(Excerpt from 2006 Edition of Confidentiality And Communication, A Guide to the Federal Drug & Alcohol Confidentiality Law and HIPAA by Legal Action Center)
The technology explosion has changed the way most people do business. Programs must now preserve the confidentiality of patient records using systems that electronically transfer information.
How can programs take advantage of time-saving and portable equipment, such as desk and laptop computers and cellular telephones, without violating confidentiality. How can programs respond to the increased use of electronic data collection and transfer systems to evaluate service needs and utilization and to pay for services? The following offers answers to some common questions about confidentiality in the electronic age.
In the days when records were exclusively on paper, their location was more knowable and securable. A paper file exists in a specific place and can be locked in a file drawer. Now, that same patient record can be kept on the hard drive of a desk top computer that may be linked via a network to other computers in a clinic or even to an employee's home. It can also be faxed or copied onto a removable device and carried from one location to another.
The original intent behind passing HIPAA was to address the growing need to control and protect health related information as the health care industry became more dependent on electronic means to share and communicate such sensitive information. To this end, HIPAA contains two parts: the privacy standards, which governs the use and disclosure of protected health information (discussed throughout this book), and the electronic security standards, which require covered entities to implement a series of technical electronic measures, such as data code sets, access restrictions and electronic signature standards, to control access to, and the dissemination and content of , protected health information that is electronically stored and transmitted. The security standards are contained in 45 C.F.R. Parts 142 and 162. A detailed discussion of the security provisions are beyond the scope of this book, but programs should consult with their technical consultants and computer support staff to assure that the requisite risk assessments are performed and the appropriate electronic security measures are put in place.
Although 42 C.F.R. Part 2 predates the widespread use of computers, its basic principles guiding the collection, storage and disclosure of patient records apply regardless of electronic or paper format. The ease of collecting and transferring information makes the protection against the widespread disclosure of personal alcohol and drug information more important than ever. The potential for wrongful disclosure of confidential information has expanded right along with the enhanced capability of computer to disseminate information. Thus, the fundamental principles remain that a program may not disclose patient-identifying information without patient consent, or unless the disclosure meets one of the exceptions to the consent requirement.
The use of networks and discs increases the number of people who may have access to patient records at their fingertips. For example, a hospital might computerize all patient records, running the risk that patient information would be accessible to all hospital staff. Such unfettered access to patient –identifying information would clearly violate both HIPAA and 42 C.F.R. Part 2. Even in a free-standing drug and alcohol program, making electronic patient files accessible to anyone other than those who need the information in order to provide treatment and prevention services would violate both laws.
The solution is to create a parallel system to the locked file cabinet by using computer file security. In fact, HIPAA requires covered entities to control access to patient information through both the security standards mentioned above, and through the “minimum necessary” standard which requires programs to identify members of the workforce who need access to protected health information to carry out their duties, the categories of information to which staff needs access and any conditions to their access.
An Executive Order issued in 2004 calls for the development and adoption of an interoperable electronic health record (EHR) within 10 years. The goals of the National Health Information Network (NHIN) are to interconnect physicians, personalize care for consumers and improve public health.
As this book is going to print, a number of outstanding issues related to the confidentiality of the health care records contained in the NHIN have not been resolved. It is unclear if participation in the NHIN will be voluntary or mandatory, if the system will be designed to allow providers to block access to certain types of personal health information protected by State or Federal law, and if entities other than health care providers, such the criminal justice and welfare system, will have access to information contained in the NHIN.
HIPAA permits health care providers to share personal health information (PHI) for treatment purposes without first obtaining patient consent. It does not allow for the sharing of PHI to entities other than health care providers without consent. HIPAA also require providers to follow State laws that relate to health privacy and provide protections that are "more stringent" than HIPAA. 45 C.F.R. § 160.203(b). Many States have such laws, particularly to protect sensitive information such as that which is related to one's HIV status, other sexually transmitted diseases or mental health. Because there is no indication at this time that participation in the NHIN would be voluntary, and because there does not appear to be any mechanism to block access to certain sensitive personal health information, providers who exchange information that is protected by a more stringent State law would violate both HIPAA and the State law. To remedy this conflict, we believe that participation in the NHIN should be voluntary, not mandatory, and that the system designed to allow providers to block access to certain types of PHI protected by State of Federal law. But those are our views and will not necessarily be what the law provides.
While HIPAA allows disclosure of information for treatment purposes, 42 C.F.R Part 2 does not permit such a disclosure unless a patient first provides a voluntary, written consent. Before a treating professional who is covered under 42 C.F.R. Part 2 can make a disclosure of PHI - even if it is to another health care provider, let alone to other entities such as the criminal justice or welfare systems - the patient must sign a consent form, utilizing the specific and detailed consent form required by 42 C.F.R. Part 2, section 2.31. Consequently, alcohol and drug treatment programs should not be required to participate in the NHIN, since their compliance would depend upon each patient agreeing to sign a consent form, unless there is an exception for the records of patients who refuse to consent. Otherwise, if any patient decided not to sign the consent form, which is certainly within the patient’s rights, the program could not comply with both 42 C.F.R. Part 2 and the NHIN. But again, those are the views of the Legal Action Center and not necessarily what will occur.
When it comes to e-prescribing (sending prescriptions electronically to pharmacies), as with other aspects of care, treatment of people for alcohol and drug problems raises many specific and sometimes difficult issues that warrant special attention. E-prescribing has the potential to improve the delivery of health care and enhance the safe use of medications. However, the confidentiality implications - and how best to address them - require serious consideration before this new technology is put into place.
HIPAA allows most if not all of the disclosures necessary to implement e-prescribing without the patient's written consent since the disclosures are for the purposes of providing medical treatments and payment. However, 42 C.F.R Part 2 requires written patient consent before these disclosures can be made. Before a treating professional who is covered under 42C.F.R Part 2 can make a disclosure to a pharmacy – by e-mail or otherwise- the patient must sign a specific and detailed consent form required by 42 C.F.R. Part 2, section 2.31.
After a patient has signed such a consent, the treating professional can then make the disclosure but must also transmit the notice prohibiting redisclosure required by section 2.32 of the regulations. Any redisclosures made by the pharmacy or others who receive confidential information pursuant to this consent form, such as to an insurer, must also be authorized by a signed consent form.
Initial disclosures and subsequent redisclosures can be authorized by the same consent form as long as all the required elements authorizing each disclosure are contained in the signed form. These rules apply not just to disclosures relating to the transmission of an e-prescription, but also to any other disclosures between the treatment physician and the pharmacist that may be necessary, such as discussion of medical history or other factors pertinent to the prescription.
In addition to addressing security issues, software and other technology for e-prescribing must contain and comply with the requisite consent forms, notices prohibiting disclosure, and redisclosure limitations required by 42 C.F.R. Part 2.
Some programs have asked whether staff should be allowed to travel with laptop computers, which contain patient files or permit e-mail access to patient files through remote computers. The answer is that it is permissible as long as all of the HIPAA electronic security requirements are met and the files are secured to protect patient-identifying information form disclosure. Care should also be taken to secure the computer and to restrict access to files on it. Thus, the person using the computer should not work on patient-identifying files in a public area, such as an airport waiting area, if that could lead to an inadvertent disclosure. Similarly, access to the laptop should be limited to the staff person for work purposes.
Before sending patient information by email, programs must assure their network and computer systems are in full compliance with HIPAA's electronic security standards. Practically speaking, programs must take extreme caution when sending patient information electronically. Typing an incorrect email address could instantly put confidential information on the computer screens of unauthorized people.
Where possible, programs should omit patient-identifying information from email by using initials or other codes. Again, in many circumstances HIPAA require covered entities to use certain transaction codes, data code sets and encryption techniques.
Mobile telephones present some new challenges to programs. Before the use of mobile telephones, conversations about confidential matters could take place in rooms or booths where some degree of privacy could be achieved. With mobile telephones, conversations about confidential matters can take place anywhere and be overheard by anyone. Although neither HIPAA nor 42 C.F.R. Part 2 specifically address the use of mobile telephones, a mixture of common sense and restraint will satisfy conversation about a patient in an area where there is an obvious risk of being overheard, like in a public gathering or aboard public transportation.
Some programs have also limited staff use of mobile telephones to discuss patients because there have been occasions where such conversations are inadvertently overheard on another mobile telephone. If this is a persistent problem in a particular area, limitations should be imposed.
Voice mail systems have also raised concerns among providers. The primary concern within a program is that messages are recorded and stored on a central system. When a program itself uses a voice mail system for messages, the rule governing all internal program communications should guide how those telephone messages are stored. (See pages 201-202.) That is, only those who need the information to provide alcohol or drug services should have access to another person's voice mail messages. The information voice mail should be given the same security as messages on paper.
Programs have also asked whether they should leave patient-identifying information on voice mail systems they are calling. The answer will depend on where they call and who has access to the voice mail, which is addressed to an individual, the patient-identifying information can probably be left. However, program staff should be cautious about leaving such information on a voice mail system when they do not know or are not satisfied about the degree of confidentiality provided. (See pages 208-210, on contacting patients at home.)
Facsimile machines add convenience and speed to communications. But can a program release information on the basis of a consent form sent by facsimile? And is there a danger that information about a patient that is faxed by a program will end up in the wrong place?
Neither HIPAA nor 42 C.F.R Part 2 require programs to have patient's "original" signed consent form in their possession to make disclosures. As long as the program acts with reasonable caution, it may accept a facsimile or a photocopy of a consent form. The key concern when faxing patient-identifying records is to know whether the facsimile will be received in a confidential manner. It makes sense for a program to find out where a receiving facsimile machine is located and who has access to it. For example, is the machine located in a private office where access is limited, or is it in a busy common area where documents might easily be retrieved by unauthorized persons? To reduce the possibility of the facsimile being retrieved by the wrong person, the program could ask the recipient to stand by the machine and wait for it. The program may also wish to first fax the third party a "test sheet" and (only if that works) then fax the required information. Alternatively, the program should confirm the facsimile number and dial very carefully.
Finally, faxed records containing patient-identifying information must always be accompanied by the notice prohibiting redisclosure (see pages 35-36.)
Telemedicine is a new approach whereby, with the help of telecommunications, people receive health care without being in the same room as their health care provider. It typically occurs in rural areas where people do not have access to a full array of providers. A patient can enter the office of one provider, who hooks up via telecommunications with one or more other providers. The provider(s) and patient can communicate via any combination of computer, telephone and video.
Naturally, telemedicine poses new challenges for maintaining confidentiality because, among other things, several providers may be involved, at different sites, with persons listening to or viewing the telemedicine session unbeknownst to the patient. In addition, communications could be intercepted or redisclosed to unauthorized persons.
The same confidentiality principles apply to telemedicine as to in-person treatment. Moreover, if protected health information is being transmitted or stored electronically then the HIPAA electronic security standards will need to be implemented. Special care must be taken to ensure that records are available only to authorized personnel and that sessions (individual or group) with alcohol or drug patients are not witnessed by unauthorized persons. Most telemedicine sessions that involve the disclosure of alcohol or drug information will require a consent form to be in place. The consent must list all parties participating in the telemedicine conference, including technical support individuals operating the video cameras or other equipment, and of course all are prohibited from making redisclosures without authorization. Provisions also must be made to ensure the security of the tapes after the conference is completed.
States are increasingly interested in collecting patient-identifying information from alcohol and drug programs they fund or regulate, to match consumers with needed services, track patients as they move through the state's network of treatment and other services, and conduct research, evaluate services, monitor service delivery and utilization, or engage in health planning.
The computerization of data is particularly helpful in these efforts because each relies on the collection and analysis of large amounts of data to compare outcomes or track activities of programs or patients over time. The fact that technology eases the gathering or analysis of computerized data from treatment programs, however, does not change the need to comply with the requirements of both HIPAA and 42 C.F.R. Part 2.
Written patient consent is the easiest and most direct method of authorizing the establishment of a computerized data bank for evaluation, health planning, or monitoring service utilization. A single consent form can authorize the recipient of patient-identifying information to redisclose the information to third parties. For example, a state alcohol and drug agency's centralized intake unit take referrals of applicants for treatment from a variety of programs and wants to match those applicants with available treatment slots. The consent form can authorize information about the applicant to be disclosed by the referring program to the central intake unit, and then redisclosed by the central unit to another program participating in this "matching" initiative.
Similarly, a state may want to see whether and how many patients in alcohol or drug treatment are also receiving state-regulated mental health services or welfare. To get an accurate count, the state may want to match identifying information about the alcohol and drug patients with those served in the other systems. The state could obtain written consent from patients allowing disclosure of their treatment status for the limited purpose of comparing that information to lists of those receiving mental health services or welfare.
Of course, where a state agency relies on consent for generating a data bank, it should remember that consents can be revoked at will and patient-identifying information must be deleted from the data bank upon revocation.
Both HIPAA and 42 C.F.R. Part 2 permit a program to disclose patient-identifying information to qualified researchers but only if certain safeguards are put in place. HIPAA requires covered entities to obtain patient consent or a waiver approved by either an IRB or privacy board and requires any covered entity that conducts certain electronic "covered transactions" to have the appropriate electronic security standards and safeguards in place.
Under 42 C.F.R. Part 2 researchers may not redisclose patient-identifying information except back to the program that provided it. A researcher who needs to redisclose patient-identifying information, for example, to other agencies to evaluate utilization patterns would have to obtain each patient’s written consent to do so. Absent consent, the research entity would have to conduct the cross referencing itself, without disclosing any patient-identifying information., For example, the researcher could obtain the databases from the other agencies, cross check the names, and then return the databases.
HIPAA also permits the program to release the information as part of a limited data set, as long as all pieces of identifying information are removed n accordance with the regulations and the requisite agreement is in place.
Government funders or regulators and private agencies may obtain patient-identifying information without consent to conduct an audit or evaluation. (See pages 75-76.) If information is transferred electronically to an outside agency conducting an audit or evaluation, the HIPAA electronic security standards must be in place and 42 C.F.R. Part 2's provisions governing the copying or removal of records applies. This means that the entity performing the audit or evaluation must agree in writing to (1) maintain the security of patient-identifying information as required under HIPAA and 42 C.F.R. Part 2, and (2) destroy all patient-identifying information upon completion of the audit or evaluation. Once again, adequate electronic security safeguards should be set out in the written agreement and implemented before any audit or evaluation begins.
In addition, patient-identifying information obtained for the purpose of conducting an audit or evaluation may be used only to carry out that audit or evaluation (or to investigate or prosecute a program as authorized by a proper court order), and it may be redisclosed only back to the program from which it was obtained. Any computerized information must, therefore, be segregated from agency, with access limited to those authorized to use it to carry out the audit or evaluation. If the agency conducting the audit needs to share the information with other state agencies for purposes of comparing databases, it would need patient consent or a court order.
Finally, the requirement that patient-identifying information be destroyed once an audit or evaluation is completed also has repercussions for data collected and stored electronically. Patient-identifying data on computer hard drives, back-up files, and discs must be deleted or otherwise destroyed at the end of the audit or evaluation.
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Salt Lake County Behavioral Health Services (SLCoBHS) understands that your personal information is private. Protecting your health information is important. We follow strict federal and state laws that require us to maintain the confidentiality of your health information.
When you receive treatment services from SLCoBHS and its providers, we may use your personal information for treating you, billing for services, and conducting our normal business known as health care operations. Examples of how we use your information
We keep records of the care and services provided to you. Our providers use these records to deliver quality care to meet your needs. For example, your therapist may share your health information with a specialist who will assist in your treatment. Some health records, including confidential
communications with a mental health professional and substance abuse treatment records have additional restrictions for use and disclosure under state and federal laws.
We keep billing records that include payment information and documentation of the services provided to you. Your information may be used to obtain payment from you, your insurance company, or other third party. We may also contact your insurance company to
verify coverage for your care or to notify them of upcoming services that may need prior notice or approval. For example, we may disclose information about the services provided to you to claim and obtain payment from your insurance company or Medicare.
We use health information to improve the quality of care, train staff and students, provide customer service, manage costs, conduct required business duties, and make plans to better serve our communities. For example, we may use your health information
to evaluate the quality of treatment and services provided by our therapists and other health care workers.
We may also use your health information to:
For more information about the practices and rights described in this notice:
There are limited situations that permit or require us to disclose health information without your signed authorization. These situations are:
All other uses and disclosures not described in this notice require your signed authorization. You may revoke your authorization at any time with a written statement. See a Privacy Coordinator at the site where you received your services or the Privacy
Officer for more information.
We are required by law to:
We reserve the right to make changes to this notice at any time and make the new privacy practices effective for all information we maintain. Current notices will be posted in SLCoBHS facilities and on our
website. You may also request a copy of any notice from the Salt Lake County Behavioral Health Services office.
You have the right to:
* Request must be made in writing. Contact SLCoBHS for
the appropriate form for your request.
This notice describes the privacy practices of Salt Lake County Behavioral Health Services (SLCoBHS) and its contracted providers. Contracted providers are not employed by SLCoBHS but are authorized to provide services to Salt Lake County residents referred by SLCoBHS or have a contractual relationship with SLCoBHS.
Providers may have different privacy practices from those described in this notice. For more information about the privacy practices of providers, please contact them directly.
If you would like further information about your privacy rights, are concerned that your privacy rights have been violated, or disagree with a decision that we made about access to your health information; or if you would like to file a complaint, contact:
Salt Lake County Division of Behavioral Health Services
PO Box 144575
2001 S State St Ste S2-300
Salt Lake City, UT
You may also contact the provider where you received services.
We will investigate all complaints and will not retaliate against you for filing a complaint.