The Ethics of a Practicing Therapist
PAMFT Membership Conference, April 11, 2014
Renee H. Martin, JD, RN, MSN
Rhoads & Sinon LLP
29 Dowlin Forge Road, Exton, PA 19341
Tel.: (610) 423-4200  Fax: (610) 423-4201
E-mail: rmartin@rhoads-sinon.com

© 2014 Rhoads & Sinon LLP. All Rights Reserved.

Outline
- Minors’ Rights
- Courts/Subpoenas
- Electronic/Social Media
- HIPAA

Privacy, Confidentiality, Ethical Duties and Disclosure

ACT 147: Adolescent Rights
- Consent to release of mental health records for all purposes and in all circumstances other than those provided in this section shall be subject to the provisions of the “Mental Health Procedures Act” and other applicable federal and state statutes and regulations.
- Generally the minor shall control the release of the minor’s mental health treatment records and information to the extent allowed by law.
- When a minor has provided consent to outpatient mental health treatment (records related to prior treatment consented to by the minor), the minor shall control the records of that treatment to the same extent as the minor would control the records of inpatient care or involuntary outpatient care under the “Mental Health Procedures Act” and its regulations.

ACT 147: Limited Rights of P/LG
When a parent or legal guardian (“P/LG”) has consented to outpatient treatment of a minor fourteen years of age or older, the following shall apply to the release of the minor’s records and information:
- “The P/LG may consent to release of the minor’s medical records and information, including records of prior mental health treatment for which the P/LG had provided consent, to the minor’s current mental health care treatment provider.”
- If deemed pertinent by the minor’s current mental health treatment provider, the release of information under this subsection may include the minor’s mental health records and information from prior mental health treatment for which the minor had provided consent to treatment.
- “The P/LG may consent to the release of the minor’s mental health records and information to the primary care provider if, in the judgment of the minor’s current mental health treatment provider, such release would not be detrimental to the minor.”
- Release of mental health records and information shall be limited to release directly from one provider of mental health treatment to another, or from the provider of mental health treatment to the primary care provider.
- The P/LG who is providing consent to outpatient mental health treatment of a minor (14+) shall have the right to the information necessary for providing consent:
  - symptoms
  - conditions to be treated
  - medications
  - other treatments
  - risks and benefits
  - expected results
Confidentiality of Mental Health Treatment Records: §5100.25 Release to Courts
- No release of records in response to a subpoena or other court discovery proceeding without patient consent or an additional court order
- Duty to inform the court
- Inform the client/patient’s attorney
- Defense counsel for the provider may review records; the minimum necessary standard applies
- Employees are to be informed; violations carry civil and criminal liability

Court Orders
- Issued by a judge
- Increased duty to respond
- Search warrant (issued by a magistrate)

Ethical Duties and Social Media and E-mail
- Provider-Patient Relationship
- Explaining the Limits of Confidentiality
- Social Media and Private Practice
- Use of e-mail

Social Media refers broadly to Web-based tools that allow individuals to communicate quickly, easily and broadly:
• Email
• Facebook
• Twitter
• LinkedIn
• Blogs
• YouTube
• Health sites

Confidentiality and Social Media
When is the provider-patient relationship created?
- Contractual: implied by the actions of the parties in seeking and providing advice and care
- Use of email

AAMFT Code of Ethics (Principle II: Confidentiality)
- 1.13 Electronic Therapy
- 2.4 Protection of Records. Marriage and family therapists store, safeguard, and dispose of client records in ways that maintain confidentiality and in accord with applicable laws and professional standards.
- 2.7 Protection of Electronic Information. When using electronic methods for communication, billing, recordkeeping, or other elements of client care, marriage and family therapists ensure that their electronic data storage and communications are privacy protected consistent with all applicable law.

Social Media Guidelines & Recommendations
Professional Liability
- Policies should remind employees and staff that online communications are not private and may be discoverable in litigation.
- Policies should clearly define the parameters of the relationships between healthcare professionals and other social media users.
- Professionals should be aware of the pros and cons of making patients their Facebook “friends”.
- Distinguish between personal/social relationships and doctor/patient relationships.
- Be aware of the risks of “practicing medicine online”. It is generally unwise to establish therapist/patient relationships online.
- Professionals should monitor their social media/networking sites regularly.
- Consider adding broad disclaimers, such as a statement that your organization does not give medical advice via your website or social media sites and that users seeking specific medical advice should contact a physician, or call 911 in an emergency.

Policies – Can They Help? Be Proactive, Not Reactive
- Even if your employees don’t use or access computers at work, they most likely do at home, and may be talking about work.
- Nearly every employer in every work environment should consider how social media could impact their workforce or company.
- What steps should be taken now to avoid problems down the road?

Issues To Consider in Developing a Social Media Policy
- Whose job will it be to monitor violations?
- Who will monitor your social media activity?
- Use automated resources such as Google Alerts, or have IT staff help you identify other resources available to monitor social media activity that may be affecting your company.
- How will you discipline violators, consistently?

Issues To Consider After Developing a Social Media Policy
- Be careful about disciplining employees who engage in concerted activity, report illegal activities or exercise freedom of speech.
- Consider training employees on the social media policy and areas such as privacy, trade secret infringement, etc.
- Re-evaluate on a regular basis. Social media is developing and changing quickly. Your attitudes and expectations regarding social media will likely change over time; be sure your policies keep up.

Confidentiality and Social Media: Professional Guidance
- American Health Information Management Association (AHIMA)
- American Medical Association Ethical Guidelines (AMA)
- American Psychological Association Ethical Principles (APA)
- Marriage and Family Therapists (Regulations and AAMFT Code of Ethics)

Questions to Consider with Social Media/E-mail
- Is it necessary to use e-mail? Is there another equally safe way to send the information?
- Is the disclosure necessary?
- Does the disclosure affect my other obligations?
- Should it be encrypted?
- How do I dispose of it?
- Is it part of the clinical record?

HIPAA

History of HIPAA
- 1996 - HIPAA enacted
- 1999-2000 - Initial Privacy & Security Regulations issued
- 2002 - Final Privacy Rule issued
- 2005 - Final Security Rule issued
- 2009 - HITECH Act; Interim Final Rule on Breach Notification
- 2010 - Enforcement Rule published
- 2013 - HIPAA Final Omnibus Rule
Who Is Subject to HIPAA?
Covered Entities (directly regulated):
- Health plans: insurance companies; HMOs
- Health care clearinghouses (process nonstandard data elements into standard data elements)
- Health care providers who transmit any health information in electronic form in connection with a covered transaction
Business Associates:
- Receive PHI from a covered entity
- Perform a function on its behalf

What is a Business Associate?
A person who, on behalf of a covered entity:
- Performs or assists with a function or activity involving individually identifiable health information
- Performs certain identified services

Examples of Business Associates
- Billing firms
- Clearinghouses
- Management firms
- Auditors
- Lawyers
- Actuaries
- Consultants
- Vendors
- Other covered entities
- TPAs (third-party administrators)
- Accreditation organizations

Third Parties and Business Associates
- Covered entities may disclose PHI to a business associate as necessary to permit the business associate to perform functions and activities on behalf of the covered entity
- A business associate cannot use PHI for its own purposes

Individually Identifiable Health Information (IIHI)
Health information, including demographics, that:
- Is created or received by a health care provider, health plan, or health care clearinghouse; and
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and that
- Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected Health Information (PHI)
Individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in any electronic media
- Transmitted or maintained in any other form (including oral or written PHI)

PHI and the Medical Record
The HIPAA Privacy Rule defines a designated record set as follows:
(1) A group of records maintained by or for a covered entity that is:
- The medical records and billing records about individuals maintained by or for a covered health care provider; or
- Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) The term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Privacy Rule Summary
A covered entity may not use or disclose PHI except:
- After it gives written notice about its health information practices to the individual
- In accordance with an individual’s written authorization
- When requested by the Department of Health and Human Services Office for Civil Rights
Note: the MFT Rules of Ethics require authorization from each individual in the “unit” to permit disclosures.

General Rule: Required Disclosures
- To the individual upon the individual’s request (some exceptions apply)
- To HHS in connection with its enforcement and compliance review actions

General Rule: Permitted Disclosures
- Under the Notice of Privacy Practices: treatment, payment, health care operations
- With authorization (always required, except where a legally mandated exception applies)
- Statutory/regulatory disclosures (duty to warn, etc.)
Scope of the Omnibus Rule
- Revised breach notification standard
- Patient access to information contained in an electronic health record (a right already granted for paper records)
- Regulation of business associates (“BAs”) and subcontractors
- Prohibition on “sale” of PHI without authorization

Privacy, Confidentiality and Disclosure: HIPAA Permitted Disclosures to Avert a Serious Threat to Health and Safety (§164.512(j))
1. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information if the covered entity, in good faith, believes the use or disclosure:
- Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or
- Is necessary for law enforcement authorities to identify or apprehend an individual:
  - Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or
  - Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.
2. A use or disclosure based on a statement admitting participation in a violent crime is not permitted if the covered entity learned that information:
- In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure, or counseling or therapy; or
- Through a request by the individual to initiate or to be referred for such treatment, counseling, or therapy.
3. Limit on the information that may be disclosed (a disclosure under the violent-crime prong is limited to the statement itself and limited identifying information).
4. Presumption of good faith belief (where the belief is based on the covered entity’s actual knowledge or on a credible representation by a person with apparent knowledge or authority).

Scope of the Omnibus Rule (continued)
- Patients’ right to restrict data sharing with payers
- Requirements to modify and redistribute the NPP
- Clarifies and strengthens OCR’s role in enforcement, the imposition of civil monetary penalties (CMPs), and CMP liability for acts of business associates and subcontractors

Duty to Notify in Case of Breach
HITECH Act: required notification of a breach of “unsecured PHI”.
What is a “breach”? “The unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security or privacy of the PHI.” If the definition is met, notification is required. This applies to both electronic and hard-copy information.

What is NOT a “breach”? Determined by:
1. The definition of “breach”
2. The exceptions to the definition of a breach
Not a Breach by Definition
- Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity (CE) or business associate (BA), if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted
- Applies only to “unsecured PHI”: if CEs and BAs apply the technologies and methodologies specified in the April 17, 2009 HHS Guidance, the PHI is “secured” and no notice is required. Per the Guidance, “secured PHI” is PHI that is rendered unusable, unreadable or indecipherable to unauthorized individuals (i.e., encrypted or destroyed as detailed in the Guidance’s exhaustive list of technologies and methodologies).

Omnibus Rule Breach Notification Standard
- An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability that the PHI has been “compromised”
- Determining whether there is a low probability that data has been “compromised” requires analysis of what happened (or may have happened) to the data
- The focus has now switched to what happened to the PHI

Breach Notification – Risk Assessment
The CE/BA should perform a risk assessment after discovering a breach and must consider at least the following:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- Who the recipient of the PHI was
- Whether the PHI was actually acquired or viewed
- The extent to which the risk of misuse of the PHI has been mitigated
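The encryption safe harbor above (“secured PHI”) turns on whether a lost or stolen copy of a record is genuinely unreadable without a key that is held somewhere else. The following is an added example, not part of the original presentation and not code from Rhoads & Sinon or HHS, showing what that looks like in practice: a constructed (fictitious) therapy record is sealed with AES-256-GCM, the key is generated separately, and decryption fails closed on a wrong key, a modified blob, or a truncated blob. The record contents, field names and function names are assumptions made for illustration. Two caveats a practitioner should keep in mind: the 2009 HHS Guidance points to NIST Special Publication 800-111 for data at rest and expects the key (and decryption tools) to be kept separate from the encrypted data, so a laptop that stores the key in cleartext next to the ciphertext does not meet the safe harbor; and encryption addresses the lost-device case only, not an authorised user who misuses PHI.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SamplePHI is a constructed record used only for this example; nothing in it is real.
const SamplePHI = "MRN=000123|Name=Jane Sample|DOB=1985-04-02|Dx=F41.1|Note=session 3 of 8"

// NewKey generates a fresh 256-bit AES key. In a real deployment the key lives in a
// key store (OS keychain, HSM, cloud KMS) that is separate from the encrypted records;
// that separation is what the safe harbor assumes.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM under key. The output is
// nonce || ciphertext || authentication tag, with a random 96-bit nonce per record.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so the blob is self-describing.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. GCM checks the authentication tag before releasing any
// plaintext, so a flipped bit or a wrong key yields an error, never garbled PHI.
func Decrypt(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short to contain a nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// ContainsIdentifier reports whether identifier appears verbatim in data. It is used
// here to show that the sealed blob carries no readable identifiers.
func ContainsIdentifier(data []byte, identifier string) bool {
	return bytes.Contains(data, []byte(identifier))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, []byte(SamplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed record: %d bytes; patient name visible: %v\n",
		len(sealed), ContainsIdentifier(sealed, "Jane Sample"))

	// The lost-laptop case: blob intact, but the key is held elsewhere.
	if _, err := Decrypt(make([]byte, 32), sealed); err != nil {
		fmt.Println("without the real key, decryption fails:", err)
	}

	// A modified blob is rejected by the tag check.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Decrypt(key, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	plain, err := Decrypt(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("authorised decrypt matches original:", string(plain) == SamplePHI)
}
```

Run it with `go run` to see the three cases. The part that determines whether this counts as “secured PHI” is not the cipher call but where the key is: the same blob is safe-harbor material when the key sits in a separate key store, and ordinary unsecured PHI when the key is on the same disk.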
Breach Notification – Burden of Proof
- If no risk assessment is performed, the default is notification
- The burden of demonstrating a low probability that the PHI was compromised is on the CE/BA
- A decision not to notify must be documented in case of review

Breach Notification – Obligations to Notify
- CEs must notify individuals (although they can delegate this to BAs)
- BAs must notify CEs
- Subcontractors must be obligated to notify their contracting partner so the information can go back up the chain

Breach Notification – Examples of Risk Analysis Criteria
Likelihood of identification or re-identification:
- A list of client names on letterhead: not low probability
- Client discharge data with no client specified: can the clients be re-identified? Could be low probability (depends on the circumstances)
Who the unauthorized recipient is:
- A HIPAA covered entity: low probability, as long as you have evidence the risk has been mitigated
Whether the PHI was actually acquired or viewed:
- A laptop recovered untampered with: low probability
- Information mailed to the wrong person: not low probability; the issue then is, of course, the risk of harm
Whether improper use has been mitigated:
- Satisfactory assurances of destruction from a known person: low probability

Right to Request Restrictions on Disclosures to Payors
The general rule is that a CE is not required to accept restrictions on the use and disclosure of PHI. The Final Rule created an exception, and requires a CE to agree to a restriction if:
- the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
- the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the CE in full.
Individual Right to Access PHI
HIPAA currently requires, with limited exceptions, that individuals have a right to review or obtain copies of their PHI to the extent such information is maintained in a designated record set. The Final Rule made significant changes to the individual’s right to access their PHI.

Patient Access to Electronic Health Information
- If PHI is held electronically, the individual is entitled to an electronic copy if it is in a “designated record set” (not just the information in an “EHR”)
- Must be in the format requested if “readily producible”; if not, in a readable electronic form and format agreed upon by the entity and the individual
- Not required to buy new software to do this, but must have the capability to provide some electronic copy
- If the individual declines to accept the electronic formats the entity makes available, the entity can default to hard copy
- Not required to accept the patient’s device, but can’t require individuals to purchase a device from you if they don’t want to

Patient Access – Reasonable Safeguards
- Must have reasonable safeguards in place to protect transmission of ePHI, but:
- If an individual wants information by unencrypted e-mail, the entity can send it if it advises the individual that such transmission is risky
- Can’t force individuals to accept an unsecured method
- The entity is not then responsible for a breach; document the individual’s acknowledgement of the risk
- Omnibus allows 30 days to produce, with one 30-day extension, for a total of 60 days; OCR urges entities to make information available sooner when possible
- If over 30 days, must notify the patient in writing and explain why the extension is needed
Patient Access – Third Parties
- Individuals can have the copy directed to another person/entity, but the choice must be in writing and clearly identify the individual/entity
- The information must be protected, and the entity must implement reasonable policies and procedures for sending it to the right place (e.g., type the e-mail address correctly)
- “In writing” can be electronic
- Fees charged are restricted to labor costs for copying; they cannot include the cost of retrieval or a portion of capital costs
- The charge can include supplies provided to the individual upon request

Business Associates/Subcontractors
- The Omnibus Rule conforms the HIPAA regulations to the HITECH Act changes
- Before HITECH, BAs were regulated through business associate contracts or agreements (“BAAs”)
- After HITECH, BAs and subcontractors are regulated directly under HIPAA
- Must comply with the Security Rule (the rule is flexible to accommodate small BAs)
- Must comply with some of the Privacy Rule and the provisions of the BAA
- A BAA is still needed

Notice of Privacy Practices (NPP)
NPPs must include:
- Statements regarding certain uses and disclosures requiring authorization, e.g., psychotherapy notes (where appropriate), marketing, sales of PHI, the right to restrict disclosures to health plans (providers only), and the right to be notified of a breach; and
- A general statement that all uses and disclosures not described in the NPP also require authorization
New patients receive the revised NPP starting 9/23/13; other patients receive it as they come in to be seen.

What the OCR Says About Enforcement
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a client’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
Leon Rodriguez, Director, OCR

Enforcement Rule – BAs, Investigations, Reviews
- Civil monetary penalties (CMPs) can be assessed directly against business associates
- Complaint investigations and compliance reviews:
  - Required whenever there is evidence of a possible HIPAA violation due to willful neglect
  - Discretionary in the absence of possible willful neglect
- Every complaint will be investigated preliminarily
- The Secretary has discretion to move directly to imposition of CMPs without informal resolution

Enforcement – Coordination
- The Secretary may disclose PHI to another agency on request
- Coordination with the Department of Justice and FTC (http://www.hhs.gov.ocr/enforcement)
- Coordination with State Attorneys General to assist with their direct enforcement