The Nevada Healthcare Provider’s Guide to The HIPAA “Standards for Privacy of Individually Identifiable Health Information”

45 CFR Parts 160 and 164

(including correlation with relevant Nevada law)

Kelly Testolin
Attorney At Law
Hale Lane Peek Dennison and Howard
Offices in Las Vegas, Reno, Carson City
Direct Dial: (775) 327-3060

Rev: 1/2003

TABLE OF CONTENTS

PART ONE: INTRODUCTION

I. Introduction

PART TWO: DEFINITIONS

II. HIPAA Definitions
    A. Protected Health Information
    B. Health Care Provider
    C. Designated Record Sets
    D. Psychotherapy Notes
    E. Complex Entities
    F. Business Associates

III. Other Privacy Law Definitions
    A. General Medical Information
    B. Blood, breath or urine test results
    C. Genetic information
    D. Communicable disease information
    E. Mental health information
    F. Drug and alcohol abuse information

PART THREE: PATIENT RIGHTS

IV. Patient’s Rights/Access

V. Patient’s Rights/Confidential Communications

VI. Patient’s Rights/Privacy Practices Notice

VII. Patient’s Rights/Disclosure Accounting

VIII. Patient’s Rights/Amendment and Correction of PHI

PART FOUR: PERSONAL REPRESENTATIVES

IX. Personal Representatives
    A. Adults/Emancipated Minors
    B. Unemancipated Minors
    C. Unemancipated Minor Consent in Nevada
    D. Abuse/Endangerment Situations

PART FIVE: USES AND DISCLOSURE OF PHI

X. Uses and Disclosures of PHI
    A. General Rule: Authorization Required
    B. Exceptions
    C. Business Associates

XI. The Minimum Necessary Rule

XII. Healthcare Treatment, Payment and Operations (“TPO”) Purposes
    A. Treatment
    B. Payment
    C. Operations
    D. Special Law Considerations in Nevada

XIII. Marketing

XIV. Fundraising

XV. Other Permitted Uses and Disclosures of PHI without Patient Authorization
    A. Public and Governmental Purposes
    B. Coroners and Law Enforcement
    C. Uses and Disclosures to Avert a Serious Threat to Health or Public Safety
    D. Correctional Institutions and Custody

XVI. Permitted Disclosures of PHI with Notice and Opportunity to Object
    A. Facility Directories
    B. To Others Involved in the Patient’s Care or for Notification Purposes
    C. Notification Purposes
    D. Where Patient Is Present
    E. Limited Uses Where the Patient is Not Present

XVII. Special Rule for Incidental Uses and Disclosures

XVIII. All Other Uses and Disclosures

PART SIX: REQUIRED FORMS, POLICIES AND PROCEDURES

XIX. Required Policies and Procedures
    A. Mandated Policies
    B. Implied Policies
    C. Policy Implications of the TPO Exception and “Minimum Necessary Rule”

XX. Required Security Measures

XXI. Authorizations

XXII. Privacy Practice Notices

Exhibits: A, B, C, D, E, F

CCMS 318924

 



PART ONE

INTRODUCTION

 

I. Introduction.

A. The Privacy Standards. The HIPAA “Standards for Privacy of Individually Identifiable Health Information” (“the Privacy Standards”), found at 45 CFR Parts 160 and 164, are effective April 14, 2003. The Privacy Standards establish a comprehensive system of federal law governing medical information confidentiality. This marks a significant departure from historical practice. Except for a limited set of regulations governing the use and disclosure of information regarding alcohol and drug abuse patients, the federal government has not previously regulated medical information confidentiality, leaving the area almost entirely to state governments. This Guide is intended to serve as a resource to Nevada healthcare providers in their efforts to comply with the Privacy Standards.

B. Covered Entities, Guide for Providers. The Privacy Standards govern the use and disclosure of “protected health information” by “covered entities”, including health care providers (“providers”). This guide applies only to providers.

C. The Privacy Standards Are Different. The Privacy Standards go far beyond the scope of any previous confidentiality laws, either state or federal. Some of the more striking differences are mentioned below.

1. The Standards Regulate “Internal Disclosure”. Most providers are accustomed to being careful about disclosing a patient’s medical information to persons outside of the provider’s operations. For example, a hospital is careful when answering a request for patient medical information from an attorney, and a physician’s office requires an authorization before sending a patient’s information to another physician’s office. All providers are accustomed to being careful about such “external disclosure”; that is, when medical information leaves the provider’s operation or the control of the provider’s workforce.

However, the Privacy Standards also regulate “internal disclosure”: the sharing of a patient’s medical information between and among the provider’s employees. For example, if a doctor discusses a patient’s condition and proposed treatment with a nurse, this is an “internal disclosure” of a patient’s medical information under the Privacy Standards and it is regulated by the Privacy Standards. That discussion cannot take place except in circumstances permitted under the Privacy Standards, and it may only be conducted in a manner permitted by the Privacy Standards. Similarly, when the nurse in a physician’s office takes a patient over to the scheduler, and says “Schedule Mrs. Jones for a follow up appointment in three weeks”, that communication is an “internal disclosure” of a patient’s medical information under the Privacy Standards. It is regulated by the Privacy Standards. That discussion cannot take place except in circumstances permitted under the Privacy Standards, and it may only be conducted in a manner permitted by the Privacy Standards. When certain parts of Mrs. Jones’ medical record go to the biller, that involves an “internal disclosure” of a patient’s medical information under the Privacy Standards and it is regulated by the Privacy Standards. That discussion cannot take place except in circumstances permitted under the Privacy Standards, and it may only be conducted in a manner permitted by the Privacy Standards. When a hospital administrator talks to a member of the medical staff about resolving a patient’s grievance, when a surgeon and an internist consult on a patient’s case, when medical records personnel follow up with a physician’s office about documentation in the patient medical record, all of these communications are regulated by the Privacy Standards.

2. The Standards Regulate “Use”. In addition to internal and external disclosure, the Privacy Standards regulate the “use” of a patient’s medical information by providers. When the biller accesses chart information to prepare a bill, when the nurse calls out a patient’s name in the waiting room, when the surgeon’s office writes the patient’s name in the appointment book, when the hospital peer review committee accesses patient data to evaluate the competence of a colleague, any time a provider’s staff accesses and utilizes patient information for any reason, these “uses” of medical information are regulated by the Privacy Standards. A provider may not use a patient’s medical information except in circumstances and in a manner permitted by the Privacy Standards.

3. The Standards Broadly Define “Protected Health Information”. Providers are accustomed to being careful about disclosing information relating to a patient’s condition or treatment. “Protected Health Information” under the Privacy Standards also includes any information relating to payment for the patient’s care, past, present or future, and any demographic information. A patient’s name, standing alone, is protected health information under the Privacy Standards, and its use and disclosure is regulated by the Privacy Standards.

4. Violations of the Standards May Be Severely Punished. Violations of the Privacy Standards may be punished by the federal government both civilly and criminally. The Office of Civil Rights (“OCR”) of the federal Department of Health and Human Services has responsibility for enforcement of the Privacy Standards. Civil fines of no more than $100 “per violation”, up to a maximum of $25,000 per calendar year, may be assessed by the OCR for violations of an identical requirement or prohibition. For knowing misuse, which occurs when a person knowingly obtains or discloses protected health information in violation of the Privacy Standards, a criminal prosecution may be brought. The penalties vary according to classification of the violation. For “simple violations”, with no aggravating factors, violators face a fine of no more than $50,000 or one (1) year imprisonment per violation. Where the violation is committed under false pretenses, the penalty is no more than $100,000 or five (5) years imprisonment per violation. Where the offense is committed for commercial advantage, personal gain or malicious harm, the applicable penalty is a fine no greater than $250,000 or ten (10) years imprisonment per violation.

Investigation of violations will be complaint-driven.  The OCR has been instructed to try to resolve complaints informally, without resort to civil or criminal proceedings.

Patients will be able to sue providers for violations of the Privacy Standards under applicable state law theories.  These include misrepresentation and medical malpractice. 

D. Preemption of State Law, Other Federal Law. The Privacy Standards do not uniformly preempt state laws governing the confidentiality of medical information. Preemption is selective. State laws that are “contrary” to the Privacy Standards are preempted. State laws that are “more stringent” than the Privacy Standards continue in effect, and apply in conjunction with the Privacy Standards.

Most Nevada state confidentiality laws appear to be more stringent than the Privacy Standards with respect to the use of medical information for marketing and research purposes. Further, Nevada state law appears more stringent with respect to certain specific types of medical information; specifically, (i) blood, breath and urine test results, (ii) genetic information, (iii) communicable disease information, and (iv) mental health information. In addition, existing federal regulations covering alcohol and drug abuse treatment information have more stringent restrictions than do the Privacy Standards. (This subject is more fully discussed in the article “The Nevada Healthcare Provider’s Guide to The Application of Nevada’s Medical Information Confidentiality Laws under the HIPAA Privacy Standards” which can be found on the website of the Clark County Medical Society at www.