Title: Poison Centers and HIPAA
1Poison Centers and HIPAA
- 2003 Mid Year AAPCC Meeting
- Robert J. Geller, M.D.
- Revised updated 2/13/2003
2Disclaimer
- Although the following represents my best
understanding of the subject, it should not be
relied upon without seeking appropriate counsel
from your own institution to be sure that the
content is correct and appropriate to your own
situation.
3HIPAA Privacy
- Protect patient privacy by regulating disclosure
of personal information - Specifically cover health care providers and
their business affiliates
4HIPAA Definitions
- IIHI - Individually identifiable health
information - Covered entity - Health Care Provider - Sec.
160.103 - can perform treatment activities.
Performs services . . . a provider of medical or
health services . . . . - The Privacy Regulations specifically consider PCC
as a health care provider and its services as
treatment.
5Federal Register Rules and Regulations
December 28, 2000 (65 250, p 82626)
- We note that poison control centers are health
care providers for purposes of this rule. We
consider the counseling and follow-up
consultations provided by poison control centers
with individual providers regarding patient
outcomes to be treatment.
6PC role
- As a Health Care Provider the Poison Control
Center (PCC) will be required to comply if it
performs activities that fall within the scope of
a covered entity - Treatment Sec 164.501 - The counseling and
follow-up consultations provided by poison
centers with individual providers regarding
patient outcomes is treatment.
7PC role
- Because PCC function is considered treatment, the
PCC and other health care providers can share
protected health information about the treatment
of an individual without a business associate
contract. Activities described by treatment
involved health care providers supplying health
care to a particular patient.
8PC role
- If PCCs had not been classified as health care
providers, then the PCC would have to have a
contract with every covered entity to whom it
would provide services - This would, from a practical matter, be
prohibitive and detrimental to patient care.
9Minimum Necessary Standard
- Sec. 164.502
- Covered entities must make reasonable efforts to
disclose only the minimum amount of information
to accomplish the purpose for which it is
disclosed. - The minimum necessary requirement does not apply
to disclosures by one covered entity to another
for treatment purposes.
10Consent to share info?
- Sec 164.512
- Uses and disclosures for which consent, an
authorization, or opportunity to agree is not
required, include - a covered health entity may disclose IIHI for
public health activities - AAPCC TESS as a public health activity
- Is your PC a public health activity?
11Georgia example
- We are designated by the State of Georgia,
Division of Public Health, based on our
contractual relationship with them, and on the
roles we fill and the services we provide, to
act with and on behalf of the Division of Public
Health
12Chart access
- The patient has the right under HIPAA when their
record is accessed for purposes other than
patient care, billing, or health care
operations to know who accessed their record,
when, and for what purpose - Therefore, HIPAA requires that each access to
each patients record needs to record this
information
13Health care operations- 45 CFR, section 164.501
(2) --selected portions -- page 1
- As published August 14, 2002 Health care
operations means any of the following activities
of the covered entity to the extent that the
activities are related to covered functions - (1) Conducting quality assessment and improvement
activities, including outcomes evaluation and
development of clinical guidelines, provided that
the obtaining of generalizable knowledge is not
the primary purpose of any studies resulting from
such activities population-based activities
relating to improving health or reducing health
care costs, protocol development, case management
and care coordination, contacting of health care
providers and patients with information about
treatment alternatives and related functions
that do not include treatment
14Health care operations- 45 CFR, section 164.501
(2) - selected portions -- page 2
- (2) Reviewing the competence or qualifications
of health care professionals, evaluating
practitioner and provider performance, health
plan performance, conducting training programs in
which students, trainees, or practitioners in
areas of health care learn under supervision to
practice or improve their skills as health care
providers, training of non-health care
professionals, accreditation, certification,
licensing, or credentialing activities
15Health care operations- 45 CFR, section 164.501
(2) - selected portions -- page 3
- (4) Conducting or arranging for medical review,
legal services, and auditing functions, including
fraud and abuse detection and compliance
programs - (5) Business planning and development, such as
conducting cost-management and planning-related
analyses related to managing and operating the
entity, including formulary development and
administration, development or improvement of
methods of payment or coverage policies
16Health care operations- 45 CFR, section 164.501
(2) - selected portions -- page 4
- (6) Business management and general
administrative activities of the entity,
including, but not limited to - (i) Management activities relating to
implementation of and compliance with the
requirements of this subchapter - (ii) Customer service, including the provision of
data analyses for policy holders, plan sponsors,
or other customers, provided that protected
health information is not disclosed to such
policy holder, plan sponsor, or customer. - (iii) Resolution of internal grievances
17Health care operations- 45 CFR, section 164.501
(2) - selected portions - page 5
- (iv) The sale, transfer, merger, or
consolidation of all or part of the covered
entity with another covered entity, or an entity
that following such activity will be come a
covered entity and due diligence related to such
activity and - (v) Consistent with the applicable requirements
of 164.514, creating de- identified health
information or a limited data set, and,
fundraising for the benefit of the covered
entity.
18Issues needing further resolution
- Under HIPAA, the electronic record needs to be
protected from inappropriate access - how best to
do?
19Issues 2
- Hospitals are often reluctant to share info when
we call back. If a parent or patient is the one
who has called us, our right to continued
involvement seems clear. If the hospital
initiated the call to us, it should also be
clear. - What if the original call came from a relative,
babysitter, teacher, girlfriend, spouse or if we
cannot "prove" the caller had a right to involve
us? - Under HIPAA, this is not a restricted activity.
But the hospital may question if a treatment
provider status exists!
20Issues 3 - page 1
- What data or chart detail can we share with each
other or make available to a paying contractor
(directly or through the AAPCC) without violating
HIPAA? - Consent for our involvement is implied. Consent
to share outside the scope of the above
restrictions is not given. In essence this is
sharing or selling a series of case reports, but
the audience benefiting is more limited than all
literature readers.
21Issues 3- page 2
- Is there a degree chart redaction that is enough
to be able to share? - Probably requires either removal of IIHI or
written individual patient consent.
22Research
- If the observation is prospective and planned,
must consent be obtained from the parent or
patient? - Would this change if the only reported data was a
summary of pooled data? - Likely requires involvement of local privacy
board and/or IRB to decide on case-specific basis
23Issues 4 - The Written Privacy Notice
- HIPAA requires that every patient receive a
written privacy notice as soon as practicable
after the emergency situation is resolved - A posted notice may be used as an alternative
- For a telephone based operations such as a PC,
how do we meet this? - Does a website posting meet this?
- At the end of each call, do we need to offer
every patient to mail them a copy?