Confidentiality and Modern Technology
(Excerpt from 2006 Edition of Confidentiality And Communication, A Guide to the Federal Drug & Alcohol Confidentiality Law and HIPAA by Legal Action Center)
The technology explosion has changed the way most people do business. Programs must now preserve the confidentiality of patient records using systems that electronically transfer information.
How can programs take advantage of time-saving and portable equipment, such as desk and laptop computers and cellular telephones, without violating confidentiality? How can programs respond to the increased use of electronic data collection and transfer systems to evaluate service needs and utilization and to pay for services? The following offers answers to some common questions about confidentiality in the electronic age.
(a) Computers and electronic transfer of information
(1) Computers
In the days when records were exclusively on paper, their location was more knowable and securable. A paper file exists in a specific place and can be locked in a file drawer. Now, that same patient record can be kept on the hard drive of a desktop computer that may be linked via a network to other computers in a clinic or even to an employee's home. It can also be faxed or copied onto a disc and carried from one location to another.
The original intent behind passing HIPAA was to address the growing need to control and protect health-related information as the health care industry became more dependent on electronic means to share and communicate such sensitive information. To this end, HIPAA contains two parts: the privacy standards, which govern the use and disclosure of protected health information (discussed throughout this book), and the electronic security standards, which require covered entities to implement a series of technical electronic measures, such as data code sets, access restrictions and electronic signature standards, to control access to, and the dissemination and content of, protected health information that is electronically stored and transmitted. The security standards are contained in 45 C.F.R. Parts 142 and 162. A detailed discussion of the security provisions is beyond the scope of this book, but programs should consult with their technical consultants and computer support staff to assure that the requisite risk assessments are performed and the appropriate electronic security measures are put in place.
Although 42 C.F.R. Part 2 predates the widespread use of computers, its basic principles guiding the collection, storage and disclosure of patient records apply regardless of electronic or paper format. The ease of collecting and transferring information makes the protection against the widespread disclosure of personal alcohol and drug information more important than ever. The potential for wrongful disclosure of confidential information has expanded right along with the enhanced capability of computers to disseminate information. Thus, the fundamental principles remain that a program may not disclose patient-identifying information without patient consent, or unless the disclosure meets one of the exceptions to the consent requirement.
* Access to electronic files
The use of networks and discs increases the number of people who may have access to patient records at their fingertips. For example, a hospital might computerize all patient records, running the risk that patient information would be accessible to all hospital staff. Such unfettered access to patient-identifying information would clearly violate both HIPAA and 42 C.F.R. Part 2. Even in a free-standing drug and alcohol program, making electronic patient files accessible to anyone other than those who need the information in order to provide treatment and prevention services would violate both laws.
The solution is to create a parallel system to the locked file cabinet by using computer file security. In fact, HIPAA requires covered entities to control access to patient information through both the security standards mentioned above, and through the "minimum necessary" standard which requires programs to identify members of the workforce who need access to protected health information to carry out their duties, the categories of information to which staff needs access and any conditions to their access.
* National Health Information System
An Executive Order issued in 2004 calls for the development and adoption of an interoperable electronic health record (EHR) within 10 years. The goals of the National Health Information Network (NHIN) are to interconnect physicians, personalize care for consumers and improve public health.
As this book is going to print, a number of outstanding issues related to the confidentiality of the health care records contained in the NHIN have not been resolved. It is unclear if participation in the NHIN will be voluntary or mandatory, if the system will be designed to allow providers to block access to certain types of personal health information protected by State or Federal law, and if entities other than health care providers, such as the criminal justice and welfare system, will have access to information contained in the NHIN.
Privacy considerations implicated under HIPAA
HIPAA permits health care providers to share personal health information (PHI) for treatment purposes without first obtaining patient consent. It does not allow for the sharing of PHI to entities other than health care providers without consent. HIPAA also requires providers to follow State laws that relate to health privacy and provide protections that are "more stringent" than HIPAA. 45 C.F.R. § 160.203(b). Many States have such laws, particularly to protect sensitive information such as that which is related to one's HIV status, other sexually transmitted diseases or mental health. Because there is no indication at this time that participation in the NHIN would be voluntary, and because there does not appear to be any mechanism to block access to certain sensitive personal health information, providers who exchange information that is protected by a more stringent State law would violate both HIPAA and the State law. To remedy this conflict, we believe that participation in the NHIN should be voluntary, not mandatory, and that the system should be designed to allow providers to block access to certain types of PHI protected by State or Federal law. But those are our views and will not necessarily be what the law provides.
Privacy considerations implicated under 42 C.F.R. Part 2
While HIPAA allows disclosure of information for treatment purposes, 42 C.F.R. Part 2 does not permit such a disclosure unless a patient first provides a voluntary, written consent. Before a treating professional who is covered under 42 C.F.R. Part 2 can make a disclosure of PHI - even if it is to another health care provider, let alone to other entities such as the criminal justice or welfare systems - the patient must sign a consent form, utilizing the specific and detailed consent form required by 42 C.F.R. Part 2, section 2.31. Consequently, alcohol and drug treatment programs should not be required to participate in the NHIN, since their compliance would depend upon each patient agreeing to sign a consent form, unless there is an exception for the records of patients who refuse to consent. Otherwise, if any patient decided not to sign the consent form, which is certainly within the patient's rights, the program could not comply with both 42 C.F.R. Part 2 and the NHIN. But again, those are the views of the Legal Action Center and not necessarily what will occur.
* E-Prescribing
When it comes to e-prescribing (sending prescriptions electronically to pharmacies), as with other aspects of care, treatment of people for alcohol and drug problems raises many specific and sometimes difficult issues that warrant special attention. E-prescribing has the potential to improve the delivery of health care and enhance the safe use of medications. However, the confidentiality implications - and how best to address them - require serious consideration before this new technology is put into place.
HIPAA allows most if not all of the disclosures necessary to implement e-prescribing without the patient's written consent since the disclosures are for the purposes of providing medical treatments and payment. However, 42 C.F.R. Part 2 requires written patient consent before these disclosures can be made. Before a treating professional who is covered under 42 C.F.R. Part 2 can make a disclosure to a pharmacy - by e-mail or otherwise - the patient must sign a specific and detailed consent form required by 42 C.F.R. Part 2, section 2.31.
After a patient has signed such a consent, the treating professional can then make the disclosure but must also transmit the notice prohibiting redisclosure required by section 2.32 of the regulations. Any redisclosures made by the pharmacy or others who receive confidential information pursuant to this consent form, such as to an insurer, must also be authorized by a signed consent form.
Initial disclosures and subsequent redisclosures can be authorized by the same consent form as long as all the required elements authorizing each disclosure are contained in the signed form. These rules apply not just to disclosures relating to the transmission of an e-prescription, but also to any other disclosures between the treatment physician and the pharmacist that may be necessary, such as discussion of medical history or other factors pertinent to the prescription.
In addition to addressing security issues, software and other technology for e-prescribing must contain and comply with the requisite consent forms, notices prohibiting disclosure, and redisclosure limitations required by 42 C.F.R. Part 2.
* Laptops
Some programs have asked whether staff should be allowed to travel with laptop computers, which contain patient files or permit e-mail access to patient files through remote computers. The answer is that it is permissible as long as all of the HIPAA electronic security requirements are met and the files are secured to protect patient-identifying information from disclosure. Care should also be taken to secure the computer and to restrict access to files on it. Thus, the person using the computer should not work on patient-identifying files in a public area, such as an airport waiting area, if that could lead to an inadvertent disclosure. Similarly, access to the laptop should be limited to the staff person for work purposes.
* Email
Before sending patient information by email, programs must assure their network and computer systems are in full compliance with HIPAA's electronic security standards. Practically speaking, programs must take extreme caution when sending patient information electronically. Typing an incorrect email address could instantly put confidential information on the computer screens of unauthorized people.
Where possible, programs should omit patient-identifying information from email by using initials or other codes. Again, in many circumstances HIPAA requires covered entities to use certain transaction codes, data code sets and encryption techniques.
(2) Mobile telephones
Mobile telephones present some new challenges to programs. Before the use of mobile telephones, conversations about confidential matters could take place in rooms or booths where some degree of privacy could be achieved. With mobile telephones, conversations about confidential matters can take place anywhere and be overheard by anyone. Although neither HIPAA nor 42 C.F.R. Part 2 specifically addresses the use of mobile telephones, a mixture of common sense and restraint will satisfy conversation about a patient in an area where there is an obvious risk of being overheard, like in a public gathering or aboard public transportation.
Some programs have also limited staff use of mobile telephones to discuss patients because there have been occasions where such conversations are inadvertently overheard on another mobile telephone. If this is a persistent problem in a particular area, limitations should be imposed.
(3) Voice mail
Voice mail systems have also raised concerns among providers. The primary concern within a program is that messages are recorded and stored on a central system. When a program itself uses a voice mail system for messages, the rule governing all internal program communications should guide how those telephone messages are stored. (See pages 201-202.) That is, only those who need the information to provide alcohol or drug services should have access to another person's voice mail messages. The information on voice mail should be given the same security as messages on paper.
Programs have also asked whether they should leave patient-identifying information on voice mail systems they are calling. The answer will depend on where they call and who has access to the voice mail. If the voice mail is addressed to an individual, the patient-identifying information can probably be left. However, program staff should be cautious about leaving such information on a voice mail system when they do not know or are not satisfied about the degree of confidentiality provided. (See pages 208-210, on contacting patients at home.)
(4) Facsimile Machines
Facsimile machines add convenience and speed to communications. But can a program release information on the basis of a consent form sent by facsimile? And is there a danger that information about a patient that is faxed by a program will end up in the wrong place?
Neither HIPAA nor 42 C.F.R. Part 2 requires programs to have a patient's "original" signed consent form in their possession to make disclosures. As long as the program acts with reasonable caution, it may accept a facsimile or a photocopy of a consent form. The key concern when faxing patient-identifying records is to know whether the facsimile will be received in a confidential manner. It makes sense for a program to find out where a receiving facsimile machine is located and who has access to it. For example, is the machine located in a private office where access is limited, or is it in a busy common area where documents might easily be retrieved by unauthorized persons? To reduce the possibility of the facsimile being retrieved by the wrong person, the program could ask the recipient to stand by the machine and wait for it. The program may also wish to first fax the third party a "test sheet" and (only if that works) then fax the required information. Alternatively, the program should confirm the facsimile number and dial very carefully.
Finally, faxed records containing patient-identifying information must always be accompanied by the notice prohibiting redisclosure (see pages 35-36).
(5) Telemedicine
Telemedicine is a new approach whereby, with the help of telecommunications, people receive health care without being in the same room as their health care provider. It typically occurs in rural areas where people do not have access to a full array of providers. A patient can enter the office of one provider, who hooks up via telecommunications with one or more other providers. The provider(s) and patient can communicate via any combination of computer, telephone and video.
Naturally, telemedicine poses new challenges for maintaining confidentiality because, among other things, several providers may be involved, at different sites, with persons listening to or viewing the telemedicine session unbeknownst to the patient. In addition, communications could be intercepted or redisclosed to unauthorized persons.
The same confidentiality principles apply to telemedicine as to in-person treatment. Moreover, if protected health information is being transmitted or stored electronically then the HIPAA electronic security standards will need to be implemented. Special care must be taken to ensure that records are available only to authorized personnel and that sessions (individual or group) with alcohol or drug patients are not witnessed by unauthorized persons. Most telemedicine sessions that involve the disclosure of alcohol or drug information will require a consent form to be in place. The consent must list all parties participating in the telemedicine conference, including technical support individuals operating the video cameras or other equipment, and of course all are prohibited from making redisclosures without authorization. Provisions also must be made to ensure the security of the tapes after the conference is completed.
(b) Centralized data banks
States are increasingly interested in collecting patient-identifying information from alcohol and drug programs they fund or regulate, to match consumers with needed services, track patients as they move through the state's network of treatment and other services, and conduct research, evaluate services, monitor service delivery and utilization, or engage in health planning.
The computerization of data is particularly helpful in these efforts because each relies on the collection and analysis of large amounts of data to compare outcomes or track activities of programs or patients over time. The fact that technology eases the gathering or analysis of computerized data from treatment programs, however, does not change the need to comply with the requirements of both HIPAA and 42 C.F.R. Part 2.
How may states collect and use patient-identifying information for these purposes?
(1) Consent
Written patient consent is the easiest and most direct method of authorizing the establishment of a computerized data bank for evaluation, health planning, or monitoring service utilization. A single consent form can authorize the recipient of patient-identifying information to redisclose the information to third parties. For example, a state alcohol and drug agency's centralized intake unit takes referrals of applicants for treatment from a variety of programs and wants to match those applicants with available treatment slots. The consent form can authorize information about the applicant to be disclosed by the referring program to the central intake unit, and then redisclosed by the central unit to another program participating in this "matching" initiative.
Similarly, a state may want to see whether and how many patients in alcohol or drug treatment are also receiving state-regulated mental health services or welfare. To get an accurate count, the state may want to match identifying information about the alcohol and drug patients with those served in the other systems. The state could obtain written consent from patients allowing disclosure of their treatment status for the limited purpose of comparing that information to lists of those receiving mental health services or welfare.
Of course, where a state agency relies on consent for generating a data bank, it should remember that consents can be revoked at will and patient-identifying information must be deleted from the data bank upon revocation.
(2) Research
Both HIPAA and 42 C.F.R. Part 2 permit a program to disclose patient-identifying information to qualified researchers but only if certain safeguards are put in place. HIPAA requires covered entities to obtain patient consent or a waiver approved by either an IRB or privacy board and requires any covered entity that conducts certain electronic "covered transactions" to have the appropriate electronic security standards and safeguards in place.
Under 42 C.F.R. Part 2 researchers may not redisclose patient-identifying information except back to the program that provided it. A researcher who needs to redisclose patient-identifying information, for example, to other agencies to evaluate utilization patterns would have to obtain each patient's written consent to do so. Absent consent, the research entity would have to conduct the cross referencing itself, without disclosing any patient-identifying information. For example, the researcher could obtain the databases from the other agencies, cross check the names, and then return the databases.
HIPAA also permits the program to release the information as part of a limited data set, as long as all pieces of identifying information are removed in accordance with the regulations and the requisite agreement is in place.
(3) Audits and evaluations
Government funders or regulators and private agencies may obtain patient-identifying information without consent to conduct an audit or evaluation. (See pages 75-76.) If information is transferred electronically to an outside agency conducting an audit or evaluation, the HIPAA electronic security standards must be in place and 42 C.F.R. Part 2's provisions governing the copying or removal of records apply. This means that the entity performing the audit or evaluation must agree in writing to (1) maintain the security of patient-identifying information as required under HIPAA and 42 C.F.R. Part 2, and (2) destroy all patient-identifying information upon completion of the audit or evaluation. Once again, adequate electronic security safeguards should be set out in the written agreement and implemented before any audit or evaluation begins.
In addition, patient-identifying information obtained for the purpose of conducting an audit or evaluation may be used only to carry out that audit or evaluation (or to investigate or prosecute a program as authorized by a proper court order), and it may be redisclosed only back to the program from which it was obtained. Any computerized information must, therefore, be segregated from agency, with access limited to those authorized to use it to carry out the audit or evaluation. If the agency conducting the audit needs to share the information with other state agencies for purposes of comparing databases, it would need patient consent or a court order.
Finally, the requirement that patient-identifying information be destroyed once an audit or evaluation is completed also has repercussions for data collected and stored electronically. Patient-identifying data on computer hard drives, back-up files, and discs must be deleted or otherwise destroyed at the end of the audit or evaluation.