RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)
You are absolutely correct that there is much in HIPAA than what is in 42 C.F.R. Part 2. Isn't it nice that SAMHSA et al are being so timely with their assistance? The Legal Action Center, a well-known, well-respected non-profit based in New York that has done a lot of work in interpreting 42 C.F.R. Part 2, is also supposed to be coming out with a cross-walk supplement, but if people are not already working on this, well ... If anyone is interested, I can give you contact information for the Legal Action Center. Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature. -Original Message- From: Vicki Hohner [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 22, 2003 12:13 PM To: Darrell Rishel; [EMAIL PROTECTED] Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy) I have been doing a lot of work with substance abuse programs and HIPAA, and while not deeply familar with 42 CFR protections we have identified that there are limited areas of overlap with HIPAA privacy. Many subject to 42 CFR mistakenly believe that the fact that they comply with this law, which is more stringent in its use and disclosure requirements, means they are exempt from complying with HIPAA. However, note that there are only a few overlaps between the two: primarily with uses and disclosures/minimum necessary, authorizations, and some limited parts of individual rights. This leaves a lot more under HIPAA that is not addressed in 42 CFR--all the policies and procedures, the privacy officer, business associate terms, the notice of privacy practices, and accounting of disclosures, to name a few. Note also that the definitions of what information is protected is broader under HIPAA than under 42 CFR. My understanding is that the feds (SAMHSA/CSAT) are working on a comparison matrix between the two--no idea when that may be available. Vicki Hohner FOX Systems, Inc. 360-970-6856 360-352-4584 Information transmitted is confidential and may be proprietary to FOX Systems, Inc. It is intended only for the person or entity to which it is addressed. Anyone else is prohibited from disclosing, copying, or disseminating the contents or attachments. If you receive this in error, please notify sender immediately, or us at www.foxsys.com and delete from your system. Darrell Rishel [EMAIL PROTECTED] 01/20/03 08:57 AM Matt- I'll take a stab at answering your question. Please remember that in an effort to keep it relatively brief, this is a fairly simplistic, high-level overview. Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other Drugs)regs), disclosure within a program is allowed on a need-to-know basis without the consent of the patient. This internal disclosure is limited to personnel having a need for the information in connection with their duties which arise out of the provision of diagnosis, treatment, or referral for treatment. In practice, I think this is very close to, if not the same as, the HIPAA use definition. Although the AOD regs do not require a formal minimum necessary analysis, the concept of only disclosing the minimum amount of information necessary to accomplish the purpose for making the disclosure is clearly embedded in the regs. It is the disclosure to external entities where, especially with the adoption of the August, 2002, HIPAA changes, a wide gap remains between the two sets of regs. While HIPAA allows treatment providers to disclose PHI for treatment and payment (even another provider's payment) without the patient's written consent, the AOD regs absolutely prohibit such disclosures related to payment, and disclosures for treatment (except for medical emergencies) require that a written agreement be in place and that the services which the external provider render be something different than what the primary provider is providing. This written agreement is known in the AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A QSOA is akin to a BA agreement, though much shorter and less complicated, charachteristics which are, unfortunately, soon to be a thing of the past. While a QSOA can be used in limited circumstances for treatment (the biggest problem is that we cannot have one with another AOD provider), its most common use is for operations, just as the HIPAA BA agreement will be used (e.g., we have a QSOA with our auditor, or outside attorneys, the company which prints and sends out our bills, the lab which analyzes the urine specimens we collect, etc.). But, if we want to be able to bill an insurance company or any other third party payer, we have to have the patient's written consent (in fact, we cannot even call to get pre-authorization without written consent; how's that for customer friendly?).
RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)
Matt- I'll take a stab at answering your question. Please remember that in an effort to keep it relatively brief, this is a fairly simplistic, high-level overview. Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other Drugs)regs), disclosure within a program is allowed on a need-to-know basis without the consent of the patient. This internal disclosure is limited to personnel having a need for the information in connection with their duties which arise out of the provision of diagnosis, treatment, or referral for treatment. In practice, I think this is very close to, if not the same as, the HIPAA use definition. Although the AOD regs do not require a formal minimum necessary analysis, the concept of only disclosing the minimum amount of information necessary to accomplish the purpose for making the disclosure is clearly embedded in the regs. It is the disclosure to external entities where, especially with the adoption of the August, 2002, HIPAA changes, a wide gap remains between the two sets of regs. While HIPAA allows treatment providers to disclose PHI for treatment and payment (even another provider's payment) without the patient's written consent, the AOD regs absolutely prohibit such disclosures related to payment, and disclosures for treatment (except for medical emergencies) require that a written agreement be in place and that the services which the external provider render be something different than what the primary provider is providing. This written agreement is known in the AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A QSOA is akin to a BA agreement, though much shorter and less complicated, charachteristics which are, unfortunately, soon to be a thing of the past. While a QSOA can be used in limited circumstances for treatment (the biggest problem is that we cannot have one with another AOD provider), its most common use is for operations, just as the HIPAA BA agreement will be used (e.g., we have a QSOA with our auditor, or outside attorneys, the company which prints and sends out our bills, the lab which analyzes the urine specimens we collect, etc.). But, if we want to be able to bill an insurance company or any other third party payer, we have to have the patient's written consent (in fact, we cannot even call to get pre-authorization without written consent; how's that for customer friendly?). If we want to refer the patient to another health care provider, of whatever type, or consult with another provider (like their primary care provider) who has seen the patient, we must have the patient's written consent unless the situation fits within the pretty narrow exception where a QSOA can be used and we have (or can get) one in place (the logistics and pain of trying to get a QSOA with all of those providers, which make doing so pretty impracticle). The requirements in the AOD regs for a valid written consent are very similar to those for a HIPAA authorization: who is disclosing the information, to whom is the information being disclosed, what information is being disclosed and why is it being disclosed, there must be a reasonble, identifiable expiration date, the patient must be able to revoke the consent at any time (one specific exception here for persons referred by an element of the criminal justice system where treatment is a part of the disposition), the name of the patient, the patient's signature and the date of the signature. The remaining situations where disclosure can be made without written patient consent under the AOD regs are very limited. I'll list only a few of the major differences between the HIPAA and AOD regs. There is no general exception for otherwise required by law. I've forgotten exactly when the exception for allowing a child abuse report to be filed if required by state law was added, sometime around 1990, I think, but that used to be quite a problem and even now the exception is very limited. There are no exceptions for reporting any other kind of abuse. The HIPAA law enforcement exception. There are provisions for disclosure in response to a court order, but it requires a very specific order after following very specific procedures. I hope this has been helpful. Let me know if you have any other questions. Darrell Rishel, J.D. Director of Information Services Arapahoe House, Inc. This message is not legal advice or a binding signature. -Original Message- From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]] Sent: Saturday, January 18, 2003 5:02 PM To: Darrell Rishel; 'WEDI SNIP Privacy Workgroup List' Subject: RE: HIPAA privacy and people Darrell, Thank you for sharing your thoughts. And now that you brought it up, how would you compare the 42 CFR consent with the (voluntary) HIPAA-consent and the HIPAA-authorization. In my mind, the 42 CFR allows a more generalized use and disclosure for TPO, and consequently is more equivalent to the (voluntary) HIPAA-consent,
RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)
Darrell, Thank you very much for this wonderful comparison of the HIPAA regulations to the signed-consent aspects of the AOD regulations (42 CFR part 2). This is very helpful to many of us who work in SAMHSA-funded programs. Best regards, Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management Regulatory Affairs http://www.CPIdirections.com CPI Directions, Inc. 10 West 15th Street, Suite 1922 New York, NY 10011 (212) 675-6367 [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you. AVISO DEL CONFIDENCIALIDAD: Este email es solamente para el uso del individuo o la entidad a la cual se dirige y puede contener información privilegiada, confidencial y exenta de acceso bajo la ley aplicable. Si usted ha recibido esta comunicación por error, por favor no lo distribuya. Favor notificar al remitente del E-Mail a la dirección mostrada y elimine el mensaje original. Gracias. -Original Message- From: Darrell Rishel [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 19, 2003 4:43 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy) Matt- I'll take a stab at answering your question. Please remember that in an effort to keep it relatively brief, this is a fairly simplistic, high-level overview. Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and Other Drugs)regs), disclosure within a program is allowed on a need-to-know basis without the consent of the patient. This internal disclosure is limited to personnel having a need for the information in connection with their duties which arise out of the provision of diagnosis, treatment, or referral for treatment. In practice, I think this is very close to, if not the same as, the HIPAA use definition. Although the AOD regs do not require a formal minimum necessary analysis, the concept of only disclosing the minimum amount of information necessary to accomplish the purpose for making the disclosure is clearly embedded in the regs. It is the disclosure to external entities where, especially with the adoption of the August, 2002, HIPAA changes, a wide gap remains between the two sets of regs. While HIPAA allows treatment providers to disclose PHI for treatment and payment (even another provider's payment) without the patient's written consent, the AOD regs absolutely prohibit such disclosures related to payment, and disclosures for treatment (except for medical emergencies) require that a written agreement be in place and that the services which the external provider render be something different than what the primary provider is providing. This written agreement is known in the AOD regs as a Qualified Service Organization Agreement (QSOA, for short). A QSOA is akin to a BA agreement, though much shorter and less complicated, charachteristics which are, unfortunately, soon to be a thing of the past. While a QSOA can be used in limited circumstances for treatment (the biggest problem is that we cannot have one with another AOD provider), its most common use is for operations, just as the HIPAA BA agreement will be used (e.g., we have a QSOA with our auditor, or outside attorneys, the company which prints and sends out our bills, the lab which analyzes the urine specimens we collect, etc.). But, if we want to be able to bill an insurance company or any other third party payer, we have to have the patient's written consent (in fact, we cannot even call to get pre-authorization without written consent; how's that for customer friendly?). If we want to refer the patient to another health care provider, of whatever type, or consult with another provider (like their primary care provider) who has seen the patient, we must have the patient's written consent unless the situation fits within the pretty narrow exception where a QSOA can be used and we have (or can get) one in place (the logistics and pain of trying to get a QSOA with all of those providers, which make doing so pretty impracticle). The requirements in the AOD regs for a valid written consent are very similar to those for a HIPAA authorization: who is disclosing the information, to whom is the information being disclosed, what information is being disclosed and why is it being disclosed, there must be a reasonble, identifiable expiration date, the patient must be able to revoke the consent at any time (one specific exception here for persons referred by an element of the criminal justice system where treatment is a part of the disposition), the name of the patient, the patient's signature and the date
