Entune Behavioral Health | Specialized Mental Health Providers in Tucson

 

HIPAA Privacy Standards and Confidentiality

Purpose: To ensure staff follow obligations relating to the HIPAA laws and State laws and regulations related to the use, disclosure or when responding to requests for protected health information.

Definitions:

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA): A federal law that includes a section on administrative simplification requiring standardization of electronic date interchanges and greater protection of confidentiality and security of health data. The HIPAA Rule contains a number of words and phrases that have specific meaning as applied to the HIPAA Rule. Examples of such words and phrases include, but are not limited to, “treatment,” “payment,” “health care operations,” “designated record set” and “protected health information.” (45 C.F.R. §§ 160.103 and 164.501)

 

Policy: Entune BH must comply with the Privacy Rule when providing health care services and/or paying for services with state and federal funds. Employees must communicate with SECURE messaging platforms, HIPAA compliant, when coordinating information with Protected Health Information (PHI). Social Media and Text Messages from personal cell phones may not contain any PHI. Employees must only communicate regarding a patient to individuals outside of the organizations with a signed and dated release of information. Without this document, information regarding the patient may only be received; employees cannot confirm or deny if the patient is enrolled in treatment or discuss any services regarding the patient.

Procedure:

  1. Entune BH follows the “minimum necessary” standard and ensures that only the minimum information necessary to accomplish an intended purpose is requested and disclosed.
  2. Entune BH has a HIPAA Compliance Officer (Director of Operations) to hear complaints and address inquiries regarding the provider’s practices.
  3. Entune BH must keep medical and behavioral health records and all information contained in those records confidential and cannot disclose such information unless permitted or required by federal or state law. The law regulates two major categories of confidential information:
    • Information obtained when providing behavioral health services not related to alcohol or drug abuse referral, diagnosis and treatment; and
    • Information obtained in the referral, diagnosis and treatment of alcohol or drug abuse.
  4. Unless otherwise excepted by state or federal law, all information obtained about a person related to the provision of behavioral health services to the person is confidential whether the information is in oral, written, or electronic format.
  5. Disclosure of information to members of a clinical team may or may not require an authorization depending upon the type of information to be disclosed and the status of the receiving party. Information concerning diagnosis, treatment or referral for drug or alcohol treatment may only be disclosed to members of a clinical team with patient authorization.  Information not related to drug and alcohol treatment may be disclosed without patient authorization to members of a clinical team who are providers of health, mental health or social services, provided the information is for treatment purposes as defined in the HIPAA Rule.  Disclosure to members of a clinical team who are not providers of health, mental health or social services requires the authorization of the person or the person’s legal guardian or parent
  6. Disclosure of information to persons involved in court proceedings including attorneys, probation or parole officers, guardians ad litem and court appointed special advocates may or may not require an authorization depending upon the type of information to be disclosed and whether the court has entered orders permitting the disclosure.
  7. Below is a general description of all required or permissible disclosures:
    • To the individual and the individual’s health care decision maker
    • To health, mental health and social service providers for treatment, payment or health care operations
    • Incidental to a use or disclosure otherwise permitted or required by 45 C.F.R. Part 164, Subpart E
    • To a person or entity with a valid authorization
    • Provided the individual is informed in advance and has the opportunity to agree or prohibit the disclosure
    • For use in facility directories
    • To persons involved in the individual’s care and for notification purposes
    • When required by law
    • For public health activities
    • About victims of child abuse, neglect or domestic violence
    • For health oversight activities
    • For judicial and administrative proceedings
    • For law enforcement purposes
    • About deceased persons
    • For cadaveric organ, eye or tissue donation purposes
    • For research purposes
    • To avert a serious threat to health or safety or to prevent harm threatened by patients
    • To a human rights committee
    • For purposes related to the Sexually Violent Persons program
    • With communicable disease information
    • To personal representatives including agents under a health care directive
    • For evaluation or treatment
    • To business associates
    • To the Secretary of Health and Human Services or designee to investigate or determine compliance with the HIPAA Rule
    • For specialized government functions
    • For worker’s compensation
    • Under a data use agreement for limited data
    • For fundraising
    • To the Arizona Center For Disability Law in its capacity as the State Protection and Advocacy Agency
    • To a third party payor to obtain reimbursement
    • To a private entity that accredits a health care provider
    • To the legal representative of a health care entity in possession of the record for the purpose of securing legal advice
    • To a person or entity as otherwise required by state or federal law
    • To a person or entity permitted by the federal regulations on alcohol and drug abuse treatment (42 C.F.R. Part 2);
    • To a person or entity to conduct utilization review, peer review and quality assurance
    • To a person maintaining health statistics for public health purposes as authorized by law
    • To a grand jury as directed by subpoena.
  8. Entune BH is required to disclose information in a designated record set to an individual when requested unless contraindicated. Contraindicated means that access is reasonably likely to endanger the life or physical safety of the patient or another person
  9. Entune BH must provider requested records within a timely manner
  10. If access to medical records is denied, the client must be provided with the reason, which will be documented in the medical record, and the client must have the option to appeal this decision
  11. A copy of the authorization must be provided to the individual. The authorization must be written in plain language and must contain the following elements:
    • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
    • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
    • The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
    • A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
    • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository; and
    • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of the representative’s authority to act for the individual must also be provided.
  12. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
    • The individual’s right to revoke the authorization in writing, and either:
    • The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
    • A reference to the covered entity’s notice of privacy practices if the notice of privacy practices tells the individual how to revoke the authorization.
  13. Disclosure to health, mental health and social service providers for treatment, payment or health care operations; reports of abuse and neglect
    • Disclosure is permitted without patient authorization to health, mental health and social service providers involved in caring for or providing services to the person for treatment, payment or health care operations as defined in the HIPAA Rule.  These disclosures are typically made to primary care physicians, psychiatrists, psychologists, social workers (including DES and DDD) or other behavioral health professionals.  Entune BH may disclose for treatment activities of a health care provider including providers not covered under the HIPAA Rule. Entune BH may disclose to both covered and non-covered health care providers for payment activities. 
    • If the disclosure is not for treatment, payment, or healthcare operations or required by law, patient authorization is required.
  14. Disclosure to other persons including family members
    • Entune BH may disclose protected health information without authorization to other persons, including family members actively participating in the patient’s care, treatment or supervision. Prior to releasing information, an agency or non-agency treating professional or that person’s designee must have a verbal discussion with the person to determine whether the person objects to the disclosure. If the person objects, the information cannot be disclosed.  If the person does not object, or the person lacks capacity to object, the treating professional must perform an evaluation to determine whether disclosure is in that person’s best interests.  A decision to disclose or withhold information is subject to review pursuant to A.R.S. § 36-517.01.
    • Entune BH staff may only release information relating to the person’s diagnosis, prognosis, need for hospitalization, anticipated length of stay, discharge plan, medication, medication side effects and short-term and long-term treatment goals.
    • The HIPAA Rule imposes additional requirements when disclosing protected health information to other persons including family members. Entune BH may disclose to a family member or other relative the protected health information directly relevant to the person’s involvement with the individual’s care or payment related to the individual’s health care.  If the individual is present for a use or disclosure and has the capacity to make health care decisions, Entune BH may use or disclose the protected health information if it obtains the individual’s agreement, provides the individual with the opportunity to object to the disclosure and the individual does not express an objection.  If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. 
  15. Disclosure to an agent under a health care directive
    • Entune BH may treat an agent appointed under a health care directive as a personal representative of the individual.
  16. Deceased persons:
    • If under applicable law, an executor, administrator or other person has authority to act on behalf of a deceased individual or of the individual’s estate, Entune BH Health must treat such persons as a personal representative with respect to protected health information relevant to the personal representation. See 45 C.F.R. § 164.502(g)(4).  Entune BH may withhold protected health information if one or more of the exceptions in 45 C.F.R. § 164.502(g)(5) applies.  R.S. §§ 12-2294 (D) provides certain persons with authority to act on behalf of a deceased person.
  17. Disclosure for health oversight activities
    • Entune BH may disclose protected health information without patient authorization to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions or other activities necessary for appropriate oversight of entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards. See 45 C.F.R. § 164.512(d).
  18. Disclosure for judicial and administrative proceedings including court ordered disclosures: A covered entity may disclose protected health information without patient authorization in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by the order. See 45 C.F.R. § 164.512(e).  In addition, a covered entity may disclose information in response to a subpoena, discovery request or other lawful process without a court order if the covered entity receives satisfactory assurances that the requesting party has made reasonable efforts to provide notice to the individual or has made reasonable efforts to secure a qualified protective order.  See 45 C.F.R. §§ 164.512(e)(1)(iii),(iv) and (v) for what constitutes satisfactory assurances.
  19. Disclosure to prevent harm threatened by patients
    • Mental health providers have a duty to protect others against the harmful conduct of a patient.
    • When a patient poses a serious danger of violence to another person, the provider has a duty to exercise reasonable care to protect the foreseeable victim of the danger. Entune BH may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information without patient authorization if Entune BH, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat, or is necessary for law enforcement authorities to identify or apprehend an individual.
  20. Disclosure to the Arizona Department of Corrections
    • Protected health information may be disclosed without patient authorization to the state department of corrections in cases where prisoners confined to the state prison are patients in the state hospital on authorized transfers either by voluntary admission or by order of the court. See A.R.S. § 36-509(5) The HIPAA Rule limits disclosure to correctional institutions to certain categories of information that are contained in 45 C.F.R. § 164.512(k)(5).
  21. Disclosure of communicable disease information
    1. The general rule is that a person who obtains communicable disease related information in the course of providing a health service or pursuant to a release of communicable disease related information must not disclose or be compelled to disclose that information. Certain exceptions for disclosure are permitted to:
      • The individual or the individual’s health care decision maker
      • ADHS or a local health department for the purpose of notifying a Good Samaritan
      • An agent or employee of a health facility or a health care provider;
      • A health facility or a health care provider
      • A federal, state or local health officer
      • Government agencies authorized by law to receive communicable disease information
      • Persons authorized pursuant to a court order
      • The Department of Economic Security for adoption purposes
      • The Department of Health Services to conduct inspections
      • Insurance entities;
      • A private entity that accredits a health care facility or a health care provider.
  1. Disclosures to the Department of Health Services or local health departments are also permissible under certain circumstances:
    • Authorizations
    • Redisclosures
    • Disclosures for supervision, monitoring and accreditation
    • Listing information in death reports
    • Reports to the Department
    • Applicability to insurance entities.
  2. An authorization for the release of communicable disease related information must be signed by the protected person or, if the protected person lacks capacity to consent, the person’s health care decision maker (see A.R.S. § 36-664(F)). If an authorization for the release of communicable disease information is not signed, the information cannot be disclosed.  An authorization must be dated and must specify to whom disclosure is authorized, the purpose for disclosure and the time period during which the authorization is effective.  A general authorization for the release of medical or other information, including communicable disease related information, is not an authorization for the release of HIV-related information unless the authorization specifically indicates its purpose as authorization for the release of HIV-related information and complies with the requirements of A.R.S. § 36-664(F).
  3. The HIPAA Rule does not preempt state law with respect to disclosures of communicable disease information; however, it may impose additional requirements depending upon the type, nature and scope of disclosure. It is advisable to consult with the HIPAA Compliance Officer and/ or legal counsel prior to disclosure of communicable disease information.
  4. Release of information concerning diagnosis, treatment or referral from an alcohol or drug abuse program must be made only as follows:
    • The currently or previously enrolled person or their guardian authorizes the release of information. In this case, authorization must be documented on an authorization form which has not expired or been revoked by the patient.  The proper authorization form must be in writing and must contain each of the following specified items:
      • The name or general designation of the program making the disclosure;
      • The name of the individual or organization that will receive the disclosure;
      • The name of the person who is the subject of the disclosure;
      • The purpose or need for the disclosure;
      • How much and what kind of information will be disclosed;
      • A statement that the person may revoke the authorization at any time, except to the extent that the program has already acted in reliance on it;
      • The date, event or condition upon which the authorization expires, if not revoked before;
      • The signature of the person or guardian; and
      • The date on which the authorization is signed.
  1. Redisclosure
    • Authorization as provided above must be accompanied by the following written statement: “This information has been disclosed to you from records protected by federal confidentiality rules (42 C.F.R. part 2).  The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 C.F.R. Part 2.  A general authorization for the release of medical or other information is NOT sufficient for this purpose.  The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.”  
  2. If the person is deceased, authorization may be given by:
    • A court appointed executor, administrator, or other personal representative;
    • If no such appointments have been made, by the person’s spouse; or
    • If there is no spouse, by any responsible member of the person’s family.
  1. Authorization is not required under the following circumstances:
    • Medical Emergencies – information may be disclosed to medical personnel who need the information to treat a condition which poses an immediate threat to the health of any individual, not necessarily the currently or previously enrolled person, and which requires immediate medical intervention. The disclosure must be documented in the person’s medical record and must include the name of the medical person to whom disclosure is made and his or her affiliation with any health care facility, name of the person making the disclosure, date and time of the disclosure and the nature of the emergency.  After emergency treatment is provided, written confirmation of the emergency must be secured from the requesting entity.
  2. Audit and Evaluation Activities – information may be disclosed for the purposes of audit and evaluation activities according to the provisions of 42 C.F.R. § 2.53.
  3. Court-ordered disclosures
    • A state or federal court may issue an order that authorizes an agency to make a disclosure of identifying information that would otherwise be prohibited.  A subpoena, search warrant or arrest warrant is not sufficient standing alone, to require or permit an agency to make a disclosure.
  4. Crimes committed by a person on an agency’s premises or against program personnel
    • Agencies may disclose information to a law enforcement agency when a person who is receiving treatment in a substance abuse program has committed or threatened to commit a crime on agency premises or against agency personnel. In such instances, the agency must limit the information disclosed to the circumstances of the incident.  It may only disclose the person’s name, address, last known whereabouts and status as a person receiving services at the agency.
  5. Child abuse and neglect reporting
    • Federal law does not prohibit compliance with the child abuse reporting requirements contained in A.R.S. § 13-3620.
  6. Telemedicine
    • Refer to telemedicine policy and procedure