NJ HFMA CARE Forum - HFMA NJ Chapter - Home Page · (“OHCA”) in which the CE participates, but...

Protecting Privacy and Releasing Information through networked

Health Information Exchange

presented by

Helen Oscislawski, Esq. March 10, 2015

NJ HFMA CARE Forum

Copyright ©2015 Oscislawski LLC. This document may NOT be copied, distributed or used except by current clients of Oscislawski LLC.

DISCLAIMER: The diagrams and information in this document are EXAMPLES ONLY and do not reflect all of the potential organizations or connections that may be a part of

a particular Health Information Organization. The information provided here is does NOT represent any official position or decision by the State of New Jersey.

All diagrams and proposed contractual arrangements are subject to change.

Connecting Healthcare with Legal ExcellenceSM

© 2015 Oscislawski LLC

What are we going to cover?

• Overview of Federal and New Jersey laws that set the

standards or otherwise affect how patients’ health

information may be used and disclosed through networked

Health Information Exchange (HIE) or a Health Information

Organization (HIO)

• Consent forms that cover data sharing in HIE & HIO

• Leveraging the HIPAA Notice of Privacy Practices

• Recent HIE/HIO developments at ONC/HHS/OCR

• Recent privacy lawsuits which use HIPAA as a standard of

care for protecting privacy

Presentation

about ...

Old McDonald had a Farm,

H-I-E HI-O ….

© 2015 Oscislawski LLC Connecting Healthcare with Legal ExcellenceSM

State Health Information

Network

National Health Information

Network

HIO

HIO

Integrated Delivery Network (IDN)

MD Practice

Long Term care

Hospital

Hospital

Radiology Group

IPA

MD Practice

MD Practice

MD Practice

MD Practice

HIE/HIO – What is it?



“HIE” vs. “HIO” – What’s the Difference?

“Health Information Exchange” or “HIE” is used as a verb to refer to the act of sharing health information among two or more providers through an organized exchange network.

“Health Information Organization” (or “HIO”) is used to refer to the technical and operational infrastructure, including the governing body, that is created to support electronic sharing of health information.

These terms were defined in the Report to the Office of National Coordinator for HIT on Defining Key Health Information Technology Terms prepared by the National Alliance for Health Information Technology. Posted on ONC’s website in June of 2008 at http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__reports/1239).

http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__reports/1239

The Law

Connecting Healthcare with Legal ExcellenceSM © 2015 Oscislawski LLC

Patient Privacy


Privacy Laws

HIPAA Covered Entity

Organized Health Care Arrangement

Business Associate

Treatment, Payment & Health Care Operations

42 C.F.R. Part 2

State Law Facility Licensing Laws

Provider licensing laws

Information-specific (i.e., “sensitive information”)

New Jersey Identity Theft Prevention Act (breaches)



Applicability

• Applies to “Covered Entities” • Health care provider conducting electronic standard

transaction • Health Plans • Health Care Clearinghouse

• Applies to Protected Health Information (PHI):

• Any information which relates to the past, present or

future physical or mental health of an individual,

including provision or payment for care (up to 50

years after death).


HIPAA: “Organized Health Care Arrangement”

45 CFR 160.103 of the HIPAA Privacy Rule:

(1) A clinically integrated care setting in which individuals typically receive health

care from more than one health care provider; [OR]

(2) An organized system of health care in which more than one covered entity

participates and in which the participating covered entities:

(i) Hold themselves out to the public as participating in a joint arrangement; and

(ii) Participate in joint activities that include at least one of the following:

A) Utilization review, in which health care decisions by participating covered entities are reviewed

by other participating covered entities or by a third party on their behalf;

(B) Quality assessment and improvement activities, in which treatment provided by participating

covered entities is assessed by other participating covered entities or by a third party on their behalf;

[OR]

(C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by

participating covered entities through the joint arrangement and if protected health information

created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.

[additional provisions applicable to health plans omitted]


HIPAA: “Business Associate”

45 C.F.R. §160.103. A Business Associate is a person/entity who/that:

(i) on behalf of such CE or of an organized health care arrangement (“OHCA”) in which the CE participates, but other than in the capacity of a

member of the workforce of such CE or arrangement, performs, or assists in

the performance of:

A. a function or activity involving the use or disclosure of PHI, including claims processing or administration, data analysis, processing or

administration, utilization review, quality assurance, billing, benefit

management, practice management, and re-pricing; or

B. any other function or activity regulated by this subchapter;

OR

(ii) Provides, other than in the capacity of a member of the workforce of such

CE, legal, actuarial, accounting, consulting, data aggregation (as defined in

§164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such CE, or to or for an OHCA in which the CE participates, where the provision of the service involves the disclosure of PHI

from such CE or arrangement.


HIPAA: HITECH changes

Adds BA’s sub-contractors

Specifically includes HIOs, RHIOs, e-prescribing gateways,

and PHR vendors providing service on behalf of a covered

entity.

Any person or entity that transmits PHI or requires access to PHI

on a “routine” basis.

Excludes “Conduits” for data transmission. Conduits are NOT BAs (e.g.,

access PHI on a random or infrequent basis)


HIPAA: “Conduit”

“Permitted” Activities:

Data transmission that does not require access to PHI on a routine basis

Access to PHI on a random or infrequent basis

Temporary storage that is incident to the transmission of the data (but not retained)

“Prohibited” Activities:

Access to PHI on a routine basis, or more than on a random or

infrequent basis

Managing record locator services (RLS) in connection with the data

transmission and/or storage

Providing direct oversight and/or control over the electronic health

information exchange through the network

Storing the PHI for any longer than transient period – i.e., storage for a

persistent period of time


HIPAA: “Permitted” Uses & Disclosures

Treatment – provision, coordination or management of

health care and related services by one or more health

care providers

Payment – activities for obtaining payment or

reimbursement for the provision of health care and

activities relating to premiums, coverage and provision

of benefit.

Health care operations – quality assessment and

improvement activities, competency assurance

activities, medical reviews/audits/legal services,

specific insurance functions, business planning and management, and other administrative activities.


HIPAA: “Permitted” Uses & Disclosures (con’t)

Research

Public Health

Required by Law

Others…

42 C.F.R. Part 2



Part 2 Applicability

Protects confidentiality of alcohol/drug abuse

treatment and rehabilitation with regard to any

information which could identify the patient as a

current or former drug/alcohol patient.

Applies only to those patient records maintained in

alcohol/drug treatment and rehabilitation programs

which receive direct or indirect federal assistance.



“Federally-Assisted” “Programs”

• “Program” – any person or organization that provides

(specifically-dedicated) alcohol or drug diagnosis,

treatment, referral for treatment or prevention.

• “Federally assisted” – federal funds, whether direct or

indirect.

• $$ received in any form, even if it does not pay directly for

alcohol/drug abuse services

• Receives tax exempt status or tax deductions from IRS

• Authorized to conduct business by federal government

• Conducted directly by federal/state/local government



Consent for Disclosure

In general, disclosure of patient

records is strictly prohibited without patient written consent unless would

otherwise be permitted or required

under an exception in 42 CFR Part 2.



• Internal communications

• De-identified information

• Medical emergencies

• QSO pursuant to QSOA

• Audits/evaluations

• Crimes/threat of crime on premises of program or against

program personnel

• Initial reports of child abuse/neglect

• Research

• Court order

Permitted Disclosures w/o Consent



Written Consent + Notice Requirement

• Multiple consents may be required by 42 CFR Part 2 for

each type of disclosure as well as each recipient.

• Two-Way and Multi-party consents allow the exchange

of information between necessary parties

• Qualified Service Organization Agreements (QSOA)

• “Minimum necessary”

• Statement prohibiting Redisclosure

• Revocable

• Conditioning of Treatment

CONSENT


Consent to What ?

Before we can answer the question of if

(as a matter of law, policy or otherwise)

the patient’s consent is or should be required,

or whether the patient should or must, at a minimum, be

afforded a right to “opt-in” or “opt-out”, we must first

ask and answer:

“What is the patient consenting to”?

“What is the patient ‘opting in’ to or ‘opting out’ of” ?



Layer 1 Question: Is consent legally required to allow the

patient’s data to be released to an HIO to hold and store on

behalf of the entity contributing the patient data?

Answer:

No, under HIPAA - the HIO is a HIPAA BA for this purpose.

Under Part 2, an HIO may qualify as a QSO for this purpose.

Under NJ Law, most likely no additional consent required if

treated like any other “vendor” servicing the entity.

Also known as “Opt-In”.

Consent is a Multi-Layer Question: Layer 1



Consent is a Multi-Layer Question: Layer 2

Layer 2 Question: If patient information has been

transmitted to an HIO for storage, is the patient legally

entitled to a right to “opt-out” of networked HIE before

transmission or access starts?

Answer:

No, under HIPAA. Does not address opt-out for HIE.

Part 2 is also silent on opt-out for HIE.

New Jersey law silent about opt-out or consent in

HIE/HIO context; but, NJDOH & NJHIT Commission have

published documents supporting the patient’s right to

“opt-out” of having their information shared through

networked HIE.



Layer 3 Question: After data is stored by the HIO and the opt-

out opportunity has been presented, who can it be transmitted to and who can access that information, and is

any additional patient consent required before any such

transmission and/or access?

Answer:

• HIPAA says no additional consent required for Treatment,

Payment & Health Care Operations, and certain other use cases

(i.e. public health; required by law etc.)

• Part 2 will require consent to disclose to any 3rd party.

• NJ Law exceptions say no additional consent required for certain

exceptions. DEPENDS on type of info, who is getting the

information, and for what purpose (more on this later…). Also

depends on how broad entity’s registration consent is and if it

covers disclosures contemplated by networked HIE.

Consent is a Multi-Layer Question:

Layer 3



GWU 2010 Whitepaper: HIE Consumer

Consent Options for HIE

No Consent

Opt-Out

Opt-Out, with Granularity of Choice

Opt-In

Opt-In, with Granularity of Choice

* Consumer Consent Options for Electronic Health Information Exchange:

Policy Considerations and Analysis, Department of Health Policy, School of

Public Health and Health Services, George Washington University medical

Center (March 23, 2010).

State Law


Consent Standards by Type of Provider

Provider Type Consent Standard Exceptions (No Consent Required)

Licensed Physicians General Confidentiality. Allowed to share info in “professional

judgment” & “best interests of patient” (even without consent) N.J.A.C. 13:35-6.5(d), (e)

Acute Care Hospital patient “approval” N.J.A.C. 8:43G-4.1(a)(21)

1) transfer to another health care facility

2) required & permitted by law

3) Required & permitted by payor contract

4) required & permitted medical peer review

5) required and permitted by NJDOHSS

6) de-identified aggregated data

Long Term Care Facility resident “approval”. N.J.A.C. 8:39-4.1(a)

Same as hospitqal, but not peer review or de-

identified aggregated data. N.J.A.C. 8:39-4.1(a)

Assisted Living Facility resident “approval”. N.J.A.C. 8:36-4.1

Same as LTCF. N.J.A.C. 8:36-4.1

Ambulatory Care Facility “written consent” of the patient. N.J.A.C. 8:43A-13.5(a), (b).

Same as for hospital. N.J.A.C. 8:43A-16.2(a)9

Residential HC Facilities “written consent” of resident“. N.J.A.C. 8:43-4.6(a)

Same as LTCF, but allows disclosure to

“authorized government agencies”. N.J.A.C. 8:43-4.6(a


Consent Standards for Special Providers

Provider Type Consent Standard Exceptions (No Consent Required)

42 CFR Part 2 Facility or Program

Prior Informed Consent. 1) Internal Communication within the Part 2 Program or entity with direct administrative control.

2) De-identified Information

3) Research 4) Medical Emergency 5) Court Order 6) Audits and program evaluations 7) State reporting 8) Qualified Service Organizations/BA

Mental Health Providers (licensed by

Department Human

Services or contracted

with State Division)

Valid, written authorization or judicial order to release records. NJAC 10:41-52(a).

1) As directed by the Attorney General in response to plaintiff in tort claim or civil action;

2) To the DHS directly related to its admin; 3) To family friends that patient lists out;

4) To transferee facility 5) To Medical Staff outside the Dept who have

assumed temporary medical responsibility for the individual shall have access to information and records as necessary for the treatment of the patient;

6) To law enforcement to locate missing person; 7) To an agency investigating abuse or neglect 8) Licensure or audits of facility;

9) Guardianship actions


Type of Information Consent Standard Exceptions (No Consent Required)

HIV/AIDS Prior written informed

consent.

N.J.S.A. 26:5C-8.a

#1 Scientific IRB-approved research

#2 Certain audit functions, but info must be de

identified unless vital to the audit

#3 Qualified personnel directly involved in medical

Education

#4 Qualified personnel directly involved in treatment

of the person

#5 Reporting to NJDOHSS as required by law

#6 As permitted by NJDOHSS for disease prevention & control

#7 If authorized by State or federal law. N.J.S.A 26:5C-8.b(3).

Venereal Disease (STD) Silent. (see chart)

Genetic Info Informed Consent (see chart)

42 CFR Part 2 Record

(re-disclosure) Prior Informed Consent See Part 2 Facilities

Emancipated Minor

Care Consent MD discretion in certain cases

“Paid for Out of

Pocket” HIPAA Authorization none

Consent by Type of Information


New Jersey Law – Quick Table

Implementing “Opt-Out”

in a Networked HIE Community


Legal Framework

• HIPAA BA Agreements with “facilitator”

• End User Agreements to bind end user to standards

• “Data-Exchange Agreements” (aka “Trust Agreements”

or “Participation Agreement”) to bind participating

entities to same standards, and to allocate responsibility

• Policies governing terms & conditions of networked HIE

• Patient Educational Brochure

• 2-Layer Notice of Privacy Practices (notice of HIE)

• Opt-Out process

• Consents where required by law, or required for particular type of provider or information.



NPP Sample HIE Language

• As a [member/participant] with [HIO Name] we may use or disclose your Personal Health Information to [HIO Name] and also to the other members/participants of [HIO Name].

• Other health care providers, such as physicians, hospitals and other health

care facilities, may have access to this information for treatment, payment and other purposes, to the extent permitted by law.

• You have the right to “opt-out” or decline to participate in networked Health

Information Exchange (HIE). • If you choose to opt-out of the HIE, this will prevent your information from

being available to be shared through [HIO Name], however it will not prevent how your information otherwise is typically accessed and released to authorized individuals in accordance with the law, including being transmitted through other secure mechanisms (i.e., by fax or an equivalent technology.)



NPP Acknowledgment Signature

Other Recent

Developments



ONC Interoperability Roadmap

• http://www.healthit.gov/policy-researchers-

implementers/interoperability

• Proposes critical actions for both public and private

stakeholders that will advance our nation towards an

interoperable health IT ecosystem, advance research and

ultimately achieve a learning health.

• Health IT that facilitates secure, efficient and effective

sharing an use of electronic health information when and

where it is needed is essential to better care, smarter spending and a healthier nation.

• Public comment being accepted until April 3, 2015

http://www.healthit.gov/policy-researchers-implementers/interoperability






Thank you. Any questions?

Check out our blog www.legalhie.com

and our Health Law Diagnosis articles posted on www.oscislaw.com

Helen Oscislawski, Esq.

Principal, Attorneys at Oscislawski LLC

[email protected]

609-385-0833

http://www.legalhie.com/

mailto:[email protected]

NJ HFMA CARE Forum - HFMA NJ Chapter - Home Page · (“OHCA”) in which the CE participates, but...

Documents

Transcript of NJ HFMA CARE Forum - HFMA NJ Chapter - Home Page · (“OHCA”) in which the CE participates, but...