Protecting Privacy and Releasing Information through networked
Health Information Exchange
presented by
Helen Oscislawski, Esq. March 10, 2015
NJ HFMA CARE Forum
Copyright ©2015 Oscislawski LLC. This document may NOT be copied, distributed or used except by current clients of Oscislawski LLC.
DISCLAIMER: The diagrams and information in this document are EXAMPLES ONLY and do not reflect all of the potential organizations or connections that may be a part of
a particular Health Information Organization. The information provided here does NOT represent any official position or decision by the State of New Jersey.
All diagrams and proposed contractual arrangements are subject to change.
Connecting Healthcare with Legal ExcellenceSM
© 2015 Oscislawski LLC
What are we going to cover?
• Overview of Federal and New Jersey laws that set the
standards or otherwise affect how patients’ health
information may be used and disclosed through networked
Health Information Exchange (HIE) or a Health Information
Organization (HIO)
• Consent forms that cover data sharing in HIE & HIO
• Leveraging the HIPAA Notice of Privacy Practices
• Recent HIE/HIO developments at ONC/HHS/OCR
• Recent privacy lawsuits which use HIPAA as a standard of
care for protecting privacy
Presentation
about ...
Old McDonald had a Farm,
H-I-E HI-O ….
HIE/HIO – What is it?
[Diagram; only the labels are recoverable: National Health Information Network; State Health Information Network; HIO (two boxes); Integrated Delivery Network (IDN); IPA; Hospital (two boxes); Radiology Group; Long Term Care; MD Practice (five boxes)]
“HIE” vs. “HIO” – What’s the Difference?
“Health Information Exchange” or “HIE” is used as a verb to refer to the act of sharing health information among two or more providers through an organized exchange network.
“Health Information Organization” (or “HIO”) is used to refer to the technical and operational infrastructure, including the governing body, that is created to support electronic sharing of health information.
These terms were defined in the Report to the Office of National Coordinator for HIT on Defining Key Health Information Technology Terms prepared by the National Alliance for Health Information Technology. Posted on ONC’s website in June of 2008 at http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__reports/1239.
The Law
Patient Privacy
Privacy Laws
HIPAA Covered Entity
Organized Health Care Arrangement
Business Associate
Treatment, Payment & Health Care Operations
42 C.F.R. Part 2
State Law Facility Licensing Laws
Provider licensing laws
Information-specific (i.e., “sensitive information”)
New Jersey Identity Theft Prevention Act (breaches)
HIPAA
Applicability
• Applies to “Covered Entities”:
• Health care providers conducting electronic standard transactions
• Health Plans
• Health Care Clearinghouses
• Applies to Protected Health Information (PHI):
• Any information which relates to the past, present or
future physical or mental health of an individual,
including provision or payment for care (up to 50
years after death).
HIPAA: “Organized Health Care Arrangement”
45 CFR 160.103 of the HIPAA Privacy Rule:
(1) A clinically integrated care setting in which individuals typically receive health
care from more than one health care provider; [OR]
(2) An organized system of health care in which more than one covered entity
participates and in which the participating covered entities:
(i) Hold themselves out to the public as participating in a joint arrangement; and
(ii) Participate in joint activities that include at least one of the following:
(A) Utilization review, in which health care decisions by participating covered entities are reviewed
by other participating covered entities or by a third party on their behalf;
(B) Quality assessment and improvement activities, in which treatment provided by participating
covered entities is assessed by other participating covered entities or by a third party on their behalf;
[OR]
(C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by
participating covered entities through the joint arrangement and if protected health information
created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
[additional provisions applicable to health plans omitted]
HIPAA: “Business Associate”
45 C.F.R. §160.103. A Business Associate is a person/entity who/that:
(i) on behalf of such CE or of an organized health care arrangement (“OHCA”) in which the CE participates, but other than in the capacity of a
member of the workforce of such CE or arrangement, performs, or assists in
the performance of:
A. a function or activity involving the use or disclosure of PHI, including claims processing or administration, data analysis, processing or
administration, utilization review, quality assurance, billing, benefit
management, practice management, and re-pricing; or
B. any other function or activity regulated by this subchapter;
OR
(ii) Provides, other than in the capacity of a member of the workforce of such
CE, legal, actuarial, accounting, consulting, data aggregation (as defined in
§164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such CE, or to or for an OHCA in which the CE participates, where the provision of the service involves the disclosure of PHI
from such CE or arrangement.
HIPAA: HITECH changes
Adds BA’s sub-contractors
Specifically includes HIOs, RHIOs, e-prescribing gateways,
and PHR vendors providing service on behalf of a covered
entity.
Any person or entity that transmits PHI or requires access to PHI
on a “routine” basis.
Excludes “Conduits” for data transmission. Conduits are NOT BAs (e.g.,
access PHI on a random or infrequent basis)
HIPAA: “Conduit”
“Permitted” Activities:
Data transmission that does not require access to PHI on a routine basis
Access to PHI on a random or infrequent basis
Temporary storage that is incident to the transmission of the data (but not retained)
“Prohibited” Activities:
Access to PHI on a routine basis, or more than on a random or
infrequent basis
Managing record locator services (RLS) in connection with the data
transmission and/or storage
Providing direct oversight and/or control over the electronic health
information exchange through the network
Storing the PHI for any longer than transient period – i.e., storage for a
persistent period of time
HIPAA: “Permitted” Uses & Disclosures
Treatment – provision, coordination or management of
health care and related services by one or more health
care providers
Payment – activities for obtaining payment or
reimbursement for the provision of health care and
activities relating to premiums, coverage and provision
of benefit.
Health care operations – quality assessment and
improvement activities, competency assurance
activities, medical reviews/audits/legal services,
specific insurance functions, business planning and management, and other administrative activities.
HIPAA: “Permitted” Uses & Disclosures (con’t)
Research
Public Health
Required by Law
Others…
42 C.F.R. Part 2
Part 2 Applicability
Protects confidentiality of alcohol/drug abuse
treatment and rehabilitation with regard to any
information which could identify the patient as a
current or former drug/alcohol patient.
Applies only to those patient records maintained in
alcohol/drug treatment and rehabilitation programs
which receive direct or indirect federal assistance.
“Federally-Assisted” “Programs”
• “Program” – any person or organization that provides
(specifically-dedicated) alcohol or drug diagnosis,
treatment, referral for treatment or prevention.
• “Federally assisted” – federal funds, whether direct or
indirect.
• $$ received in any form, even if it does not pay directly for
alcohol/drug abuse services
• Receives tax exempt status or tax deductions from IRS
• Authorized to conduct business by federal government
• Conducted directly by federal/state/local government
Consent for Disclosure
In general, disclosure of patient records is strictly prohibited without the patient’s written consent unless the disclosure would otherwise be permitted or required under an exception in 42 CFR Part 2.
Permitted Disclosures w/o Consent
• Internal communications
• De-identified information
• Medical emergencies
• QSO pursuant to QSOA
• Audits/evaluations
• Crimes/threat of crime on premises of program or against program personnel
• Initial reports of child abuse/neglect
• Research
• Court order
Written Consent + Notice Requirement
• Multiple consents may be required by 42 CFR Part 2 for
each type of disclosure as well as each recipient.
• Two-Way and Multi-party consents allow the exchange
of information between necessary parties
• Qualified Service Organization Agreements (QSOA)
• “Minimum necessary”
• Statement prohibiting Redisclosure
• Revocable
• Conditioning of Treatment
CONSENT
Consent to What ?
Before we can answer the question of if
(as a matter of law, policy or otherwise)
the patient’s consent is or should be required,
or whether the patient should or must, at a minimum, be
afforded a right to “opt-in” or “opt-out”, we must first
ask and answer:
“What is the patient consenting to”?
“What is the patient ‘opting in’ to or ‘opting out’ of” ?
Consent is a Multi-Layer Question: Layer 1
Layer 1 Question: Is consent legally required to allow the patient’s data to be released to an HIO to hold and store on behalf of the entity contributing the patient data?
Answer:
No, under HIPAA - the HIO is a HIPAA BA for this purpose.
Under Part 2, an HIO may qualify as a QSO for this purpose.
Under NJ Law, most likely no additional consent required if treated like any other “vendor” servicing the entity.
Also known as “Opt-In”.
Consent is a Multi-Layer Question: Layer 2
Layer 2 Question: If patient information has been
transmitted to an HIO for storage, is the patient legally
entitled to a right to “opt-out” of networked HIE before
transmission or access starts?
Answer:
No, under HIPAA. Does not address opt-out for HIE.
Part 2 is also silent on opt-out for HIE.
New Jersey law silent about opt-out or consent in
HIE/HIO context; but, NJDOH & NJHIT Commission have
published documents supporting the patient’s right to
“opt-out” of having their information shared through
networked HIE.
Consent is a Multi-Layer Question: Layer 3
Layer 3 Question: After data is stored by the HIO and the opt-out opportunity has been presented, who can it be transmitted to and who can access that information, and is any additional patient consent required before any such transmission and/or access?
Answer:
• HIPAA says no additional consent required for Treatment, Payment & Health Care Operations, and certain other use cases (i.e. public health; required by law etc.)
• Part 2 will require consent to disclose to any 3rd party.
• NJ Law exceptions say no additional consent required for certain exceptions. DEPENDS on type of info, who is getting the information, and for what purpose (more on this later…). Also depends on how broad the entity’s registration consent is and if it covers disclosures contemplated by networked HIE.
GWU 2010 Whitepaper: HIE Consumer
Consent Options for HIE
No Consent
Opt-Out
Opt-Out, with Granularity of Choice
Opt-In
Opt-In, with Granularity of Choice
* Consumer Consent Options for Electronic Health Information Exchange:
Policy Considerations and Analysis, Department of Health Policy, School of
Public Health and Health Services, George Washington University medical
Center (March 23, 2010).
State Law
Consent Standards by Type of Provider
(Columns: Provider Type / Consent Standard / Exceptions (No Consent Required))

Licensed Physicians
Consent standard: General confidentiality. Allowed to share info in “professional judgment” & “best interests of patient” (even without consent). N.J.A.C. 13:35-6.5(d), (e)

Acute Care Hospital
Consent standard: patient “approval”. N.J.A.C. 8:43G-4.1(a)(21)
Exceptions (no consent required):
1) transfer to another health care facility
2) required & permitted by law
3) required & permitted by payor contract
4) required & permitted medical peer review
5) required and permitted by NJDOHSS
6) de-identified aggregated data

Long Term Care Facility
Consent standard: resident “approval”. N.J.A.C. 8:39-4.1(a)
Exceptions (no consent required): Same as hospital, but not peer review or de-identified aggregated data. N.J.A.C. 8:39-4.1(a)

Assisted Living Facility
Consent standard: resident “approval”. N.J.A.C. 8:36-4.1
Exceptions (no consent required): Same as LTCF. N.J.A.C. 8:36-4.1

Ambulatory Care Facility
Consent standard: “written consent” of the patient. N.J.A.C. 8:43A-13.5(a), (b)
Exceptions (no consent required): Same as for hospital. N.J.A.C. 8:43A-16.2(a)9

Residential HC Facilities
Consent standard: “written consent” of resident. N.J.A.C. 8:43-4.6(a)
Exceptions (no consent required): Same as LTCF, but allows disclosure to “authorized government agencies”. N.J.A.C. 8:43-4.6(a)
Consent Standards for Special Providers
(Columns: Provider Type / Consent Standard / Exceptions (No Consent Required))

42 CFR Part 2 Facility or Program
Consent standard: Prior Informed Consent.
Exceptions (no consent required):
1) Internal communication within the Part 2 Program or entity with direct administrative control
2) De-identified information
3) Research
4) Medical emergency
5) Court order
6) Audits and program evaluations
7) State reporting
8) Qualified Service Organizations/BA

Mental Health Providers (licensed by Department of Human Services or contracted with State Division)
Consent standard: Valid, written authorization or judicial order to release records. N.J.A.C. 10:41-52(a)
Exceptions (no consent required):
1) As directed by the Attorney General in response to plaintiff in tort claim or civil action
2) To the DHS directly related to its admin
3) To family/friends that patient lists out
4) To transferee facility
5) To medical staff outside the Dept who have assumed temporary medical responsibility for the individual, who shall have access to information and records as necessary for the treatment of the patient
6) To law enforcement to locate missing person
7) To an agency investigating abuse or neglect
8) Licensure or audits of facility
9) Guardianship actions
Consent by Type of Information
(Columns: Type of Information / Consent Standard / Exceptions (No Consent Required))

HIV/AIDS
Consent standard: Prior written informed consent. N.J.S.A. 26:5C-8.a
Exceptions (no consent required):
#1 Scientific IRB-approved research
#2 Certain audit functions, but info must be de-identified unless vital to the audit
#3 Qualified personnel directly involved in medical education
#4 Qualified personnel directly involved in treatment of the person
#5 Reporting to NJDOHSS as required by law
#6 As permitted by NJDOHSS for disease prevention & control
#7 If authorized by State or federal law. N.J.S.A. 26:5C-8.b(3)

Venereal Disease (STD)
Consent standard: Silent. (see chart)

Genetic Info
Consent standard: Informed consent (see chart)

42 CFR Part 2 Record (re-disclosure)
Consent standard: Prior Informed Consent
Exceptions (no consent required): See Part 2 Facilities

Emancipated Minor Care Consent
Consent standard: MD discretion in certain cases

“Paid for Out of Pocket”
Consent standard: HIPAA Authorization
Exceptions (no consent required): none
New Jersey Law – Quick Table
Implementing “Opt-Out”
in a Networked HIE Community
Legal Framework
• HIPAA BA Agreements with “facilitator”
• End User Agreements to bind end user to standards
• “Data-Exchange Agreements” (aka “Trust Agreements”
or “Participation Agreement”) to bind participating
entities to same standards, and to allocate responsibility
• Policies governing terms & conditions of networked HIE
• Patient Educational Brochure
• 2-Layer Notice of Privacy Practices (notice of HIE)
• Opt-Out process
• Consents where required by law, or required for particular type of provider or information.
NPP Sample HIE Language
• As a [member/participant] with [HIO Name] we may use or disclose your Personal Health Information to [HIO Name] and also to the other members/participants of [HIO Name].
• Other health care providers, such as physicians, hospitals and other health care facilities, may have access to this information for treatment, payment and other purposes, to the extent permitted by law.
• You have the right to “opt-out” or decline to participate in networked Health Information Exchange (HIE).
• If you choose to opt-out of the HIE, this will prevent your information from being available to be shared through [HIO Name]; however, it will not prevent how your information otherwise is typically accessed and released to authorized individuals in accordance with the law, including being transmitted through other secure mechanisms (i.e., by fax or an equivalent technology).
NPP Acknowledgment Signature
Other Recent
Developments
ONC Interoperability Roadmap
• http://www.healthit.gov/policy-researchers-
implementers/interoperability
• Proposes critical actions for both public and private
stakeholders that will advance our nation towards an
interoperable health IT ecosystem, advance research and
ultimately achieve a learning health.
• Health IT that facilitates secure, efficient and effective sharing and use of electronic health information when and where it is needed is essential to better care, smarter spending and a healthier nation.
• Public comment being accepted until April 3, 2015
Thank you. Any questions?
Check out our blog www.legalhie.com
and our Health Law Diagnosis articles posted on www.oscislaw.com
Helen Oscislawski, Esq.
Principal, Attorneys at Oscislawski LLC
609-385-0833