the ethics of a practicing therapist pamft membership conference april 11, 2014

1

The Ethics of a Practicing TherapistPAMFT Membership Conference

April 11, 2014

Renee H. Martin, JD, RN, MSNRhoades & Sinon, LLP29 Dowlin Forge Road

Exton, PA 19341Tel.: (610) 423-4200Fax: (610) 423-4201

E-mail: [email protected]

941943.2

mailto:[email protected]

2© 2014 Rhoads & Sinon LLP. All Rights Reserved.

.

Outline Minors’ Rights Courts/Subpoenas Electronic/Social Media HIPAA


.

ACT 147: Adolescent Rights

Consent to release of mental health records of all purposes and in all circumstances other than those provided in this section shall be subject to the provisions of the “Mental Health Procedures Act,” and other applicable federal and state statutes and regulations.

Privacy, Confidentiality, Ethical Duties and Disclosure


.


Generally the minor shall control the release of the minor’s mental health treatment records and information to the extent allowed by law.



.


When a minor has provided consent to outpatient mental health treatment (records related to prior treatment consented to by minor), the minor shall control the records of treatment to the same extent as the minor would control the records of inpatient care or involuntary outpatient care under the “Mental Health Procedures Act” and its regulations.



.

ACT 147: Limited Rights of P/LG

When a parent or legal guardian (“P/LG”) has consented to treatment of a minor fourteen years of age or older Outpatient Treatment, the following shall apply to the release of the minor’s records and information:



.


“The P/LG may consent to release of the minor’s medical records and information, including records of prior mental health treatment for which the PL/G had provided consent, to the minor’s current mental health care treatment provider.”



.


If deemed pertinent by the minor’s current mental health treatment provider, the release of information under this subsection may include a minor’s mental health records and information from prior mental health treatment for which the minor had provided consent to treatment.



.


“The P/LG may consent to the release of the minor’s mental health records and information to the primary care provider if, in the judgment of the minor’s current mental health treatment provider, such release would not be detrimental to the minor.”



.


Release of mental health records and information shall be limited to release directly from one provider of mental health treatment to another or from the provider of mental health treatment to the primary care provider.



.


The P/LG who is providing consent to outpatient mental health treatment of a minor (14+) shall have the right to:

information necessary for providing consent;symptoms;conditions to be treated;medications;other treatments;risks and benefits;expected results.



.

Confidentiality of Mental Health Treatment Records§5100.25 Release to Courts

No release of records in response to a Subpoena or other Court discovery proceedings without patient consent or an additional court order

Duty to Inform Court Inform client/patient’s attorney Defense counsel for Provider may review records; minimum necessary applies Employees are to be informed; violations include civil and criminal liability



.

Court Orders

Issues by a Judge Increased duty to respond Search warrant (magistrate)



.

Ethical Duties and Social Media and e-mail

Provider-Patient Relationship Explaining the Limits of Confidentiality Social Media and Private Practice Use of e-mail



.

Social Media refers broadly to Web-based tools that allow individuals to communicate quickly, easily and broadly.


• Email• Facebook• Twitter• LinkedIn

• Blogs• You Tube• Health sites

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&uact=8&docid=s5e_sdoPFzHAGM&tbnid=JnzQcG533mdHHM:&ved=0CAUQjRw&url=https://communities.vmware.com/community/linkedin/&ei=Op45U76sFqfKsASe8oHYBQ&bvm=bv.63808443,d.dmQ&psig=AFQjCNEOly-mCdyrsEMXsLNBPiKha9HU9Q&ust=1396371361790739


.

Confidentiality and Social Media

When is the Provider-Patient Relationship created? Contractual: implied by the actions of the parties in

seeking and providing advice and care Use of email



.


Principle II: Confidentiality1.13 Electronic Therapy (AAMFT Code of Ethics)

2.4 Protection of Records. Marriage and family therapists store, safeguard, and dispose of client records in ways that maintain confidentiality and in accord with applicable laws and professional stands.2.7 Protection of Electronic Information. When using electronic methods for communication, billing, recordkeeping, or other elements of client care, marriage and family therapists ensure that their electronic data storage and communications are privacy protected consistent with all applicable law.


Social Media Guidelines & Recommendations

Professional LiabilityPolicies should remind employees and staff that online

communications are not private and may be discoverable in litigation.

Policies should clearly define the parameters of the relationships between healthcare professionals and other social media users.

Professionals should be aware of the pros and cons of making patients their Facebook “friends”.

Distinguish between personal/social relationships versus doctor/patient relationships.

Be aware of risks of “practicing medicine online” It is generally unwise to establish therapist/patient relationships online.

18


Social Media Guidelines & Recommendations

19

Professionals should monitor their social media/networking sites regularly.

Consider adding broad disclaimers such as a statement that your organization does not give medical advice via your website or social media sites and that users seeking specific medical advice should contact a physician or contact 911 in the event of an emergency.


Policies – Can They Help?

Be Proactive Not ReactiveEven if your employees don’t use or access computers at

work, they most likely do at home – and may be talking about work.

Nearly every employer in every work environment should consider how social media could impact their workforce or company.

What steps should be taken now to avoid problems down the road.

20


Issues To Consider in Developing a Social Media Policy Whose job will it be to monitor violations?

Who will monitor your social media activity? Use automated resources such as Google Alerts or have IT sources assist you to determine other resources available to monitor social media activity that may be impacting your company.

How will you discipline violators – consistently?

21


Issues To Consider After Developing a Social Media Policy Be careful about disciplining employees who engage in

concerted activity, report illegal activities and exercise freedom of speech.

Consider training employees regarding the social media policy and areas such as privacy, trade secret infringement, etc.

Re-evaluate on a regular basis. Social media is developing and changing quickly. Your attitudes and expectations regarding social media will likely change overtime – be sure your policies keep up.

22


.

Confidentiality and Social Media

American Health Information Management Association (“AHIMA”)

American Medical Association Ethical Guidelines (AMA) American Psychological Association Ethical Principles (APA) Marriage and Family Therapists (Regulations and AAMFC

Code of Ethics)



.

Questions to Consider with Social Media/E-mail Is it necessary to use e-mail? Is there another equally safe way to send information? Is the disclosure necessary? Does the disclosure affect my other obligations? Should it be encrypted? How do I dispose of it? Is it part of the clinical record?



.

HIPAA


.

History of HIPAA

1996 - HIPAA enacted1999-2000 - Initial Privacy & Security Regulations Issued2002 - Final Privacy Rules Issued2005 - Final Security Rules Issue2009 - HITECH ACT – Interim Final Rule-Breach

Notification2010 - Enforcement Rules Published2013 - HIPAA Final Omnibus Rule


.

Who is covered under HIPAA?


.

Who Is Subject to HIPAA?

Covered Entities (direct)Health plans: insurance companies; HMOHealth care clearing houses (process nonstandard data

elements into standard data elements)Health care providers who transmit any health information in

electronic form in connection with a covered transactionBusiness Associates

Receive PHI from covered entity Perform a function on its behalf


.

What is a Business Associate?

A person who, on behalf of a covered entity - -Performs or assists with a function or activity involving

Individually Identifiable InformationPerforms certain identified services


.

Business AssociateAuditorsLawyersActuaries

Clearing Houses

Management Firms

Covered Entity

Billing FirmsOther

CoveredEntities

TPAs

ConsultantsVendors

AccreditationOrganizations


.

Third Parties and Business Associate?

Covered entities may disclose PHI to a business associate As necessary to permit the business associate to perform

functions and activities on behalf of the covered entityBusiness associate cannot use PHI for its own purposes


.

Individually Identifiable Health Information (IIHI)

Health information including demographics that:Is created or received by a health care provider, health plan,

or health care clearing house andRelated to the past, present or future physical or mental

health or condition; the provision of health care; or the past, present or future payment for the provision of health care to an individual that Identifies the individual or with respect to which

there is a reasonable basis to believe the information can be used to identify the individual.


.

Protected Health Information (PHI)

Individually identifiable health information that is:Transmitted by electronic mediaMaintained in any electronic mediaTransmitted or maintained in any other form (including oral

or written PHI)


.

PHI and the Medical Record

The HIPAA Privacy Rule defines a Designated record set as follows:

(1) A group of records maintained by or for a covered entity that is: The medical records and billing records about individuals

maintained by or for a covered health care provider; Used, in whole or in part, by or for the covered entity to make

decisions about individuals. (2) the term record means any item, collection, or grouping of

information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.


.

Privacy Rule Summary

A covered entity may not use or disclose PHI except:After is gives written Notice about its health information

practices to the individualIn accordance with an individual’s written authorization*When requested by the Department of Health and Human

Services Office of Civil rights

Note: MFT Rules of Ethics require authorization from individual in “unit” to permit disclosures.


.

General Rule: Required Disclosure

To individual upon individual’s request; some exceptions apply

To HHS in connection with its enforcement and compliance review actions


.

General Rule: Permitted Disclosures

Notice of Privacy Practices: Treatment, Payment, Health Care Operations

Authorization – always noted legal mandated exception

Statutory/Regulatory Disclosures (Duty to Warn, etc.)


Scope of the Omnibus Rule

Revised breach notification standard Patient access to information contained in an electronic

health record (right already granted to paper records) Regulation of business associates (“BAs”) and

subcontractors Prohibition on “sale” of PHI without authorization


.

Privacy, Confidentiality and Disclosure HIPAA Permitted Disclosures to Avert Serious Threat to

Health and Safety (§164.512(j))

1. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure (emphasis added):

Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

It to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat;


.

Privacy, Confidentiality and DisclosureHIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j))

Is necessary for law enforcement authorities to identify or apprehend an individual:

Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or

Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody


.

Privacy, Confidentiality and Disclosure

HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j))

Use or disclosure not permitted if the information described in this section is learned by the CE

In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure…[during], or counseling or therapy; or

Through a request by the individual to initiate or to be referred for the treatment, counseling, or therapy…


.

Privacy, Confidentiality and Disclosure

HIPAA Permitted Disclosures to Avert Serious Threat to Health and Safety (§164.512(j))

Limit on information that may be disclosed.

Presumption of good faith belief.


Scope of the Omnibus Rule Patients’ right to restrict data sharing with payers Requirements to modify and redistribute NPP Clarifies and strengthen OCRs role in enforcement,

imposition of civil monetary penalties (CMPs) and CMP liability for acts of Business Associates and subcontractors


Duty to Notify in Case of Breach HITECH Act: Required Notification of Breach of

“Unsecured PHI” What is a “breach”?

“the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security or privacy of the PHI”

If definition is met, notification is required

*Applies to both electronic and hard copy information*


Duty to Notify in Case of Breach What is NOT a “breach”? Determined by:

1. Definition of “breach”2. Exceptions to definition of a breach


Not a Breach by Definition Unintentional acquisition, access or use of PHI by

a workforce member or person acting under the authority of a Covered

Entity (CE) or Business Associate (BA) if the acquisition, access, or use was made in good

faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted


Not a Breach by Definition Applies only to “Unsecured PHI”:

If CEs and BAs apply the technologies and methodologies specified in the April 17, 2009 Guidance for PHI, the PHI is “secure” and no notice required.

Per the Guidance, “Secure PHI” is PHI that is rendered unusable, unreadable

or indecipherable to unauthorized individuals (i.e., encrypted or destroyed as detailed in the exhaustive list of technologies and methodologies)


Omnibus Rule Breach Notification Standard

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is low probability that the PHI has been “compromised”

Determining whether or not there is a low probability data has been “compromised” requires analysis of what happened (or may have happened) to the data

Focus now switched to what happened to PHI?


Breach Notification – Risk Assessment

CE/BA should perform risk assessment post-breach discovery and must consider at least the following:Nature and extent of PHI involved, including types of

identifiers and likelihood of re-identificationWho was the recipient of the PHIWas the PHI actually acquired or viewedThe extent to which the risk to misuse of the PHI has been

mitigated


Breach Notification – Burden of Proof

If no risk assessment performed, the default is notification

Burden of demonstrating low probability that PHI is compromised is on the CE/BA

Decision not to notify must be documented in case of review


Breach Notification – Obligations to Notify

CEs must notify individuals (although can delegate this to BAs)

BAs must notify CEs

Subcontractors must be obligated to notify their contracting partner so the information can go back up the chain


Breach Notification – Examples of Risk Analysis Criteria Likelihood of identification or re-identification:

A list of client names on letterhead – not low probabilityClient discharge data, client not specified – can clients be re-identified? – could

be low probability (depends on the circumstances) Who is the unauthorized recipient:

A HIPAA covered entity – low probability, as long as you have evidence the risk has been mitigated

PHI actually acquired or viewed:Untampered with laptop – low probabilityInformation mailed to wrong person – not low probabilityIssue then is of course, risk of harm

Has improper use been mitigated Satisfactory assurances of destruction from a known person – low probability


Right to Request Restrictions to Payors

The general rule is that a CE is not required to accept restrictions on the use and disclosure of PHI.

Final Rule created an exception, and requires a CE to agree to a restriction if:

the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and

the PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the CE in full.


Individual Right to Access PHI

HIPAA currently requires, with limited exceptions, that individuals have a right to review or obtain copies of their PHI to the extent such information is maintained in a designated record set.

The Final Rule made significant changes to the individual’s right to access their PHI.


Patient Access to Electronic Health Information

If PHI held electronically, individual entitled to an electronic copy if in a “designated record set” (not just the information in an “EHR”)

Must be in the format requested if “readily producible”; if not, in a readable electronic form and format agreed upon by the entity and the individual

Note required to buy new software to do this – but must have capability to provide some electronic copy

If individual declines to accept electronic formats entity makes available, can default to hard copy

Not required to accept patient’s device – but can’t require individuals to purchase a device from you if they don’t want to


Patient Access – Reasonable Safeguards Must have reasonable safeguards in place to

protect transmission of ePHI – but…If an individual wants information by unencrypted e-mail,

entity can send if they advise the individual that such transmission is risky

Can’t force individuals to accept unsecureNot them responsible for breach – document individual

acknowledgement of risk

Omnibus allows 30 days to produce with one, 30 day extension for a total of 60 days-OCR urges entities to make information available sooner when possible

If over 30 days must notify patient in writing and inform why extension is needed


Patient Access – Third Parties

Individuals can have the copy directedto another person/entity – but the choicemust be in writing and clearly identify the individual/entity

Information must be protected and entity must implement reasonable policies and procedures to sending to the right place (e.g., type e-mail correctly)

“In writing” can be electronic

Fees charged are restricted to labor costs for copying – cannot include cost of retrieval, or portion of capital costs

Charge can include supplies provided to individual upon request


Business Associates/Subcontractors

Omnibus rule conforms HIPAA regulations to HITECH Act changes

Before HITECH, BAs regulated through business associatecontracts or agreements (“BAAs”)

After HITECH, BAs and subcontractors are regulated directlyunder HIPAA

Must comply with Security Rule (rule is flexible to accommodate small BAs)

Must comply with some of Privacy Rule and provisions of BAA Still need BAA Agreement


Notice of Privacy Practices (NPP)

NPPs must include:Statements regarding certain uses and disclosures

requiring authorization – e.g., psychotherapy notes (where appropriate), marketing, sales of PHI, right to restrict disclosures to health plans (provider only), and right to be notified of breach; and

General statement that all uses and disclosures not described in NPP also require authorization

New patients get revised by 9/23/13, other patients as they come in to be seen


What the OCR says about Enforcement

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a client’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Director OCRLeon Rodriguez


Enforcement Rule – BAs, Investigations, Reviews

Civil monetary penalties (CMPs) can be assessed directly to business associates

Complaint investigations and compliance reviewsRequired whenever there is evidence of a possible HIPAA

violation due to willful neglectDiscretionary in the absence of possible willful neglectEvery complaint will be investigated preliminarilySecretary has discretion to move directly to imposition of

CMPs without informal resolution


Enforcement - Coordination

Secretary may disclose PHI to another agency on request

Coordination of Department of Justice and FTC (http://www.hhs.gov.ocr/enforcement)

Coordination with State Attorneys General to assist with their direct enforcement

http://www.hhs.gov.ocr/enforcement

the ethics of a practicing therapist pamft membership conference april 11, 2014

Documents

minors mental health

records of treatment

minors records

rhoads sinon llp

adolescent rights consent

mental health procedures

release of information

ethical duties