Critical Decision Points: The Intersection of Law Enforcement and Patient Care

November 29, 2017

CHA Webinar

Welcome

Patricia Violett, California Hospital Association


Continuing Education

Continuing education will be offered for this program for compliance, health information, healthcare executives, legal, nursing and risk managers.

Full attendance, and completion of online evaluation and attestation of attendance are required to receive CEs for this webinar.

CEs are complimentary and available for the registrant only.


Faculty

Linda Garrett, of Garrett Consulting Group, LLC, provides risk management consulting services to more than 45 county public health, mental health and correctional health care programs in addition to several county hospitals. Ms. Garrett’s work includes providing training and consultation on a variety of medical/legal topics to health care providers, administrators, compliance and privacy officers, and QA/QI coordinators.


Faculty

Lois Richardson has served as CHA’s legal resource for the past 26 years and is the author of numerous CHA publications, including the Consent Manual, California Hospital Compliance Manual, California Health Information Privacy Manual and California Hospital Survey Manual. Lois has also served as the executive director for the California Society for Healthcare Attorneys since 2000, providing legal education and networking opportunities for California’s health care attorneys.


Critical Decision Points: The Intersection of Law Enforcement and Patient Care

Linda Garrett, Garrett Consulting Group, LLC

Lois Richardson, California Hospital Association


Polling Question 1

How would you describe your knowledge of health information privacy issues when it comes to disclosures to law enforcement?

• I’m fairly new to the field and don’t have a lot of information on this topic area yet

• I’ve been in the field for several years now and feel fairly confident that I can answer most health information privacy questions, or would know where to find the answers

• I’m the “expert” on health information privacy at my facility

Agenda

Health Information Privacy & Confidentiality (our focus today)

• HIPAA, CMIA, LPS, Health & Safety Code (HIV), 42 CFR Part 2

• Disclosures to Law Enforcement (permitted & required)

• Patient confidentiality vs. “obstructing justice”

Exploring Common Interactions

• Subpoenas, search warrants, court orders & other requests

• Missing and unidentified people

• ICE

• Interactions initiated by healthcare facility/provider

Proactive Steps to Prevent Mistakes and Improve Relationships


Survey


Health Care-Related Confidentiality Laws

• HIPAA – 45 CFR Parts 160 and 164

• State law

• Confidentiality of Medical Information Act – CMIA – Civil Code §56 et seq. (physical health information and some MH information)

• Civil Code §56.30 – says CMIA does not apply to criminal justice requests by state law enforcement agencies (incl AG, DAs); those requests are covered by Penal Code §1543 - written authorization, court order or search warrant generally required (HIPAA still applies, which allows disclosures with authorization, court order or search warrant)


Health Care-Related Confidentiality Laws (cont.)

• State law (cont.)

• LPS Act – Welfare & Institutions Code §5328 et seq. (generally, mental health information from psych hospitals, psych units, counties, 5150s, and certain other programs)

• HIV – Health and Safety Code §120980 et seq.

• Other federal law

• Substance Use Disorder (SUD) - 42 CFR Part 2


Basic Privacy Rule (Applicable to All Disciplines)

Don’t talk unless you MUST or MAY!

If you aren’t sure:

• “May I put you on hold for just a minute?” or

• “Would you mind waiting here for just a minute?” or

• “Can I get your name and number and call you back?”


So, Which Law Do I Follow?

1. HIPAA and

2. HIV Test Results and

3. Part 2 SUD (if applicable) and

4. CMIA or LPS

But what if they conflict with each other?


HIPAA: Basic Rule

45 CFR Part 164 (HIPAA Rules)

Subpart E – Privacy Rule

• Tells Covered Entities (providers, plans, clearinghouses) and their Business Associates (HITECH Act) what they can and cannot do with Protected Health Information (“PHI”)

• §164.502 – “A covered entity may not use or disclose PHI except as permitted or required by this subpart or [to respond to investigation by federal government]”


HIPAA: Preemption Rule

Part 160, Subpart B – Preemption of State Law

• If state law is “contrary to” HIPAA, follow HIPAA

• “Contrary to” means it is impossible to comply with both state law and HIPAA

• Otherwise, follow “most stringent” provision (one that protects the patient’s privacy the most or that provides the most benefits or rights to the patient)


HIPAA: Preemption Rule and Other Federal Laws (SUD – 42 CFR Part 2)

DHHS has stated that in enacting HIPAA it did not intend to repeal other stricter Federal privacy laws

• 42 CFR Part 2 – very strict federal regulations from 1975 (amended in 1987, 1995 and 2017) that protect substance use disorder (SUD) treatment program records

• More specific and narrowly drawn than HIPAA

• Look at HIPAA, if disclosure is ok, then look at SUD law and follow it!

• SUD programs generally follow 42 CFR Part 2 because it provides much more privacy protection – “more stringent” – than HIPAA


How Does Preemption Work in Real Life?

1. Look at HIPAA for an exception to privacy

2. Look at California laws that apply (i.e., what KIND of record?)

3. If there is a conflict, follow HIPAA (e.g., the rule that says you MUST disclose to the Secretary of DHHS investigating HIPAA)

4. If no conflict, follow most stringent privacy law, or provision that allows no disclosure, or most limited, disclosure of PHI


For Example, Before We Can Disclose to Law Enforcement, Apply Preemption Rule:

• No conflict: The HIPAA rule that says you “may” disclose to law enforcement officer looking for the perpetrator of a crime; CA law (LPS) says you “must” disclose to officer who lodges with an inpatient psych facility an arrest warrant for a serious or violent felony; W&I §5328(t) – there is no conflict, so follow CA law

• Conflict: HIPAA says you MUST disclose to the Secretary of DHHS investigating HIPAA problem, CA law does not specifically list this exception – follow HIPAA

• No conflict, most stringent: HIPAA says you “may” disclose to law enforcement; CA law (LPS) does not include exception for missing person inquiry (except patient escape) and is therefore more stringent – follow CA law


HIPAA: Minimum Necessary – Just the Tiniest Amount Necessary to Get the Job Done!


HIPAA: Minimum Necessary Rule

45 CFR §164.514(d)(3)(ii)

• Covered Entity or Business Associate must only disclose the information reasonably necessary to accomplish the purpose for which disclosure is sought or made, and doesn’t exceed what is required for the stated purpose (the “minimum necessary”)

• So, even if disclosure to law enforcement is permitted, ONLY disclose amount of information necessary to accomplish the stated purpose and not any more!


Survey


HIPAA: Permitted Disclosures to Law Enforcement

• No HIPAA required disclosures to law enforcement

• HIPAA permitted disclosures to law enforcement – three possible gates:

1. With written authorization (permission) from the patient (45 CFR §164.508)

2. With verbal authorization (permission) from the patient (45 CFR §164.510)

3. Without authorization (no permission) from the patient (45 CFR §164.512)


But Remember, LEO Can Be First Responder (EMTs, Paramedics) or Payer

Note: 45 CFR §164.506 – disclosure for treatment, payment or operations

• Treatment exception would not likely apply to law enforcement disclosures unless the officers are EMTs or paramedics performing duties as “health care providers”

• If it applies, CMIA (treatment or diagnosis), LPS (provider with medical or psychological responsibility for patient) and SUD law (medical emergency and consent is not able to be obtained for that reason) would permit a disclosure to first responder through this “treatment purpose” gate

• Also required notification of communicable disease exposure


1. With Written Authorization

• HIPAA, CMIA, SUD, HIV test results, all permit disclosures of PHI to third parties with patient’s written authorization/permission

• LPS – W&I Code 5328 (b) – mental health records – ok to disclose to third parties with permission of client AND approval of provider – but approval of provider may be preempted

• Authorization form must meet requirements of applicable law(s) – see CHA Form 16-1


Examples of Disclosures with Written Authorization

• DUI test results (forensic labs) – patient authorizes the release of lab work to the officer (or to DA or court)

• Police investigating assault and battery case, and victim provides written authorization for release of ED records outlining extent of injuries


Survey


Proactive Step

• When the law permits you to release information to law enforcement, it improves relationships if you do so in a helpful way that protects privacy while still helping “in the interests of justice”

• Always consider asking the patient for permission when it is a “may”


Survey


Nancy Paulikas


Missing/Unidentified Persons

• Nancy Paulikas, 56, has been missing since Oct. 15, 2016 when she walked away from LAC Museum of Art

• Family/LE/volunteers have placed over 2,000 calls to hospitals in LA and surrounding area (ED, psych, social services, admissions, different shifts, etc.)

• In-person visits to health facilities

• No consistency from hospital to hospital, shift to shift, employee to employee


2. With Verbal Permission

Disclosure to LEO to Help Notify Family/Friends of Patient’s Location, Condition, Death –

• HIPAA and CMIA are virtually identical:

• If patient is available (present) and has decision making capacity, must:

• CMIA: obtain patient’s verbal agreement or provide an opportunity to object, or reasonably infer that patient does not object

• LPS: obtain verbal agreement

• SUD: obtain written agreement


Disclosure to LEO to Help Notify Family/Friends of Patient’s Location, Condition, Death

If patient cannot agree to disclosure due to incapacity or emergency circumstance:

• CMIA: disclosure ok if provider, in exercise of professional judgment, determines that disclosure in best interest of patient. Can disclose only PHI needed for notification purposes (minimum necessary) [45 CFR §164.510(b); Civil Code §56.1007]

• LPS: No (but see Privacy Manual about disclosures directly to family)

• SUD: No

Proactive Steps: Missing/Unidentified Persons

• Does your facility have a policy about naming unidentified patients – different from celebrities, VIPs, no-information patients?

• How would you look up a patient in your EHR if you don’t know the patient’s name/SSN/DOB/etc.?

• Do you keep a list of unidentified patients with their physical description and other potentially identifying information? Who is responsible for maintaining it?

• Does your switchboard operator know who is responsible?

• Does your policy include reaching out to law enforcement for help?


Survey


LEO as Visitor

LEO not requesting info for a criminal proceeding

• CMIA: Treat as any other visitor. If visitor knows the patient’s name, can provide room number, one-word condition, unless patient opted out of hospital directory (NPP)

• LPS: Obtain verbal permission


Other Examples of Disclosures to Law Enforcement with Verbal Permission

• Patient wishes to file a police report because his car was broken into in the hospital parking lot and asks you to provide information about what your security guard saw when called to investigate the break-in

• Patient is “in the field” and requests that your PES provider talk on phone to law enforcement re: probable cause to “write a 5150 hold” (W&I §5150.05 encourages this in establishing basis for “probable cause”)


LEO Wishes to Interview Patient

Do you have a policy?

Patient may be victim, witness, or suspect

• CMIA, LPS: obtain patient verbal agreement (advise patient if any adverse medical consequences)

• CMIA: if patient objects, and officer persists, escalate to officer’s supervisor – this stress could affect patient’s medical condition

• LPS: no – can’t even confirm/deny patient is present


Permitted Disclosures Without Authorization – HIPAA

Disclosures to LEOs permitted by HIPAA without authorization [45 CFR §164.512]:

a. Required by law (e.g., suspicious injury reporting, injury/condition in patient transferred from another health facility, LPS patient escapes and disappearances) – If reporting requirement applies to your facility under state law, then OK under CMIA and LPS. Reporting requirements probably N/A to SUD facilities.

b. Reporting child, elder, dependent adult abuse and neglect – OK under CMIA and LPS; mandated report involving SUD has to “hide” SUD “connection.” Minimum necessary (“to the extent the disclosure is required by law and limited to relevant requirements of the law”)

c. Decedents (e.g., to coroner or medical examiner) – OK under CMIA and LPS. SUD: ok to report crimes committed on the premises, so if death occurred because of criminal activity on the premises, report is allowed


Permitted Disclosures Without Authorization – HIPAA (cont.)

Disclosures to LEOs permitted by HIPAA without authorization [45 CFR §164.512] (cont.):

d. To avert threat to health or safety – OK under CMIA (§56.10(c)(14)); by a psychotherapist under CMIA and LPS (serious/imminent threat to reasonably foreseeable victim). Consider Tarasoff case for nonpsychotherapist

e. Various law enforcement purposes (e.g., disclosures to identify or locate missing person; determine if patient/decedent is a crime victim) – see upcoming slides for details

f. Various “specialized government functions” (e.g., about military personnel and veterans; to protect the President and other elected officials) – see upcoming slides for details


Disclosures to Law Enforcement (cont.)

HIPAA - 45 CFR §164.512(f) – allows disclosures for various law enforcement purposes and various “specialized government functions”

CMIA overall principle:

• Information and records sought by law enforcement agencies under Chapter 3.5 (commencing with section 1543) of the Penal Code (sections related to criminal investigations), are not covered by CMIA. Thus, CMIA permissible disclosures for directory or the §56.10(c)(14) exception do not apply. Need written consent, appropriate court order, or search warrant prior to disclosure (unless disclosure to specific agencies is required by law, such as child abuse report).

• If not sought by law enforcement for a criminal proceeding – for example, LEO is looking for a missing person - then §56.10(c)(14) exception (arguably) applies

LPS, SUD: need to look at specific provisions


Court Order, Warrant, Subpoena or Summons

45 CFR §164.512(f)(1)(ii) – Disclosure OK in compliance with a court order, warrant, or subpoena or summons issued by a court

• CMIA – Civil Code §56.10(b)(9) and (c)(14)

• LPS: W&I Code §5328(f) – “disclosure to the courts in the administration of justice” (not to a third party)

• LPS: W&I Code §5328(t) – limited disclosure if patient is in a locked psychiatric facility, and law enforcement asks if patient is there and has arrest warrant for violent or serious felony

• SUD: 42 CFR Subpart E – Court Orders – Section 2.61 et seq. – Court order can be issued only after patient has opportunity for a hearing on the matter


Survey


Victims of Crime

45 CFR §164.512(f)(3) - HIPAA allows disclosure of PHI to LEO about patient who is, or is suspected to be, a crime victim other than reportable assault/abuse/neglect if:

1. Patient agrees or

2. Patient unable to agree due to incapacity or other emergency circumstance, provided that: (a) LEO says info needed to determine whether a violation of law by a person other than the victim has occurred, and the info is not intended to be used against the victim; (b) LEO says material adverse effect by waiting until patient able to agree; and (c) disclosure in best interests of patient

• CMIA – Probably criminal proceeding, so no CMIA exceptions apply. Need authorization, court order or warrant

• SUD – no


Victims of Crime (cont.)

• LPS – W&I 5328.4 – The physician in charge of the patient, or the professional person in charge of the facility or his or her designee, when he or she has probable cause to believe that a patient, while hospitalized has committed, or has been the victim of:

• Murder, manslaughter, mayhem, aggravated mayhem, kidnapping, carjacking, robbery, assault with intent to commit a felony, arson, extortion, rape, forcible sodomy, forcible oral copulation, unlawful possession of a weapon …, or escape from a hospital by a mentally disordered sex offender …, the provider shall release information

• Assault or battery, may release information about the patient to governmental law enforcement agencies

• This section shall be limited solely to information directly relating to the factual circumstances of the commission of the enumerated offenses and shall not include any information relating to the mental state of the patient or the circumstances of his or her voluntary or involuntary admission, commitment or treatment

Survey


Crime on Premises

45 CFR §164.512(f)(5) – HIPAA allows disclosure to report a crime on the premises

• CMIA – ok; Civil Code §56.10(c)(14) (not requested by LEO in criminal matter) – but be careful when answering questions!

• LPS – ok to call 911 for help for yourself – be careful about disclosing PHI (see previous slide)

• SUD - 42 CFR §2.12 – ok to report crimes committed on the premises, or threats against staff or facility


Crime While Providing Emergency Care

45 CFR §164.512(f)(6) to report a crime NOT on the premises but in the course of providing emergency medical care (not MH or SUD)

• CMIA – ok; Civil Code §56.10(c)(14)

• LPS – ok to call 911 for help for yourself if you are first responder – be careful about disclosing PHI

• SUD – no


Survey


Serious and Imminent Threats

45 CFR §164.512(j) – avert a serious threat to health or safety – to law enforcement as necessary to prevent or lessen serious and imminent threat to the health or safety of a person or the public or to identify or apprehend an individual

• CMIA – Civil Code §56.10(c)(14) (not requested by LEO in criminal proceeding)

• LPS – W&I Code §5328(g) – To governmental law enforcement agencies as needed for the protection of federal and state elective constitutional officers and their families


Serious and Imminent Threats (cont.)

• LPS – W&I Code §5328(r) When the patient, in the opinion of his or her psychotherapist, presents a serious danger of violence to a reasonably foreseeable victim or victims, then any of the information or records specified in this section may be released to that person or persons and to law enforcement agencies and county child welfare agencies as the psychotherapist determines is needed for the protection of that person or persons. For purposes of this subdivision, “psychotherapist” means anyone so defined in Evidence Code §1010.

• But remember Tarasoff case, if another professional is concerned – judge created a new exception

• SUD – Tarasoff warning without linking patient to SUD treatment program


Survey


ICE

HIPAA permits, but does not require these disclosures:

• 45 CFR 164.512(k) – uses and disclosures for specialized government functions

• 45 CFR 164.512(k)(2) – National Security and intelligence activities to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, or other national security activities authorized by the National Security Act and implementing authority

Need to look at state law for answer


ICE (cont.)


ICE (cont.)

• OK to take ICE agent to a non-public area where employees are not present to verify whether agent has a warrant, provided no consent to search nonpublic areas is given in the process

• Question: what is a public vs. non-public area?


Protecting President and Other Elected Officials

• 45 CFR §164.512(k)(3) – Protective services for the president or other constitutionally elected officers, or foreign heads of state

• CMIA – Civil Code §56.10(c)(14)

• LPS – W&I Code §5328(g) – To governmental law enforcement agencies as needed for the protection of federal and state elective constitutional officers and their families

• Weaving these together, probably only applies to federal and state elective constitutional officers (not foreign heads of state, families) – unless another exception applies

Protecting President and Other Elected Officials (cont.)

• LPS – W&I Code §5328(r): When the patient, in the opinion of his or her psychotherapist, presents a serious danger of violence to a reasonably foreseeable victim or victims, then any of the information or records specified in this section may be released to that person or persons and to law enforcement agencies and county child welfare agencies as the psychotherapist determines is needed for the protection of that person or persons. For purposes of this subdivision, “psychotherapist” means anyone so defined in Evidence Code §1010

• But remember Tarasoff case, if another professional is concerned – judge created a new exception

• SUD – Tarasoff warning without linking patient to SUD treatment program


Reporting Workplace Violence

Violence in the workplace involving different types of events

• Type 1 – committed by someone who has no connection to your workplace

• Type 2 – committed by patients, visitors, or others who are connected to your workplace and often the recipient of your “services”

• Type 3 – committed by an employee or former employee

• Type 4 – committed by someone who has or had a personal relationship with an employee


Reporting Workplace Violence (cont.)

• Reporting to local law enforcement – assault or battery against on-duty hospital personnel must be reported if it results in injury or involves use of firearm or dangerous weapon (even if no injury); law does not require including name of patient or employee (best not to; unless it involves staff under the age of 18 or 65 and older in which case child abuse/elder abuse reporting is done)

• May also need to report to Cal/OSHA, CDPH (adverse event), depending on circumstances. See CHA’s Healthcare Workplace Violence Prevention manual


Body Cams, DUI on your Property, Officers as Patients, 5150s and Other Privacy Concerns

• Law enforcement body cams – should you insist that they be turned off while in your facility?

• Calling 911 when patients leave intending to drive their own vehicle while still under the influence of medications

• Law enforcement in your ED – should you monitor their access to patient areas more carefully?


More Concerns …

Law enforcement officers visiting patients – if they are on duty do you have rules re: carrying guns into patient areas?


More Concerns …

Law enforcement and homeless patients


Steps to Consider to Improve Relationships With Law Enforcement

Look at your policies dealing with law enforcement issues:

• Obtaining consent from in-custody individuals getting medical clearance prior to transport to jail

• Sharing information with jail nurse re: medical clearance

• Consent for lab work

• Confidentiality

• Calling 911 for help


Steps to Consider to Improve Relationships (cont.)

Look at your policies dealing with law enforcement issues (cont.):

• Checklists to make sure processes are uniform

• Designated back up

• Resolving issues to prevent future problems

• (formal process that can be triggered?)

• 5150 situations including need for sitters and transport

• How do you identify Jane/John Doe patients?


Steps to Consider to Improve Relationships (cont.)

Who is managing your hospital’s relationship with each law enforcement agency in your area?

• CEO/COO

• External Affairs

• Security

• ED Manager

• Disaster Planning

• Workplace Violence Prevention

• Other?


Steps to Consider to Improve Relationships (cont.)

• Regular meetings – Senior Lead Officer

• Develop complementary P&Ps

• Provide tours, maps, info about alarms, key cards, phone numbers, utility/TV shut-offs

• Safety Assessment

• Communications plan/escort


Planning Ahead Saves Potential Headaches Later!


Citations/Internet Resources

• HIPAA (45 CFR Parts 160 and 164) – www.ecfr.gov

• Confidentiality of Medical Information Act (California Civil Code §56 et seq.), Lanterman-Petris-Short Act (Welfare & Institutions Code §5328 et seq.), HIV test results (Health and Safety Code §§120980, 120985, 121010) – www.leginfo.legislature.ca.gov

• SUD programs (42 CFR Part 2) – www.ecfr.gov

• Office of Civil Rights (enforces HIPAA Privacy and Security Rules) – www.hhs.gov/ocr/privacy/index.html

• California Office of Health Information Integrity (Cal OHII) – www.calohii.ca.gov


CHA Resources

California Health Information Privacy Manual

Consent Manual (reporting requirements)

www.calhospital.org/manuals


Thank You

Linda Garrett, Garrett Consulting Group, [email protected]

Lois Richardson, California Hospital [email protected]


Questions

Online questions: Type your question in the Q & A box, hit enter

Phone questions: To ask a question, hit *1


Upcoming Programs

Behavioral Health Care Symposium and Emergency Services Forum

Dec. 4 – 5: Behavioral Health Care Symposium

Dec. 6: Emergency Services Forum

Riverside, CA

The annual Behavioral Health Care Symposium and Emergency Services Forum will provide you with three days of need-to-know content that will inspire and motivate you to create change in your facility. For additional information, visit www.calhospital.org/behavioral-symposium or www.calhospital.org/emergency-services-forum

Upcoming Programs

Navigating the New Centralized Licensing Application Process Webinar

December 12, 2017

10:00 – 11:30 a.m., Pacific Time

Learn about changes to the licensure application process. A panel from the California Department of Public Health’s Centralized Application Unit will share the most common issues applicants encounter and provide a roadmap for completing the application process in a timely manner. For additional information, visit www.calhospital.org/navigating-centralized-licensing-process-web.


Thank You and Evaluation

Thank you for participating in today’s seminar. An online evaluation will be sent to you shortly.

For education questions, contact Robyn Thomason at (916) 552-7514 or [email protected].