Confidentiality of Medical Information Version 3

Confidentiality of Medical Information
Public Health Nursing and Professional Development Unit
Eunice B. Inman, RN, BSN
Pamela Serrell, RN, BSN
Ellen Shope, RN, BSN
Lynn Conner, RN, BSN
Gay G. Welsh, RN, BSN, MPH
4/8/2015
1
Introduction
Objectives for this presentation include:
- Identify laws that require NC Local Health Departments to keep patient information confidential.
- Identify which information is confidential.
- Describe when confidential information may be disclosed.
- Describe how best to document disclosures of confidential information.
Introduction
This presentation is meant to introduce an overview of confidentiality laws and how those laws address some of the issues that arise in NC local health departments.
It is not meant to be comprehensive. Please consult an attorney if you need more information or advice for a specific situation.
Vocabulary
Confidential, as defined by Webster, is private, secret.
Confidentiality
The general ethic in the provision of health care is that a patient’s secrets uttered in confidence must be safeguarded by the physician, other health care providers, and the agency’s workforce (employees, volunteers, trainees, and other persons whose conduct, in the performance of their duties, is under the direct control of the agency, whether or not they are paid by the agency).
Laws Affecting LHDs in NC
HIPAA Privacy Rule (45 CFR Parts 160 & 164):
Federal law that governs when covered entities – a term that includes most health care providers, including LHDs – may and may not use and disclose PHI without a client’s permission. (Other federal and NC laws must also be considered in conjunction with HIPAA requirements.)
HIPAA Privacy Rule…cont.
- Requires covered entities to have written policies & procedures designed to comply with the Privacy Rule.
- Requires the implementation of administrative, technical, and physical safeguards to protect the privacy of individually identifiable health information.
- Requires mitigation, to the extent possible, when breaches occur that violate the Privacy Rule or the covered entity’s policies/procedures, once the breach is known by the covered entity.
HIPAA Privacy Rule…cont.
HIPAA Definitions:
- PHI = Protected Health Information: Individually identifiable health information (IIHI) that is transmitted electronically or maintained in any form or medium by a covered entity.
- T = Treatment activities of a healthcare provider: Includes provision, coordination, management of health care & related services, referrals, consultations, etc.
HIPAA Privacy Rule…cont.
- P = Payment for treatment: Includes reimbursement for services, benefit coverage, eligibility, billing, collections, etc.
- O = Health Care Operations that support the activities of a healthcare provider: Includes QI, credentialing, financial and medical review audits, business management, etc.
Please refer to the HIPAA Privacy Rule for more detailed explanations.
ARRA - American Recovery & Reinvestment Act
ARRA = Federal Law, effective 02/18/09
- Primarily found at 45 CFR Part 164, Subpart D (45 CFR 164.400 - 164.414)
- Contains the HITECH Act that exceeds HIPAA in protecting PHI.
ARRA - American Recovery & Reinvestment Act
Within ARRA is the Health Information Technology for Economic & Clinical Health Act (HITECH Act):
- Broadens and supplements HIPAA privacy and security requirements, and various state privacy breach notifications.
- Safeguards PHI above and beyond current HIPAA requirements.
- Extends requirements to certain non-covered entities, covered entities, and to business associates of covered entities.
- Includes breach notification requirements for a privacy breach.
ARRA - American Recovery & Reinvestment Act
ARRA & HITECH Act (continued)
HITECH Act may be found at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
Guidance for managing breaches:
http://www.sog.unc.edu/node/1040 under Security Breaches.
NC Identity Theft Protection Act
NC Identity Theft Protection Act (GS 75-60, Article 2A)
- NC law requiring private businesses and government agencies to protect personally identifying information that could be used for identity theft.
- Includes specific actions private businesses and government agencies must take when experiencing a security breach involving personally identifying information that is not encrypted (not necessarily electronic encryption).
- Requires notifications of breaches to individuals, media, and NC Attorney General’s Office in specific situations.
NC Identity Theft Protection Act
NC Identity Theft Protection Act found at:
http://www.ncga.state.nc.us/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html
Guidance may be found at http://www.sog.unc.edu/node/1045
Scroll down to “What does The Identity Theft Act Mean for Local Health Departments.”
Other NC State Laws re Confidentiality
Public Health Patient Confidentiality Law (GS 130A-12): (revised, effective 01/01/12)
NC law that applies only to LHDs, DHHS & DEHNR
- Medical records held by either are confidential and are not subject to NC’s public records law.
- Disclosure of information may occur only with appropriate authorization or as required by federal or state law.
Other NC State Laws re Confidentiality
Privilege Laws: (GS 8-53 and GS 8-53.13)
NC laws meant to prevent information from being introduced into court proceedings against the patient’s will.
- GS 8-53 – Communications between patients and their physicians (and others working under the direction of the physician) are privileged.
- GS 8-53.13 – Communications between patients and nurses are privileged.
Privileged information may be introduced in two circumstances:
- The patient gives permission for the disclosure.
- The judge orders the disclosure after finding that it is necessary for the proper administration of justice.
Laws Protecting Specific Situations
Title X Family Planning: (45 CFR 59.11)
Federal law that requires providers to keep information about Title X clients confidential and disclose it only with the client’s documented consent (permission), unless the disclosure is necessary to provide services to the client or is required by law.
Law Protecting Specific Situations
Communicable Disease Confidentiality: (GS 130A-143) (revised, effective 01/01/12)
State law that applies to information or records that identify a person who has or may have a reportable communicable disease or condition. Such information may be disclosed only when the disclosure fits into one of eleven circumstances specified in the statute. (Please consult the statute for these.)
Law Protecting Specific Situations
Family Educational Rights & Privacy Act (FERPA):
- Under FERPA school nurses must protect access to and disclosure of student education records.
- FERPA may be found at: Title 34, Part 99--Family Educational Rights and Privacy
- Schools may also fall under HIPAA.
Helpful Q&A re HIPAA & FERPA in schools may be found at: http://www.sog.unc.edu/node/832
Law Protecting Specific Situations
- Employees working with aspects of mental health or substance abuse clients may be subject to laws affecting those services.
- Please consult appropriate sources for legal resources applicable to these services.
Pharmacy Records Law
Availability of pharmacy records (G.S. 90-85.36):
Pharmacy orders, whether written or electronic, are not public records and may only be provided to the following persons:
- Persons for whom the prescription was written
- Parent, guardian, or persons standing in loco parentis of a minor child or disabled adult
- Pharmacy owner & pharmacist filling the prescription
- Healthcare provider writing the prescription or otherwise treating the patient
Pharmacy Records Law
(List continued…)
- Anyone presenting an authorization for the release or subpoena for pharmacy information
- Includes researchers
- Any business entity responsible for paying for the medical care of the person for whom the prescription was written
- Pharmacy Board members
- HIPAA covered entity or non-covered health care provider for TPO purposes
Licensure Laws
Components of Nursing Practice for the
Registered Nurse (21 NCAC 36 .0224):
(g)(4) is the specific section of administrative code that
says the nurse must uphold confidentiality.
(g) Collaborating involves communicating and working
cooperatively with individuals whose services may have a direct
or indirect effect upon the client's health care and includes:
(4) safeguarding confidentiality.
Licensure Laws
Components of Nursing Practice for the
Licensed Practical Nurse (21 NCAC 36.0225):
(g)(3) is the specific section of administrative code that
says the LPN must uphold confidentiality as
delegated by the registered nurse.
(g) Collaborating involves communicating and working
cooperatively with individuals whose services may have a direct
or indirect effect upon the client's health care and includes:
(3) safeguarding confidentiality.
Ethics and Policies
ANA Code of Ethics: Interpretive Statement, Provision 3.2
“…the nurse has the duty to maintain confidentiality of all patient information.”
To do less:
- Jeopardizes the patient’s welfare
- Destroys trust in the nurse/patient relationship, which jeopardizes the nurse’s ability to provide quality care.
Ethics and Policies
AMA Code of Ethics: Opinion 5.05 Confidentiality
The information disclosed to a physician by a patient should be held
in confidence.
The patient should feel free to make a full disclosure of information
to the physician in order that the physician may most effectively
provide needed services.
The patient should be able to make this disclosure with the
knowledge that the physician will respect the confidential nature
of the communication.
Ethics and Policies
Local Health Department Policy & Procedure:
Safeguards Policies – covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
Safeguard policies/procedures include, but are not limited to:
- Policy sets forth guidance to safeguard and maintain the integrity of the designated record set (financial and medical records as defined by HIPAA) and how best to protect the rights of clients while affording the providers of care appropriate access.
Which Information is Confidential?
Agency Confidentiality Policy – Affirms the agency’s resolve to abide by the laws presented.
Any IIHI about a client is confidential – assume that it is all confidential.
- It is not just the medical status or treatment information that is protected.
- Even the fact that they are a client is protected.
Any individually identifiable health information (IIHI) the LHD has on a person who is not a client is most likely confidential.
- Example: blood lead information on a patient cared for by a local pediatrician, where environmental health is doing a home investigation.
Which Information is Confidential?
Individually Identifiable Health Information (IIHI) includes:
- the client’s demographic information (name, address, age, date of birth, etc.).
- information that is created or received by a health care provider, health plan, employer, or health care clearinghouse.
- information related to the past, present, or future physical or mental health condition of the individual, provision of health care, or the past, present, or future payment for the provision of health care.
- any information that identifies the client, or to which there is reasonable basis to believe that the information can be used to identify the client.
Which Information is Confidential?
Protected Health Information includes:
- IIHI that is transmitted electronically or maintained in any form or medium by the covered entity.
- And everything else mentioned if not addressed in laws for specific services.
When may LHDs Disclose Patient Information?
With the client’s (or personal representative’s) permission.
Permission must be in the proper format.
- In most cases the permission must be in writing.
- Must be on an appropriate HIPAA compliant authorization form.
When may LHDs Disclose Patient Information?
Under certain circumstances without the client’s (or personal representative’s) permission as specified by law.
Broadly these include:
- Treatment, payment and healthcare operations as defined by HIPAA, G.S. 130A-12, & G.S. 130A-143.
- Please consult your HIPAA Officer or County Attorney regarding these definitions.
When may LHDs Disclose Patient Information?
When it is required by another law.
- The following slides will address these.
Subpoenas & other court orders
- Response guidance for LHDs from the NC School of Government may be found at: http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc=7&category=49
Laws requiring disclosure of info.
NC law requires the disclosure of confidential information or records for specific purposes for each of the following: (The following is a partial list of those who may demand records or information.)
HIPAA covered entities must verify the identity of the individual demanding the information and their authority to obtain the information.
- G.S. 130A-385: Chief medical examiner or county medical examiner when a death is under investigation.
- G.S. 130A-209: Diagnoses of cancer to central cancer registry.
Laws requiring disclosure of info.
List … cont.
- GS 7B-301: Any person or institution must report known or suspected child abuse/neglect or child deaths believed to be due to maltreatment to DSS.
- GS 7B-302: Records or information relevant to the investigation of known or suspected cases of child abuse or neglect may be released to the director of social services.
- GS 7B-601: or to the guardian ad litem representing the child.
- GS 7B-1413: The N.C. Child Fatality Prevention Team, a community child protection team, and N.C. Child Fatality Task Force may review information they deem relevant to their task.
Laws requiring disclosure of info.
List … cont.
- GS 108A-102: Report suspected abuse of elderly or disabled adults to Social Services Director.
- GS 130A-5 and 130A-15: NC Secretary of HHS may see patient records when the patient’s physician and a DHHS physician agree that there is a “clear danger to public health” and other health hazards.
- GS 130A-135 et seq.: Outbreaks of reportable communicable diseases.
- G.S. 130A-144: Local Health Directors or State Health Director may demand medical records pertaining to the diagnosis, treatment, or prevention of communicable disease.
Laws requiring disclosure of info.
List … cont.
- G.S. 51-2: Disclose relevant medical information of minors seeking to marry to court appointed guardian ad litem.
- G.S. 90-21.20: Report wounds/injuries to law enforcement if there appears to be criminal violence involved.
- G.S. 130A-153 and 10A NCAC 41A.0406: Disclosures of immunizations to specific providers, schools, etc.
Laws requiring disclosure of info.
List … cont.
- G.S. 130A-456: Physicians must report occupational injuries on farms and other reportable occupational diseases and illnesses to DHHS.
- G.S. 130A-458: Persons in charge of laboratories that provide diagnostic services must report findings related to reportable occupational diseases and illnesses to DHHS.
Laws requiring disclosure of info.
List … cont.
- G.S. 130A-476(b): Authorizes State Health Director to issue temporary order requiring health care providers to report specifically requested medical information to local health director or State Health Director to investigate a possible bioterrorist incident.
- State and federal auditors of programs such as Medicaid may review patient records under applicable state and federal regulations.
Other exceptions requiring disclosure.
Responding to a court order, subpoena, warrant, & other law enforcement and judicial requests:
Response guidance for LHDs from NC SOG may be found at: http://shopping.netsuite.com/s.nl/c.433425/it.I/id.218/.f?sc=7&category=49
- LHDs may disclose information without a patient’s permission upon receipt of a proper court order, provided only the PHI expressly authorized by the court order is disclosed.
- A subpoena must never be ignored; however, depending on the type of subpoena, automatic disclosure of information is not always appropriate. (Consult the above guidance and local attorney.)
Other exceptions requiring disclosure.
- Health department should have a carefully crafted policy for handling subpoenas, court orders and law enforcement & judicial requests.
- All the above requests should be brought to the attention of the health director immediately.
- Consulting the LHD Attorney about the above types of legal requests prior to disclosing information is a good idea.
Obtaining Consent For TPO
"Consent" as defined by HIPAA means that the client is giving the covered entity permission to use and disclose their protected health information for treatment, payment, and other health care operations.
Obtaining “consent for TPO” is optional under HIPAA and is no longer required by NC law (G.S. 130A-12(3), revised, effective 01/01/12.)
Obtaining Consent For TPO
“Consent”…cont.
It is no longer recommended that local health departments obtain “consent for TPO.”
- Continuing to obtain “consent for TPO” may result in barriers to care in specific circumstances and lost reimbursement if a client refuses to sign the consent for TPO, as the mandated services are still required to be provided.
Verification Requirements
Prior to disclosing requested PHI to a person or entity, the HIPAA Privacy Rule requires covered entities to verify two things:
- the requesting person’s identity (personal identity or as an appropriate designee of a requesting entity).
- the requesting person’s authority to receive the information.
Covered entities must have internal Verification Policies & Procedures and must have trained their staff on the policy/procedure.
Obtaining Permission to Disclose Information (Authorization)
HIPAA Authorization Forms:
- Must contain specific elements.
- Must be used for disclosures outside the realm of TPO.
- Please see the following references:
IOG: http://www.sog.unc.edu/node/818
DPH: http://publichealth.nc.gov/lhd/ (See “Problem Oriented Health Record” topic and select DHHS Form 4056.)
Obtaining Permission for Treatment
"Consent for Treatment"
- Obtaining informed consent to treat a patient is an entirely different legal obligation as opposed to obtaining “consent for TPO,” which is not a legal obligation.
- “Consent for Treatment” means that the client is giving permission to the health care provider to provide medical care and treatment to the client. (G.S. 90-21.13)
- Obtaining “consent for TPO,” which is no longer recommended, means the client is giving the covered entity permission to use and disclose their PHI for treatment and payment activities as well as health care operations.
Health departments still need informed consent to treat a patient.
Obtaining Permission for Treatment
GS 90-21.13: Informed consent to healthcare or procedure.
Valid consent means that a reasonable person under all the surrounding circumstances would be:
- mentally and physically competent to give consent.
- able to understand the implications, risks and hazards of the treatment or procedure.
- consenting voluntarily to the treatment or procedure, without coercion from the requestor.
Documenting Disclosures
When information is disclosed with client’s consent (via HIPAA compliant authorization):
- Put copy of signed authorization in client’s record.
- HIPAA requires that the client be given a copy of the signed authorization.
- Make a note in the record when the information is actually released.
Disclosures made with the client’s authorization are not required to be included in the Accounting of Disclosures.
(The client has the right to ask for an accounting of disclosures. See http://www.sog.unc.edu/node/818 for guidance on accounting of disclosure requirements.)
Documenting Disclosures
When information is disclosed without permission when meeting a legal requirement to disclose, documentation in the client’s record should include:
- the date and the fact of its disclosure,
- to whom it was disclosed,
- why it was disclosed,
- the name of the staff member that disclosed the information,
- the signature/initials of the staff member recording the documentation in the record.
Disclosures made without client authorization are required to be included in the Accounting of Disclosures.
Questions
- Now a few minutes for questions.