23 June 2016 FY 11 VHA Privacy Office

Applicable Confidentiality Statutes and Regulations
The following legal provisions govern the collection, use, maintenance, and disclosure of information from VHA records.
–The Freedom of Information Act (FOIA) (5 U.S.C. 552)
–The Privacy Act of 1974 (5 U.S.C. 552a)
–38 U.S.C. 5701 - The VA Claims Confidentiality Statute
–38 U.S.C. 7332 - Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection with the Human Immunodeficiency Virus, and Sickle Cell Anemia Medical Records
–38 U.S.C. 5705 - Confidentiality of Healthcare Quality Assurance Review Records
–The HIPAA Privacy Rule, 45 C.F.R. Parts 160 and 164
All available at: http://www.gpoaccess.gov/uscode/index.html

Freedom of Information Act (FOIA)
FOIA requires VHA to disclose VHA records, or portions of VHA records, to any person upon written request which describes the records that are sought. However, VHA may withhold records under one or more of the nine exemptions outlined in the Freedom of Information Act.
Generally, VHA is not required to release individually-identifiable Veteran information under FOIA.
Contact your facility FOIA Officer if you receive, or have questions regarding, a FOIA request.

Privacy Act of 1974
Provides for the confidentiality of personal information about an individual that is retrieved by the individual’s name or other unique identifier, such as the SSN. Such information is contained in a system of records (SOR) and must be protected.
Prohibits disclosure of any record contained in a SOR unless specifically authorized by the individual or there is a Routine Use.
Provides rights to the individuals to whom the personal information pertains.
Contact your facility Privacy Officer with questions regarding the Privacy Act and systems of records.

38 U.S.C. 5701 (VA Claims Confidentiality Statute)
Provides for the confidentiality of all VHA patient claimant information, with special protection for their names and home addresses.
Provides for the same protection of information about their dependents.
Prohibits disclosure of these names and addresses except as authorized by the Privacy Act.
Does not apply to employee information.

38 U.S.C. 7332 Protected Information
Provides for the confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection with the Human Immunodeficiency Virus, and Sickle Cell Anemia medical records and health information.
Prohibits use or disclosure with a few exceptions.
Must have specific written authorization in order to disclose in most cases, including for treatment by a non-VA provider.

38 U.S.C. 5705
Provides for the confidentiality of Healthcare Quality Assurance (QA) Review Records. Records created by VHA as part of a designated medical quality-assurance program are confidential and privileged.
Reference: VHA Directive 2008-077, Quality Management and Patient Safety Activities That Can Generate Confidential Documents.
Contact your facility Privacy Officer or Quality Manager for additional information.

Health Insurance Portability and Accountability Act (HIPAA)
VHA is the only covered entity.
–Health Plans - individual and group plans that provide or pay the cost of medical care. VHA is a health plan.
–Health Care Clearinghouses - entities that process nonstandard information they receive from another entity into a standard format or data content (billing service).
–Health Care Providers - every health care provider, regardless of size, that conducts electronic health care transactions (e.g., billing, benefit inquiries, referral requests, etc.). VHA is also a health care provider.

Payment
–An activity undertaken by a health plan (like VHA’s) to obtain premiums, to determine its responsibility for coverage, or to provide reimbursement for health care.
–This could include pre-certification, utilization review or release of PHI to a third party insurance carrier for reimbursement.

Treatment
–The coordination or management of health care or related services by one or more health care providers.
–This includes the coordination of health care by a health care provider with a third party, consultation between providers relating to a patient, and the referral of a patient for health care from one health care provider to another.

Health Care Operations
–Those activities which are deemed essential to the effective operation of a medical center.
–These include conducting quality assessment and improvement activities, case management, reviewing competence or qualification of health care professionals, evaluating practitioner performance, legal services, business management, auditing and customer service evaluations.

Relationship between the Laws
When conflicts arise between the laws and regulations:
–The more stringent law or regulation applies for uses and disclosures.
–The one that affords the greatest rights to the individual applies for privacy rights.
–VHA Handbook 1605.1 takes into consideration all of the privacy regulations and incorporates them.
In VHA we use VHA Directive 1605, VHA Privacy Program, and VHA Handbook 1605.1, Privacy and Release of Information, for policy guidance.

What is a Use?
VHA employees must use or access information only as legally permissible (changes under HIPAA Privacy Rule).
Use is defined as the sharing, employment, application, utilization, examination, or analysis of information within VHA.
Fact Sheet: Use and/or Access of PHI and III by VHA Employees [January 2009, Vol. 09, No. 1]

Use of Information
VHA employees must comply with all six statutes and regulations, where applicable, when using, accessing or disclosing information.
VHA employees may access information in order to perform their official duties related to the treatment of veterans, the payment for care provided by VHA and/or the health care operations of VHA.

What is a Disclosure?
Privacy Act Definition: Disclosure is the release of information contained in a system of records, by any means of communication, to any person or to another agency. This includes release to employees of the agency.
VA Definition: Disclosure is the release, transfer, provision of access to, or divulging in any other manner of information outside VA.

Disclosures of Information
VHA generally is not obligated to release information.
The general rule is that the use or disclosure of protected health information is prohibited unless authorized by all applicable confidentiality statutes and rules.
Commonly permitted disclosures include:
–For treatment, payment or health care operations,
–Authorized by the patient, or
–Required for public health and/or certain law enforcement purposes, or
–Where required by law, including pursuant to a qualifying court order.

Disclosures Made By Non-ROI Staff
Under some circumstances, it is necessary for non-ROI staff (e.g., clinical staff) to release information.
Written requests must be obtained from the requestor so that these can be accounted for in the ROI software, or a spreadsheet must be kept by the non-ROI staff.
For additional information on what needs to be accounted for, contact your facility Privacy Officer.

Providers Sharing Health Information
Providers may provide information directly to a patient for purposes of patient education without obtaining a written request from the patient.
If the Veteran requests information that is not for education purposes, the Veteran must sign a written request (10-5345a) prior to the provider giving a copy of the information to the Veteran.
For additional information contact your facility Privacy Officer.

Authorization Requirements
Any authorization for release of health information must be in writing and contain all required elements. Verbal authorizations are unacceptable under applicable Federal law.
Most requests for records should be processed by the Release of Information (ROI) Unit.
VA Form 10-5345, Request for and Authorization to Release Medical Records or Health Information, meets the authorization requirements.
VA Form 10-5345a, Individuals’ Request for a Copy of Their Health Information, meets the written request requirement when Veterans request copies of their own health information.

Exception to the Need for an Authorization
There are situations where a disclosure may be made without an authorization. For example, Public Health Reporting.
–Disclosure to Public Health Authorities charged with protection of the public may be done only with a standing written request letter on file, or other applicable legal authority.
Contact your facility Privacy Officer for additional information on situations where an authorization is not required.

Types of VA Research
Non-human research: almost always NOT sensitive (some rare exceptions)
–Animal data
–Laboratory data without human identifiers
Human subjects data:
–Primary data (individual subjects) is usually sensitive, with varying degrees of risk
–Aggregate data is NOT sensitive
Manuscripts and Grants/Protocols:
–Not considered sensitive from the organization’s perspective

Various Research Committees
Research & Development Committee (R&D)
–Advises the Medical Center Director whether research should be conducted
Institutional Review Board (IRB) Committee
–Reviews all research involving human subjects, both initial and continuing reviews (at least annually)
Data Monitoring Committee (DMC)
–Advises the sponsor regarding the continuing safety of the research project’s subjects and the validity and scientific merit of the project

Research
VA Research requests must have approval from the Research & Development Committee and an Institutional Review Board (IRB).
Because the privacy requirements to use health information for research are complex, the facility Privacy Officer or Research Compliance Officer should be contacted for assistance.
For further information review VHA Handbook 1605.1, Privacy and Release of Information, paragraph 13.

Minimum Necessary Standard
Requests for, and disclosures of, health information must be limited to only the minimum amount necessary to accomplish the needed purpose.
Healthcare providers must be given what is needed for treatment of the individual, which includes continuity of care.
For other than treatment purposes, VHA employees are authorized access to protected health information (PHI) to perform their official VHA duties; however, they may only have access to the minimum necessary PHI to perform those duties.
Contact your facility Privacy Office for more information.

Functional Categories
–All VHA personnel must be classified into at least one functional category based on the duties and responsibilities of the individual.
VHA Handbook 1605.2, Minimum Necessary Standard for Protected Health Information, Appendix A contains the Functional Categories.
All VHA personnel must know their functional category. If you do not know your functional category, contact your supervisor.

Facility Directory Opt Out
Except in limited circumstances, a VHA facility will ask a patient upon admission whether s/he wishes to be in the Patient Facility Directory.
If the patient does not object, the facility may tell anyone who asks for the patient by name the patient’s name, location and general medical condition.
If the patient objects to inclusion in the Directory, the facility identifies the patient by “!” on the Gains and Losses report and in VistA Patient Inquiry, and cannot release any information whatsoever to anyone who asks for the patient, saying, “I am sorry but I have no information that I can give you whether Mr. X is a patient.”
Patients may change their mind about being in the Directory at any time during their admission.

Facility Directory Opt Out
Individuals may request exclusion from the Facility Directory during each inpatient admission, in accordance with CBO Procedure Guide 1601B.02, Inpatient Care (Chapter 2, Section E.4).
The Facility Directory Opt-Out provision does not apply to Emergency Rooms unless the patient is going to be admitted to an inpatient setting.
The Facility Directory Opt-Out provision does not apply to outpatient clinics.

Veteran’s Privacy Rights
Veterans have several Privacy Rights in their VHA patient records, including the right to:
–Receive a notice of VHA’s privacy practices,
–Request access to his/her VHA health records,
–Request restrictions on VHA’s use and disclosure of the records,
–Request that VHA amend the health records,
–Request an accounting of VHA’s disclosures of the records,
–Ask VHA to communicate with the patient about his health care in certain agreed upon methods, and
–File a complaint about any VHA conduct with the patient’s PHI that the patient believes violates the HIPAA Privacy and Security Rules.

Veteran’s Privacy Rights
Notice of Privacy Practices: VHA must notify Veterans in writing how VHA may use or disclose their health information, how Veterans may exercise their privacy rights and how they may submit privacy complaints. (HIPAA Privacy Rule)
VHA completed the revised mail out of the Notice of Privacy Practices in June 2009.

Veterans’ Right to Request Restrictions
Restrictions: Veterans have the RIGHT to request restrictions on the use and disclosure of their protected health information.
The request must be in writing and signed by the Veteran; however, VHA is NOT required to grant restriction requests.
You are to follow the procedure in VHA for processing requests for restrictions. In most cases, such requests will be denied.
If granted, disclosure can occur only for purposes of treating the individual in a medical emergency.
Restriction request denials do not receive appeal rights to the Office of General Counsel.

Veterans’ Amendment Right
Amendments: The Veteran has the RIGHT to request an amendment to any information in his/her record.
The request must be in writing and adequately describe the specific information the Veteran believes to be inaccurate, incomplete, irrelevant or untimely, as well as the reason for this belief. The request must be signed.

Amendment Continued
Individuals have the right to request amendment of their records under the:
–Privacy Act, when the records are not accurate, timely, complete and/or relevant; and
–HIPAA Privacy Rule, when the records are not accurate or complete.
The Privacy Act affords the individual more rights, so it is used to determine when to grant an amendment.
The Veteran has the right to appeal an agency denial decision, in full or in part, to the Office of General Counsel.

Right of Access
Right of Access: Each agency that maintains a system of records shall, upon request by any individual to gain access to his record or to any information pertaining to him which is contained in the system, permit him to review the record and have a copy made of all or any portion thereof in a form comprehensible to him. [5 U.S.C. 552a(d)(1)]

Veterans’ Accounting of Disclosure Right
Accounting of Disclosures: A Veteran may request a list of all disclosures of information, both written and oral, from records pertaining to the individual.
The facility is required to keep an accurate accounting for each disclosure of a record to any person or to another agency.
Accountings are not required when the information being requested is for performance of official VA employee duties.
Access log requests are not considered an accounting of disclosure. However, an accounting of disclosure is required if an access log is requested and disclosed.

Veterans’ Request for Confidential Communications
Confidential Communications: An individual has the RIGHT to request and receive communications confidentially by an alternative means (in person) or at an alternative location (address other than the individual’s permanent address).
It is not appropriate to honor a request to receive communications via e-mail.
A written request is not required.
Reference: VHA Directive 2009-013 – Confidential Communications

Veterans’ Right to File a Complaint
Right to File a Complaint: Patients may file a written complaint with the facility Privacy Officer, the Office of Inspector General, the VHA Privacy Office or with the Department of Health and Human Services, Office for Civil Rights.
The facility must respond in writing to the complainant and put the information into the Privacy Violation Tracking System (PVTS).

Department of Health and Human Services (HHS), Office for Civil Rights (OCR)
If a VHA facility receives a complaint directly from the Department of Health and Human Services (HHS) Office for Civil Rights, contact the facility Privacy Officer immediately.
The facility Privacy Officer will contact the VHA Privacy Office. The VHA Privacy Office will coordinate all responses to an HHS OCR complaint.

Training
All VHA personnel, including employees, volunteers, and students, must be trained, at least annually, on privacy policies, to include the requirements of Federal privacy and information laws, regulations, and VHA policy.
New personnel must be trained within 30 days of employment unless the facility has implemented a more stringent policy (e.g., training prior to CPRS access).
VA health care facilities must track completion of privacy training and be prepared, if requested, to report privacy training completion figures to the VHA Privacy Office.
All training must be completed by the LMS anniversary date.

Penalties
Civil penalties: $100 per violation, up to $25,000 per person, per year for all violations of a requirement.
Criminal penalties for knowing violations include:
–Up to $50,000 and one year in federal prison.
–Under “false pretenses” – up to $100,000 and up to five years in federal prison.
–“Intent to sell, transfer or use” – up to $250,000 and up to 10 years in federal prison.
In addition to the penalties listed above, administrative, disciplinary or other adverse actions (e.g., admonishment, reprimand or termination) may be taken against employees who violate any of the applicable legal provisions.

Operational Privacy Issues
Faxes: Information may only be faxed when:
–No other means exists to provide the requested information in a reasonable manner or time frame;
–The fax machine is in a secure location; and
–Reasonable steps have been taken to ensure the fax transmission is sent to the appropriate destination.
–A fax cover sheet must be used each time a fax is transmitted.
Email: No protected health information (PHI) should be sent unencrypted via Outlook. PHI should be encrypted prior to transmission by using VHA-approved means. Refer to VA Handbook 6500 for additional guidance.

Reasonable Safeguards
Computer security:
–Log off or lock your workstation when away from your desk or office
–Turn the computer screen/monitor so it is not visible to people passing by
–Secure passwords
Office Security:
–Protect information that is on your desk and implement the clean desk process
–Lock doors to rooms containing medical records
–Lock file cabinets containing health information or other individually-identifiable information (employee or Veteran)

Reasonable Safeguards
Document Shredding: NO protected health information should be discarded in regular wastebaskets. All confidential information should be shredded to ensure patient privacy.
Open Discussions: Absolutely NO health information should be the topic of discussion outside the clinical setting. This includes places such as the hallway, the canteen, elevators or the parking lot.

Accessing Employee Health Information
An employee cannot access another employee’s health information without an authorization unless the information is needed to perform their official duties and it is for payment, treatment or health care operations.
Appropriate disciplinary action will be taken if an employee is found to be accessing information without a need to know and not in the performance of their official job responsibilities.

Office of General Counsel Advisory
OGC Advisory 80-90 – There is NO authority under the HIPAA Privacy Rule for the disclosure of a VA employee’s health record to management or personnel officials for disciplinary investigation purposes without prior written authorization.

Accessing Patient Information
It is not permitted to use your VA access to provide Veteran PHI to an outside attorney in support of an employee’s personnel grievance.
It is also not permitted to share a Veteran’s PHI with the Union or the EEOC in support of a personnel grievance, as this becomes a privacy violation.
If the EEOC requires a Veteran’s PHI, they will contact the facility Privacy Officer or the ROI department.

Former Employee Tort Claims
If a former employee is involved in a paid tort claim, the employee may request to view the Veteran’s health record with the guidance of the Chief of HIMS or other designee.
The former employee is not allowed to view CPRS without the Chief of HIMS “driving” for him or her.
If the former employee requests a copy of the Veteran’s health record, the information may be provided on hard copy or placed on a CD.

Former Employee Tort Claims
Appropriate security restrictions are to be followed, such as password protection and destroying the information upon completion of the use.
For additional information contact your Risk Manager, Chief of HIMS or facility Privacy Officer.

Privacy Certificate
I, [insert employee name], certify that I attended this PowerPoint training given by the Privacy Officer on [insert date].
Privacy Officer Name: ____________
Date: ____________
Privacy Officer Signature: ____________