All righty, all y'all people who are brave, we are back to round two. So we're gonna continue to review the HIPAA and HITECH regulations as they pertain to maintaining confidentiality and security of PHI. So again, remember that HIPAA indicates which situations information may, it doesn't have to be, may be disclosed under HIPAA. However, many agencies and providers are bound by other regulations such as 42 CFR Part 2 as well as state regulations. So this is, it's kind of like ethical and ethics. You know, legal is the bare minimum. HIPAA is kind of your bare minimum standards for confidentiality and accessibility. Your state may have something that is even more stringent in terms of what you can and can't release and how it has to be done. Again, I'm not a lawyer, so seek guidance from a qualified legal professional regarding implementation of HIPAA and confidentiality requirements. And we're gonna continue with the highlights from the HIPAA code. A covered entity, that's us, may use or disclose protected health information for public health activities and purposes described in this paragraph two. So if we have information about a client, we can give it to a public health authority that's authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. So like the CDC or the Department of Health and Human Services in certain circumstances will collect de-identified client information. So they will get, for example, a number of how many clients did you have come through your facility in the past year that were suffering from major depressive disorder? And that is something that we may use. It is de-identified, so we're not releasing anything that can be traced back to the person and as a public health authority. Now, if we're dealing with somebody, something like a communicable disease and you have to report that to your local health department, that's not gonna be de-identified. 
So because they're gonna try to figure out the vector and all that kind of stuff. Now, that doesn't mean you can tell everybody that they've been associated with, but you may be required to report to your public health department. It's important to know if your mental health, this doesn't come up near as much, but it is important to know whether you're required to report cases of different sexually transmitted diseases, HIV, hepatitis, and anything else that you may be required to report. And I'm not saying your agency requires that. I'm just saying those are the things that may be required by your public health department to be reported. You can release information, disclose information to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect, our mandatory reporting statutes. That would include in most states as well, elder abuse or neglect. Make sure that that applies in your state. A person subject to the jurisdiction of the Food and Drug Administration with respect to an FDA regulated product or activity to collect or report adverse events or to track FDA regulated products and enable product recalls. If your client is on certain psychotropic medications and is having a bad reaction, then they will, we want to encourage them to let their physician know, and their physician is the one that's generally gonna make this FDA report. I've never been in a situation where I've had to make an FDA report, but the prescribing physician may. A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition. Now, in some states, not all, in some states it's a felony to disclose this information. In some states, if you know that, for example, John Smith has a communicable disease and he is endangering his significant other by contact or whatever. 
In some states, and I know I've emphasized that enough, you may be allowed to breach confidentiality and let that person know, duty to warn, but in other states, it's a felony to do so. So the covered entity or public health authority who notifies someone who may be at risk of contracting or spreading a disease must be authorized by law to notify such a person. So that's one of those really sticky wickets. You may disclose PHI to an employer about an individual who is a member of the workforce of the employer if you are working for Acme products 101 and they happen to have the money to be able to have a clinician on staff or they have hired you to be the staff psychologist. You know, that's wonderful, that's great, but you may have the ability to disclose PHI and or they may try to get you to disclose PHI. If you provide healthcare or mental healthcare to the individual at the request of the employer to conduct an evaluation related to medical surveillance of the workplace, injury or illness rates, workplace safety and enhancement. Now, for example, in law enforcement, it's not uncommon to have a mental health clinician on staff and that mental health clinician is trying to help prevent stress, PTSD, all that kind of stuff. So potentially we might fall under this and or to evaluate whether the individual has a work related injury. So if someone is claiming that they've got post-traumatic stress or the environment was so stressful that they've become clinically depressed and they go to the clinician who's employed by the employer, the employee clinician may be able to release information, PHI to the employer about that employee. The PHI disclosed must only consist of findings concerning a work related illness or an injury or a workplace related medical surveillance and the employer must need such findings in order to comply with his obligations under the law. 
So you can't just randomly tell a clinician who's employed at your facility, you need to tell me everything Jane says to you about what's going on at work, that ain't gonna work. There needs to be a reason that the employer has to have this information. And the covered healthcare provider provides written notice to the individual that their protected health information relating to the medical surveillance of workplace and work related illnesses and injuries may be disclosed. That has to be provided at the time the care is provided, not afterwards, but before you start having that conversation: just so you know, what we talk about here could potentially be, I could potentially have to reveal some of that. In many circumstances, I've known employees to go outside of the agency even if they could get free mental healthcare at the agency for this reason. Now, again, there has to be a reason the employer needs that information such as, you know, dealing with a worker's compensation or something like that. But if you're in a position where you are employed by an agency and basically they're kind of your client, it's important to let any of your actual clients know ahead of time what the limits of confidentiality are. And it has to be provided in writing. And it doesn't have to be a written handout. You can have it posted on the wall, but you need to make sure that they saw it. We may disclose PHI about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority authorized by law to receive such reports. So our mandatory reporting thing again, to the extent the disclosure is required by law and it complies with and is limited to the relevant requirements of such a law. So if you have Jane Smith in session with you and she's a victim of domestic violence and her significant other, you know, obviously he's a batterer, but he's also selling cocaine and using drugs and violating his probation. 
The agency to which you're reporting the domestic violence doesn't need, I mean, you might really want to tell them all the other stuff, but they don't need that information that he's selling drugs. That's relatively irrelevant to the abuse that's going on. So we need to be careful and only disclose what we have to in order to help protect Jane Doe. If the individual agrees to the disclosure or if it is required by statute, when I do mandatory reportings, in an instance where I don't, most of the time when I do mandatory reportings for domestic violence or whatever, I encourage the person to do the report themselves while they're in my office. And I get the name of the operator that receives it and the case number and all that kind of stuff. So I have it for the chart, but I want to empower them to do what they need to do. Now, if they won't, you know, at the beginning of treatment, we had this discussion about the limits of confidentiality. So I notify them that I'm going to have to make this call or make this report. You know, ethically and legally, it's kind of what we have to do. If the individual's unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the information which is sought is not intended to be used against the individual. For example, and there are very few cases of this except for the identified one here that I could ever think of, but where an individual would be incapacitated, we'd have to give them information and that information could potentially be used against them. But one circumstance would be if you have a client show up under the influence of illicit substances. You know, maybe they took a hit of what they thought was oxy before they came in and it turns out it was laced with fentanyl and they pass out, you have to call EMS. 
Well, if you have an idea, maybe they admitted to you that they were using opiates, then we need to know that the information we're giving law enforcement or EMS, it's not going to be used against them, but it's going to be used to save their life. And that immediate enforcement activity that depends upon the disclosure would be material and adversely affected by waiting until the individual is able to agree to the disclosure. For again, the need for Narcan. If the person has overdosed on opiates and you suspect that it is an opiate overdose, then telling EMS as soon as they get there so they can administer it obviously is preferable than waiting till maybe they wake the person up and they can give consent. If it's needed to give appropriate medical treatment, the person is non-responsive or not able to give the information they need to EMS, then we can give the limited amount of information necessary. The other time where this can be called into play is if you have a wellbeing check. You have a client who either said they were suicidal or hasn't shown up for the last three sessions and you really truly believe that there may be a problem and you believe it meets the standard of sending law enforcement out to do a wellbeing check. Waiting for the person to show up in your office to disclose or to answer the phone may be waiting too long, especially if they were suicidal. So there are certain circumstances where you can articulate your need to release limited health information in order to protect the individual. Obviously, if you're having somebody do a wellbeing check, law enforcement's gonna be like, why? And so you'll need to articulate enough information so they know where the person lives, what their name is, what they look like and why you think that they are in imminent danger. A covered entity that makes a disclosure permitted by the previous section must promptly inform the individual that a report has been or will be made, except: 
If, in the exercise of your judgment, you believe informing the individual would place them at risk of serious harm. If you're on the phone with somebody and they are suicidal, I've had clients call the clinic and their current clients, past clients, whatever, were able to get the information about where they are or we know where they live. In some instances, telling them ahead of time that law enforcement or EMS is on the way, you may be able to articulate the fact that if you would have told them that, they would have hung up and either killed themselves right then or fled the scene. So sometimes you need to wait and not do it as promptly in order to protect the safety of that person, but you need to be able to articulate why you didn't tell them that you were breaching confidentiality. The covered entity would be informing a personal representative. So you're not informing the client themselves, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect or other injury and that informing such person would not be in the best interest of the individual. So if you've got a child patient who you believe is abused and you need to make an abuse report, promptly calling the parent and going, well, little Johnny told me that you've been abusing him and I made a report to the authorities, you can see where that would be really bad. So sometimes there are going to be exceptions to notifying the signer, if you will, on the release of information. Most of this is common sense 101, but just kind of going with this, knowing that HIPAA actually does protect you in certain circumstances when you're releasing information without a consent. 
We may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative or criminal proceedings or actions; or other activities necessary for appropriate oversight of the healthcare system. This happens sometimes if your agency accepts Medicare, Medicaid and even sometimes private insurance, but I see it more if an oversight agency comes in looking for instances of Medicare or Medicaid fraud. Government benefit programs for which health information is relevant to beneficiary eligibility, such as disability insurance. Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards. I couldn't think of any examples for this one. An entity subject to civil rights laws for which health information is necessary for determining compliance. Examples of this, and I'm not sure if we were held for the, would have been held up for civil rights laws, but if you receive funding from the federal government and someone makes a complaint against you claiming that their civil rights have been violated, then you may need to use and disclose that information to defend the agency, and it may be subpoenaed and you may have to reveal some of it. So there are exceptions which again, most people are gonna be pretty obvious that yeah, this is something we gotta do, but you are backed up. You may disclose PHI in the course of any judicial or administrative proceeding in response to a court order or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by such an order. So again, if you get a court order for the client's records, we need more information. What exactly are we disclosing? 
And most of the time, if it is, and again this is a legal question, my experience has been when we've gotten a vague court order for client records that included everything but progress notes. So your monthly reviews, your treatment plan, your assessment, even drug tests, but not progress notes. Now that is my experience in one state. So I'm not telling you that's what's there, but you do wanna have as much articulation about what they need to not give them any more than needed. You can also release it in response to a subpoena, discovery request or other lawful process that's not accompanied by a court order if, now this again gets into very uncomfortable territory for a lot of clinicians, the covered entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to ensure the individual who is the subject of the PHI has been given notice of the request. So if an attorney contacts you and they say we have done everything we can to try to reach John Smith to get the information that we need and get a release signed. But we haven't been able to and the court needs it for some unknown reason or known at that point. Then theoretically it could be released. The covered entity received satisfactory assurance as described from the party seeking the information that reasonable efforts have been made to secure a qualified protective order. So a qualified release of information and they've done their best to like actually access the person. A covered entity receives satisfactory assurances from the party seeking PHI. This is what the other agency has to do. If there's no release, if you don't have a release signed, whoever's wanting this information needs to have a written statement demonstrating that they tried in good faith to provide written notice to the individual. 
The notice included sufficient information about the case in which the PHI is requested (and the stuff in brackets I paraphrased) and is requested to permit the individual to object. So, thinking legal proceedings, if there's a civil case for child custody, for example, and there isn't a release of information, the opposing counsel's attorney hasn't been able to get in touch with the person. They have sent them written information and given them opportunity to object to their PHI being released in this case. And the time for the individual to raise objections has elapsed and no objections were filed or all objections filed have been resolved. So, they have to give them a reasonable amount of time. They send the letter asking for a release, give them a reasonable amount of time, whatever that attorney deems and or your attorney deems is reasonable. They have a period to object and either they don't or any objections they have are resolved, and then we can release the information. So, there's a big process before we can release it without a signed release of information. If there's a crime on the premises, you may disclose information to law enforcement, PHI that you believe in good faith constitutes evidence of criminal conduct that occurred on the premises. If somebody's selling drugs on your facility and you call law enforcement on them and the person selling drugs is one of your clients, if you know their name, their address, you're not gonna give them their life history, but you are authorized to give the law enforcement enough information so they can pursue the case against that individual. Violence, rape, assault and theft are three other instances where this may come up. This one, well, I've got personal stories for this one too: a covered entity may disclose to a correctional institution or law enforcement official having lawful custody of an inmate or other individual, PHI about the person. 
If the correctional institution or such law enforcement official represents that such PHI is necessary for provision of healthcare to the individual. Okay, so you've got a situation where you've got a client who is either getting picked up and going to jail and the law enforcement officer is like, what do we need to know? Or you've got a client who's in a residential facility, and we've had this happen. Law enforcement comes, arrests them, but they have medications they have to be on. So we had to go to the nurses station, get the medications and all the information that law enforcement needed in order to maintain continuity of care for that person while they were in the correctional facility. So sometimes it's not just calling the jail and letting them know. The health and safety of the individual, other inmates or law enforcement officers on the premises. And this is where my story comes in. One place that I worked and, you know, I love the facility, but the jail in that county deemed it appropriate to discontinue any psychotropic medications for any inmates. And if that inmate, once the medications were discontinued, then became ungovernable, then they might consider putting the inmate back on psychotropic medication. So they arrested them, destabilized them, and then only if that person became a danger to themselves or others were they actually put back on medication. Grinds my gears. But so it's important that as clinicians, we be able to articulate why it is vital that this person stay on the medication that they're on. And for this particular jail, it wasn't that they didn't have medical staff on premises, it's that they didn't wanna pay for the medication. And I know for a fact that that's what it came down to. Health and safety of the officers or employees or others at the correctional facility. This likely does not include HIV status or progress notes. 
Again, consult your state regulations about, if you've got a client that is arrested from your facility and goes to a correctional institution, are you required or are you even allowed to tell the receiving facility that this client is HIV positive? Most likely not. Most correctional facilities use protocols and they assume or act as if everyone has a blood-borne disease and take great precautions at that point in time. Administration and the maintenance of the safety, security and good order of the correctional institution. And this goes back to why we need to sometimes give a little more information than we might in order to make sure that clients are maintained on their meds while they are in custody. The covered entity must provide the access requested by individuals if a client wants access to their own record within 30 days. So you can drag your feet for a little while. And this used to be a big issue when we had paper records because we'd have clients who had been with us on and off for seven, 10, 12 years. And some of their records would be in storage. So we would have to go to storage and it would be something that we couldn't just produce in 24 hours. With electronic health records, that's not so much the case anymore. But there are procedures that every agency has to follow in terms of making sure that the client gets access to their records in a way that's safe and non-harmful. The covered entity may provide the individual with the summary of the PHI in lieu of providing access to the actual chart or may provide an explanation of the PHI to which access has been provided. If the individual agrees in advance to a summary or explanation and if the individual agrees in advance to the fees imposed. So if you're gonna have a clinician write a summary of this client's chart, it's gonna take time. And most agencies will charge for that time. Now you can charge for that time. However, if the individual does not agree to a summary, then you can't provide it. 
You need to actually provide the PHI. The individual's request must be in writing, signed by him, and clearly identify the designated person and where to send a copy of the protected health information. So a lot of times they're not gonna review it in your office. We usually encourage people to review their chart at our office and we would go through it with them and talk to them about it. And depending on your state, they may or may not have had access to progress notes. What I always tell my clinicians, and I practice myself, is I always assume every note I write, the client is going to read. So I stick to objective facts and I make sure that what I'm putting in there is accurate, obviously, and is as non-harmful as possible. If the client relapses, I'm gonna put that in there, or if something else happens, I may have to put that in there. But if it's something that they may find offensive or hurtful, that generally is something that's subjective, not objective. Fees: the covered entity may impose a reasonable cost-based fee, provided that the fee includes only the cost of labor, supplies, postage, and if you're doing an explanation or summary of the PHI, only the cost of the person's time preparing it. Individuals have the right, somewhat, to have a covered entity amend protected health information or a record about them in a designated record set as long as the PHI is maintained. Most agencies maintain their PHI for seven years from the last date of contact. So that's a pretty long time, but people can come back six years and 11 months later and go, you know what? I wanna have this taken out of my record because I don't think it's accurate. A covered entity may deny an individual's request for amendment if it determines that the PHI or record that is the subject of the request was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment. 
So basically, if you've inherited a case load from somebody and that person is no longer in practice, or a smaller agency got bought out by a larger agency, potentially you could deny access to certain PHI. I think that would, I personally think, this is not a legal statement, but I think that would probably get pretty sticky. It is not part of the designated record set. So if they come to you and you're part of a, one of those community mental health or community health systems that now has integrated care. So they have mental health care and physical, you know, physical health, you can potentially give access to the mental health care record because that's your record set, is the mental health care, but not necessarily the physical health care record set. They would have to request that from that other department. If it would not be available for inspection for some reason, and you can go look at it, but generally it's always available for inspection or, and I find this one a little bit troubling ethically, if the agency determines the record is accurate and complete. So, you know, sometimes clients disagree with a therapist's interpretation or take on events or what happened, but according to HIPAA, an agency may deny an individual's request for amendment if it's accurate and complete. In agencies I've worked for before, what we've done is allowed the person to review their protected health information; if they think they need to make an amendment, they submit the amendment, it's reviewed by the team, and then if they decide not to amend the record, the record stays as is, but the person's request for amendment was added to the record. So there was documentation that the person did request to have it amended. Now, that's how it's been handled in agencies that I've worked at. Your agency may have a different policy. If your agency or you as the clinician grant the requested amendment in whole or in part, you must take the action. 
So if you agree to let the person amend protected health information, which is what we were doing, if we didn't want to amend the actual record, you know, we thought the notes were accurate and complete, then putting their restatement in there, it is amending the record, it is adding a different point of view. If the covered entity denies the required amendment or the requested amendment in whole or in part, it must provide the individual with a written denial. Accounting of disclosures. Now, this one is kind of interesting. A lot of people misunderstand it and think they need to do more work than they do. HIPAA is a lot of work. But in this particular instance, in order, whenever you have to account for disclosures, it is because it's something out of the ordinary. If you are making a disclosure to the individual for the purposes of continuity of care, as required by statute, or if the person has signed a release of information that is complete and yada yada, you don't have to keep a record of the disclosure. If for some reason maybe the person was suicidal and you did a well-being check, you didn't have a signed release of information for that, well, in that case, you're going to make an accounting of the disclosure, identifying who you disclosed information to, what you disclosed, what information you disclosed, and why you disclosed it. And the person can request for the duration of the maintenance of the record to see any disclosures that you make. The accounting must also include the date of the disclosure and a brief statement about the purpose. So HIPAA and HITECH impact every aspect of handling client information, verbal, written, and electronic. 
So we talked a lot about electronic today and securing your computer, and I think you'll probably be even more aware, maybe creeped out when you're searching the internet and you see how targeted these ads are that they're serving you and how much data they're collecting that you don't even really kind of recognize that they're collecting. But that also gives you pause about what kind of walls and security do you have so they can't see any client information on your computer. There are many reasons for disclosure of PHI that are exempted from requiring a written authorization, including crime, incapacity. Now if they're incapacitated, it's a limited release of information just enough to keep them safe. Court order and mandatory reporting. Information transmitted on the internet must be encrypted point to point. And again, remember from part one, your ISP is not a business associate. You don't have to have a signed business associate agreement with them, but you do with your email provider, you do with your billing services person or agency if you're using an outside billing agency. Any sort of outside agency that you contract with that will have any access to PHI is going to be considered a business associate. You need to maintain a record of the business associate agreement. And when you get it, note what date it was signed and if there's an expiration date on it. You know how with, well, Microsoft is notorious for it. Adobe and other places regularly update their terms of service or their whatever and you have to agree to it before you can use their program. The same thing is true when your electronic health record does updates. You need to make sure that your business associate agreement is still in effect. If it is able to be accessed by someone other than the attendant, it's a violation of security. So again, if you're sitting down at an unmanned desk, you can open up a computer and access client records. 
I have been given laptops before at agencies I've worked at or places that I've worked that still had client information and it wasn't wiped, it wasn't encrypted, it wasn't anything. It was still all there from the last clinician and these were not current active clients. Major HIPAA mojo. There are a lot of other things with client information that you need to be careful with. Unauthorized personnel accessing records, either electronic or physical. So how do you throw away your records? If you have something written, even if it's not a client chart or a note, sometimes you may answer a phone call and jot something down on a pad of paper. Do you ball it up and throw it away or do you shred it? If it's got the client name on it other than like a first name, you might consider shredding it. So making sure that however your records are disposed of, they're done so safely. But also making sure that you have access to records when you need them for the entire duration of the period that you're required to maintain them, which again is usually seven years. Make sure you're using an email provider and if you're using a virtual office that you have a business associate agreement with them. Now, if your virtual office, quote unquote, is just a website where it's your name and your telephone number and stuff and clients never put their name in or access you through that website, then that's not really what I'm talking about with a virtual office. What I'm talking about is the virtual offices where you keep your billing, you keep your progress notes, clients sign in and make appointments on their software. In that case, they are very most definitely a business associate and you need to have a signed copy of the business associate agreement. When in doubt, refer to the guidelines and they can be somewhat treacherous. 
A little hint, if you get HIPAA on a document as a PDF, if you do control F on most computers, I don't know what it is on Apple devices, but you can search the document for keywords. So if you're looking for something related to authorization for release of information or some other keyword, you can find the parts of the HIPAA document that actually apply pretty quickly instead of going through the hundreds of pages that HIPAA is. I took notes on it and my abridged note version was 68 pages, so I mean, it's not a small task. Also remember that if you're doing what you need to do in good faith, most of the time, you're going to be closely complying with PHI. The biggest things that people fall short on are if they're using computers, not having it encrypted, not having the written policies for maintaining computer security and how they dispose of information, and not having a disaster awareness plan. Those are the things that you wanna maybe tighten up a little bit. For most people that are in an individual private practice, it's not as huge of a deal because you've got a small hard drive and you're backing up periodically, but where are those backups stored? If you are working for an agency, you probably don't need to worry yourself with that because your agency is handling the disaster backup. But if you're going around the clinic and you see something that is a violation of HIPAA, like an unsecured printer, it's important to point that out to your supervisor or at least consider pointing it out to your supervisor. Some things that can be especially tricky or sticky: talking to parents of un-emancipated minors, talking to law enforcement when they make a request. We would regularly have law enforcement show up at our detox and go, is John Smith here? Or they got smart later and they knew, we know that John Smith is here, bring him to us, even if they didn't know. And maybe John Smith wasn't there, but if they stated it that way, it gave them more ability to demand. 
With regard to reporting communicable diseases, what can you and what do you have to report? Upon receipt of a subpoena in a legal or criminal case, what needs to be in that subpoena to keep you on the right side of HIPAA? And again, like I said, in general, my experience has been if they require the client's records, quote unquote, that does not include psychotherapy notes unless it specifically says the client's records and psychotherapy notes. I have never had an experience where a judge has demanded psychotherapy notes because they do recognize the potential harm that could cause not only to that particular client, but by setting the precedent. And the ability to amend PHI, if you don't have a policy, you need to make sure you have a policy. Alrighty, well, thank you for bearing with me on the HIPAA, HITECH and confidentiality brief review. Like I said, I will be putting together an on-demand class that includes the full text of HIPAA and HITECH and has some notes in it for you to kind of get you through it in case you haven't had that before or you really want to just read all the information for yourself. Based on the length of the document, it'll probably end up being like a 12 to 15 hour course when I get finished with it.