adult who exhibits the above characteristics, a healthcare provder may seek appointment of an decision maker by the court having jurisdiction

Human Gnome Projecy

ability to capture genetic information

Nondisclosure Agreement

employees and others discussed in this section of the chapter should be required to sign a nondisclosure agreement relating to the confidentiality and privacy of patient information as a condition of employment

Homeland Security Act of 2002

to prevent terrorist attacks in the US while reducing vulnerability to terrorism, minimizing its damages, and assisting the recovery froom attacks in the US

National Human Genome Research Insititutioon (NHGRI)

+ project involved the identification and mapping of all hman DNA

Primary data source

contains information about the patient as documented by professionals who provided the care or services to the patient

Next-to-Kin

if a surrogate has not been named, then a person related to the adult, can step forward and assume responsibility.

Use

the sharing , employment, application, utilization, examinatioon, or analysis of individually identifiable health information within an entity that maintains such informationn.

Laboratory Improvement Amendments of 1988 ( Laboratory Testing Results) [CLIA]

+ CMS regulates all laboratory testing performed in the US except for research, to go through the federal CLIA + It permits clinical laboratories to release test results to the individuals responsible for ordering the test and the lab that initated the request

Employers

+ Employhers that may or mmay not be HIPAA-covered healtthcare entities may request patient information for several reasos, including family medical leave certification, return to work certification for work-related injuries, and information for company physicians. + Patient authorization is required for such disclosures, but in some states, the patient's employer, employer's insurerer, and employer's and employee's attorneys do not need patient authorization too obtain health information for workers' cmpensation purpose.

Deceased Patients (HITECH modifications to HIPAA porvides fo flexibillity in the disclosure of decedent's PHI by:

+ HIPAA states that an individual has the same privacy rights in death as they did in life but leaves it up to the states in terms of who qualifies as the deceased person's legal or personal representative for access, use, and discclosure purposes 1. Removing the PHI status from health records 50 years following the patient's death and 2. Permitting covered entities (healthcare providers) to dsclose decednt records to family members and others involved in the patient's care or payment of care unless doing so would be inconsistent with any known preference of the patient

Fair and Accurate Credit Transaction Act of 2003 (FACTA) Consumer Reporting Agencies

+ Medical Information Bureau (MIB) exhange confidential information with Insurance companies on individuals who apply for life, health, disability, long-term care, or critical illness insurance + FACTA amended the Fair Credit Reporting Act, related to obtaining and using medical information in connection with credit eligibility determination + the rule prohibits a creditor from obtaining and using mmedical information to decide a consummer's credit eligibility

Physicians

+ Physicians are classified in numerous ways and thus must be considered according to their classifications for access purposes: attending physicians, fellows, residents, interns, house staff members in the post-doctoral programs, reserarchers, physicans of record versus referring physicians, consulting physicians versus follow-up physicians,, treating physicians versus non-treating physicians.

Employer, Employee, and Other Members of the Workforce

+ The HIPAA Privacy Rule broadly defines "workforce" as employees, volunteers, trainees, and other persons, whether paid or not, who work for and are under the direct control of the covered entitu (CE) . + Access to and disclosure of patient information to various workforce members varies by the job and rewponsibility.

Psychotherapy notes

+ a mental health professional's documentation or analysis of conversations related to private, group, join, or family counseling sessions + they are kept seperate from behavioral health record, which contains information related to an individual's diagnosis, prescriptions and medication monitoring, treatment modalities and test results + the access, use, and disclosure of behavioral health records are mainly addressed by individual state statues.

Noncustodial parent

+ a parent who does not have legal custody of the child + noncustodial parents are legally endowed with parental rights, which generally allow them to access the healthcare information of their minor children subject to the situations stated above regarign minors. + this right, which is explicitly stated in state laws and the HIPAA Privacy Rule, may be overridden if a court determiness that denial of the parental right is in the best interests of the child.

Release of Information to Adopted Person

+ a right of access exists for an adoptee's own health records, including birth record, with all information that identifies the biological parents redacted (removed) + untill the adoptee reaches the age of majority, this right of access belongs to the adoptive parents + policies for the collection and maintenance of adoption information vary from state to state; however, all states have porvisions in statutes that allow access to nonidentifying information by an adoptive parent or guardian of an adoptee who is still a minor and then to the adoptee once they reach the age of majority.

Incompetent Adult

+ an individual who is at or above the age of majority becomes incacitated due to illness or injury, either permanently or temporarily, he or she may be designated Incompetent. + another person should be designated to make decisions for that individual, including decisions about the use and disclosure of the individual's PHI + that person may be a parent, sibling, agent, attorney, or surrogate.

Attorneys

+ attorneys may or may not be employees of a healthcare organization. + those who are employed by a healthcare organization ( for example, privacy officer, risk manager, compliance officer) are considered memebers of the workforce and do not require authorization prior to accessing a patient's healthcare information for such purposes as defending lawsuits, handling collections, and dealing with other legal issues. + a nonemployee attorney who is retained to provide legal representation to a healthcare organization orprovider does not require patient authorization prior to accessing patient information; however, a business associate agreement is required per the HIPAA Privacy Rule for access to occur. + if a patient has hired an attorney and requests thgat his or her attorney receive the patient's information, then the attorney must present a signed authorization from the patient that authorizes the release of the patient's informmation to the attorney.

Special Access, Request, and Disclosure Situations

+ based on legal requirements + best interest of the patient, or other parties, or both + individuals responding to requests must be trained to deal with each request in accoordance with federal and state laws and organizational policy and procedure.

Parental Authorization Required

+ because minors are generally legally incompetent and unable to make decisions regarding the access, use, and disclosure of their own healthcare information, this authority usually belongs to the minor's parent(s) unless an exception applies. + However, several categories of parents are recognized by laws, including the following: 1. Married biological parents 2. Separated or divorced biological parents 3. Stepparents 4. Adoptive parents 5. Foster parents 6. Grandparents (childern living with grandparentswho are not legal guardians) 7. Legal Guardians 8. Others, such as a parent in the service or overseas who has transferred guardianship to a relative or friend with whom the child is temporarily living Generally, only one parent's signature is required to authorize the access, use, or diclosure of a minor's PHI

Minors

+ defined as an individual under the age of 18 who has not been legally emancipated (declared an adult) by the court. + because of their age, minors are generally deemd legally incompetent - unable to consent for their own mmedical treatment or to access, use, amend, or disclose their health information. + however, special situations and exceptions that allow minors to do so are explained later, because HIPAA defers to state law on the issue of minors, applicable state laws must be consulted regarding who has authorization to access, use, or disclose a minor's PHI

Emancipated Minor (Parental Authorization Not Required)

+ defined by state stautory or regulatory provisions + one who is under the age of majority and self-supporting with parents who have surrendered their rights of custody, care, and support. + generally may authorize the access, use, and disclosure of their own PHI + If the minor is married, previously married, or in the military, the minor controls his or her PHI + If the minor is under the age of 18 and is the parent of a child,the minor may authorize the access, use, and disclosure of his or her own PHI as well as that of his or her child. + In this case, the minor falls under the provisions set forth for parental authorization as discussed above. + If the patient is a minor at the time of treatment or hopitalization and reaches the age of majority during this period, the patient may authorize the access, use, or disclosure of his or her PHI + the fact that the parents, parents' insurance, or other third-party payer is paying the bill does not matter; the patient retains control over his or her PHI

Confidentiality of Alcohol and Drug Abuse Patient Records Regulation

+ in 1987, congress enacted a regulation to encourage individuals to seek substance abuse treatment "without fear of their health information being disclosed.

National Instant Criminal Background Check System (NICS)

+ in an effort to reduce gun violence in 2016, the Department of Health and Human Services(HHS) amended the HIPAA Privacy Rule to permit but not require states and certain HIPAA CEs flexibility to disclose limited PHI about an individual to the Federal Bureau of Invesgtigation (FBI)

Substace Abuse and Mental Health Services Adinistration (SAMHSA)

+ in collaboration with the ONC, published two sets of frequently asked questions (FAQs). + one was specific to releasing information to HIEs, and the other related to applying substance abuse confidentiality regulations in general.

Mandatory HIV Testing of Personnel and Reporting of HIV/AIDS

+ many state laws provide for mandatory HIV testing for certain classes of individuals who may have been exposed to blood in a high-risk situation such as law enforcement officers, paramedics, emergency response employees, firefighters, first response workers, emergency medical technicians, and volunteers making an authorized emergency response.

Autopsy ( Disclosure of Information to Medical Examiner or Coroner)

+ may be required to determine the patient's cause of death + the Privacy Rule allows the release of PHI without authorization to a medical examiner or coroner for identifyiing a deceased person, determining cause of death and other authorized purposes

Students

+ students enrolled in healh related educational progreams (i.e. medicine, nursing, allied health), who are involved in direct or indirect patient care should have access to patient health records and information without patient authorization as part of their training programs

Adoption (Adoption Information)

+ the parental rights and responsibilities of one set of parents are legally terminated and a new parental relationship is established by law. + health records may nnot be included in the definition of adoption records, they are nonetheless crucial because of the idetifying information and health information they contain.

Authorization for Disclosure (Release) of Information from Subtance Abuse Facilities

+ the program may not use or disclose any information about any patient unless the patient has consented in writing or unless another very limited exception specified in the regulations applies. +any disclosure must be limited to the information necessary to carry out the purpose of the disclosure.

Vendors

+ vendors present in a healthcare organization will often have access to ptient information in the course of their work. + Such vendors include consultants, those who sell equipment and supplies, those who perform release-of-information functions and transcription services, and those who provide laundry, food, or equipment repair services.

Secondary Data Source

+created when data are taken from a priimmary data source ( Health Record) and used for purposes other than their original intended use" + May be internal to an organization such as a hospital cancer or trauma registry. + can also be external, such as a statewide cancer or trauman registry or any number of local, state, and federal, agency or compahy data sets. Ownership of a secondary data source belongs to the entity that created or authorized it, however, contract, copyright or patient laws may also affect owenership.

Behavioral health

+encompasses the treatment of mental disorders, and intellectual and developmetnal disabilities. + patient information generated through behavioral health treatment is highly sensitive

The regulations define facilities covered by the law as those institutions providing a federally assisted alcohol and drug program. "Program" is defined in 42 CFR 2.11 Part 2 as:

1. An individual or entity (other than a general medical care facility) which holds itself out as providing and which actually provides alcohol or drug abuse diagnosis, treatment, or referral for treatment. 2. An identified unit within a general medical facility which holds itself out as porviding and which actually provides alcohol or drug abuse diagnosis, treatment, or referral for treatment 3. Referral or medical personnel or other staff in a general medical facility whose priimary function is the provision of alcohol or drug abuse diagnosis, treatment, or referral for treatment and who are identified as such porviders.

The Part 2 authorization form must include the elements listed below in addition to a written statement that the information cannot be redisclosed:

1. Namme or general designation of the program or person permitted to make the disclosure 2. name or title of the individual or name of the organization to which disclosure is to be made 3. Name of the patient 4. Purpose of the disclosure 5. How much and wht kind of information is to be disclosed 6. Signature of patient (and, in some states, a parent or guardian) 7. Date on which authorization is signed 8. Statement that the authorizationn is subject to revocation at any time except to the extent that the program has already acted on it 9. Date, event, or condition upon wich authhorization will expire if not previously revoked

The mental health professional cannot be compelled to testify or disclose information without the authorization of the patient in a judicial situation. Exceptions to such statutes usually include the following situations:

1. the patient brings up the issue ofthe mental or emotional condition 2. the health professional performs an examination under a court order 3. a psychiatrist in an involuntary commitment procedure recommends admission and confinement of the patient ot avoid harm to the patient or others.

Americans with Disabilities Act (ADA)

Act addresses rights of individuals with disabilities in employment and public accommodations, information regarding an employee medical evaluation is confidential.

Highly Sensitive Health Information

Certain types of patient information that require special handling in regard to access, requests, uses, and disclosures due to the nature of the information

Freedom of Information Act (FOIA)

Gives all citizens the right to inspect all records of federal agencies except those containing military, intelligence, or trade secrets; increases accountability of bureaucracy

Patriot Act (2001) ( Antiterrorism Initiatives)

Law responding to 9/11. Expands anti-terrorist powers (wiretapping, surveillance); 4th Amendment concern for civil liberties. + allows the director of the FBI or a designee to apply for a production order through the court system to produce tangible items suvh as documents and records. + also provides sanctions for any unaurthoized disclosures of information obtained by others not involved in the investigation + a healthcare provider who in good faith porvided information requested under order would not be held liable for releasing information (AHIMA Homeland Security Work Group 2010)

Permissible Disclosures under Federal Drug and Alcohol Regulations

Situations in which information can be disclosed without the patient's written authorization include medical emergencies and scientific research, audits, and program evaluations where the individual patient is not identified.

Genetic Information Nondiscrimination Act (GINA)

U.S act that prohibits discrimination against individuals on the basis of their genetic information in both employment and health insurance.

National Conference of State Legislatures (NCSL)

a bipartisan organization that serves the legislators and staff of the nation's states and territories

Personal Representative

a competent adult may also wish to appoint another person to be their personal representative, a personal representative is legaly authorized to make healthcare decisisons on an individual's behalf or to act on behalf of a deceased individual or that individual's estate + a personal representative could include, for example, a spouse or next-of-kin as defined by state law, an agent, or an individual who holds a durable power of attorney (DPOA) or a durable power of attorney for healthcare decisions (DPOA-HCD) for the patient. + The personal representative has the right too request and receive information about the adult's personal affairs and physical and mental health, includinng legal and health records.

Duty to Warn

a required disclosure of information to an intended victim when a ptient threatens to harm an individually identifiable person or persons and the psychiatrist or other mental health provider believes that the patient is likely to actually harm the individual(s).

Uniform Health-Care Decisions Act (UHCDA)

allows a competent adult to communicate to a supervising healthcare provider the selection of a "surrogate"(personal representative) who may make healthcare decisions for the adult.

Cmpetent Adult

an individual who is mentally and physically competent to manage to his or her own affairs and has reached the age of majority.

Health Information Exchanges (HIE's)

electronic movement of health related infformation among organizations within a region or community that facilitates access to and retrieval of clinical data in support of safe, tiimely, efficient, and effective patient-centered care; and organizatiion or entity that forms to create an electronic framework to connect physicians to pharmacies, hoospitals, and other healthcare entities.

HIV/AIDS, STDs and Other Communicable Disease Information

healthcare organizations must comply with applicable state laws to porect the privacy and confidentiality of patientss with human immunodeficiency virus (HIV) or aquire immune deficiency syndrom (AIDS), sexually transmitted diseases (STDs), and in viral hepatitis or other communicable dieseases.

Legal Gaurdian

in the absence of an advance directive, the court system, with support from the apporpriate medical community, will declare the individual incompetent & the court will appoint a legal guardian to handle the matters of the incompetent adult

Occupational Health Record

known as an employee health record, refers to record kept on an employee that contains information on the health status of the employee

Privilege Statutes

legally protect confidential communications between porvider and patient related to diagnosis and treatment from disclosure during civil and som criminal misdemeanor litigations

Syndromic Survellance

public health authorities are granted authority through local, state, and federal laws to engage this type of surveillance refers to "systematic gathering and analysis of health data to rapidly detect clusters fo symptoms and health complaints that might indicate an infectious-disease outbreak or other publlic health threat"

Release of Information

referes to providing access to PHI to an individual or entity authorized to receive or revew it Protecting the privacy and confidentiality of health information is a major priority for healthcare orgaizations andpproviders who must adhere ot state and federal laws.

Open record Laws (public record laws, sunshine laws)

state freedom of information laws that grant public access to records maintained by state agencies

Criminal Liability Related to HIV

state law may impose crimal liability for knowingly infecting another with HIV and, likewise, may porlvide immunity from liabilitty for informing another person of potential HIV infection.

Age of Majority

the age of majority in most stattes is 18 years old or older. A competent adult mmay consent to treatment, the adult may authorize the access or disclosure of his or her health information

Disclosure

the release, transfer, porvision of, access to or divulging in any other manner of information outside the entity holding the information

Acces

the right of an individual to inspect and obtain a copy of his or her own health informmation that is contained in a designated record

Active Record (Disclosure of Active Records of Currently Hospitalized or Ambulatory Care Patients)

used to denote the health records of individuals who are currently hopitalized inpatients or outpatients