The Ethics of a Practicing Therapist
PAMFT Membership Conference, April 11, 2014

Renee H. Martin, JD, RN, MSN
Rhoads & Sinon, LLP
29 Dowlin Forge Road
Exton, PA 19341
Tel.: (610) 423-4200
Fax: (610) 423-4201
E-mail: [email protected]
941943.2


© 2014 Rhoads & Sinon LLP. All Rights Reserved.

Outline

• Minors’ Rights
• Courts/Subpoenas
• Electronic/Social Media
• HIPAA


ACT 147: Adolescent Rights

Consent to release of mental health records for all purposes and in all circumstances other than those provided in this section shall be subject to the provisions of the “Mental Health Procedures Act,” and other applicable federal and state statutes and regulations.

Privacy, Confidentiality, Ethical Duties and Disclosure


ACT 147: Adolescent Rights

Generally the minor shall control the release of the minor’s mental health treatment records and information to the extent allowed by law.


ACT 147: Adolescent Rights

When a minor has provided consent to outpatient mental health treatment (records related to prior treatment consented to by minor), the minor shall control the records of treatment to the same extent as the minor would control the records of inpatient care or involuntary outpatient care under the “Mental Health Procedures Act” and its regulations.


ACT 147: Limited Rights of P/LG

When a parent or legal guardian (“P/LG”) has consented to outpatient treatment of a minor fourteen years of age or older, the following shall apply to the release of the minor’s records and information:


ACT 147: Limited Rights of P/LG

“The P/LG may consent to release of the minor’s medical records and information, including records of prior mental health treatment for which the P/LG had provided consent, to the minor’s current mental health care treatment provider.”


ACT 147: Limited Rights of P/LG

If deemed pertinent by the minor’s current mental health treatment provider, the release of information under this subsection may include a minor’s mental health records and information from prior mental health treatment for which the minor had provided consent to treatment.


ACT 147: Limited Rights of P/LG

“The P/LG may consent to the release of the minor’s mental health records and information to the primary care provider if, in the judgment of the minor’s current mental health treatment provider, such release would not be detrimental to the minor.”


ACT 147: Limited Rights of P/LG

Release of mental health records and information shall be limited to release directly from one provider of mental health treatment to another or from the provider of mental health treatment to the primary care provider.


ACT 147: Limited Rights of P/LG

The P/LG who is providing consent to outpatient mental health treatment of a minor (14+) shall have the right to:

• information necessary for providing consent;
• symptoms;
• conditions to be treated;
• medications;
• other treatments;
• risks and benefits;
• expected results.


Confidentiality of Mental Health Treatment Records: §5100.25 Release to Courts

No release of records in response to a Subpoena or other Court discovery proceedings without patient consent or an additional court order

• Duty to Inform Court
• Inform client/patient’s attorney
• Defense counsel for Provider may review records; minimum necessary applies
• Employees are to be informed; violations include civil and criminal liability


Court Orders

• Issued by a Judge
• Increased duty to respond
• Search warrant (magistrate)


Ethical Duties and Social Media and e-mail

• Provider-Patient Relationship
• Explaining the Limits of Confidentiality
• Social Media and Private Practice
• Use of e-mail


Social Media refers broadly to Web-based tools that allow individuals to communicate quickly, easily and broadly.

• Email
• Facebook
• Twitter
• LinkedIn
• Blogs
• YouTube
• Health sites


Confidentiality and Social Media

When is the Provider-Patient Relationship created?

• Contractual: implied by the actions of the parties in seeking and providing advice and care
• Use of email


Principle II: Confidentiality
1.13 Electronic Therapy (AAMFT Code of Ethics)

2.4 Protection of Records. Marriage and family therapists store, safeguard, and dispose of client records in ways that maintain confidentiality and in accord with applicable laws and professional standards.

2.7 Protection of Electronic Information. When using electronic methods for communication, billing, recordkeeping, or other elements of client care, marriage and family therapists ensure that their electronic data storage and communications are privacy protected consistent with all applicable law.


Social Media Guidelines & Recommendations

Professional Liability

Policies should remind employees and staff that online communications are not private and may be discoverable in litigation.

Policies should clearly define the parameters of the relationships between healthcare professionals and other social media users.

Professionals should be aware of the pros and cons of making patients their Facebook “friends”.

Distinguish between personal/social relationships versus doctor/patient relationships.

Be aware of risks of “practicing medicine online”. It is generally unwise to establish therapist/patient relationships online.

Social Media Guidelines & Recommendations

Professionals should monitor their social media/networking sites regularly.

Consider adding broad disclaimers such as a statement that your organization does not give medical advice via your website or social media sites and that users seeking specific medical advice should contact a physician or contact 911 in the event of an emergency.


Policies – Can They Help?

Be Proactive Not Reactive

Even if your employees don’t use or access computers at work, they most likely do at home – and may be talking about work.

Nearly every employer in every work environment should consider how social media could impact their workforce or company.

What steps should be taken now to avoid problems down the road?


Issues To Consider in Developing a Social Media Policy

Whose job will it be to monitor violations?

Who will monitor your social media activity? Use automated resources such as Google Alerts or have IT sources assist you to determine other resources available to monitor social media activity that may be impacting your company.

How will you discipline violators – consistently?


Issues To Consider After Developing a Social Media Policy

Be careful about disciplining employees who engage in concerted activity, report illegal activities and exercise freedom of speech.

Consider training employees regarding the social media policy and areas such as privacy, trade secret infringement, etc.

Re-evaluate on a regular basis. Social media is developing and changing quickly. Your attitudes and expectations regarding social media will likely change over time – be sure your policies keep up.


Confidentiality and Social Media

• American Health Information Management Association (“AHIMA”)
• American Medical Association Ethical Guidelines (AMA)
• American Psychological Association Ethical Principles (APA)
• Marriage and Family Therapists (Regulations and AAMFT Code of Ethics)


Questions to Consider with Social Media/E-mail

• Is it necessary to use e-mail?
• Is there another equally safe way to send information?
• Is the disclosure necessary?
• Does the disclosure affect my other obligations?
• Should it be encrypted?
• How do I dispose of it?
• Is it part of the clinical record?


HIPAA


History of HIPAA

• 1996 - HIPAA enacted
• 1999-2000 - Initial Privacy & Security Regulations Issued
• 2002 - Final Privacy Rules Issued
• 2005 - Final Security Rules Issued
• 2009 - HITECH ACT – Interim Final Rule-Breach Notification
• 2010 - Enforcement Rules Published
• 2013 - HIPAA Final Omnibus Rule


Who is covered under HIPAA?


Who Is Subject to HIPAA?

Covered Entities (direct)
• Health plans: insurance companies; HMO
• Health care clearing houses (process nonstandard data elements into standard data elements)
• Health care providers who transmit any health information in electronic form in connection with a covered transaction

Business Associates
• Receive PHI from covered entity
• Perform a function on its behalf


What is a Business Associate?

A person who, on behalf of a covered entity:
• Performs or assists with a function or activity involving Individually Identifiable Information
• Performs certain identified services


Business Associate

[Diagram: Covered Entity and its business associates: Auditors, Lawyers, Actuaries, Clearing Houses, Management Firms, Billing Firms, Other Covered Entities, TPAs, Consultants, Vendors, Accreditation Organizations]


Third Parties and Business Associate?

Covered entities may disclose PHI to a business associate
• As necessary to permit the business associate to perform functions and activities on behalf of the covered entity

Business associate cannot use PHI for its own purposes


Individually Identifiable Health Information (IIHI)

Health information including demographics that:
• Is created or received by a health care provider, health plan, or health care clearing house; and
• Relates to the past, present or future physical or mental health or condition; the provision of health care; or the past, present or future payment for the provision of health care to an individual; and
• Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.


Protected Health Information (PHI)

Individually identifiable health information that is:
• Transmitted by electronic media
• Maintained in any electronic media
• Transmitted or maintained in any other form (including oral or written PHI)


PHI and the Medical Record

The HIPAA Privacy Rule defines a Designated record set as follows:

(1) A group of records maintained by or for a covered entity that is:
• The medical records and billing records about individuals maintained by or for a covered health care provider;
• Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(2) The term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.


Privacy Rule Summary

A covered entity may not use or disclose PHI except:
• After it gives written Notice about its health information practices to the individual
• In accordance with an individual’s written authorization*
• When requested by the Department of Health and Human Services Office of Civil Rights

Note: MFT Rules of Ethics require authorization from individual in “unit” to permit disclosures.


General Rule: Required Disclosure

To individual upon individual’s request; some exceptions apply

To HHS in connection with its enforcement and compliance review actions


General Rule: Permitted Disclosures

Notice of Privacy Practices: Treatment, Payment, Health Care Operations

Authorization – always noted legal mandated exception

Statutory/Regulatory Disclosures (Duty to Warn, etc.)


Scope of the Omnibus Rule

• Revised breach notification standard
• Patient access to information contained in an electronic health record (right already granted to paper records)
• Regulation of business associates (“BAs”) and subcontractors
• Prohibition on “sale” of PHI without authorization


Privacy, Confidentiality and Disclosure

HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j))

1. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure (emphasis added):

Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat;


Privacy, Confidentiality and Disclosure

HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j))

Is necessary for law enforcement authorities to identify or apprehend an individual:

Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or

Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody


Privacy, Confidentiality and Disclosure

HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j))

Use or disclosure not permitted if the information described in this section is learned by the CE

In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure…[during], or counseling or therapy; or

Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy…


Privacy, Confidentiality and Disclosure

HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j))

Limit on information that may be disclosed.

Presumption of good faith belief.


Scope of the Omnibus Rule

• Patients’ right to restrict data sharing with payers
• Requirements to modify and redistribute NPP
• Clarifies and strengthens OCR’s role in enforcement, imposition of civil monetary penalties (CMPs) and CMP liability for acts of Business Associates and subcontractors


Duty to Notify in Case of Breach

HITECH Act: Required Notification of Breach of “Unsecured PHI”

What is a “breach”?

“the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security or privacy of the PHI”

If definition is met, notification is required

*Applies to both electronic and hard copy information*


Duty to Notify in Case of Breach

What is NOT a “breach”? Determined by:

1. Definition of “breach”
2. Exceptions to definition of a breach


Not a Breach by Definition

Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted


Not a Breach by Definition

Applies only to “Unsecured PHI”:

If CEs and BAs apply the technologies and methodologies specified in the April 17, 2009 Guidance for PHI, the PHI is “secure” and no notice required.

Per the Guidance, “Secure PHI” is PHI that is rendered unusable, unreadable or indecipherable to unauthorized individuals (i.e., encrypted or destroyed as detailed in the exhaustive list of technologies and methodologies)


Omnibus Rule Breach Notification Standard

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is low probability that the PHI has been “compromised”

Determining whether or not there is a low probability data has been “compromised” requires analysis of what happened (or may have happened) to the data

Focus now switched to what happened to PHI?


Breach Notification – Risk Assessment

CE/BA should perform risk assessment post-breach discovery and must consider at least the following:
• Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
• Who was the recipient of the PHI
• Was the PHI actually acquired or viewed
• The extent to which the risk of misuse of the PHI has been mitigated


Breach Notification – Burden of Proof

If no risk assessment performed, the default is notification

Burden of demonstrating low probability that PHI is compromised is on the CE/BA

Decision not to notify must be documented in case of review


Breach Notification – Obligations to Notify

CEs must notify individuals (although can delegate this to BAs)

BAs must notify CEs

Subcontractors must be obligated to notify their contracting partner so the information can go back up the chain


Breach Notification – Examples of Risk Analysis Criteria

Likelihood of identification or re-identification:
• A list of client names on letterhead – not low probability
• Client discharge data, client not specified – can clients be re-identified? – could be low probability (depends on the circumstances)

Who is the unauthorized recipient:
• A HIPAA covered entity – low probability, as long as you have evidence the risk has been mitigated

PHI actually acquired or viewed:
• Untampered with laptop – low probability
• Information mailed to wrong person – not low probability
• Issue then is of course, risk of harm

Has improper use been mitigated:
• Satisfactory assurances of destruction from a known person – low probability


Right to Request Restrictions to Payors

The general rule is that a CE is not required to accept restrictions on the use and disclosure of PHI.

Final Rule created an exception, and requires a CE to agree to a restriction if:

the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and

the PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the CE in full.


Individual Right to Access PHI

HIPAA currently requires, with limited exceptions, that individuals have a right to review or obtain copies of their PHI to the extent such information is maintained in a designated record set.

The Final Rule made significant changes to the individual’s right to access their PHI.


Patient Access to Electronic Health Information

If PHI held electronically, individual entitled to an electronic copy if in a “designated record set” (not just the information in an “EHR”)

Must be in the format requested if “readily producible”; if not, in a readable electronic form and format agreed upon by the entity and the individual

Not required to buy new software to do this – but must have capability to provide some electronic copy

If individual declines to accept electronic formats entity makes available, can default to hard copy

Not required to accept patient’s device – but can’t require individuals to purchase a device from you if they don’t want to


Patient Access – Reasonable Safeguards

Must have reasonable safeguards in place to protect transmission of ePHI – but…
• If an individual wants information by unencrypted e-mail, entity can send if they advise the individual that such transmission is risky
• Can’t force individuals to accept unsecure
• Not then responsible for breach – document individual acknowledgement of risk

Omnibus allows 30 days to produce with one 30-day extension, for a total of 60 days. OCR urges entities to make information available sooner when possible

If over 30 days must notify patient in writing and inform why extension is needed


Patient Access – Third Parties

Individuals can have the copy directed to another person/entity – but the choice must be in writing and clearly identify the individual/entity

Information must be protected and entity must implement reasonable policies and procedures for sending to the right place (e.g., type e-mail correctly)

“In writing” can be electronic

Fees charged are restricted to labor costs for copying – cannot include cost of retrieval, or portion of capital costs

Charge can include supplies provided to individual upon request


Business Associates/Subcontractors

Omnibus rule conforms HIPAA regulations to HITECH Act changes

Before HITECH, BAs regulated through business associate contracts or agreements (“BAAs”)

After HITECH, BAs and subcontractors are regulated directly under HIPAA

Must comply with Security Rule (rule is flexible to accommodate small BAs)

Must comply with some of Privacy Rule and provisions of BAA

Still need BAA Agreement


Notice of Privacy Practices (NPP)

NPPs must include:

Statements regarding certain uses and disclosures requiring authorization – e.g., psychotherapy notes (where appropriate), marketing, sales of PHI, right to restrict disclosures to health plans (provider only), and right to be notified of breach; and

General statement that all uses and disclosures not described in NPP also require authorization

New patients get revised by 9/23/13, other patients as they come in to be seen


What the OCR says about Enforcement

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a client’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Director OCR
Leon Rodriguez


Enforcement Rule – BAs, Investigations, Reviews

Civil monetary penalties (CMPs) can be assessed directly to business associates

Complaint investigations and compliance reviews
• Required whenever there is evidence of a possible HIPAA violation due to willful neglect
• Discretionary in the absence of possible willful neglect
• Every complaint will be investigated preliminarily
• Secretary has discretion to move directly to imposition of CMPs without informal resolution


Enforcement - Coordination

Secretary may disclose PHI to another agency on request

Coordination of Department of Justice and FTC (http://www.hhs.gov.ocr/enforcement)

Coordination with State Attorneys General to assist with their direct enforcement