HIPAA PRIVACY PRODUCTS FOR NY STATE MENTAL HEALTH PROGRAMS

ACLAIMH’S

FREQUENTLY ASKED HIPAA QUESTIONS

CONSENT ISSUES:

OUR RESIDENTIAL PROGRAMS GET SPECIFIC CONSENTS (Individual authorizations) FOR TREATMENT USING THE OMH “CONSENT FOR RELEASE OF INFORMATION” FORM, AS WELL FOR ALL OTHER DISCLOSURES THAT ARE NOT MANDATED BY LAW. WE ALSO GET CONSENT FOR PAYMENT THROUGH OUR RESIDENCY AGREEMENTS. SHOULD WE CONTINUE TO GET CONSENTS?

  • HIPAA does not require any consent for the use and disclosure of protected health information (PHI) for Treatment, Payment and Health Care Operations (TPO); HOWEVER, it also expressly states that you should NOT use HIPAA as a reason to back off from existing clients’ privacy rights.

  • OMH does not require consent for the use and disclosure of PHI for TPO, even beyond unified services counties. Their policy is that licensure by the Office of Mental Health is sufficient. However, the Tiered Certification standards that OMH standards compliance analysts follow require consents for all disclosures. This is a starred item requiring reductions in operating certificates for non-compliance. There’s a contradiction within OMH between policy and practice.
    APRIL UPDATE: OMH has taken the requirement for consent out of its tiered certification model for outpatient and for residential services.

    On the other hand, the NYS DEPARTMENT OF HEALTH (under which we bill Medicaid) has interpreted NY Law to require a one-time-only consent for use and disclosure of PHI for TPO.

    APRIL UPDATE: Ropes and Gray has informed us that DOH is now backing away from the requirement for a General Consent for Treatment, Payment and Health Care Operations. It is causing complications for providers. ACLAIMH’s sample Notice of Privacy includes this at the end. If you want to delete the General Consent it is probably a low risk to do so. If you have already given it to clients with the General Consent attached, just modify for future clients, and post the new one at all sites now.
  • The majority of ACLAIMH’S MEMBERS report that they always get consents for the disclosure of PHI for treatment, updated every six months or on a one-time basis for some situations, and that they get consents for disclosure of PHI for payment through the residency agreement (updated yearly). They also give clients the right to revoke consent. Remember that HIPAA expressly states that it should not be used to back away from existing practices that afford clients more rights.

SO WHAT DO YOU DO NOW?

We are suggesting that you continue to do what you have always done if that practice goes beyond what HIPAA and OMH require.

OUR AGENCY IS IN A “UNIFIED SERVICES COUNTY” AND THEREFORE, WE DO NOT GET SPECIFIC CONSENTS FOR TREATMENT. WHAT IS OUR OBLIGATION NOW, UNDER HIPAA?

  • Because HIPAA and OMH both state that you do NOT need consent for Treatment, Payment and Health Care Operations, you do not need to start getting specific consents now.

WHAT IS THE INDIVIDUAL AUTHORIZATION AND HOW DOES THAT COMPARE TO THE “CONSENT FOR RELEASE OF INFORMATION” THAT WE ARE USING NOW? SHOULD I REPLACE THE “CONSENT FOR RELEASE OF INFORMATION” WITH THE “INDIVIDUAL AUTHORIZATION”? IF NOT, WHICH DO I USE FOR WHAT PURPOSE?

  • Although HIPAA does not require consent for Treatment, Payment and Health Operations so that these functions are unencumbered, they recognized that privacy dictates that consent should be gotten for other types of disclosures not mandated by law or by oversight entities. Therefore, they came up with the Individual Authorization. This is remarkably similar to the “Consent for Release of Information” that you use now, and is quite specific. It asks the who, what, and when questions.

You can do one of two things:

    1. For ease of use and understanding, and to avoid mistakes by staff, you can import anything from your current “Consent for Release of Information” form into the “Individual Authorization” and use it for all circumstances when you get specific consent. DO NOT REMOVE ANY LANGUAGE THAT IS IN THE SAMPLE INDIVIDUAL AUTHORIZATION. IT IS HIPAA SPECIFIC AND NECESSARY FOR ALL DISCLOSURES THAT REQUIRE AN INDIVIDUAL AUTHORIZATION UNDER HIPAA. USE THE NAME “INDIVIDUAL AUTHORIZATION” AND STOP USING THE NAME “CONSENT FOR RELEASE OF INFORMATION.” This is a bit complicated in the short run, but will be simpler in the long run.

    2. OR - Continue to use the Consent for Release of Information for Treatment - the Residency Agreement for payment - the General Consent for Health Care Operations mentioned above. You would then use the Individual Authorization for all disclosures that require it under HIPAA. This requires you and your staff to have an understanding of when to use which, and is more complicated in the long run.
    APRIL UPDATE: Because OMH has taken the requirement of consent out of the tiered certification model, you will have to decide if you will continue to get consents at all for treatment, payment and health care operations. Remember that HIPAA investigations are complaint driven and HIPAA expressly states that you should not use it as an excuse to restrict rights given now.

OUR AGENCY IS THE SERVICE PROVIDER WORKING HAND-IN-GLOVE WITH A LANDLORD THAT IS ALSO A NOT-FOR-PROFIT AGENCY INTERESTED IN SUPPORTING PERSONS WITH DISABILITIES IN PERMANENT, AFFORDABLE HOUSING. THEY MAINTAIN A LARGE SINGLE-SITE BUILDING, WHILE WE PROVIDE ON-SITE SERVICES (e.g. Times Square Hotel – Common Ground and CUCS). WE ROUTINELY DISCLOSE PHI TO THE LANDLORD BECAUSE SPECIFIC UNITS IN THE BUILDING ARE SET ASIDE FOR PEOPLE WITH DISABILITIES, AND, AT A MINIMUM, THE LANDLORD NEEDS TO SEE THAT A PERSON IS ELIGIBLE. DO WE NEED A CONSENT/AUTHORIZATION TO RELEASE PHI TO THE LANDLORD? DO WE NEED A BUSINESS ASSOCIATES AGREEMENT?

  • If your agency is not on the lease, and you do not pay the landlord directly, but you provide the landlord with PHI, you don’t need a Business Associates Agreement, but do get the individual authorization from the client to be prudent.

OUR AGENCY WORKS CLOSELY WITH SMALL BUSINESSES IN OUR COMMUNITY TO PLACE CONSUMERS IN WORK. WE DO NOT PAY THE BUSINESS OWNERS SO WE DO NOT HAVE A BUSINESS RELATIONSHIP WITH THEM IN THE TRADITIONAL SENSE OF US PURCHASING GOODS OR SERVICES. DO WE NEED A CONSENT/AUTHORIZATION OR A BUSINESS ASSOCIATES AGREEMENT TO BRING A CONSUMER TO THE INTERVIEW, OR TO PLACE A CONSUMER IN THE BUSINESS?

  • It is prudent to get an individual authorization, although you can probably make the argument that the consumer’s act of going to the interview is “implied” consent. You do not need a Business Associates Agreement because you do not have a business relationship.

NOTICE OF PRIVACY ISSUES

WHEN IS THE DEADLINE FOR HAVING ALL CLIENTS SIGN THE NOTICE OF PRIVACY?

  • April 14, 2003

WHAT IF A CLIENT REFUSES TO SIGN?

  • HIPAA requires a good faith effort to get a signature. If the client refuses to sign, handle it the way you would normally handle this type of situation, e.g., make a note right on the Notice of Privacy that the client refused to sign and put it in the chart.

THE SAMPLE NOTICE OF PRIVACY HAS SECTIONS THAT ADDRESS SITUATIONS THAT OUR FACILITIES JUST DO NOT HAVE, e.g. A FACILITY DIRECTORY, MARKETING, and FUNDRAISING. CAN WE TAKE OUT THESE SECTIONS IF WE DON’T HAVE A FACILITY DIRECTORY, AND DON’T DO FUNDRAISING OR MARKETING?

  • Yes. We left it in because some of our providers have facility directories of some sort; e.g. large single-site facilities might have a switchboard with a directory, or a small facility might have names on mailboxes that are open to the general public. For these agencies, it is wise to leave this in and to give clients an opportunity to object. On fundraising – if you believe that you will never do fundraising, take it out, but given the fiscal times we are in, you might change your mind. On Marketing – if you ever use a client’s name or face on a brochure, in a newsletter, or in an ad, you should leave this in.

BUSINESS ASSOCIATE AGREEMENTS ISSUES

WHAT IS A BUSINESS ASSOCIATE?

  • Business associates are persons or organizations outside the residential program who "perform or assist in the performance of a function or activity involving the use or disclosure of individually identifiable health information..."

    Examples of services provided by business associates are:
    • claims processing or administration;
    • data analysis, processing or administration;
    • utilization review;
    • quality assurance;
    • billing;
    • benefit management;
    • practice management;
    • repricing;
    • legal, actuarial, accounting or consulting services;
    • data aggregation;
    • accreditation services;
    • management or administrative services;
    • financial services;
    • landlords in certain limited circumstances;
    • cleaning companies in certain circumstances.
    Disclosing information includes making biometric indicators available – this includes a person’s face.

IS A LANDLORD A BUSINESS ASSOCIATE, or in the alternative, SHOULD WE GET AN INDIVIDUAL AUTHORIZATION TO DO BUSINESS WITH LANDLORDS?

It depends:

  • If the landlord knows that the tenant is a consumer of mental health services, and the agency pays the landlord directly, then the landlord is a business associate that was given PHI, and the agency should get a Business Associate Agreement signed (particularly in the case of a landlord in a small building or 2 family house where the landlord becomes involved to some degree in the person’s care, e.g. will alert staff when someone seems to be decompensating); OR

  • If you disclose to the landlord that the tenant is a consumer of mental health services, but the consumer is on the lease, not the agency, and the agency does not send money directly to the landlord, then it is wise to get an individual authorization from the client to disclose the client’s status to the landlord, but you would not need a Business Associate Agreement; OR

  • If agency staff is helping the client find an apartment and the landlord is NOT told that the client is a consumer of mental health services, and the agency has NO business relationship with the landlord, then nothing is required.

    APRIL UPDATE: Some agencies have reported that they have asked landlords to sign but they refused. It would be unrealistic and unreasonable to expect that an agency would break a lease and move a client. Some agencies are not asking landlords for B.A. agreements; some are documenting the refusal to sign and going on with their business. Although this is not Ropes and Gray’s advice, we think that as an industry it is low risk to leave out the landlords – HIPAA could not have anticipated moving clients from their homes for lack of a B.A. Agreement.

IN THE ACLAIMH MANUAL THERE ARE TWO BUSINESS ASSOCIATES AGREEMENTS – WHICH SHOULD WE USE?

  • One is a sample from HHS, which balances the agency’s and the business associate’s interests. The other was written specifically for ACLAIMH’s members by Ropes and Gray and is more protective of your interests. We provided both for comparison. We recommend you use the one in Section Four, NOT the one titled “HHS Sample.”

WHAT IS A PARTNER, AND A CHAIN OF TRUST AGREEMENT?

  • These have been taken out of the security regulations, and no longer apply. A Partner is a term that was found in the Security Regulations before February 20, 2003, for which you would have had to get a Chain of Trust Agreement. HHS determined that all Partners must logically be Business Associates and so have folded them, and any specific requirements from the Chain of Trust Agreement, into the requirements for Business Associates, and Business Associates Agreements. ACLAIMH’s sample Business Associate Agreement is current. Ignore all references to Partners and Chain of Trust Agreements.

DESIGNATED RECORD SET

IS THE DESIGNATED RECORD SET EQUIVALENT TO THE “CLINICAL RECORD” AS WE HAVE TRADITIONALLY UNDERSTOOD IT TO BE?

  • No. It includes the clinical record but is greatly expanded beyond the clinical record. A designated record set is any group of records containing protected health information that may be used to make decisions about individual residents or their treatment. Under the Privacy Rule, designated record sets would include:
    • Mental health records maintained by the residential program or a business associate of the residential program;
    • Case records maintained by the residential program or a business associate of the residential program;
    • Billing records maintained by the residential program or a business associate of the residential program;
    • Any enrollment, payment, claims adjudication, and case or medical management records maintained for a health plan or insurer by the residential program or a business associate of the residential program; and
    • Any other group of records maintained by the residential program or business associate to make decisions about individual residents.

ARE QUALITY ASSURANCE REPORTS PART OF THE DESIGNATED RECORD SET?

  • Residential programs should note that the United States Department of Health and Human Services (“HHS”) has not provided clear guidance on what records would represent records maintained by the residential program or business associate to make decisions about individual residents. HHS has stated that the designated record set includes “records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access [to records].” This suggests that the “catch-all” category could include quality assurance reports, peer review records, and other compliance reports and materials, which, on some level, are used to make decisions about individuals. HHS has also stated, however, that quality assurance records “typically would not be used to make decisions about individuals, and, thus, typically would not be part of a designated record set.” HHS has warned that it does “not agree that records in these categories are never used to affect the interests of individuals.”

  • Given the contradictory nature of the advice from HHS, each agency must analyze categories of records, decide to what extent the records direct treatment of individuals, and ultimately make a business decision about whether or not to include the records.

ARE INCIDENT REPORTS OR INCIDENT REVIEW COMMITTEE MEETING MINUTES PART OF THE DESIGNATED RECORD SET?

  • Incident Review Committee Meeting Minutes: They are part of the designated record set to the extent that they may be used to direct treatment in the future.
  • Incident Reports: Same as above.

INCIDENT REPORTS AND MINUTES OFTEN HAVE OTHER CLIENTS’ NAMES ON THEM. HOW DO WE HANDLE THE POTENTIAL DISCLOSURE OF OTHER CLIENTS’ INFORMATION?

  • Before disclosing the record, other clients’ information must be redacted. This is true for any other records that might be shown to a resident, e.g. staff logs, billing records.

IF A CLIENT REQUESTS ACCESS, DO WE HAVE TO SHOW THEM THE ENTIRE DESIGNATED RECORD SET?

  • You should describe the entire set, and ask what parts they want to see. However, you may deny access under the following circumstances:

    1. The request is not in writing;[i]

    2. The information requested is not contained in a designated record set maintained by the residential program or any of its business associates;[ii]

    3. The request is to inspect or copy psychotherapy notes;[iii]
      • Psychotherapy notes are notes by a mental health professional that (1) document or analyze the contents of a conversation during a private counseling session, or during a group, joint, or family counseling session, and (2) are maintained separately from the resident’s designated record set. If a mental health professional’s notes are for any reason placed in the resident’s designated record set, they are no longer psychotherapy notes.

    4. The information was obtained from someone other than a healthcare provider, and (1) the residential program agreed to keep the identity of that person confidential, and (2) the Records Department staff[iv] determine that providing the resident with access to the information requested would reveal the identity of that person.[v]

    5. An authorized officer from a correctional institution certifies that granting an inmate’s request to copy his or her information would (1) jeopardize the health, safety, security, custody or rehabilitation of that inmate or other inmates, or (2) jeopardize the safety of any other person at the correctional institution, including those who are supervising or transporting inmates. However, the inmate’s request to inspect his or her information cannot be denied on these grounds.[vi]

    6. A licensed health care professional (such as a physician, physician’s assistant, or nurse)[vii] at the residential program has determined that granting the resident’s request is reasonably likely to endanger the life or physical safety of the resident or another person.[viii]
      • The danger must be to life or physical safety. The request cannot be denied simply because the information is sensitive or has the potential to cause emotional or psychological harm to the resident or another person.

    7. The information requested refers to another person, and a licensed health care professional (such as a physician, physician’s assistant, or nurse) has determined that granting the resident access to this information is reasonably likely to cause substantial harm to that other person. However, access may not be denied if the person who may be harmed is a health care provider.[ix]
      • EXAMPLE: A staff person at the residential program has incorporated information about several residents in his notes in the staff log. One of the residents requests access to the staff log, including the section that contains these notes. The resident’s request may be denied if a health care professional believes that releasing the information contained in the notes in the staff log is reasonably likely to cause substantial physical, emotional, or psychological harm to one or more of the other residents referred to in the notes in the staff log.[x]

    8. The information is a mental health record or an alcohol and substance abuse treatment record prepared in anticipation of litigation.

    9. The information is HIV/AIDS information contained in a mental health or alcohol and substance abuse record prepared in anticipation of litigation.

IS THE STAFF LOG PART OF THE DESIGNATED RECORD SET?

  • To the extent that it directs treatment.
    • Some agencies are moving to a loose-leaf binder with dividers by client so that all client related information is in the loose-leaf binder. They will direct staff to keep notes about other residents anonymous. The staff log would then be confined to program related notes.
    • If you do not do the above, then any time you show a client the staff log you should be sure to copy the relevant pages and redact information about other clients. You do not have to show the original because you would have to deface it in order to redact it successfully.

IS DUPLICATE INFORMATION PART OF THE DESIGNATED RECORD SET?

  • Yes

IF A CLIENT WANTS ACCESS TO HER DESIGNATED RECORD SET, AND THERE ARE DUPLICATE RECORDS IN THE SET, MUST WE SHOW HER ALL COPIES OF THE MATERIALS?

  • Exact duplicates do not have to be shown, but they have to be EXACT duplicates for this rule to apply. If a duplicate is different then both must be made available. For example, copies of actual prescriptions are in the client chart. Those prescriptions may be transcribed onto a medication sheet that is in the chart, onto a supervision log for staff to sign off on when a medication is taken, and on the medication cabinet to indicate quickly the time of day that the medications must be given. All are part of the Designated Record Set. The two lists may be identical, and so both would not be shown. The copies of the actual prescriptions, however, have the doctor’s name and license number so these are not identical to the lists, and the staff supervision log has staff initials, so the log is not identical. One list, the copies of the prescriptions, and the medication log would have to be offered.

ARE BILLING RECORDS PART OF THE DESIGNATED RECORD SET?

  • Yes

DOES THE BOARD OF DIRECTORS HAVE TO APPROVE THE HIPAA POLICIES?

  • Not-For-Profit law related to this topic states the following. “If the certificate of incorporation vests the management of the corporation, in whole or in part, in one or more persons other than the board, individually or collectively, such other person or persons shall be subject to the same obligations and the same liabilities for managerial acts or omissions as are imposed upon directors by this chapter.” Section 701(b) of the Not-For-Profit Corporation Law, Chapter 35, Article 7.

  • Under OMH regulations (see Part 595.6(d)(7)), the Board of Directors is responsible to approve agency policies, which includes policies related to confidentiality. There are no provisions in the regulations that allow this to be delegated to staff.

GENERAL QUESTIONS

WE ARE MAKING SURE THAT OUR COMPUTERS DO NOT FACE DOORS SO THAT A PERSON WALKING BY CANNOT SEE PHI ON A COMPUTER SCREEN. HOWEVER, IN SOME OFFICES, IF THE COMPUTER DOES NOT FACE THE DOOR, IT MUST FACE THE WINDOW. TO WHAT EXTENT MUST WE ENSURE THAT A PASSER-BY CANNOT SEE IN?

  • Use a common-sense approach. You do not have to ensure that no one who would affirmatively try to look in to see information could possibly see that information. One agency told us about a product called “Insta-Cling – Limo Dark” from Wal-Mart at $11.00 per box. It is a gray plastic film that clings to the window. This would certainly be a reasonable safeguard under the Privacy Rule. This suggestion comes from Human Development Services.

ARE STAFF ID’S REQUIRED UNDER HIPAA?

  • No.

WE HAVE SPECIFIC POLICIES ON THE USE AND DISCLOSURE OF CONFIDENTIAL HIV INFORMATION. DOES THIS CHANGE WITH HIPAA?

  • For the most part – NO. New York law is more stringent than HIPAA on the use and disclosure of confidential HIV information and so you should generally continue to follow your current practices. However, there are areas where HIPAA and NY Law must be integrated. ACLAIMH has a Guide To Developing Policies For HIV Information that is part of the manual that was created. This Guide along with Guides For Mental Health Information, Substance Abuse Information, And The Designated Record Set are available separately. See below for information.

WE HAVE CLIENTS SIGN OUT BUS TOKENS ON A RUNNING SHEET THAT WILL REVEAL TO OTHER CLIENTS, AND ANYONE WHO LOOKS AT THE SHEET, THAT THOSE WHO SIGNED ARE IN OUR CLINIC PROGRAM. WE MUST HAVE A LIST TO GIVE TO MEDICAID FOR PAYMENT SO WE CANNOT DO AWAY WITH THE LIST. HOW CAN WE HANDLE THIS?

  • Leave out a PEEL AND STICK label sheet, and have the client sign the label. The person giving out the bus tokens can then peel off the label, and attach it to a sheet that she has protected from public view. This suggestion came to us from Clearview staff.

ARE OUR OUTREACH OR SUPPORT PROGRAMS SUBJECT TO HIPAA?

  • Only if the programs provide treatment, and maintain or create protected health information.

I UNDERSTAND THAT WE HAVE TO TRAIN STAFF IN THE FUNDAMENTALS OF HIPAA. DO WE HAVE TO GIVE THEM A POST-TEST?

  • No post-test is necessary. However, you do need documentation of the training.

WE OFTEN HAVE VOLUNTEERS AND INTERNS WORKING IN OUR OFFICES AND PROGRAMS. DO WE HAVE TO TRAIN THEM AS WELL?

  • Yes. Volunteers and interns are considered part of your work force.

WE HAVE CHILDREN’S PROGRAMS WITH CHILDREN BETWEEN THE AGES OF 10 AND 18, AND SOMETIMES THEY ARE REMANDED TO OUR PROGRAMS STRAIGHT FROM COURT WITHOUT A PARENT. WHO DO I GIVE THE NOTICE OF PRIVACY TO?

  • Give the Notice of Privacy to the child. There are instances where an un-emancipated minor can exercise his/her privacy rights. It is good practice to also send a copy to the parent, to the legal guardian if other than the parent, or to the personal representative.

WE OFTEN RECEIVE SUBSTANCE ABUSE INFORMATION FROM SUBSTANCE ABUSE TREATMENT FACILITIES, AND WE ARE DIRECTED TO NOT RE-DISCLOSE EXCEPT IN COMPLIANCE WITH THE LAW. DOES THIS STILL APPLY?

  • Yes. Substance Abuse Treatment facilities will send information to you but stamped with a notice that is directive in terms of re-disclosure. You then re-disclose in compliance with the law. HIPAA has NO EFFECT on this.

DO WE HAVE TO GET A BUSINESS ASSOCIATES AGREEMENT FROM PHARMACIES?

  • NO. Your interactions with them are “treatment” related and so do not necessitate a Business Associates Agreement.
632 Plank Road • Suite 110 • Clifton Park, NY 12065 • Phone: 518.688.1682 • Fax: 518.688.1686 info@aclnys.org