Poison Centers and HIPAA

1
Poison Centers and HIPAA

• 2003 Mid Year AAPCC Meeting
• Robert J. Geller, M.D.
• Revised updated 2/13/2003

2
Disclaimer

• Although the following represents my best
  understanding of the subject, it should not be
  relied upon without seeking appropriate counsel
  from your own institution to be sure that the
  content is correct and appropriate to your own
  situation.

3
HIPAA Privacy

• Protect patient privacy by regulating disclosure
  of personal information
• Specifically cover health care providers and
  their business affiliates

4
HIPAA Definitions

• IIHI - Individually identifiable health
  information
• Covered entity - Health Care Provider - Sec.
  160.103 - can perform treatment activities.
  Performs services . . . a provider of medical or
  health services . . . .
• The Privacy Regulations specifically consider PCC
  as a health care provider and its services as
  treatment.

5
Federal Register Rules and Regulations
December 28, 2000 (65 250, p 82626)

• We note that poison control centers are health
  care providers for purposes of this rule. We
  consider the counseling and follow-up
  consultations provided by poison control centers
  with individual providers regarding patient
  outcomes to be treatment.

6
PC role

• As a Health Care Provider the Poison Control
  Center (PCC) will be required to comply if it
  performs activities that fall within the scope of
  a covered entity
• Treatment Sec 164.501 - The counseling and
  follow-up consultations provided by poison
  centers with individual providers regarding
  patient outcomes is treatment.

7
PC role

• Because PCC function is considered treatment, the
  PCC and other health care providers can share
  protected health information about the treatment
  of an individual without a business associate
  contract. Activities described by treatment
  involved health care providers supplying health
  care to a particular patient.

8
PC role

• If PCCs had not been classified as health care
  providers, then the PCC would have to have a
  contract with every covered entity to whom it
  would provide services
• This would, from a practical matter, be
  prohibitive and detrimental to patient care.

9
Minimum Necessary Standard

• Sec. 164.502
• Covered entities must make reasonable efforts to
  disclose only the minimum amount of information
  to accomplish the purpose for which it is
  disclosed.
• The minimum necessary requirement does not apply
  to disclosures by one covered entity to another
  for treatment purposes.

10
Consent to share info?

• Sec 164.512
• Uses and disclosures for which consent, an
  authorization, or opportunity to agree is not
  required, include
• a covered health entity may disclose IIHI for
  public health activities
• AAPCC TESS as a public health activity
• Is your PC a public health activity?

11
Georgia example

• We are designated by the State of Georgia,
  Division of Public Health, based on our
  contractual relationship with them, and on the
  roles we fill and the services we provide, to
  act with and on behalf of the Division of Public
  Health

12
Chart access

• The patient has the right under HIPAA when their
  record is accessed for purposes other than
  patient care, billing, or health care
  operations to know who accessed their record,
  when, and for what purpose
• Therefore, HIPAA requires that each access to
  each patients record needs to record this
  information

13
Health care operations- 45 CFR, section 164.501
(2) --selected portions -- page 1

• As published August 14, 2002 Health care
  operations means any of the following activities
  of the covered entity to the extent that the
  activities are related to covered functions
• (1) Conducting quality assessment and improvement
  activities, including outcomes evaluation and
  development of clinical guidelines, provided that
  the obtaining of generalizable knowledge is not
  the primary purpose of any studies resulting from
  such activities population-based activities
  relating to improving health or reducing health
  care costs, protocol development, case management
  and care coordination, contacting of health care
  providers and patients with information about
  treatment alternatives and related functions
  that do not include treatment

14
Health care operations- 45 CFR, section 164.501
(2) - selected portions -- page 2

• (2) Reviewing the competence or qualifications
  of health care professionals, evaluating
  practitioner and provider performance, health
  plan performance, conducting training programs in
  which students, trainees, or practitioners in
  areas of health care learn under supervision to
  practice or improve their skills as health care
  providers, training of non-health care
  professionals, accreditation, certification,
  licensing, or credentialing activities

15
Health care operations- 45 CFR, section 164.501
(2) - selected portions -- page 3

• (4) Conducting or arranging for medical review,
  legal services, and auditing functions, including
  fraud and abuse detection and compliance
  programs
• (5) Business planning and development, such as
  conducting cost-management and planning-related
  analyses related to managing and operating the
  entity, including formulary development and
  administration, development or improvement of
  methods of payment or coverage policies

16
Health care operations- 45 CFR, section 164.501
(2) - selected portions -- page 4

• (6) Business management and general
  administrative activities of the entity,
  including, but not limited to
• (i) Management activities relating to
  implementation of and compliance with the
  requirements of this subchapter
• (ii) Customer service, including the provision of
  data analyses for policy holders, plan sponsors,
  or other customers, provided that protected
  health information is not disclosed to such
  policy holder, plan sponsor, or customer.
• (iii) Resolution of internal grievances

17
Health care operations- 45 CFR, section 164.501
(2) - selected portions - page 5

• (iv) The sale, transfer, merger, or
  consolidation of all or part of the covered
  entity with another covered entity, or an entity
  that following such activity will be come a
  covered entity and due diligence related to such
  activity and
• (v) Consistent with the applicable requirements
  of 164.514, creating de- identified health
  information or a limited data set, and,
  fundraising for the benefit of the covered
  entity.

18
Issues needing further resolution

• Under HIPAA, the electronic record needs to be
  protected from inappropriate access - how best to
  do?

19
Issues 2

• Hospitals are often reluctant to share info when
  we call back. If a parent or patient is the one
  who has called us, our right to continued
  involvement seems clear. If the hospital
  initiated the call to us, it should also be
  clear.
• What if the original call came from a relative,
  babysitter, teacher, girlfriend, spouse or if we
  cannot "prove" the caller had a right to involve
  us?
• Under HIPAA, this is not a restricted activity.
  But the hospital may question if a treatment
  provider status exists!

20
Issues 3 - page 1

• What data or chart detail can we share with each
  other or make available to a paying contractor
  (directly or through the AAPCC) without violating
  HIPAA?
• Consent for our involvement is implied. Consent
  to share outside the scope of the above
  restrictions is not given. In essence this is
  sharing or selling a series of case reports, but
  the audience benefiting is more limited than all
  literature readers.

21
Issues 3- page 2

• Is there a degree chart redaction that is enough
  to be able to share?
• Probably requires either removal of IIHI or
  written individual patient consent.

22
Research

• If the observation is prospective and planned,
  must consent be obtained from the parent or
  patient?
• Would this change if the only reported data was a
  summary of pooled data?
• Likely requires involvement of local privacy
  board and/or IRB to decide on case-specific basis

23
Issues 4 - The Written Privacy Notice

• HIPAA requires that every patient receive a
  written privacy notice as soon as practicable
  after the emergency situation is resolved
• A posted notice may be used as an alternative
• For a telephone based operations such as a PC,
  how do we meet this?
• Does a website posting meet this?
• At the end of each call, do we need to offer
  every patient to mail them a copy?