Preparation for Child Psych PRITE and Boards
Jump to: navigation, search
(Created page with "==Introduction== '''Health Insurance Portability and Accountability Act''' of 1996 (HIPAA) deals with employees keeping their insurance coverage, national electronic healthcar...")
 
(Introduction)
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Introduction==
 
==Introduction==
'''Health Insurance Portability and Accountability Act''' of 1996 (HIPAA) deals with employees keeping their insurance coverage, national electronic healthcare standards. THe part generally relevant to doctors have to do with the Privacy and Security provisions of the HIPAA law.
+
'''Health Insurance Portability and Accountability Act''' of 1996 (HIPAA) deals with employees keeping their insurance coverage, national electronic healthcare standards. Information relevant to doctors includes the '''Privacy''' and '''Security''' provisions of the HIPAA law. This article focuses on these topics.
 +
 
 +
'''Who is not bound by HIPAA'''
 +
*'''Covered entities''' include hospitals, insurance companies, and doctors are bound by the Privacy and Security rules of HIPAA.
 +
*Life insurance companies, employers, worker comp agencies, schools, and law enforcement are not covered entities.
 +
 
 +
==Security Rule==
 +
Security rule outlines the necessary safeguards in protecting electronic PHI.
 +
 
 +
==Privacy Rule==
 +
* regulates use and disclosure of protected health information (PHI) by covered entities.  PHI includes any part of medical record or billing history.
 +
 
 +
===Covered entities ''must'' disclose PHI===
 +
*to the patient (upon written request, within 30 days), and
 +
*when required by law (child abuse, gun shot wounds, etc)
 +
 
 +
===Covered entities ''may,'' but not required to, disclose PHI without written authorization for===
 +
*billing and insurance coverage
 +
** this includes traditional billing, ED giving PHI to ambulance company or outside lab, so they can bill.
 +
*to the individual (a '''must''' with written authorization)
 +
*for '''treatment'''
 +
** this includes releasing medical information to a specialist who will treat the pt., or to a nursing home, where pt. is being discharged.
 +
* '''psychotherapy notes''' is an important exception; written authorization is required for release of PHI to the individual or others.
 +
 
 +
====Additional wrinkles====
 +
* covered entities may design their own process of '''written consent''' for disclosing of PHI which does not normally require authorization under the Privacy Rule. Consent is not equivalent to '''written authorization''' which has specific Privacy Rule applications.
 +
** HIPAA does not require consent or authorization for a doctor to discuss the care of the patient with another doctor. However an institution may design its own consent procedure and require doctors to abide by it. In either case, patient must be notified how the institution handles the PHI via the Notice of Privacy Practices.
 +
* Entities must notify the patient about their disclosure practices (i.e. do they disclose PHI when permitted, without consent), and thus patients are asked to sign The Notice of Privacy Practices, and are given a HIPAA brochure.
 +
* Individuals have the right to request restrictions on how a covered entity will use and disclose protected health information about them for treatment, payment, and health care operations. A covered entity is not required to agree to the request for a restriction, but is bound by any restrictions to which it agrees.
 +
* Entities must accommodate reasonable requests for confidential communication (e.g. calling only at work and never at home).
 +
 
 +
==Children and Adolescents==
 +
Generally parents/guardians have the authority to make health care decisions for their children. This is mandated and regulated by State laws, not HIPAA. Many states withhold parental authority in instances of mental and sexual health.
 +
 
 +
When parents or guardians of minors (and legal guardians of mentally incompetent adults) have the authority to make healthcare decisions (most situations), they are considered '''personal representatives''' by HIPAA. They are can '''authorize the release of''' and '''receive PHI''' about a minor, with some exceptions.
 +
*State laws may specify if specific HPI is not available to parents.
 +
*Abuse, neglect and endangerment situations.
 +
 
 +
===Some examples:===
 +
*''' If''' a state grants the minor the authority to make decisions about her own psychotherapy treatments, a parent is not a "personal representative" '''under HIPAA Privacy Law''', and thus not entitled to receiving PHI about psychotherapy. Parent is still a "personal representative" when it comes to pneumonia treatment and have HIPAA right to receive PHI.
 +
 
 +
* State laws may or may not specify what PHI is available to parents when they do not have the authority to make health care decisions. (HIPAA does not apply since the parent is not a "personal representative.")
 +
** Under a state law, a minor may have the authority to decide to terminate a pregnancy, but a parent may have a right to obtain that PHI. It falls to the institution/health care provider to make the decision when the state law is vague.
 +
 
 +
==References==
 +
 
 +
(1) http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
 +
(2) http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html
 +
 
 +
[[Category:Concepts]]
 +
{{Brief report}}

Latest revision as of 21:53, 30 August 2015

Introduction

Health Insurance Portability and Accountability Act of 1996 (HIPAA) deals with employees keeping their insurance coverage, national electronic healthcare standards. Information relevant to doctors includes the Privacy and Security provisions of the HIPAA law. This article focuses on these topics.

Who is not bound by HIPAA

  • Covered entities include hospitals, insurance companies, and doctors are bound by the Privacy and Security rules of HIPAA.
  • Life insurance companies, employers, worker comp agencies, schools, and law enforcement are not covered entities.

Security Rule

Security rule outlines the necessary safeguards in protecting electronic PHI.

Privacy Rule

  • regulates use and disclosure of protected health information (PHI) by covered entities. PHI includes any part of medical record or billing history.

Covered entities must disclose PHI

  • to the patient (upon written request, within 30 days), and
  • when required by law (child abuse, gun shot wounds, etc)

Covered entities may, but not required to, disclose PHI without written authorization for

  • billing and insurance coverage
    • this includes traditional billing, ED giving PHI to ambulance company or outside lab, so they can bill.
  • to the individual (a must with written authorization)
  • for treatment
    • this includes releasing medical information to a specialist who will treat the pt., or to a nursing home, where pt. is being discharged.
  • psychotherapy notes is an important exception; written authorization is required for release of PHI to the individual or others.

Additional wrinkles

  • covered entities may design their own process of written consent for disclosing of PHI which does not normally require authorization under the Privacy Rule. Consent is not equivalent to written authorization which has specific Privacy Rule applications.
    • HIPAA does not require consent or authorization for a doctor to discuss the care of the patient with another doctor. However an institution may design its own consent procedure and require doctors to abide by it. In either case, patient must be notified how the institution handles the PHI via the Notice of Privacy Practices.
  • Entities must notify the patient about their disclosure practices (i.e. do they disclose PHI when permitted, without consent), and thus patients are asked to sign The Notice of Privacy Practices, and are given a HIPAA brochure.
  • Individuals have the right to request restrictions on how a covered entity will use and disclose protected health information about them for treatment, payment, and health care operations. A covered entity is not required to agree to the request for a restriction, but is bound by any restrictions to which it agrees.
  • Entities must accommodate reasonable requests for confidential communication (e.g. calling only at work and never at home).

Children and Adolescents

Generally parents/guardians have the authority to make health care decisions for their children. This is mandated and regulated by State laws, not HIPAA. Many states withhold parental authority in instances of mental and sexual health.

When parents or guardians of minors (and legal guardians of mentally incompetent adults) have the authority to make healthcare decisions (most situations), they are considered personal representatives by HIPAA. They are can authorize the release of and receive PHI about a minor, with some exceptions.

  • State laws may specify if specific HPI is not available to parents.
  • Abuse, neglect and endangerment situations.

Some examples:

  • If a state grants the minor the authority to make decisions about her own psychotherapy treatments, a parent is not a "personal representative" under HIPAA Privacy Law, and thus not entitled to receiving PHI about psychotherapy. Parent is still a "personal representative" when it comes to pneumonia treatment and have HIPAA right to receive PHI.
  • State laws may or may not specify what PHI is available to parents when they do not have the authority to make health care decisions. (HIPAA does not apply since the parent is not a "personal representative.")
    • Under a state law, a minor may have the authority to decide to terminate a pregnancy, but a parent may have a right to obtain that PHI. It falls to the institution/health care provider to make the decision when the state law is vague.

References

(1) http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf (2) http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html