Public Discussion on Confidentiality and Privacy Issues Related to Psychological Testing

The Substance Abuse and Mental Health Services Administration ("SAMHSA"), in close cooperation with the Department of Health and Human Services Office for Civil Rights ("OCR"), is conducting a study of the “Confidentiality and Privacy Issues Related to Psychological Testing Data.”  This study was specifically called for in section 13424 of the Health Information Technology for Economic and Clinical Health ("HITECH") Act.  

HIPAA’s Privacy Rule includes special protections relating to the use and disclosure of psychotherapy notes; this SAMHSA study will address whether those same protections should also be applied to test data, that is, direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation.

To this end, SAMHSA has announced a regional public meeting in Chicago, Illinois, on October 7, 2010, to give the public a chance to learn about this issue and express opinions. Registration is required, but there is no charge for attending. Another regional meeting will be held this year in Los Angeles in late November or early December.  The meeting is designed for mental health professionals, consumers, health care providers and health plans, agency administrators, health information technology experts, and test developers.

The significant concepts and issues being addressed in this project include:

·        What activities and information are considered the “test data” that is part of a mental health evaluation? What are the relevant distinctions among test materials, raw data, and reports or assessments with respect to the level of protection currently afforded and/or otherwise necessary?

·        Does the individual (i.e., the subject of the test data) need to know, or have an interest in, inspecting or obtaining a copy of such information?

·        Are there circumstances under which test data should be disclosed to third parties?

·        Should the individual’s authorization be required prior to such a disclosure? To whom should test data be released?

·        How would affording mental health test data a higher level of protection affect the workflow in medical, behavioral health, or psychological practices? Are there any additional implications with respect to clinical integration efforts and the increasing availability of mental health services in general health care settings?

·        How is the issue of greater protection for test data affected by State and Federal laws other than HIPAA?

·        In light of the increasing reliance on electronic health records and the exchange of electronic health data, what are the implications of setting more stringent requirements for the use and disclosure of test data?

Small groups will consider these and other central questions following brief presentations by SAMHSA’s and OCR’s study team.

Update on HIPAA Business Associate Regulations -- OCR Says They Still Aren't Ready, Gives No Date

In a notice apparently posted March 17, 2010, the Office for Civil Rights of the Department of Health and Human Services ("OCR") acknowledged its delay in issuing regulations on HIPAA business associate obligations under the HITECH Act.  Those regulations are now a month overdue and, judging from OCR's language, they do not appear imminent:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

(Emphasis added.)  What does seem clear from this notice is that OCR enforcement of the underlying law is not imminent and that more guidance on that will come when the regulations are issued.


HHS Reports 35 Breaches Impacting 500 or More People

At the end of February, the HHS Office for Civil Rights (“OCR”) posted on its website a list of HIPAA “covered entities” that have reported breaches of unsecured protected health information affecting 500 or more individuals.  OCR’s posting showed 35 health data breaches that together impacted over 700,000 individuals (individual breaches ranged in size from 359,000 individuals, due to the theft of a laptop, down to 501 individuals, due to the theft of a portable USB device).

This posting by OCR was required by the August 2009 Interim Final Rule, which was issued pursuant to the HITECH Act.  In particular, § 164.408 of this breach notification interim final rule implements § 13402(e)(3) of the HITECH Act. The rule became effective September 23, 2009. 

Under this rule, a breach affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days after the breach is discovered, via an OCR online notification form; breaches affecting fewer than 500 individuals are logged by the covered entity and reported to OCR annually.  Training materials and related guidance on breach notification can be found on the OCR web site.

HIPAA Breach Notification Made Simple -- Just Fill in the Blanks

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) has tried to make a HIPAA breach easy to report, with its newly released online “Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information.”

The online form is straightforward, featuring pull-down options tied to the new HITECH rules:  it will let you report whether your breach is for more than 500 individuals (or fewer than that), the type and location of the breach, etc.  OCR estimates the form will take 15-30 minutes to complete. 

Interestingly, the form does not require a statement under penalty of perjury from the submitting party, only a statement that “I attest, to the best of my knowledge, that the above information is accurate.”  This could be seen as an attempt to encourage reporting, by not saddling breach reporters with potential liability for making false statements to the government.  However, it would also seem to permit effectively anonymous reporting, via the use of an alias.

Good News and Bad News: An Employer Is Hiring; It's The HHS Office of Civil Rights!

In an email to its listserv earlier today, the federal Department of Health and Human Services announced that it "is expanding its health information privacy enforcement team."  In particular, HHS is hiring for two new positions, located in HHS's "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)."  As described on USAJOBS.GOV, the people to be hired "will be responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information."  If you are a privacy officer, this could be the federal government stimulus you've been waiting for!