Series 1: “Meaningful Use” for Behavioral Health Providers 9/2013 From the CIHS Video Series “Ten Minutes at a Time” Module 10: HIPAA Privacy & Security and 42 CFR Part 2 (Confidentiality)

Upload: jaden-rosa

Post on 31-Dec-2015


Module 10: HIPAA Privacy & Security and 42 CFR Part 2 (Confidentiality)

Welcome to the SAMHSA-HRSA Center for Integrated Health Solutions video series “Ten Minutes at a Time”. This comprehensive information system on how to select an electronic health record system and how to meet the standards for Meaningful Use is organized into brief, convenient modules targeted to behavioral health providers. This is Series 1, “Meaningful Use” for Behavioral Health Providers, Module 10: HIPAA Privacy & Security and 42 CFR Part 2 (confidentiality of treatment provider patient data). The goal of this module is to help providers understand the issues and identify resources regarding the challenges behavioral health providers must address if they intend to participate in the exchange of patient information to improve patient care.

Overview

Differences between privacy, security and confidentiality

Meaningful Use and HIPAA Privacy and Security

Understanding and applying 42 CFR Part 2 in Meaningful Use

Resources for implementation

In this module we will summarize the highlights of privacy, security and confidentiality regulations, which will help to differentiate them. We will look at the impact of Meaningful Use on these regulations and ensure understanding of how to apply 42 CFR Part 2 in meeting the Meaningful Use standard. We will also review some resources for implementation.

A Note on Sharing Patient Information

HIPAA and 42 CFR Part 2 are intended to support (not impede) the appropriate exchange of patient information

Exchange of patient information is central to Meaningful Use

Ensure understanding of the data sets to be exchanged (Module 9) and what the rules REALLY say about when and how personal health information may be shared among providers

What HIPAA really says: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

What 42 CFR Part 2 really says: http://www.lac.org/index.php/lac/webinar_archive

In the new paradigm for health care represented by the Meaningful Use standard, sharing patient information is central to the effectiveness, efficiency and quality of patient care. There may be a tendency among health care providers to withhold patient information that actually should be shared, often out of a simple misunderstanding of the rules and regulations. Policies and procedures should reflect what the actual rules and regulations allow. When information that should be shared is withheld, the effectiveness, efficiency and quality of care are significantly diminished.

Privacy, Security and Confidentiality

Privacy and Security

Health Information Protection and Accountability Act (HIPAA)

Privacy rules identify national standards (45 CFR Part 160 and Subparts A and E of Part 164)

Security rules operationalize these standards (Subparts A and C of Part 164)

Patient information protected by HIPAA can be exchanged between covered entities in the coordination of patient care without additional consent

Protected by DHS Office of Civil Rights, increased penalties in Stage 1

Confidentiality

Confidentiality of Alcohol and Drug Abuse Patient Records Act (42 CFR Part 2)

Identifies and operationalizes standards

Patient information cannot be exchanged without patient consent

Protected by federal law, otherwise, no penalties

Privacy and Security Rules are established in the Health Information Protection and Accountability Act (HIPAA, 1996) and implemented by the HIPAA covered entity (45 C.F.R. 160.103). These rules are intended to protect personal health information that is held or transferred in electronic form by safeguarding data and setting limits and conditions on uses and disclosures. The Privacy Rule establishes national standards for this protection, and the Security Rule operationalizes these standards by addressing the technical and non-technical safeguards that covered entities must put into place. Patient information can be exchanged between covered entities in the coordination of patient care without obtaining additional consents. It is protected by the Department of Health and Human Services Office of Civil Rights.

Confidentiality regulations are established in the Confidentiality of Alcohol and Drug Abuse Patient Records Act (42 CFR Part 2). These regulations acknowledge the complex legal and social issues surrounding the effective and efficient treatment of this type of disorder. They are implemented by the treatment provider and applied to the disclosure and re-disclosure of any identifying patient information by requiring the individual patient's consent first. This additional layer of protection is intended to encourage those with a substance use disorder to seek treatment. Otherwise, protections would not extend beyond those afforded by HIPAA, thereby making potentially damaging information accessible to law enforcement, the legal system, professional licensing boards, insurance organizations and so on. But patient information may be exchanged with a qualified service organization, for example a billing clearinghouse, using a special agreement oriented to organizations. And patients who are referred to a treatment provider at the direction of the court have limited privileges concerning re-disclosure. Regulations concerning confidentiality are enforced by federal law (42 U.S.C. 290dd-2).

The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164

The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164

The Confidentiality of Alcohol and Drug Abuse Patient Records Act can be located at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&rgn=div5&view=text&node=42:1.0.1.1.2&idno=42#42:1.0.1.1.2.1

Core Objective/Measure #15

More about this Objective: http://www.healthit.gov/providers-professionals/ehr-privacy-security

Meeting Objective 15 can be broken out into two tasks. The first is to identify conditions where electronic protected health information could be disclosed without proper authorization, be improperly modified, or be unavailable when needed. This task is applied to the entire system, not just to EHR software. The second task would be to implement reasonable and appropriate safeguards to reduce risk to an acceptable level.

When Conducted

CMS Guidance says EPs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review

Stage 1, Year 1: Acquire, Implement, Use for 90 days; conduct during this 90 days

To meet the grant requirement prior to health information exchange

In the EP Incentive program, the Objective is met during the 90-day Acquire, Implement and Use phase of Stage 1 Year 1. So in the process of meeting the grant requirements for Meaningful Use, Measure 15 would probably be one of the first Objectives to be met, especially if an electronic health record system is already in use.

Starting Points: HIPAA and Meaningful Use

Core Measure 15 - Protect Electronic Health Information, comprehensive ONC resource (National Learning Consortium): www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures/protect-electronic-health-information

Health Information Privacy and Security 10 Step Plan: http://www.healthit.gov/providers-professionals/ehr-privacy-security/10-step-plan

Nationwide Privacy and Security Framework: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov_privacy_security_frame-work/1173

Workflow redesign templates: http://www.healthit.gov/providers-professionals/workflow-redesign-templates

There is a wealth of online resources and tools to support the implementation of this Objective. But individual states may require Behavioral Health providers to adhere to additional rules and regulations that exceed HIPAA requirements. In this case, the plan might be to develop the strategy for addressing the HIPAA regulations first, and the state regulations second. But please note that, unless state regulations prohibit it, HIPAA allows the exchange of patient health information between two covered entities without additional patient consents.

Confidentiality

Ensure HIPAA Privacy and Security Objective has been met

Apply 42 CFR Part 2 only to patient information that emerges from a treatment provider (record should be flagged in EHR)

To meet the Meaningful Use standard for the grant, apply strategy to PBHCI enrollees

Majority of states cannot use state HIEs to exchange patient record that contains confidential information

Almost all states are using Nationwide Health Information Network Direct as part of their statewide HIE plan

As noted, HIPAA Privacy and Security rules and 42 CFR Part 2 are intended to support the appropriate exchange of patient information. The current dilemma is that confidential information protected under 42 CFR Part 2 is combined in the EHR with general patient health information protected by the lesser standard represented by HIPAA. Once in the database, it is usually not possible to implement a data segmentation strategy that allows the provider to parse the information generated for the CCR/CCD or for the Clinical Summary. So, if the behavioral health organization includes a treatment provider that is using the same EHR, or if data from a treatment provider is accepted and included in the EHR, there has to be a strategy in place for managing the exchange of this information.

The first step would be to meet the standard for HIPAA Privacy and Security, and then any additional safeguards put into place by the state. After this, the provider can implement existing policies and procedures for exchanging 42 CFR Part 2 protected information - but in this case they would be using NwHIN Direct for point-to-point transmission and receipt instead of surface mail or fax. Direct is described in Modules 3 and 8 of this series. Patient records that don't contain information protected by 42 CFR Part 2 can usually be exchanged through the state HIE. But at this time it is up to the Behavioral Health provider to ensure that no records with confidential information are included in the state HIE.

Starting Points: 42 CFR Part 2 and Meaningful Use

SAMHSA - Federal Initiatives Related to Data Sharing: http://www.samhsa.gov/co-occurring/topics/data/data-sharing.aspx

Office of the National Coordinator for Health Information Technology Behavioral Health Roundtable: http://www.healthit.gov/sites/default/files/bh-roundtable-findings-report_0.pdf

Center for Integrated Health Solutions (includes links to SAMHSA 42 CFR Part 2 FAQs): http://www.integration.samhsa.gov/operations-administration/hit

A great deal of thought and discussion has gone into the electronic exchange of confidential patient information. One thing that emerged clearly is that there is a great deal of misunderstanding about how the statute itself should be applied, even in the paper-based environment. SAMHSA provided a set of FAQs that respond to many providers' questions about this regulation. And some clear guidelines have emerged that will allow the provider to meet the requirements for the PBHCI grant and also the requirements for Meaningful Use. There is an abundance of material available that the provider can use for crafting procedures.

Summary

Privacy, Security and Confidentiality mean different things, especially in Behavioral Health

Meet the Objective 15 Measure sooner rather than later to ensure a baseline of quality in the exchange of patient information

Privacy and Security allow the exchange of patient information for the coordination of care between HIPAA covered entities without additional consent; check state regulations and then policies and procedures to ensure this barrier to integration is not in place

For the exchange of confidential patient health information use Nationwide Health Information Network (NwHIN) Direct

NwHIN Direct can be used to meet all HIT-related grant requirements (see Module 8)

So, here are the important things to keep in mind. Sometimes providers use the words privacy, security and confidentiality interchangeably. But in health care and especially in Behavioral Health, they actually mean different things as defined by two very different federal statutes. Meeting the Measure for Objective 15 is probably one of the first things to focus on, since it is the basis for effective and efficient patient information exchange. If your agency does not include a treatment provider, or data from an external treatment provider as described in 42 CFR Part 2, and state regulations regarding behavioral health information don't inhibit the exchange, then patient information can usually be shared according to HIPAA Privacy and Security rules. Additional consents are not necessary. For those agencies that include treatment providers, or data from treatment providers in their EHR, NwHIN Direct can be used to exchange the information. This allows the provider to remain in compliance with federal regulations, meet the PBHCI grant requirements and also the requirements for Meaningful Use.

We Have Solutions for Integrating Primary and Behavioral Healthcare

Contact CIHS for all types of primary and behavioral health care integration technical assistance and training needs

1701 K Street NW, Ste 400 Washington DC 20006

Web: www.integration.samhsa.gov

Email: [email protected]

Phone: 202-684-7457

Prepared and presented by Colleen O'Donnell, MSW, PMP, CHTS-IM for the Center for Integrated Health Solutions

Our thanks go to SAMHSA and to HRSA for providing support to the Center for Integrated Health Solutions (CIHS) for this and many other forms of training and technical assistance related to the integration of primary and behavioral health care. Please visit our web site at www.integration.samhsa.gov, email us at [email protected], or just pick up the phone and give us a call at 202-684-7457.
