H I P A A Case Studies for

H. I. P. A. A. Case Studies for Office Based FP’s David E. Kolva, M. D. Clinical Associate Professor SUNY Upstate Medical University

H. I. P. A. A. n Health Insurance Portability and Accountability Act of 1996 Original Intent: Protect workers from loss of insurance if job changes & eliminate ‘preexisting conditions’ exclusions n Ultimate Result: Added uniform standards for DATA SHARING, PRIVACY, and SECURITY of Personal Health Information n

Eventual HIPAA Advantages Increase TRUST that Information is SECURE and PRIVATE n Better Financial Efficiency by Reducing Processing Costs n Portable Electronic Medical Record for ALL Americans n

Key HIPAA Components Fall 2002 – Electronic Data Exchange standards n April 2003 – Compliance with PRIVACY standards for ALL INSTITUTIONS (FP offices) Induced Panic!!! n April 2005 – Compliance with SECURITY Standards n May 2007 – NPI National Provider Identifier n Civil and Criminal Penalties for Non-Compliance if No ‘Good Faith Effort’ n

Key HIPAA Components n Details of Data Sharing Standards and Electronic Security Standards are beyond scope of today’s talk. Advanced Practice Management skills for future managers/executives/regulators n Today’s Case Studies devoted to PRIVACY of P. H. I. = Protected Health Information

From This: n n n n n Section 306(k) of the Public Health Service Act (42 U. S. C. 242 k(k)) is amended-(1) in paragraph (1), by striking "16" and inserting "18"; (2) by amending paragraph (2) to read as follows: "(2) The members of the Committee shall be appointed from among persons who have distinguished themselves in the fields of health statistics, electronic interchange of health care information, privacy and security of electronic information, population-based public health, purchasing or financing health care services, integrated computerized health information systems, health services research, consumer interests in health information, health data standards, epidemiology, and the provision of health services. Members of the Committee shall be appointed for terms of 4 years. "; (3) by redesignating paragraphs (3) through (5) as paragraphs (4) through (6), respectively, and inserting after paragraph (2) the following: "(3) Of the members of the Committee-"(A) 1 shall be appointed, not later than 60 days after the date of the enactment of the Health Insurance Portability and Accountability Act of 1996, by the Speaker of the House of Representatives after consultation with the Minority Leader of the House of Representatives; "(B) 1 shall be appointed, not later than 60 days after the date of the enactment of the Health Insurance Portability and Accountability Act of 1996, by the President pro tempore of the Senate after consultation with the Minority Leader of the Senate; and "(C) 16 shall be appointed by the Secretary. "; (4) by amending paragraph (5) (as so redesignated) to read as follows: redesignated) "(5) The Committee-"(A) shall assist and advise the Secretary-"(i) to delineate statistical problems bearing on health and health services which are of national or international interest; "(ii) to stimulate studies of such problems by other organizations and agencies whenever possible or to make investigations of such problems through subcommittees; "(iii) to determine, approve, and revise the terms, definitions, classifications, and guidelines for assessing health status and health services, their distribution and costs, for use (I) within the Department of Health and Human Services, (II) by all programs administered or funded by the Secretary, including the Federal-State-local cooperative health statistics system referred to in subsection (e), and (III) to the extent possible as determined by the head of the agency involved, by the Department of Veterans Affairs, the Department of Defense, and other Federal agencies concerned with health and health services; "(iv) with respect to the design of and approval of health statistical and health information systems concerned with the collection, processing, and tabulation of health statistics within the Department of Health and Human Services, with respect to the Cooperative Health Statistics System established under subsection (e), and with respect to the standardized means for the collection of health information and statistics to be established by the Secretary under subsection (j)(1); "(v) to review and comment on findings and proposals developed by other organizations and agencies and to make recommendations for their adoption or implementation by local, State, national, or international agencies;

Key Privacy Concepts HIPAA establishes a “FLOOR” for PRIVACY Rights. Uniform across 50 States. Minimum standards that preempt existing State law. n Individual States may set STRICTER privacy rights, or higher “CEILING” for their citizens for certain conditions: n n New York State protects rights for reproductive/contraceptive matters, STD/HIV, Psychotherapy, and MINOR’S Access to care.

Glossary n P. H. I. Protected Health Information: ANY Information about an INDIVIDUAL’S Past, Present, or Future Medical History, Conditions, or Treatments THAT Contains Patient IDENTIFIERS such as NAME, ADDRESS, PHONE #’s, etc. In ANY form of STORAGE or TRANSMISSION.

Glossary n Notice of Privacy Practices: A WRITTEN Document that describes the privacy policy and procedures of your medical practice. [see SJHHC FPC sample] Establishes PRIVACY OFFICER who is responsible for practice’s HIPAA matters. n Acknowledgement of Receipt: Patients SIGN to indicate they understand privacy policy of practice

Glossary n CONSENT: Upon presentation of the Notice of Privacy Practices, and signing the Acknowledgement of Receipt, the patient grants the right for the practice to use PHI for CERTAIN COVERED ACTIVITIES without further written permission.

Glossary n T. P. O. Activities Treatment Activity Payment Activity Healthcare Operations Activity * These types of activities are covered by patient’s consent. You may freely use PHI for these activities without further permission. *

TREATMENT Activities Upon CONSENT, you may share PHI with any other licensed health professional [MD/DO, DDS, Ph. D. , LPN/RN, R. Ph. , PT, etc. ] who is, or may be, involved in the care of the patient. n Covers written, electronic and verbal communication. n Covers referrals and coordination of care by persons who have yet to see patient thus unable to obtain consent. n

Payment Activities Upon CONSENT, you may share PHI with business entities involved with BILLING and PAYMENT for Medical Services Rendered, Health Insurance Claims Processing, and Collections. n Some other payment activities are NOT HIPAA Protected: Disability Income Insurance, Worker’s Compensation, Credit card Insurance. These require further written authorization from patient to share PHI n

Healthcare Operations n Upon CONSENT, you may share PHI with other business entities for Quality Assessment, Planning, Licensing and Audits, and Healthcare Teaching n There are special rules governing LAW ENFORCEMENT activities, so these require special caution.

Authorization n Authorization is SPECIFIC written permission from the patient to use PHI for non-TPO activities. Must be detailed document and specify: Description of PHI to be used n Person authorized to make disclosure n Recipient of PHI n Purpose of disclosure n Expiration Date n

CASE #1 n You receive a call from the Dr. ERDOC about your patient Mr. X who presented to the ER with an Acute MI. Dr. ERDOC asks you about Mr. X’s medical history and wants his last EKG faxed to the ER. n What is your response?

Case #1 Answer n You may share any and all PHI with Dr. ERDOC about Mr. X. This is a TREATMENT activity. n Even if you were not sure if Mr. X has signed his Acknowledgement of Receipt of Privacy Notice, HIPAA allows for good-faith exercise of judgment by physicians if disclosure of PHI is critical to avert harm to patient.

Case #2 n Mr. X’s insurance company calls for information about Mr. X to see if he has a pre-existing cardiac condition in order to approve payment for the ER services. They want 5 years of office records faxed for review. n What is your response?

Case #2 Answer This is a PAYMENT activity and you may send records without further permission. HOWEVER, n Some information in the records may contain HIV/STD, Psychotherapy, or Drug/Alcohol Treatment records that are protected by STRICTER STATE of FEDERAL LAW that MAY need Mr. X’s further written permission to disclose. n

Case #3 n Since Mr. X is the Police Chief of Syracuse, a newspaper reporter calls your office to ask “if he will be able to fulfill his duties with this deadly condition? ” You feel that the public has a right to know this. n What is your response?

Case #3 Answer n Are you crazy? n NO!! There is NO T. P. O. activity involved and you MUST NOT share any PHI with the reporter. Only the patient can grant AUTHORIZATION.

Case #4 n You enter Mr. X’s hospital room on day of discharge and his wife and friends are there waiting. Both Mr. X and his friend ask you questions about his post-MI rehabilitation. n What do you say?

Case #4 Answer n This is permitted because the patient agreed, or did not object, to the friend’s presence. HIPAA allows for practitioners to share PHI with caregivers who are involved with treatment activities, or payment activities…. HOWEVER The practitioner should disclose only the MINIMUM NECESSARY information to satisfy the treatment activities

MINIMUM NECESSARY STANDARD n HIPAA allows covered entities some flexibility to address unique circumstances when sharing PHI to render good care, but still avoid unnecessary or imprudent disclosure of PHI. n Reasonableness standard consistent with prudent professional judgment.

Case #5 Ms. X is a 15 year-old patient who reveals to you that she is pregnant. She requests referral for an elective termination of pregnancy. One week later, her father, Mr. X asks why you didn’t call him about the office visit because she is a minor, and he is paying the bills. He says that HIPAA allows you to disclose PHI for Payment activities. n What do you say? n

Case #5 YOU MUST NOT DISCUSS ANY ASPECT OF THIS VISIT! n New York State Law prevails because it provides STRICTER privacy rights for Minors in regards to reproductive/contraceptive and HIV/STD treatment [NY Public Health Law 2504(4)] n Great Diplomacy is Needed in these situations. n

Case #6 Ms. Z is a 13 year old patient who reveals to you that she is depressed, and also that she is being physically abused by her mother. You arrange for safe harboring with her grandparents, who are acceptable to the patient, and start antidepressant therapy. Ms. Z tells you “not to tell anyone about this!” n What is your response? n

Case #6 Answer n You are required to report suspected child abuse by State Law.

Case #7 Mr. THC is a 42 year old male with chronic pain on long-term MS-Contin. His Urine Drug Screen is positive for opioids AND marijuana. You discover that he is employed as a nuclear power plant operator. You feel that his employer should know of his marijuana use to avoid a nuclear catastrophe. n Can you call the employer to discuss this? n

Case #7 Answer Absolutely NOT! The PHI is not being used for TPO activities. n HOWEVER, if the company sends him to your office for a job-required fitness-for-duty EXAM that includes urine drug screening, then the employer IS entitled to results FROM THAT EXAM without the patient’s authorization. This now becomes a Healthcare Operations use of PHI. n

Case #8 Mrs. LBP had an L 4 compression fracture 5 years ago. She also had acute depression following an extra-marital affair 7 years ago. She recently hurt her back at work and files a Worker’s Compensation claim. She writes a note to you SPECIFICALLY forbidding release of information to anyone about these two conditions. n What is your response? n

Case #8 You MUST report the previous back problem on her Worker’s Comp. claim form report. State Law requires disclosure of relevant pre-existing conditions. n The extra-marital affair is NOT relevant to her claim and must not be disclosed. n

Case #9 n You receive critical lab results from the lab on your patient, and want him to come to your office ASAP. You call his home and get his answering machine. n What Do You Say?

Case #9 Unless a patient specifically requests not to receive information this way, HIPAA allows practitioners to leave messages on answering machines, or with family members. HOWEVER, n Remember the Minimal Necessary Rule and just leave your number and request for urgent callback. DO NOT LEAVE LAB RESULTS ON MACHINES! n

Case # 10 n A person breaks into a doctor’s office at night, and pries open the medical record file with a crowbar to gain confidential information about a patient. n Can the privacy officer of the practice be prosecuted for this HIPAA violation?

Case #10 n No. HIPAA only requires that practices make a good -faith and reasonable effort to safeguard PHI. You might wish to safeguard highly sensitive information about high profile patients off-site if it is not needed for day-to-day healthcare operations or treatment.

Resources n http: //www. cms. hhs. gov/HIPAA Gen. Info/ n AAFP. org HIPAA related articles