This document provides an overview of HIPAA and 42 CFR Part 2 regulations regarding protected health information. HIPAA establishes national standards for secure handling of health data, while 42 CFR Part 2 provides additional privacy protections for substance abuse treatment records. Both laws restrict disclosure of personal health information without patient consent, with 42 CFR Part 2 requiring written consent even for common uses like treatment, payment, and healthcare operations. The document defines key terms and outlines permitted uses and disclosures, consent requirements, and exceptions under each regulation.
2. HIPAA
Health Insurance Portability and Accountability Act
• Federal Law, enacted 1996
• National standards for security of health data
• Administrative Guidelines: Privacy, Security & Standard Transactions
Health Information Technology for Economic and Clinical Health Act (HITECH)
• Included in the American Recovery and Reinvestment Act (ARRA) of 2009
• Omnibus Rule (2013)
3. Important Definitions
Covered Entity
A Covered Entity is a healthcare delivery option that includes doctors, clinics, hospitals, dentists, nursing homes and pharmacies that transmit data, as well as health plans and healthcare clearinghouses.
Business Associate
A Business Associate is any person or organization that functions on behalf of a covered entity in a way that involves use or disclosure of identifiable health information. Examples include billing and coding vendors.
4. What is Protected Health Information (PHI)?
• Name
• Address
• Dates directly related to the patient
• Telephone number
• Fax number
• Email addresses
• Social Security Number
• Medical Record Number
• Health Plan Beneficiary Number
• Account Number
• Certification/License Number
• Any vehicle license number
• Any device serial number
• Web URL, IP address
• Finger or voice prints
• Photographic images
• Any other unique number, characteristic or code
• Age greater than 89
5. PHI Details
What information is Protected?
All Medical Records and Other Individually Identifiable Health Information (PHI) Used or Disclosed by a Covered Entity in any Form: Electronic, on Paper or Orally
What is Included?
Individually Identifiable Information that was provided by the client, created by you, created by another and forwarded to you, or forwarded to you for payment, treatment or healthcare operations.
6. Covered Entities Permitted Uses and Disclosures
A CE is permitted, but not required, to use and disclose PHI without an authorization, for the following purposes:
◦ To the individual
◦ Treatment, Payment and Health Care Operations (TPO)
◦ Opportunity to Agree (having someone in the room during the session)
◦ Incident to an otherwise permitted use
◦ Limited Data Set for purposes of research, public health or health care operations
7. Privacy Rules
The goal of the HIPAA Privacy Rule is to properly protect individuals' health information and to use PHI appropriately while protecting the privacy of people who seek care and healing.
9. 42 CFR Part 2
42 CFR Part 2 (commonly referred to as "Part 2") is the set of federal regulations governing the confidentiality of drug and alcohol abuse treatment and prevention records.
Privacy protections afforded to alcohol and drug abuse patient records
Motivated by the understanding that stigma and fear of prosecution might dissuade persons from seeking treatment
10. Who is Covered?
42 CFR Part 2 applies to any individual or entity that is federally assisted and provides alcohol or drug abuse treatment or referral for treatment (42 CFR § 2.11)
Federal assistance includes funding, treatment provided and clinical licenses that are at the federal level (DEA license)
11. Regulations
Restrict the disclosure and use of alcohol and drug client records
Any information disclosed by a covered program that “would identify a patient as an alcohol or drug abuser” (42 CFR § 2.12(a)(1))
With limited exceptions, 42 CFR Part 2 requires client consent for disclosures of PHI even for the purposes of TPO.
Consent must be in writing
12. US Government Publishing Office
Includes the electronic Code of Federal Regulations (eCFR)
Introduction, General Provisions, Disclosures with Patient Consent, Disclosures without Patient Consent, Court Orders Authorizing Disclosure and Use
http://www.ecfr.gov/cgi-bin/text-idx?rgn=div5;node=42%3A1.0.1.1.2
42 CFR changes coming:
https://www.federalregister.gov/articles/2016/02/09/2016-01841/confidentiality-of-substance-use-disorder-patient-records
13. Written Consent
The primary way in which patient substance abuse information may be disclosed is with a patient’s written consent. Substance abuse programs and providers must give patients a written summary of the federal laws and regulations that protect the confidentiality of patient substance abuse records and a description of the circumstances when the patient’s information may be disclosed without his/her consent.
14. Consent Forms
For all other disclosures, consent must be obtained using a written consent form. A single consent form may authorize disclosure to multiple parties or for multiple purposes.
Consent forms must contain the following specific elements:
• Patient name
• Agency making the disclosure
• Name of the person or agency to which the disclosure is made
• Nature and amount of information to be disclosed (minimum necessary)
• Purpose of the disclosure (as specific as possible)
• Effective and expiration dates, and the event or condition upon which the consent expires
• Language explaining the consent process, which may include a statement about possible denial of services if not signed for purposes of treatment, payment or healthcare operations
• Signatures of the client and/or authorized representative, and a description of the authority to sign on the client’s behalf
15. Exceptions: Always work with Privacy Officers
• Program communications
• To communicate with Qualified Service Organizations (QSO)
◦ Similar to other covered entities or business associates
• Medical emergencies
• Response to a crime against program personnel or on program premises
• Research activities (approved by IRB)
• Audit and evaluation
• Report suspected child abuse or neglect
• Circumstances involving certain minors or incompetent patients
• Response to a valid court order
• Cause of death
16. HIPAA and 42 CFR Part 2
Substance use programs must comply with both HIPAA (45 CFR) and 42 CFR Part 2
If there is a conflict, the more stringent rule applies
HIPAA/42 CFR comparison
Editor's Notes
Welcome to the HIPAA Compliance Overview for CIBHS class. This class will cover, at a high level, the basics of the HIPAA 45 CFR regulations as of January 2016, what you will need to do to meet compliance and future planning needs.
HIPAA was enacted in 1996 to address the different standards noted in the slide. This class will cover the security and privacy sections of the law. HIPAA set a national standard for accessing and handling medical information. It was started by President Clinton and is also known as the Kennedy-Kassebaum Act. Click on the orange bubble for more info on HITECH.
Enacted 8/21/96. The Act included a number of titles, but we are concerned with Title II, Administrative Simplification.
We mentioned a Business Associate earlier in the class. That is one of the important definitions you will need to remember as you work on your compliance efforts. A Business Associate is a person or organization that functions on behalf of the covered entity. CIBHS is considered a Business Associate to our customers who are covered entities. A covered entity is a healthcare delivery option that includes doctors, clinics, hospitals, nursing homes and pharmacies that transmit data. Also includes health plans and healthcare clearinghouses (billing services, medical reviewers).
Show BAA example.
There are 18 types of identifiers that if used alone or in combination are considered PHI. Review the list and see if you are surprised by any item. The last item, Age greater than 89, relates to a possible identification of someone just based on their age. For example, Mr. Jones is 99 and receiving services at the local MH agency. The agency has an article in the local paper talking about their services and mentions their 99 y/o client who loves coming in for services. Mr. Jones is the only 99 y/o in the town. He could be identified and his privacy breached by that remark. Mr. Jones should have signed a release of information to allow his information to be used.
All medical records and other individually identifiable health information used or disclosed by a CE in any form (electronic, paper and oral) is protected. You have to consider all of the information you have on the client; information that was provided by the client, created by you, created by another, forwarded to you for any reason including TPO.
There are some instances where a covered entity is permitted to disclose PHI without an authorization. You can use and disclose PHI to the individual, for Treatment, Payment and Healthcare Operations (TPO), and other areas noted here that may or may not come up at your agency. The government understands you have to treat your client, work together with others at your agency and receive payment for services delivered without undue hardship. Remember that any other use or disclosure falls under privacy rules.
Code of Federal Regulations.
The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
Patients’ rights under HIPAA:
• To see their medical record
• Obtain a copy of their medical record
• Request amendments to their medical record
• Request disclosure restrictions
◦ Private pay
◦ Certain other disclosures, including research and marketing
• To authorize disclosures
• To receive a Notice of Privacy Practices
• To have an accounting of disclosures (not TPO)
• Timely notification of any breaches
• Secure communications
• Confidential communications when requested
Privacy rules are more focused on the individual’s health information and how we protect it. The goal of the privacy rule is to properly protect the client’s health information and use PHI appropriately while protecting the privacy of people who seek care and healing.
June 13, 2016
Obama Administration Temporarily Waives HIPAA: But Did It Have To Be?
In the aftermath of the shootings in Orlando late Saturday night, President Obama applied a unique waiver to HIPAA, allowing family and friends of the victims to gain quicker access to information about their loved ones. In most situations, information about an individual's condition would not be released to anyone but a spouse or next of kin absent a consent from the patient. In normal circumstances this is a valuable protection on an individual's privacy. However, the situation this weekend was anything but normal. Family and friends were unable to obtain any information on the condition of their loved ones, and a consent was simply not possible in many circumstances. Section 1135 of the Social Security Act, which was invoked, allows healthcare providers flexibility in sharing protected health information ("PHI") with loved ones in emergency situations. The only other time this provision had been enacted was in the aftermath of Hurricane Katrina. For this waiver to be applied, the president must declare a national emergency and the secretary of the Department of Health and Human Services must declare a public health emergency, both of which were declared for Orlando on Sunday. The waiver applying during an "emergency period" may be no more than 72 hours, which is how long this waiver is in effect. This is also not a complete waiver of HIPAA, but only a temporary suspension of the requirement for patient consent before releasing PHI to loved ones who are not a spouse or next of kin. There is a question whether Section 1135 had to be invoked. The Office of Civil Rights has published opinions stating that health care providers can release PHI to loved ones if a person is incapacitated "if, in their professional judgment, doing so is in the patient's best interest." Arguably that would be the end of the discussion.
However, invoking Section 1135 unequivocally insulated health care providers from even the potential of fines or sanctions for non-compliance. Absolutely necessary or not, temporarily waiving limited portions of HIPAA allowed providers to focus on the important tasks at hand rather than worrying about potential HIPAA violations.
Now we’ll discuss 42 CFR. You are aware of these regulations if you work in a substance abuse program. These regulations were developed to reduce the stigma of receiving substance abuse treatment and to help address the privacy concerns clients may have.
Read slide
The rules were first enacted between 1972 and 1975. There have been a lot of changes since then. 42 CFR includes some of the same rules as HIPAA, but it is a separate federal law that is often more stringent than HIPAA.
Read slide.
Ask if they remember what TPO is.
For your information, here is the link to the 42 CFR regulation.
Must get a written consent. Read slide.
Lots of content on this slide, but the consent form is very prescribed and MUST include these data elements.
Read slide
Both HIPAA (45 CFR) and 42 CFR Part 2 are about client privacy. The most stringent rule will apply. Here is a reference to a comparison between HIPAA and 42 CFR. In most cases, 42 CFR will be followed. There are some HIPAA requirements for form language that also must be met.
Click link to show comparison chart.