Temple University Public Health Law Discussion

In NYS, if a healthcare provider has an occupational exposure to the blood or body fluid of a patient whose HIV status is unknown, and the patient is unable to consent to testing, and there is no proxy/surrogate available to consent for testing, an anonymous rapid HIV test can be performed. Other criteria/particulars permitting this anonymous testing are contained in the PowerPoint for Lecture 12 (attached). The results of that test are conveyed from the lab to the provider caring for the exposed healthcare provider ONLY. The results of that test are not placed in the source patient’s medical record. What do you believe are the public health reasons for keeping this information from the source patient? Do you agree with those reasons? Please comment and discuss.

Also comment on this student’s comments below:

“This is a very interesting law. I am not sure how I feel about it either but I can speculate why this may be the case. I think that the main reason for why the test results aren’t placed in the patient’s chart has to do with the intent behind receiving the test itself and why the results need to be gathered. Those test results are meant for a reason unrelated to the care of that specific patient and are simply information to determine if the use of HIV post-exposure prophylaxis is appropriate for the person who was exposed or stuck with the needle. There are several NYS laws governing disclosure of HIV status (I cited NYS PHL 27-F in my midterm). I would gather that disclosure of HIV status even to the patient himself and relevant healthcare providers with access to his medical records where informed consent was not able to be obtained is illegal. Providers care for patients with unknown HIV status every day. An occupational injury like a needle stick should not supersede the informed consent process and charting thereafter.
But the HIV testing and subsequent results were not obtained for the patient’s benefit.” – Nicholas

HIPAA/Patient Privacy and Health Care Records
Lecture 12
Adjunct Professor
Barbara Kukowski
• Medical Record – Means of Communication
Documentation of a patient’s:
– Illness
– Symptoms
– Diagnosis
– Treatment
• Planning tool for patient care
• Document communication (e.g., progress
notes)
Medical Record – Means of Communication
Protects legal interests of patient, organization,
& practitioner
• Provides database for use in statistical
reporting
• Continuing education
• Research
• Provides info necessary for 3rd-party billing
Medical Record Contents – Admission record
• Age
• Address
• Reason for admission, social security number
• Marital status
• Religion
• Health insurance
• Advance Directives
Medical Record – Contents
• History
• Chief complaint
• Social history
• History of present
illness
• Family history
• Past medical history
• Reproductive History
• Allergies
• Current Medications
Medical Record Contents – Physical
– General appearance
– Vital signs
– Skin
– Lymph nodes
– HEENT
– Neck
– Thorax, Lungs
– Female & male breasts
– Cardiovascular
– Abdomen
– Genitalia
– Rectum
– Musculoskeletal
– Neurologic
– Assessment
• Plan
• Problem list
Medical Record Contents
• Consent Forms
• Fluid intake & output charts
• Assessments (e.g., nursing, functional,
nutritional, social, and discharge planning).
• Treatment plan
• Physicians’ orders
• Medical Record Contents
• Progress notes
– Nursing notes
– Notations of other disciplines
• Diagnostic reports (e.g., laboratory and imaging)
• Consultation reports
• Discharge planning/social service notes & reports
• Patient education
• Discharge summaries
Medical Record Contents
• Vital signs charts
• Fluid intake & output charts
• Pain management records
• Anesthesia assessment
• Operative reports
• Medication administration records
Ownership & Release of Medical Records
• Ownership resides with organization or
professional rendering treatment
• Right to privacy
Retention of Information
• Length of time medical records must be
retained varies state to state
• HIPAA has a minimum standard of 6 years;
stricter standard (HIPAA or state law) controls
• HIPAA – Privacy Provision
• Patients able to access their records & request
correction of errors
• Patients must be informed of how personal info will be
used
• Patient consent for release of info for marketing
purposes required
• Patients may ask insurers & providers to take
reasonable steps to ensure their communications are
confidential
• Patients may file privacy-related complaints
HIPAA – Privacy Provision
• Health insurers & providers document their
privacy procedures
• Health insurers & providers designate a privacy
officer & train their employees
• Providers may use patient info without patient
consent for
– providing treatment
– obtaining payment for services
– performing non-treatment operational tasks of the
provider’s business.
What is Protected Health Information?
• Information, including demographic
information, created or received by a health
care provider related to:
a. the person’s health condition,
b. the provision of care to the person; or
c. the payment for that care,
• that identifies the person, or can be used to
identify the person 45 CFR §160.103
Examples of PHI
• Names (Full or last name and initial)
• All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
• Dates (other than year) directly related to an individual
• Phone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health insurance beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers (including serial numbers and license plate numbers)
• Device identifiers and serial numbers
• Web Uniform Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger, retinal and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
(HIPAA Journal, April 2, 2018)
HIPAA – Security Requirements
• Written P & Ps must be adopted, and must reflect how entity will comply
with HIPAA – P&Ps must:
• Require assignment of Privacy Officer for developing & implementing
P&Ps
• Reference management oversight & organization buy-in to comply with
documented security controls
• Identify employees who will have access to PHI, and address proper
workstation use
• Restrict access to PHI in all forms to employees who have a need for it to
complete job function [George Clooney]
• Address access authorization, establishment, modification, & termination
• Document scope, frequency, & procedures of routine and events-based
audits
• Document instructions for addressing & responding to security breaches.
HIPAA Security Requirements
– Ongoing training program
– Contingency plan for responding to emergencies
– Back up data & have disaster recovery procedures
in place – recovery plan should document data
priority & failure analysis, testing activities, &
change control procedures
– Conduct internal audits to review operations with
goal of identifying potential security violations
HIPAA – Security Requirements – Business Associate
Agreement (“BAA”) – Providers must ensure that
vendors have framework to comply with HIPAA, and
take care to determine if vendor further out-sources
any data handling functions to other vendors, while
monitoring whether appropriate contracts &
controls are in place – must have a BAA in place
with vendors, and vendors must have “downstream”
BAAs in place with subcontractors, if the vendor is
within the definition of a “Business Associate” under
HIPAA.
HIPAA Security Requirements – What is a Business
Associate?
• Any individual or entity that provides any service on
behalf of a healthcare provider (referred to as the
“Covered Entity”), where such individual or entity will
have other than incidental access to, use, or disclose,
PHI.
• What does a BAA require of a BA?
– Data security mechanisms
– Notification of breaches and coordination in breach
investigation
– Restrictions on use of PHI
HIPAA Physical Safeguards
• Responsibility for security must be assigned to a
specific person or department
• Controls must govern the introduction and removal of
hardware and software from the network
• When equipment is retired, it must be disposed of
properly to ensure that PHI is not compromised
• Access to equipment containing health info must be
carefully controlled & monitored
• Access to hardware & software must be limited to
properly authorized individuals
HIPAA Physical Safeguards
• Required access controls consist of facility
security plans, maintenance records, & visitor
sign-in and escorts
• Workstations should be removed from high-traffic areas and monitor screens should not
be in direct view of the public
• Remember to train vendor staff as well, as to
physical access responsibilities and restrictions
HIPAA Technical Safeguards
• Info systems housing PHI must be protected from
intrusion
• When info flows over open networks, some form
of encryption must be utilized
• If closed systems/networks are utilized, existing
access controls are considered sufficient &
encryption is optional
• Covered Entities must ensure that data within its
systems has not been changed or erased in an
unauthorized manner
HIPAA Technical Safeguards
• Data corroboration, including use of check sum,
double-keying, message authentication, & digital
signature may be used to ensure data integrity;
Covered entities must also authenticate entities
with which they communicate
• Authentication consists of corroborating that an
entity is who it claims to be
• Covered entities must make documentation of
their HIPAA practices available to the government
HIPAA Technical Safeguards
• Info technology documentation should also
include a written record of all configuration
settings on components of the network
because these components are complex,
configurable, & always changing
• Documented risk analysis & risk management
programs are required
In the Event of a Breach
Reporting requirements:
• For all breaches, Covered Entity must notify the
individuals whose PHI was disclosed
• If 500 or more individuals are affected by an
unauthorized disclosure of PHI, Covered Entity must
report the breach to the HHS Office of Civil Rights
(“OCR”)
• OCR must post the breach on its website
• For smaller breaches, Covered Entities must report to
OCR on a yearly basis
Federal versus State Law
• HIPAA establishes minimum protections for
protected health information and permits
disclosures, under certain circumstances,
without the patient’s authorization
• If State law is more proscriptive/offers greater
privacy, even if HIPAA permits the disclosure,
State law prevails
New York State Patient Confidentiality Laws
§ 4504 of the Civil Practice Law and Rules

Unless the patient waives the privilege, a person authorized to practice medicine,
registered professional nursing, licensed practical nursing, dentistry, podiatry or
chiropractic shall not be allowed to disclose any information which he acquired in
attending a patient in a professional capacity, and which was necessary to enable him to
act in that capacity.

The relationship of a physician and patient shall exist between a medical corporation, as
defined in article forty-four of the public health law, a professional service corporation
organized under article fifteen of the business corporation law to practice medicine, a
university faculty practice corporation organized under section fourteen hundred
twelve of the not-for-profit corporation law to practice medicine or dentistry, and the
patients to whom they respectively render professional medical services.
Professional Misconduct
• NYS Education Law §6530 applicable to
Physicians, Physician Assistants and Specialists
Assistants – includes in the definition of
professional misconduct:
• (23) Revealing of personally identifiable facts,
data, or information obtained in a professional
capacity without the prior consent of the patient,
except as authorized or required by law;
NYS Regulations
405.7(b)(13) Hospital responsibilities
• The hospital shall afford to each patient the right to:
– confidentiality of all information and records pertaining to the patient’s
treatment, except as otherwise provided by law
NYS Privacy Exceptions
• Gunshot wounds and serious stab wounds must be
reported to the police. N.Y. Penal Law Section 265.25
• NYS law allows psychologists and psychiatrists to
breach confidentiality and notify law enforcement
and/or an endangered person if a patient presents an
imminent danger – but this isn’t a mandate. NYS
Mental Hygiene Law Section 33.13(c)(6) (compare to
Tarasoff case in California)
• Mandating disclosure of dental records for purposes of
identification NYS CPLR 4504(b)
NYS Privacy Exceptions cont’d
• Mandatory reporting of suspected cases of child abuse and neglect
• Mandatory reporting to the Vulnerable Persons Central Register
• Sexual Assault Victims – Police are contacted “upon consent of the patient” 10
NYCRR §405.9(c)(1)(vi)
• Deaths reportable to the Westchester County Medical Examiners Office –
unattended deaths, suspicious deaths (homicide, suicide, accidental), deaths in
legal custody, due to trauma, related to therapeutic, diagnostic or operative
procedure, poisoning, maternal deaths, etc.
NYS Privacy Exceptions Cont’d

NYS SAFE Act Reporting Obligation under MHL §9.46

“ . . .when a mental health professional currently providing treatment services to a person
determines, in the exercise of reasonable professional judgment, that such person is likely
to engage in conduct that would result in serious harm to self or others, he or she shall be
required to report, as soon as practicable, to the director of community services


Online:
www.omh.ny.gov

NY SAFE Act Reporting:
• Information about the professional making the report
• Whether the person is currently hospitalized
• Demographics about the person being reported
• Reason the professional believes the person is likely to engage in conduct that would result in
serious harm to self or others
§ 33.13 NYS Mental Hygiene Law – Confidentiality
Patient records, including information identifying patients, are not to be disclosed except in
certain specific circumstances. For example:
• Pursuant to a court order – interests of justice outweigh the need for
confidentiality
• Mental Hygiene Legal Services
• Attorneys of patients where AOT or involuntary hospitalization is at issue
• The Justice Center
• With the patient’s consent – and to the patient or “qualified person” under
MHL Section 33.16
• OPMC
• With the consent of the Commissioner under certain circumstances (example
to be discussed)
• DA when investigating patient or child abuse
• Endangered person/law enforcement
• Appropriate persons/entities when necessary to protect the public
concerning a specific sex offender
Section 31.11 of the NYS MHL – Duty to Report a Crime
It shall be the duty of every holder of an operating certificate, . . .
• 2. making such reports as are necessary to provide notification to the
district attorney or other appropriate law enforcement official and the
commissioner or his or her authorized representative as soon as possible,
or in any event within three working days, if it appears that a crime may
have been committed against a patient receiving services from such
provider, unless it appears that the crime includes an employee, intern,
volunteer, consultant, contractor, or visitor and the alleged conduct
caused physical injury or the patient was subject to unauthorized sexual
contact, or if it appears the crime is endangering the welfare of an
incompetent or physically disabled person pursuant to section 260.25 of
the penal law, or if the crime was any felony under state or federal law,
then the district attorney or other appropriate law enforcement official
must be contacted immediately, and in any event no later than twenty-four hours
NYS Mental Hygiene Law – Missing Persons/criminal
investigations:
• MHL Section 33.13 (c)(9)(ii) With the consent of
the Commissioner, patient information may be
disclosed to persons and agencies needing
information to locate missing persons or to
governmental agencies in connection with
criminal investigations
• Information to be limited to identifying data
concerning hospitalization
Substance Use Disorder Patient
Office of Alcoholism and Substance Abuse Services Regulations prohibit
treatment programs from releasing information without a court order containing
certain language.

However, exceptions include:
• where the information is related to crimes and threats to commit crimes
on the premises; and
• where participation in the program is a condition of disposition of a criminal
proceeding
Penalties for Breaching Patient Privacy
• Jail for former Transformations Autism Treatment Center Employee – 30 days
jail, 3 years supervised release, $14,941.36 restitution
• UCLA surgeon sentenced to 4 months in jail and $2,000 fine for viewing health
records of his supervisor, co-workers and several celebrities
• Dermatology practice lost an unencrypted flash drive with patient information
and was fined $150,000 and required to implement a corrective action plan.
• Brigham and Women’s Hospital and Massachusetts General Hospital were
fined nearly $1 million for inviting television crews to film a documentary
without first obtaining patient authorization
• The University of Texas MD Anderson Cancer Center ordered to pay $4.3
million due to 3 data breaches including the theft of an unencrypted laptop
from an employee’s home and loss of 2 unencrypted thumb drives
• NY Presbyterian Hospital settled with OCR for $2.2 million for permitting ABC
to film without patient authorization


Sources: Mp/Med Prodisposal, 20 Catastrophic HIPAA Violation Cases to Open Your Eyes, June 2, 2017;
Simbus Information Security Compliance – Several HIPAA violation cases in the past involved poor decisions and behavior on the part of health care industry
employees, April 24, 2019
Quality Assurance Confidentiality
What is Discoverable/What is
Confidential
Confidentiality- Public Health Law
§2805-m
Information required to be collected and maintained as part
of:
• The Hospital’s medical, dental and podiatric malpractice
prevention program, and/or
• Its Credentialing Process/ Investigations prior to granting or
renewing privileges, and/or
• Reports required to be submitted as an adverse event
Except that the above information is to be shared with the
DOH or with another hospital in response to its request as
part of their Credentialing Process/ Investigations prior to
granting or renewing privileges
Confidentiality Cont’d
• With limited exceptions, none of the records,
documentation or committee actions or
records created pursuant to a hospital’s
medical malpractice prevention program,
credentialing process or required adverse
event reporting is subject to disclosure under
article six of the public officers law (a/k/a
FOIL) or article thirty-one of the civil practice
law and rules (in litigation)
Confidentiality and an Exception
• No person in attendance at a meeting of any
such committee shall be required to te…