Today’s Letter is S, S is for Sharing Mental Health Information
Allowing Providers to Share
In certain circumstances HIPAA allows mental health providers to decide, based on professional judgment, when to share mental health information: when it is in the best interests of the patient, or to prevent or lessen a risk of harm.
If a patient presents a risk of harm to themselves or others, or exhibits behavior that may threaten their health or safety, providers need to be able to use professional judgment to identify the potential or likely risk and determine who can help lessen it.
Ways to Share
There are several ways the provider may address the situation.
If the patient lacks the ability to make decisions or is unconscious, the provider can share information with the patient’s personal representative (if applicable), or with family or friends involved in the patient’s care if the provider determines that doing so is in the patient’s best interest.
A provider may contact anyone reasonably able to lessen the risk of harm when the provider believes that a patient presents a serious and imminent threat to the health or safety of themselves or another person.
OCR Won’t Second Guess
The Office for Civil Rights (OCR) states that it won’t second-guess a mental health provider’s judgment when a patient is a threat to himself or others.
Technical safeguards are important because of technology advances in the health care industry. Healthcare organizations face the challenge of protecting electronic protected health information (ePHI), such as electronic health records, from internal and external risks.
Covered Entity Must Comply
It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguards standards and their implementation specifications; a covered entity may use any security measures that allow it to do so reasonably and appropriately.
Define “The Security Rule”
The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” The Rule is built on the concepts of flexibility, scalability and technology neutrality, so it does not name specific types of technology that must be implemented.
Implementing “The Rule”
The Rule allows a covered entity to use any security measures that let it reasonably and appropriately implement the standards and implementation specifications. The covered entity must determine which security measures and specific technologies are reasonable and appropriate for its organization, and should document that determination and the risk analysis behind it.
The Department of Health and Human Services (HHS) published a notice on April 30th stating that it is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Until now, HHS applied the same cumulative annual limit to all four categories of violations.
Pending further rulemaking, HHS will now apply a different cumulative annual CMP limit to each level of violation instead of the maximum of $1.5 million for every level. This lowers the maximum limit for the less culpable categories, scaling it down with the level of culpability. HHS will use the new penalty structure until further notice.
The Four Categories
The limits are based on four categories of culpability:
No knowledge: the minimum penalty per violation is now $100, and the annual limit is $25,000, down from $1.5 million.
Reasonable cause: $1,000 is the minimum per violation, and $100,000 is the annual limit, down from $1.5 million.
Willful neglect that is corrected: $10,000 is the minimum per violation, and $250,000 is the annual limit.
Willful neglect that is not corrected, the highest category: $50,000 is the minimum per violation, and the annual limit remains $1,500,000.
To read this important Notice visit the Federal Register using the link below.
Reasonable safeguards are the precautions a prudent person would take to prevent a disclosure of PHI. They must be applied to all forms of PHI: verbal, paper, and electronic. They help prevent unauthorized uses or disclosures of PHI.
Reasonable safeguards must be applied to all of your verbal disclosures of PHI. When you are working with a patient, first determine who is with the patient before discussing PHI. Do not assume the patient permits disclosure of their PHI just because a family member or friend is in the room. Ask who is with the patient and whether the patient permits disclosure, or ask the other persons to leave the room, giving the patient an opportunity to object.
The use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred as a by-product of a permissible disclosure, which is not a violation. Reasonable safeguards protect PHI and help keep you from violating patient privacy.
The HIPAA Security Rule allows the transmission of electronic PHI (ePHI) as long as it is safeguarded. It is up to the health care provider to decide whether to use encryption based on the results of its risk assessment.
The encryption standard is confusing because encryption is defined as an addressable implementation specification, which must be implemented if it is a reasonable and appropriate safeguard for the protection of ePHI. Addressable does not mean optional: the provider must assess it, and either implement it, implement an equivalent alternative, or document why neither is needed.
No Specific Requirements
When the Security Rule was enacted, it was recognized that, given rapid advances in technology, any specific guidelines would have to change regularly. For this reason, HHS chose not to require specific safeguards that could soon be outdated.
Alternative to Encryption
Based on its security risk assessment, a health care provider may determine that encryption is not reasonable and appropriate and implement an equivalent alternative measure to protect ePHI, or it may decide to do neither if it determines that the standard can otherwise be met. In every case the provider must document the reasons for its decision.
Sometimes it is hard to determine under what circumstances a disclosure of PHI to law enforcement is permissible.
HIPAA permits disclosures to law enforcement in certain situations. A disclosure is always permitted when there is a signed authorization from the patient or their legal representative.
When to Respond
Disclosures are permitted when required by law, for example to respond to subpoenas and court orders when specific requirements are met. They are also permitted, within limits, for the investigation of a crime, to locate a missing person, and to prevent a serious threat to public health and safety. State law may require reports of child and adult abuse and neglect, and certain injury and disease reporting.
Besides considering the federal HIPAA law, review state law, because it may be more protective than HIPAA, and in that case state law is followed.
This is your HIPAA ABCs brought to you by HIPAA Associates. Contact us for more information on this important topic and HIPAA training for you and your company. Follow us on Facebook and Twitter.
A covered entity must have a procedure for individuals to file a complaint regarding its privacy practices or an alleged violation of the Privacy Rule. The Notice of Privacy Practices must contain contact information for the covered entity’s privacy officer and information on how to submit a complaint to the Office for Civil Rights.
The privacy officer or a designee investigates all complaints involving the privacy of protected health information and should maintain records of the complaints and their resolution. The privacy officer determines whether there has been a violation or a breach of unsecured PHI.
On behalf of the covered entity, the privacy officer responds to inquiries from the Office for Civil Rights as it investigates complaints.
The HIPAA Rules prohibit retaliation against anyone for making a privacy complaint.
B is for Breaches. A breach is an impermissible use or disclosure of protected health information (PHI) that compromises its privacy or security. Any impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following four factors:
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
The unauthorized person who used the PHI or to whom the disclosure was made.
Whether the PHI was actually acquired or viewed.
The extent to which the risk to the patient has been mitigated.
Examples of breaches of paper PHI are loss of paper files, insecure disposal, and paperwork given to the wrong person.
Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document sharing internet site.
All of these have been the subject of Office for Civil Rights penalties.
Verbal breaches of PHI occur when PHI is disclosed to the wrong individual or is overheard because safeguards were not used.
Social media offers many benefits for health care organizations: it allows interaction with patients and others, and it offers education and services. It is an essential communication and marketing tool and part of strategic marketing plans. In their role as employers, organizations also turn to social media to communicate with their employees.
Authorization to use PHI
However, it is possible to violate the HIPAA Rules and patient privacy while using social media if it is not managed correctly. Health care organizations must disclose protected health information (PHI) in interviews, photographs and marketing communications only with the patient’s written authorization.
The Risk of Social Media
Employee posts that contain PHI violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI. The ability to post simultaneously to several platforms increases the risk to an organization. Remember that to de-identify PHI under the Safe Harbor method, all 18 identifiers must be removed and the organization must have no actual knowledge that the remaining information could be used to identify the patient. This includes removal of full-face photographs and of other unique identifying characteristics such as tattoos.
To reduce this risk, employees should be trained on the dangers of inappropriate social media use from the very start of their employment. Many organizations address the issue by developing a social media use policy and by monitoring social media activity.
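The Safe Harbor de-identification rule referred to above is easier to apply with a concrete record in front of you. The following is an added example written for this page, not code from HIPAA Associates. It applies the Safe Harbor treatments to a constructed, fictitious patient record: direct identifiers are dropped, dates keep only their year, ZIP codes keep only their first three digits (reported as 000 for sparsely populated prefixes), ages over 89 are collapsed into a single "90 or older" category (and the birth year is dropped with them), and free-text fields are scanned for identifier patterns that slipped in. The field names, the restricted ZIP prefix list and the regular expressions are assumptions made for the example; a real deployment would take the ZIP list from census data and use a far broader free-text scanner.

```python
"""Safe Harbor style de-identification of a constructed patient record.

Added illustration for this page (not HIPAA Associates' code). The field
names, the restricted ZIP3 list and the regexes below are assumptions.
"""
import re

# Fields that fall into the Safe Harbor identifier categories and are
# removed outright (names, contact details, record numbers, device and
# vehicle identifiers, URLs, IP addresses, biometrics, photos, marks).
# Assumption: these are the field names the sample record uses.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "photo",
    "fingerprint_template", "tattoo_description",
}

# ZIP3 prefixes covering 20,000 or fewer people must be reported as 000.
# Constructed placeholder list; the real one is derived from census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Patterns for identifiers that tend to hide inside free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def leftover_identifiers(text):
    """Return the identifier categories whose patterns still appear in text."""
    return sorted(name for name, rx in FREE_TEXT_PATTERNS.items() if rx.search(text))


def scrub_text(text):
    """Replace every free-text identifier match with a redaction marker."""
    for rx in FREE_TEXT_PATTERNS.values():
        text = rx.sub("[REDACTED]", text)
    return text


def deidentify(record):
    """Return a Safe Harbor de-identified copy of a flat patient record."""
    over_89 = record.get("age", 0) >= 90
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if field == "zip":
            zip3 = str(value)[:3]
            out[field] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif field.endswith("_date"):
            m = DATE_RE.match(str(value))
            # Keep only the year; a birth year that reveals an age over 89
            # is itself an identifier and is dropped entirely.
            if not m or (over_89 and field == "birth_date"):
                out[field] = None
            else:
                out[field] = m.group(1)
        elif field == "age":
            out[field] = "90 or older" if over_89 else value
        elif isinstance(value, str):
            out[field] = scrub_text(value)  # free text may carry identifiers
        else:
            out[field] = value
    return out


# Constructed, fictitious sample record used to exercise the functions.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0099123",
    "birth_date": "1931-04-12",
    "admission_date": "2019-06-03",
    "zip": "02139",
    "age": 92,
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient call-back 617-555-0142; email jane@example.org",
}

if __name__ == "__main__":
    print("before:", leftover_identifiers(SAMPLE_RECORD["notes"]))
    print(deidentify(SAMPLE_RECORD))
```

Note what the scrub does not do: a clinician's note that names a neighbour, a workplace or a rare condition in a small town can still identify the patient, and the Safe Harbor method only holds if the organization has no actual knowledge of that. Pattern matching is a backstop for the obvious leaks, not a substitute for review before anything is posted.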
A covered entity may use and disclose PHI for a number of purposes and remain within HIPAA’s permitted uses and disclosures. Use and disclosure of PHI for treatment, payment and health care operations is permitted without patient authorization.
Sharing with Health Care Providers
Keep in mind that HIPAA was written not only to protect PHI but also to help treatment providers care for the patient without requiring patient authorization to share PHI. For example, it is permissible to share PHI with the health care providers who will treat the patient in their office or after hospital discharge. The sharing may be electronic, and if it is, it must be done in a manner that complies with the Security Rule.
Sharing for Care Coordination
We now see the need to share data with other health care providers for purposes of care coordination. This activity was not contemplated when HIPAA was written; it is now required by CMS and is part of a treatment plan. A health care provider may disclose PHI to another provider for this treatment purpose without patient authorization.